Testing firewall rules on Windows for TCP ports with Telnet

Often times we need to test connectivity on environments to prove that firewall rules have been implemented correctly and it often has to happen before software is installed and configured on the servers.
Firewall rules are implemented by network engineers to let network traffic go through between different computers. The rules have a direction, which means that a rule is setup to allow traffic originating from a computer A (client) to a destination computer B (server) on a certain port of the destination machine. To allow traffic originating from the computer B to computer A, another rule would need to be created.

We will be testing firewall rules to prove that there is TCP connectivity across two machines separated by a firewall. To do that on a Windows OS for the TCP protocol, we can use the Telnet client tool. From the Windows Command Prompt, the command is the following:
telnet <DestinationIpAddress> <DestinationPortNumber>
The Telnet Client tool is not installed by default on Windows and if the command is not recognized on the computer you are on, you can install the Telnet Client tool following the steps defined in the following Technet article: Install Telnet Client. Telnet Client is a Server Feature on Server OS and a Windows Feature on Client OS (Windows 7, 8, 10…).

The problem is that if we use the Telnet command to a port on which no process runs, the Telnet command will fail and we won’t know if Telnet failed due to either:

  • The firewall blocking the connection.
  • The firewall letting the traffic through but there is no process listening on the specified port at the destination server.

The error message is the same in both case and looks like the following:
Connecting To x.x.x.x...Could not open connection to the host, on port xxx: Connect failed
Telnet command failing Telnet command failing

So the obvious resolution is to have a process listening on the specified port and it is where a tool like the Port Listener tool comes in handy. This tool can be configured to listen to TCP or UDP network traffic on any port.
All we need to do is to run Port Listener on the destination computer we want to test connectivity to, configure it to listen on a particular port and then run Telnet from the client server machine.

In the example hereunder we want to test if the TCP port 636 (used for LDAPS protocol) is open.

1. Start Port Listener to listen on TCP port 636 on the destination server:
The screenshot hereunder is an old version of Port Listener which supports only TCP, so make sure to download the latest version which also supports listening for UDP traffic.
Start Port Listener
Port Listener v 1.02 offers the choice to listen to either TCP or UDP traffic:
Start Port Listener

2. Execute the Telnet command from the client server:
Telnet Client Tool

… which now succeeds as Port Listener is running on the server:
Telnet Client Tool succeeds

Leave a Reply

Your email address will not be published. Required fields are marked *