BlackBerry Forums Support Community
              

Old 10-23-2007, 08:19 AM   #1
Wiseass
Talking BlackBerry Encyclopedia
 
Join Date: Sep 2005
Location: Illinois
Model: 9850
PIN: k Floyd \m/ ROCK!
Carrier: VZW
Posts: 249
BES/Notes admins...Comcast blocking port 1352?

I just saw this article.

Link to Infoweek

Quote:
Originally Posted by article
As if the AP's report last week wasn't enough, it looks like Comcast is blocking other online services, including Gnutella, FTP, and even Lotus Notes. I guess Comcast doesn't respect the needs of telecommuters or net neutrality.
Quote:
Originally Posted by article
And let's drill down to Kevin Kanarski's post on Notes and Comcast:

I finally have an end-to-end trace to share which shows that Comcast is filtering the port 1352 traffic. The images below show that Comcast is impersonating and using man-in-the-middle tactics to filter the traffic as stated in the CNet post. The images show a network packet trace from the client side and from the server side during the same session. This was a new memo composed within Notes with a 6-Mbyte attachment and then saved as a draft to the server database. The transfer did not succeed.

So I guess Comcast subscribers can't work from home now either?
My question is to those of you who are Lotus Notes admins, is this severely going to affect you if it's true? I haven't encountered this yet, however we have about 1300 sales people across the country that use their personal internet connection (Comcast/ATT/etc) to connect to our email server. Mainly because we push custom databases down to them, also the web interface is just flat out clunky if you ask me.

I don't know if this belongs in this section, but I am the email/blackberry admin for my company, and I can see this greatly affecting us.

Anyone else got thoughts on this?
__________________
"I don't feel I need to explain my art to you Warren"
Offline  
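
Added example, not part of the original post or the quoted article: the two-sided comparison the quoted trace relies on, diffing a client-side and a server-side capture of the same session to find segments that arrived bearing one endpoint's address but that the endpoint never sent. The record schema, names and sample values are constructed; it assumes both captures see the same addresses and ports (no NAT between them), and modelling the forged segments as TCP resets is an assumption, since the post does not say what was injected.

```python
from collections import Counter, namedtuple

# One TCP segment exported from a capture (this schema is the example's own).
Seg = namedtuple("Seg", "src dst sport dport seq ack flags length")

def sent_by(capture, ip):
    """Multiset of the segments in `capture` whose source address is `ip`."""
    return Counter(s for s in capture if s.src == ip)

def compare_traces(client_cap, server_cap, client_ip, server_ip):
    """Diff two captures of one session, one taken at each endpoint.

    injected_as_X: segments carrying X's address that reached the peer but are
                   absent from X's own capture, i.e. something impersonated X.
    lost_from_X:   segments X sent that never show up in the peer's capture.
    """
    report = {}
    for name, own_cap, peer_cap, ip in (
        ("client", client_cap, server_cap, client_ip),
        ("server", server_cap, client_cap, server_ip),
    ):
        left, arrived = sent_by(own_cap, ip), sent_by(peer_cap, ip)
        # Multiset difference: a segment seen more often than it was sent still counts.
        report[f"injected_as_{name}"] = sorted((arrived - left).elements())
        report[f"lost_from_{name}"] = sorted((left - arrived).elements())
    return report

# Constructed sample session to TCP 1352 (documentation addresses, made-up
# sequence numbers). Modelling the forged segments as resets is an assumption.
C, S = "198.51.100.10", "203.0.113.5"
SYN = Seg(C, S, 50000, 1352, 1000, 0, "S", 0)
SYNACK = Seg(S, C, 1352, 50000, 9000, 1001, "SA", 0)
ACK = Seg(C, S, 50000, 1352, 1001, 9001, "A", 0)
DATA1 = Seg(C, S, 50000, 1352, 1001, 9001, "PA", 1460)
DATA2 = Seg(C, S, 50000, 1352, 2461, 9001, "PA", 1460)
FAKE_TO_SERVER = Seg(C, S, 50000, 1352, 2461, 9001, "R", 0)  # client never sent it
FAKE_TO_CLIENT = Seg(S, C, 1352, 50000, 9001, 2461, "R", 0)  # server never sent it

CLIENT_CAP = [SYN, SYNACK, ACK, DATA1, DATA2, FAKE_TO_CLIENT]
SERVER_CAP = [SYN, SYNACK, ACK, DATA1, FAKE_TO_SERVER]

if __name__ == "__main__":
    for finding, segs in compare_traces(CLIENT_CAP, SERVER_CAP, C, S).items():
        print(finding, segs)
```

A non-empty `injected_as_*` list on both sides, together with data in `lost_from_client`, is the pattern that separates on-path interference from ordinary packet loss, which only ever produces `lost_from_*` entries.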
Old 10-23-2007, 09:20 AM   #2
Jadey
BBF War Game Mod
 
Join Date: Oct 2006
Location: Denver CO
Model: Z10
OS: 10010614
PIN: SEEKRIT innit
Carrier: AT&T
Posts: 4,294

Thank goodness they're not a UK ISP
__________________
Jadey : Infrastructure Architect, Denver CO
Offline  
Old 10-23-2007, 11:37 AM   #3
Ugg
Thumbs Must Hurt
 
Join Date: Dec 2006
Model: 8310
OS: 4.5
Carrier: O2
Posts: 197

My first thought was "wouldn't you want to be doing this sort of thing over a VPN connection anyway?". Of course, the ISP can still block that (I've had "discussions" with an ISP where VPN traffic was put in the slow lane with all the P2P traffic).
Offline  
Old 10-23-2007, 11:42 AM   #4
penguin3107
BlackBerry God
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701

Quote:
Originally Posted by Wiseass View Post
My question is to those of you who are Lotus Notes admins, is this severely going to affect you if it's true? I haven't encountered this yet, however we have about 1300 sales people across the country that use their personal internet connection (Comcast/ATT/etc) to connect to our email server. Mainly because we push custom databases down to them, also the web interface is just flat out clunky if you ask me.

I don't know if this belongs in this section, but I am the email/blackberry admin for my company, and I can see this greatly affecting us.

Anyone else got thoughts on this?
Why would you have port 1352 open to the public?
You don't require a secure connection to your Domino server for remote users?

Our remote users are required to use a VPN to connect to Domino.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 10-23-2007, 11:46 AM   #5
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344

I'm with penguin3107.
__________________
Exchange 2007/BES 5.0.2 MR2
Offline  
Old 10-24-2007, 01:41 PM   #6
Aroc
CrackBerry Addict
 
Join Date: Jul 2005
Location: Solon, OH, USA
Model: 9000
OS: 4.6.0.167
PIN: 20878533
Carrier: ATT
Posts: 708

The Notes client and Domino server support encrypted communications. That along with enabling "Compare Notes public keys against those stored in Directory" should keep you mostly protected. I have no qualms about leaving 1352 open to the outside world in that case since the attacker would need a valid, certified user ID file (and a valid password for that file).

As for the original post, yes, we too are starting to see port TCP 1352 being blocked more and more these days. Strangely some hotels (outside North America) may block TCP 1352 from guest rooms, but that port may be wide-open in the common lobby areas. We're also seeing the same thing (TCP 1494, TCP 2598 etc for Citrix) on other ports. It seems that in some cases a lot of traffic other than the known web ports are starting to be blocked with increasing frequency. Add to that some places that appear to drop IPsec traffic, effectively killing VPN. So sometimes even opening a VPN tunnel back to the office does not work.

But in all fairness, the frequency of seeing IPsec traffic (VPN) dropped is much less often today than it was say 4-5 years ago, when it seemed that several consumer broadband providers were dropping IPsec, suggesting instead, our telecommuters should opt for >$100/mo "business class" packages.
__________________
--
Domino 7.0.4FP1 | BES 4.1.6 MR-7 | 42 handhelds
Offline  
Old 10-24-2007, 02:22 PM   #7
pierrebnh
New Member
 
Join Date: Oct 2007
Model: 8830
PIN: N/A
Carrier: Sprint
Posts: 14

Quote:
Originally Posted by penguin3107 View Post
Why would you have port 1352 open to the public?
You don't require a secure connection to your Domino server for remote users?

Our remote users are required to use a VPN to connect to Domino.
Aroc is right, you don't need VPN to have a secure connection to Domino. And we've run into the same issues with IPSec blocking at hotels.

Thankfully, it looks like Comcast has resolved this issue.
Offline  
Old 10-24-2007, 04:02 PM   #8
mahoward
CrackBerry Addict
 
Join Date: May 2005
Model: 8900
Carrier: T-Mobile
Posts: 560

I work with Kevin, and Comcast finally caved and admitted this was a "bug" (probably associated with their P2P filtering) and has resolved it.
__________________
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices
Offline  
Old 10-24-2007, 04:02 PM   #9
penguin3107
BlackBerry God
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701

Quote:
Originally Posted by pierrebnh View Post
Aroc is right, you don't need VPN to have a secure connection to Domino. And we've run into the same issues with IPSec blocking at hotels.

Thankfully, it looks like Comcast has resolved this issue.
I totally understand that... and I agree to some extent.
The problem with this model is that you're requiring the Notes Client to be properly configured to encrypt the traffic.
You're also exposing your Domino server to the public internet. Albeit, it's one port, but that's still a hole that can potentially be breached.

For me, the Comcast thing isn't an issue. It might be for some people and I hope that gets fully worked out.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 10-25-2007, 06:18 AM   #10
m4ilm4n
Thumbs Must Hurt
 
Join Date: Oct 2006
Location: Loony bin
Model: 8800
Carrier: T-Mobile
Posts: 111

My first response was "who in their right mind is putting their Domino server out in the wild like that?", but after further thought, I can see proxying port 80 thru a firewall to get to web apps, but anything else is just asking for trouble. I require my users to have an encrypted VPN tunnel running before they start their remote Notes client, and the VPN gateway's policy disallows split tunneling. Maybe I'm just being paranoid, but I've been burned before....
Offline  
Old 10-26-2007, 11:40 AM   #11
Wiseass
Talking BlackBerry Encyclopedia
 
Join Date: Sep 2005
Location: Illinois
Model: 9850
PIN: k Floyd \m/ ROCK!
Carrier: VZW
Posts: 249

Thanks for the replies all, for those of you saying it's "resolved" and a "bug" do you have any article links? I looked at the original and it's not updated, and can't seem to find anything else referring to it.
__________________
"I don't feel I need to explain my art to you Warren"
Offline  
Old 10-26-2007, 12:00 PM   #12
mahoward
CrackBerry Addict
 
Join Date: May 2005
Model: 8900
Carrier: T-Mobile
Posts: 560

From the AP article:

Kevin Kanarski, a network engineer for a major law firm, noticed the disruption in August and eventually traced the problem to Comcast. But he got the cold shoulder from the company's customer support department.

On Tuesday, Bowling acknowledged the problem, saying it was unintentional and due to a software bug that has been fixed. Kanarski said transfers started working again last week.
__________________
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices
Offline  
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.