Port 1745: Microsoft Winsock Proxy — The control channel for a polite deception

What This Port Is

Port 1745 sits in the registered port range (1024–49151). IANA has not assigned it an official service, but it has a well-documented unofficial life: Microsoft's Proxy Server 2.0 and ISA Server used TCP and UDP port 1745 as the control channel between the Firewall Client and the proxy server itself.¹

The Winsock Proxy Trick

In the late 1990s and early 2000s, corporate networks faced a familiar problem. Applications expected direct Internet access. Proxy servers existed to mediate that access — for security, bandwidth control, and logging. But most applications weren't written to speak proxy. They called Winsock functions like connect() expecting a direct path.

Microsoft's solution was elegant deception. The Firewall Client installed a Layered Service Provider (LSP) on client machines — a shim that sat between any application and the real Winsock. When an app called connect(), the LSP intercepted it and quietly established a connection over port 1745 to the ISA Server instead.²

The application never knew. It believed it was talking directly to the Internet. Port 1745 was the back channel where the ISA Server received those intercepted calls, resolved them against the Local Address Table (LAT), and decided whether to handle them locally or relay them outbound.

The Vulnerability

In 2003, Microsoft issued Security Bulletin MS03-012 disclosing a flaw in this very mechanism.³ A malformed UDP packet sent to port 1745 could push CPU utilization to 100% and cause the server to stop responding — a denial-of-service attack from inside the network. An attacker didn't need Internet access. They just needed to be on the LAN.

The deception had a hole in it.

What Range This Port Belongs To

Registered ports: 1024–49151. These are ports IANA tracks and assigns to specific services on request, but "registered" doesn't mean "active." Thousands of ports in this range were claimed by software that no longer ships, services that were superseded, or products that simply faded. Port 1745 is in that category — associated with Microsoft Proxy Server 2.0 and ISA Server, both of which reached end-of-life years ago (ISA Server 2006 went end-of-extended-support in 2011).

If you encounter port 1745 open on a modern system, it's almost certainly not ISA Server. It's something else — a custom application, a game server, or a misconfiguration worth investigating.

How to Check What's Listening

Linux/macOS:

# Show what process is bound to port 1745
sudo ss -tlnp | grep 1745
sudo lsof -i :1745

Windows:

# Show listening ports with process IDs
netstat -ano | findstr :1745

# Identify the process by PID
tasklist | findstr <PID>

From outside the machine:

# Test if the port is open (TCP)
nc -zv <host> 1745
nmap -p 1745 <host>

Why Unassigned Ports Matter

The port registry isn't a wall — it's a map. Unassigned doesn't mean unused, and it doesn't mean safe. Port 1745's history is a useful reminder: a port can carry real traffic for years, become associated with a specific security vulnerability, and then go quiet as the software it served stops shipping. The next thing to claim it inherits none of that context and all of that port number.

When you see an unexpected open port, the question isn't "is this registered?" The question is: "what is this process, and why is it listening?"