Welcome to ISAserver.org
RPC failure because of SP2
RPC failure because of SP2 - 16.May2007 3:57:42 AM
KrisVG
Posts: 4
Joined: 8.Apr.2007
Status: offline

I have an ISA server with 3 interfaces: Internal, External and UsersNetwork. DCs are on the internal network, clients are on the UsersNetwork. All functions OK until I install SP 2 on the Server 2003 R2 ISA SE Server.

A Microsoft article talks about 3 problems:
1. Performance issues under certain circumstances (not my case)
2. Some problems with ADAM when using ISA Enterprise Edition (not my case)
3. Potential problems with RSS in NAT relationships (not my case)

I already tried unchecking the "Strict RPC" checkbox and even tried to disable RSS (even though I'm experiencing my problems in a route relationship and even between the ISA server and the DCs).

Once SP2 is installed, machines on the UsersNetwork AND the ISA server itself can no longer correctly log on to the domain (event 1053 "Windows cannot determine the user or computer name"). This results in extremely slow logons. Oddly: once logged on all seems to work OK (i.e. file and printer access, group policies remain unapplied so the situation is unacceptable).

Logging on the ISA server tells me that the ISA server (and clients on the UsersNetwork) try to open an RPC connection to one of the domain controllers and that this fails because the reply from the server is treated as "unidentified traffic" and is blocked by the ISA server (even creating a custom protocol doesn't change this: the traffic keeps being blocked and the logs don't specify a rule that blocks it).

To add to the strangeness: the same configuration on virtual machines (yes, I did test this first) works fine.

Now the question(s):
Does anyone have a Server 2003 Sp with ISA Standard capable of logging on correctly to a domain?
I've always used the "patch everything" principle, what's the (security) risk of not applying SP2?
Anyone heard of a MS statement concerning support for servers that don't have SP2 installed?

Any idea/comment is welcome.

Kris.

RE: RPC failure because of SP2 - 16.May2007 9:08:09 AM
BrandonOz
Posts: 23
Joined: 30.Jan.2007
Status: offline

Give this a try. Disable the RPC filter, you will find this under Configurations, Add Ins, Applications filters. Once disabled, then set up a rule allowing "All outbound traffic" from your ISA to your DC. I know this may sound as an uneasy solution, but this is how I temporarily fixed my network as suggested by Microsoft.

Hope it helps.

B

Ref: http://forums.isaserver.org/m_2002041428/mpage_1/key_/tm.htm#2002041428

RE: RPC failure because of SP2 - 16.May2007 12:12:39 PM
KrisVG
Posts: 4
Joined: 8.Apr.2007
Status: offline

Thank you for the suggestion, I'll try it and post the result.

Question: doesn't disabling the RPC filter sort of take away the exact meaning of the firewall? It gives me the impression that I'm using the ISA firewall as a simple open-or-close-some-port firewall.

Kris.

RE: RPC failure because of SP2 - 17.May2007 4:54:02 AM
KrisVG
Posts: 4
Joined: 8.Apr.2007
Status: offline

Gents,

Thanks again for the response. I tried to disable the RPC filtering but to no avail. However, while I was there I also retried to disable RSS. This time however I did so using the registry editing, not by using the GUI that comes with the HP utilities (I work with an HP server (which only contains HP hardware)). Apparently this did the trick, so I re-enabled RPC filtering and all keeps on functioning as it should. (I'm not sure but I think the HP GUI only disables RSS for certain NICs and I've got three different types of NICs in the server, some of which don't have the option to disable RSS in the HP utilities.)

So, in resume, I now have a Server 2003 R2 with SP2, no RSS, RPC filtering enabled and it actually works.

Remaining mystery: why do I have to disable RSS when experiencing problems in a routing relationship and even in a local network relationship?

I'm a bit stressed for time right now, but if I can I'll test re-enabling Strict RPC as well. If that works I'll post it here.

Thanks again for your time and interest,

Kris.

RE: RPC failure because of SP2 - 17.May2007 11:12:06 AM
KrisVG
Posts: 4
Joined: 8.Apr.2007
Status: offline

I just tested re-enabling "Strict RPC" and logons still function as should. Unfortunately, I still don't see the link between RSS enabled and the RPC calls failing. The explanation in the MS article (http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695) doesn't really explain in a detailed manner.

Kris.

RE: RPC failure because of SP2 - 18.May2007 6:57:37 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:
ORIGINAL: KrisVG
Gents, Thanks again for the response. I tried to disable the RPC filtering but to no avail. However, while I was there I also retried to disable RSS. This time however I did so using the registry editing, not by using the GUI that comes with the HP utilities (I work with an HP server (which only contains HP hardware)). Apparently this did the trick, so I re-enabled RPC filtering and all keeps on functioning as it should. (I'm not sure but I think the HP GUI only disables RSS for certain NICs and I've got three different types of NICs in the server, some of which don't have the option to disable RSS in the HP utilities.) So, in resume, I now have a Server 2003 R2 with SP2, no RSS, RPC filtering enabled and it actually works. Remaining mystery: why do I have to disable RSS when experiencing problems in a routing relationship and even in a local network relationship? I'm a bit stressed for time right now, but if I can I'll test re-enabling Strict RPC as well. If that works I'll post it here. Thanks again for your time and interest, Kris.

Hi Kris,

Thanks for the info! Appreciate the time it took for you to keep us up to date on this.

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8