Server2008: Intradomain Traffic
Server2008: Intradomain Traffic - 12.Feb.2008 5:03:11 AM
ESCde:MR
Posts: 1
Joined: 12.Feb.2008
Status: offline
Hello ISA experts,

I'm currently building up an ISA back-to-back configuration. The DMZ servers are domain members. The domain is a Windows Server 2008 domain. I illustrated the infrastructure in this network diagram.

DC: Windows Server 2008 EE (DC, DNS)
ISABack: Windows Server 2003 R2 SP2, ISA 2006 Std
WebServer: Windows Server 2008 EE Core
ISAFront: Windows Server 2003 R2 SP2, ISA 2006 EE

As the frontend ISA isn't involved in this problem, I won't write down its configuration. The relevant one is the backend ISA, which has:

Routing relationship between Internal and DMZ
NAT relationship between Internal and External

Currently there are only two firewall policies:

Allow DNS from DC to External
Allow 'intradomain traffic' between DMZ computers and DCs

'Intradomain traffic' means the protocols Microsoft CIFS (TCP), Microsoft CIFS (UDP), DNS, Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog), RPC (all interfaces), NTP (UDP) and Ping.

Now let's get to the problem. The WebServer is a domain member. I joined it to the domain before the ISA firewall was installed (it resided in the same network as the DC). Now, when for example gpupdate /force is run on the WebServer, it doesn't work. The backend ISA logs the attempts from the WebServer to initiate an RPC connection to the DC, but the connections are killed by ISA immediately. The intradomain policy is applied to the traffic, as I can see in the ISA live logging:

Client: WebServer, Destination: DC, Protocol: RPC (all interfaces), Action: Initiated Connection, Result: 0x0 ERROR_SUCCESS
Client: WebServer, Destination: DC, Protocol: RPC (all interfaces), Action: Closed Connection, Result: 0x80074e24 FWX_E_CONNECTION_KILLED

These two events occur as long as the WebServer tries to reach the DC.

As I have seen from other newsgroups or blogs, the 'enforce strict RPC compliance' trigger can cause problems, but I already disabled it on the intradomain traffic rule as well as in the system policy. So it seems like I'm stuck at this point. I wonder if it could be that RPC has changed in Server 2008, especially after reading this KB article. Please ask if I forgot some important information. I appreciate every attempt to help.
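The log pair quoted in the post above (an "Initiated Connection" with ERROR_SUCCESS immediately followed by a "Closed Connection" with FWX_E_CONNECTION_KILLED) is easy to recognise once, but hard to pick out of a busy firewall log export, and it helps to know whether the killed connection was to the RPC endpoint mapper on 135 or to a dynamic port handed out by it. The Python script below is an added example, not code from the original post or from ISA Server: it correlates the two events per (client, destination, port, protocol), flags the RPC sessions ISA killed, and labels each destination port as the endpoint mapper, a well-known AD port, or a dynamic port in the Windows Server 2003 (1025-5000) or Windows Server 2008 (49152-65535) default range, which is the range the netsh dynamicport command mentioned later in the thread adjusts. The tab-separated layout, the field names and the sample log lines are constructed assumptions and not the exact ISA 2006 W3C export; adapt parse_log to the columns of a real export.

```python
"""Correlate ISA firewall log entries to find RPC sessions ISA killed.

Constructed example. The tab-separated layout and field names are an
assumption, not the exact column layout of an ISA 2006 W3C log export.
"""
from collections import Counter
from datetime import datetime

# Assumed column order of the (simplified) export.
FIELDS = ["date", "time", "client_ip", "dest_ip", "dest_port",
          "protocol", "action", "result", "rule"]

ERROR_SUCCESS = 0x0
FWX_E_CONNECTION_KILLED = 0x80074E24    # result code quoted in the thread
EPM_PORT = 135                          # RPC endpoint mapper
# Well-known AD ports that fall inside or near the dynamic ranges.
KNOWN_AD_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}
DYN_2003 = (1025, 5000)                 # default dynamic range, Windows Server 2003
DYN_2008 = (49152, 65535)               # default dynamic range, Windows Server 2008

# Constructed sample: a DMZ member (10.0.2.20) talking to a DC (10.0.1.10).
SAMPLE_LOG = "\n".join([
    "#Fields: " + " ".join(FIELDS),
    "2008-02-12\t05:01:10\t10.0.2.20\t10.0.1.10\t135\tRPC (all interfaces)\tInitiated Connection\t0x0\tAllow intradomain traffic",
    "2008-02-12\t05:01:10\t10.0.2.20\t10.0.1.10\t135\tRPC (all interfaces)\tClosed Connection\t0x80074e24\tAllow intradomain traffic",
    "2008-02-12\t05:01:11\t10.0.2.20\t10.0.1.10\t49158\tRPC (all interfaces)\tInitiated Connection\t0x0\tAllow intradomain traffic",
    "2008-02-12\t05:01:11\t10.0.2.20\t10.0.1.10\t49158\tRPC (all interfaces)\tClosed Connection\t0x80074e24\tAllow intradomain traffic",
    "2008-02-12\t05:01:12\t10.0.2.20\t10.0.1.10\t88\tKerberos-Sec (TCP)\tInitiated Connection\t0x0\tAllow intradomain traffic",
    "2008-02-12\t05:01:13\t10.0.2.20\t10.0.1.10\t88\tKerberos-Sec (TCP)\tClosed Connection\t0x0\tAllow intradomain traffic",
    "2008-02-12\t05:01:14\t10.0.2.20\t10.0.1.10\t389\tLDAP\tInitiated Connection\t0x0\tAllow intradomain traffic",
])


def parse_log(text):
    """Turn the tab-separated export into a list of typed records."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip W3C-style header/comment lines
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue                      # malformed line; skip rather than crash
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        rec["dest_port"] = int(rec["dest_port"])
        rec["result"] = int(rec["result"], 16)   # "0x80074e24" -> int
        records.append(rec)
    return records


def classify_port(port):
    """Label a destination port by the role it plays in an RPC exchange."""
    if port == EPM_PORT:
        return "endpoint-mapper"
    if port in KNOWN_AD_PORTS:
        return "well-known"
    if DYN_2008[0] <= port <= DYN_2008[1]:
        return "dynamic-2008"
    if DYN_2003[0] <= port <= DYN_2003[1]:
        return "dynamic-2003"
    return "other"


def _session(key, result, rule, duration):
    client, dest, port, protocol = key
    return {"client": client, "dest": dest, "port": port, "protocol": protocol,
            "port_class": classify_port(port), "rule": rule, "result": result,
            "killed": result == FWX_E_CONNECTION_KILLED, "duration_s": duration}


def correlate(records):
    """Pair each Initiated Connection with its Closed Connection.

    Sessions still open at the end of the log get result None.
    """
    pending, sessions = {}, []
    for rec in records:
        key = (rec["client_ip"], rec["dest_ip"], rec["dest_port"], rec["protocol"])
        if rec["action"] == "Initiated Connection":
            pending[key] = rec
        elif rec["action"] == "Closed Connection":
            start = pending.pop(key, None)
            duration = (rec["when"] - start["when"]).total_seconds() if start else None
            sessions.append(_session(key, rec["result"], rec["rule"], duration))
    for key, start in pending.items():
        sessions.append(_session(key, None, start["rule"], None))
    return sessions


def killed_rpc_sessions(sessions):
    """Only the sessions ISA killed on an RPC protocol definition."""
    return [s for s in sessions if s["killed"] and s["protocol"].startswith("RPC")]


def summarize_killed(sessions):
    """Count killed RPC sessions per (client, destination) pair."""
    return Counter((s["client"], s["dest"]) for s in killed_rpc_sessions(sessions))


if __name__ == "__main__":
    sessions = correlate(parse_log(SAMPLE_LOG))
    for s in killed_rpc_sessions(sessions):
        print(f"KILLED {s['client']} -> {s['dest']}:{s['port']} "
              f"({s['port_class']}) after {s['duration_s']}s, rule '{s['rule']}'")
    for (client, dest), n in summarize_killed(sessions).items():
        print(f"{client} -> {dest}: {n} RPC session(s) killed")
```

Run against the constructed sample, the script reports the endpoint-mapper connection and the follow-up connection to a port in the 2008 dynamic range as killed within the same second, while the Kerberos session closes normally and the LDAP session is simply still open. A kill on the endpoint-mapper connection itself, before any dynamic port is negotiated, points at the RPC filter's handling of the EPM exchange rather than at a port range the policy forgot to allow.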
RE: Server2008: Intradomain Traffic - 13.Mar.2008 11:00:23 AM
itsallwright
Posts: 6
Joined: 13.Mar.2008
Status: offline
Hi, Did you ever find a solution to your problem? Are you running the 32-bit or 64-bit version of Server 2008? The reason I ask is because we are having the same type of problem going through ISA 2006. Our setup is a little different, but the end result is the same. We have 2 sites connected through ISA and a site-to-site tunnel. DCDiag Fails the KnowsOfRoleHolders test for all the roles that are on a remote 64-bit server 2008 machine. DFSR fails to replicate across the ISA servers and we are unable to move the Exchange mailboxes across. All communication within the site works fine, but any RPC related traffic seems to be failing when it has to pass through ISA. We have been slowly rebuilding our servers on the 32-bit version of Server 2008 to get by, but we really don't want to have to drop our Exchange 2007 servers to 32-bit as that configuration is not supported. Any help you can provide will be greatly appreciated. TIA, Jay
RE: Server2008: Intradomain Traffic - 18.Mar.2008 2:51:28 PM
cheapshot2000
Posts: 2
Joined: 18.Mar.2008
Status: offline
I'm having the same problem and see the same connection-killed event in the monitoring when a Server 2008 x64 communicates via RPC with other 2008 x64 boxes if they have to go through an ISA 2006 server. Servers that do not have to cross an ISA boundary can communicate fine. I also have already disabled the strict RPC. Anyone have any ideas? Thanks, cheapshot
RE: Server2008: Intradomain Traffic - 19.Mar.2008 11:24:30 AM
Jason Jones
Posts: 1802
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Done this lots with Windows 2003, so I guess Windows 2008 must be doing something different with regard to RPC. Have you tried monitoring with 'All protocols' to ensure any other protocols are not being denied? Is Windows configured to use IPv4 only? Have you tried defining static RPC ports and configuring these within ISA as opposed to using the 'RPC (All Interfaces)' protocol? Not ideal, but may get things working until a fix is found...
_____________________________
Jason Jones Silversands Ltd http://www.silversands.co.uk View My Blog: http://blog.msfirewall.org.uk/ Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Server2008: Intradomain Traffic - 20.Mar.2008 10:37:23 AM
cheapshot2000
Posts: 2
Joined: 18.Mar.2008
Status: offline
Thanks Jason for the information. I agree that it does seem similar to the issues with 2003 SP1. From this article, http://blogs.technet.com/filecab/archive/2007/12/26/what-s-new-in-windows-server-2008.aspx, I know RPC has changed in 2008 with the asynchronous calling among others. Being that I am seeing the 0x80074e24 FWX_E_CONNECTION_KILLED errors in my ISA logs, I am wondering if ISA 2006 RPC's filter does not like the changes, esp with the x64 version of 2008. To further clarify my setup, I have the firewalls turned off on the servers themselves relying on ISA to do all the firewalling. The Site-2-Site rule is not restricted to certain protocols; it allows all outbound through it. It also has the strict RPC disabled (as well as the system policies). I have not yet tried unbinding ipv6 from the network adaptors on the 2008 servers. I can try defining static port ranges too, but being that ISA is configured to allow all traffic through the tunnel I am not too optimistic. I'll let you know how it goes. Thanks again for the ideas.
RE: Server2008: Intradomain Traffic - 21.Mar.2008 1:49:29 PM
itsallwright
Posts: 6
Joined: 13.Mar.2008
Status: offline
Jason, thanks for your replies. I tried running "netsh int ipv4 set dynamicport" on the 2008 servers to force them to use the 2003 server defaults and that did not help. You mentioned "Have you tried defining static RPC ports and configuring these within ISA as opposed to using the 'RPC (All Interfaces)' protocol?". I am not sure what you mean by this, but it did get me looking around. I tried to unbind the RPC filter from the RPC (All Interfaces) protocol and this worked. This leads me to my next question. What is the RPC filter needed for and what problems or security holes did I just create by doing this? Thanks, Jay
RE: Server2008: Intradomain Traffic - 26.Mar.2008 9:42:19 AM
Jason Jones
Posts: 1802
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
A friend at MS has confirmed this is a bug in the RPC filter specific to x64 Windows Server 2008...waiting to hear about the availability of a fix... Cheers JJ
RE: Server2008: Intradomain Traffic - 26.Mar.2008 10:27:29 PM
itsallwright
Posts: 6
Joined: 13.Mar.2008
Status: offline
That did it! Thank you very much Jason for all your replies and for finding this patch. We are in business again. I feel like I might have hijacked this post from ESCde:MR. Hopefully this patch fixes his issue too. Thanks again, Jay
RE: Server2008: Intradomain Traffic - 12.May.2008 10:06:29 AM
ldoodle
Posts: 60
Joined: 21.Mar.2005
From: England
Status: offline
Hello, has this fix been publicly released, or is it still on a 'contact us if you want it' basis? I have this problem (and can confirm it doesn't exist when using 32-bit W2K8), so I need it fixed. Thanks