• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

DMZ to LAN denied RPC (All interfaces)

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> DMZ >> DMZ to LAN denied RPC (All interfaces) Page: [1]
Message << Older Topic   Newer Topic >>
DMZ to LAN denied RPC (All interfaces) - 1.Jul.2008 3:49:39 PM   


Posts: 10
Joined: 15.Jul.2005
Status: offline
I'm trying to create a new dmz setup with our ISA 2004 setup towards the internal Win2k3 network. I'm running ISA2004 SP3 on Win2K3 SP2.

The problem which I've been investigating for one and a half day now is that I can't get a member server in the domain to get a full domain connection to the AD hosts in the internal lan.

The member server is an freshly installed 2k3 sp2 box and it's already part of the domain. I configured the network rules to route back and forth from the internal network to the DMZ. I've created an access rule from DMZ outbound to Internal with the following protocols:

Kerberos-Adm (TCP/UDP)
Ldap (TCP/UDP)
Ldaps (TCP/UDP)
RCP (all interfaces)

Whit this rule in place I almost have full access to the domain, I can browse shares, ping, query the dns but I can't get it to apply my GPO's.
Whenever I try to perform a gpupdate I'll end up with an RPC (All interfaces) denied message.

I've tried to disable strict RPC rules, I've disabled the filter, I addedd the RSS disable reg entry as wel as the TCP ofload entries. I also added the Server2003NegotiateDisable key. None were successfull.

In the end I created a Allow all rule and disabled the RPC filter alltogether.
After a reboot the access rule worked, however the moment I edit the rule ie adding the right ports the rule stops functioning an I need to start all over again rebooting the server to get it to accept the rule.

Currently I'm stuck, do any of you guys have a clue?
Post #: 1
RE: DMZ to LAN denied RPC (All interfaces) - 1.Jul.2008 5:29:53 PM   


Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Check this article by Tom Shinder : Allowing Intradomain Communications through the ISA Firewall (2004)



Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to superprutser)
Post #: 2
RE: DMZ to LAN denied RPC (All interfaces) - 2.Jul.2008 3:12:09 PM   


Posts: 10
Joined: 15.Jul.2005
Status: offline
Thanks for your feedback.
The post has been helpfull and did prove somewhat usefull.
After implementing the fixed port 50000 as suggested, the Gpupdate works 6 out of 10 times, during the other times I'm still seeing a lot of these errors:
Log type: Firewall service Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer. Rule: Source: DMZ ( Destination: Internal ( Protocol: RPC (all interfaces) User:
I've done my research and the most common cause is SP2 with the scalable net pack. I've implemented the RSS and offloading tweaks and also updated my nic drivers. Unfortunately with out the required result.

Sometimes I feel like a complete noob...
I seems that removing the IPv6 Binding from my W2K8 DMZ member server resolved the issue. 

< Message edited by superprutser -- 3.Jul.2008 6:28:43 AM >

(in reply to elmajdal)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> DMZ >> DMZ to LAN denied RPC (All interfaces) Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts