I am having an issue that I simply cannot get past; I am hoping someone may have some ideas!
I have two sites, each site has ISA 2006 SP1 on Windows 2003 x32 SP2 as the Front Firewall.
I have an L2TP IPSEC VPN tunnel that allows the Internal LAN of both sites to communicate and I can ping all servers from both sites using shortname or FQDN.
The AD Domain Controllers are running Windows 2008 x64 SP1 and are able to replicate, DNS changes replicate, etc. across sites.
However, if I try to view the remote servers' Event Logs, the error I get back is "The RPC server is unavailable".
I have searched the web for hints that include making some registry changes in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ (which I have now removed as it has made no difference), and applying SP1 for ISA (which I already have).
All of the servers involved (2 x ISA and 2 x DC) have all updates applied, with no further updates available from the Microsoft Update website.
The Firewall rules that I have are:
Site1 Internal > Site2 (VPN Interface) All Outbound
Site2 (VPN Interface) > Internal All Outbound
Site2 Internal > Site1 (VPN Interface) All Outbound
Site1 (VPN Interface) > Internal All Outbound
The firewall logs basically show:
"Initiated Connection" Allow rule for "RPC (all interfaces)" protocol
"Closed Connection"
The same pattern can be seen on both ISA Firewall logs. Are there any ideas on what could be the possible cause?
Thanks.
N.
< Message edited by nabu32 -- 5.Feb.2009 9:19:14 PM >
Thanks Paulo for your reply, it is greatly appreciated.
I followed the KB943212 article and checked the file versions against my ISA servers (which happen to have newer versions: 5.0.7523.493).
I created a new custom RPC Protocol (Outbound), selected my DC and enabled all RPC interfaces (around 20 of them; interestingly, "Event log TCPIP" was one among them). I created new firewall rules, and basically the same thing happens. This time, instead of the older rules being logged, the new rules and my custom protocol are logged. However, the outcome is the same: when trying to view a remote Event Log, the dreaded "The RPC server is unavailable" error occurs.
Note: I have two ISA servers, so effectively it looks like this:
W2K8 DC <-> ISA 2K6 SP1 <--L2TP Tunnel--> ISA 2K6 SP1 <-> W2K8 DC
I will try doing a wire trace, as per the original technet blog.
Well, I can report good news, and that the fix is extremely simple...
Windows 2008 has a firewall exception, "Remote Event Log Management", which is disabled (even in the Domain profile). So in the end the Windows Firewall was blocking the requests.
Simply having ISA 2006 SP1 (with patches), all works fine; there is no need to create specific RPC interfaces, as it is already covered by the built-in "RPC (all interfaces)" protocol.
I could not understand why AD replication worked while viewing remote Event Logs did not. So, "back to basics", I tried to view a remote Event Log on another W2K8 server on the same subnet (rather than across the tunnel), which also failed, thus eliminating ISA altogether.
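The fix described above is a GUI step on the remote server. As an added example (not from the original post), the following PowerShell does the same check and fix from the command line and then verifies it the way Event Viewer would: it parses the Windows Firewall rule state with netsh, enables the "Remote Event Log Management" group, tightens the inbound rules' scope from the default "Any" to the management subnet, and reads one record over the Event Log RPC interface from the management host. The management subnet 10.1.0.0/24, the DC name dc2.site2.internal and the English netsh field labels are assumptions; substitute your own values.

```powershell
# Added example, not from the original post. Run Enable-RemoteEventLogGroup on
# the server whose logs you want to read (here the remote W2K8 DC); run
# Test-RemoteEventLog from the machine running Event Viewer.
# Assumptions (not in the thread): management subnet 10.1.0.0/24, remote DC
# 'dc2.site2.internal', and English netsh output labels (Rule Name:, Enabled: ...).

$RuleGroup = 'Remote Event Log Management'

function Get-FirewallRuleGroup {
    # netsh cannot filter 'show rule' by group, so dump every rule verbosely and
    # keep those whose 'Grouping:' line matches the requested group.
    param([string]$Group)
    $rules = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all verbose)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{
                Name = $matches[1].Trim(); Group = ''; Enabled = ''
                Direction = ''; Profiles = ''; RemoteIP = ''
            }
        }
        elseif ($current -and $line -match '^([A-Za-z ]+):\s*(.+)$') {
            switch ($matches[1].Trim()) {
                'Grouping'  { $current.Group     = $matches[2].Trim() }
                'Enabled'   { $current.Enabled   = $matches[2].Trim() }
                'Direction' { $current.Direction = $matches[2].Trim() }
                'Profiles'  { $current.Profiles  = $matches[2].Trim() }
                'RemoteIP'  { $current.RemoteIP  = $matches[2].Trim() }
            }
        }
    }
    if ($current) { $rules += $current }
    $rules | Where-Object { $_.Group -eq $Group }
}

function Enable-RemoteEventLogGroup {
    # Enable the predefined group (disabled by default, Domain profile included),
    # then restrict the inbound rules to the management subnet. Least privilege:
    # the predefined rules otherwise accept the Event Log RPC interface from Any.
    param([string]$ManagementSubnet = '10.1.0.0/24')
    Write-Host 'Before:'
    Get-FirewallRuleGroup $RuleGroup | Format-Table Name, Enabled, Profiles, RemoteIP -AutoSize
    netsh advfirewall firewall set rule group="$RuleGroup" new enable=yes | Out-Null
    foreach ($rule in (Get-FirewallRuleGroup $RuleGroup | Where-Object { $_.Direction -eq 'In' })) {
        netsh advfirewall firewall set rule name="$($rule.Name)" dir=in new remoteip="$ManagementSubnet" | Out-Null
    }
    Write-Host 'After:'
    Get-FirewallRuleGroup $RuleGroup | Format-Table Name, Enabled, Profiles, RemoteIP -AutoSize
}

function Test-RemoteEventLog {
    # Read one record over the Event Log RPC interface, the same path the
    # Event Viewer MMC uses for the classic logs, so the result mirrors the GUI.
    param([string]$ComputerName = 'dc2.site2.internal')
    try {
        $e = Get-EventLog -ComputerName $ComputerName -LogName System -Newest 1 -ErrorAction Stop
        Write-Host "OK: System log on $ComputerName reachable; latest event $($e.EventID) at $($e.TimeGenerated)"
        return $true
    }
    catch {
        Write-Host "FAILED: $($_.Exception.Message)"
        Write-Host "Check the '$RuleGroup' group in Windows Firewall on $ComputerName before blaming the ISA path."
        return $false
    }
}

# Usage:
#   on the remote DC:        Enable-RemoteEventLogGroup -ManagementSubnet '10.1.0.0/24'
#   on the admin machine:    Test-RemoteEventLog -ComputerName 'dc2.site2.internal'
```

Running Test-RemoteEventLog against a server on the same subnet first, as the post did, separates a Windows Firewall problem from an ISA problem: if it fails with "The RPC server is unavailable" without any ISA hop in between, the firewall on the target is the place to look.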
While I am at it: I had another issue, which was to do with ISA, and that was managing Exchange 2007 through the Exchange Management Console.
I thought I would post the solution.
Whenever I looked at a remote Exchange Server through the management console, I would see the following errors:
--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) were reported while loading topology information:

Get-ActiveSyncVirtualDirectory
Failed
Error: The task was not able to connect to IIS on the server 'exchange1.internal'. Ensure that the server exists and is reachable from this computer: The RPC server is unavailable.

Get-OabVirtualDirectory
Failed
Error: The task was not able to connect to IIS on the server 'exchange1.internal'. Ensure that the server exists and is reachable from this computer: The RPC server is unavailable.

Get-OWAVirtualDirectory
Failed
Error: The task was not able to connect to IIS on the server 'exchange1.internal'. Ensure that the server exists and is reachable from this computer: The RPC server is unavailable.
--------------------------------------------------------
The event logged on the Exchange Server was: Event ID: 10009 - "DCOM was unable to communicate with the computer exchange1.internal using any of the configured protocols."
The solution here I found (http://blogs.technet.com/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx) was to do with strict RPC compliance stopping DCOM communications. Unchecking the "Enforce strict RPC compliance" option for all the rules involved between my internal and remote site removed this issue.
This has no doubt already been commented on before, I would welcome comments on a better solution if anyone has ideas.
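The symptom above (the endpoint mapper is reachable, but DCOM calls fail with "The RPC server is unavailable" and the target logs DCOM event 10009) is distinct from the Windows Firewall case earlier in the thread. As an added example (not from the original post), this PowerShell separates the two: it first checks whether TCP 135 on the remote server accepts a connection, then issues a WMI query, which travels over DCOM just as the console's IIS metabase calls do. The host name exchange1.internal is taken from the error text in the post; the interpretation of the result follows the linked TechNet ISA blog post on strict RPC compliance.

```powershell
# Added example, not from the original post: tell "RPC endpoint mapper
# unreachable" apart from "endpoint mapper reachable but DCOM dropped", which is
# the pattern produced when an ISA rule has 'Enforce strict RPC compliance' set.
# Host name from the post's error text; run this from the management host.
function Test-DcomPath {
    param([string]$ComputerName = 'exchange1.internal')
    $result = New-Object PSObject -Property @{
        Computer = $ComputerName; EpmReachable = $false; DcomWorks = $false; Error = ''
    }

    # Step 1: TCP 135 is the RPC endpoint mapper. Connecting proves only the
    # first leg of RPC works; the ISA RPC filter allows this in both cases.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, 135)
        $result.EpmReachable = $tcp.Connected
    }
    catch { $result.Error = $_.Exception.Message }
    finally { $tcp.Close() }

    # Step 2: WMI runs over DCOM (activation via the endpoint mapper, then a
    # dynamically assigned port). If step 1 passed and this fails with
    # "The RPC server is unavailable", the blocker is on the DCOM leg, which is
    # exactly what strict RPC compliance on the ISA rule causes.
    if ($result.EpmReachable) {
        try {
            $os = Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem -ErrorAction Stop
            $result.DcomWorks = ($os -ne $null)
        }
        catch { $result.Error = $_.Exception.Message }
    }

    if ($result.EpmReachable -and -not $result.DcomWorks) {
        Write-Host "Endpoint mapper answers but DCOM fails: check 'Enforce strict RPC compliance' on the ISA rules between here and $ComputerName."
    }
    $result
}

# Usage (before and after unchecking the option on the relevant ISA rules):
#   Test-DcomPath -ComputerName 'exchange1.internal' | Format-List
```

Compare the output before and after unchecking the option on the rules between the sites: EpmReachable should be true in both runs, and DcomWorks should flip from false to true once the change has been applied.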