Welcome to ISAserver.org


Discussion about article on RPC Inspection

Discussion about article on RPC Inspection - 19.Feb.2005 1:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on the ISA firewall's RPC stateful inspection feature at http://isaserver.org/articles/2004rpc.html

HTH,
Tom

[ February 19, 2005, 02:06 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on RPC Inspection - 19.Feb.2005 4:29:00 PM   
Moez

 

Posts: 13
Joined: 14.May2003
From: Tunisia
Status: offline
Very Good article, Thank you Frederic and Thomas [Smile]

(in reply to tshinder)
Post #: 2
RE: Discussion about article on RPC Inspection - 19.Feb.2005 5:04:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Moez,

I didn't know there were more ISA firewall MVPs from France! Great! Congrats and I hope to meet you at the worldwide MVP conference!

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on RPC Inspection - 25.Feb.2005 1:23:00 AM   
PaulCyr

 

Posts: 60
Joined: 17.Mar.2001
From: Charlottetown, PE, Canada
Status: offline
What other types of RPC traffic would a company typically secure in this manner?
I can see Outlook 2003 and Exchange but what else?

The following article describes the RPC-dependent services:

What Is RPC? http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_rpc_what.asp

(in reply to tshinder)
Post #: 4
RE: Discussion about article on RPC Inspection - 25.Feb.2005 11:42:00 PM   
samisa05

 

Posts: 11
Joined: 1.Jan.2005
Status: offline
Hello,

An interesting topic. May I ask if this applies to ISA2004 on Win2000 server? I don't seem to be able to capture UUID using Win2000 Server Netmon. My admin workstation runs XP, though.

Thanks.
Sam

(in reply to tshinder)
Post #: 5
RE: Discussion about article on RPC Inspection - 27.Feb.2005 9:14:00 PM   
Ole.Nielsen

 

Posts: 15
Joined: 12.Feb.2005
Status: offline
Great article! Thanks!

I've tried to use it to secure authentication traffic:

A terminal server in one domain authenticates users from a child domain - and therefore has to communicate with the DCs in the child domain over the ISA Firewall.

The authentication process involves RPC traffic among other things. Everything is great when I use the default "RPC (all interfaces)" definition in my Access Rule, but I would like to restrict the allowed RPC interfaces a bit further, so I've created a custom RPC protocol definition comprising the UUIDs I see in my Ethereal network trace, which are:

{12345778-1234-abcd-ef00-0123456789ab} LSA
{12345778-1234-abcd-ef00-0123456789ac} SAMR
{338cd001-2244-31f1-aaaa-900038001003} WINREG
{E1AF8308-5D1F-11C9-91A4-08002B14A0FA} EPM
{e3514235-4b06-11d1-ab04-00c04fc2dcd2} DRSUAPI

But the ISA keeps rejecting the RPC traffic according to the Default Rule, Destination Port 135, Protocol "RPC (All Interfaces)".

I've noticed that when you create a new RPC Protocol definition, the primary connection will be 135/TCP INBOUND. And for Access Rules to work, the direction is usually OUTBOUND.

But in the article you create an RPC Protocol definition and use it in an Access Rule, don't you?

Are you able to explain how I can get my Access Rule to work?

Best regards,
ISA Fan

(in reply to tshinder)
Post #: 6
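To show what a UUID-restricted RPC protocol definition like the one above actually matches on, here is an added Python example (not code from the article, from ISA Server, or from anyone in this thread). It parses a DCE/RPC bind PDU, extracts the requested interface UUID and checks it against the five UUIDs listed in the post; the bind builder, its frag sizes and the unknown UUID in the test are constructed sample input, and the parser assumes little-endian NDR and a single fragment.

```python
import struct
import uuid

# Allow-list: the interface UUIDs the post above saw for child-domain authentication.
ALLOWED = {
    "12345778-1234-abcd-ef00-0123456789ab": "LSA",
    "12345778-1234-abcd-ef00-0123456789ac": "SAMR",
    "338cd001-2244-31f1-aaaa-900038001003": "WINREG",
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "EPM",
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "DRSUAPI",
}
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR 2.0 transfer syntax
PTYPE_BIND = 11

def build_bind(iface: str, call_id: int = 1) -> bytes:
    """Constructed sample input: a minimal DCE/RPC bind PDU (v5, little-endian
    drep) with one presentation context for `iface`, as a client would send it."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)   # frag sizes, assoc group, 1 context
    body += struct.pack("<HBB", 0, 1, 0)                    # context id 0, 1 transfer syntax
    body += uuid.UUID(iface).bytes_le + struct.pack("<HH", 1, 0)  # abstract syntax, v1.0
    body += NDR.bytes_le + struct.pack("<I", 2)             # NDR transfer syntax, v2
    hdr = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 0x03, 0x10, 16 + len(body), 0, call_id)
    return hdr + body

def bind_interfaces(pdu: bytes) -> list:
    """Parse a bind PDU and return the requested interface UUIDs, i.e. the
    value an RPC filter compares with its protocol definition."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    vers, _, ptype, _, drep, frag_len, _, _ = struct.unpack_from("<BBBBIHHI", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if (drep & 0xF0) != 0x10:
        raise ValueError("only little-endian data representation handled")
    if frag_len > len(pdu):
        raise ValueError("fragment length exceeds captured bytes")
    n_ctx, off, found = pdu[24], 28, []
    for _ in range(n_ctx):
        _cid, n_ts, _ = struct.unpack_from("<HBB", pdu, off)
        if off + 24 + 20 * n_ts > len(pdu):
            raise ValueError("truncated presentation context")
        found.append(str(uuid.UUID(bytes_le=pdu[off + 4:off + 20])))
        off += 24 + 20 * n_ts          # context header + abstract syntax + transfer syntaxes
    return found

def filter_bind(pdu: bytes, allowed=ALLOWED) -> tuple:
    """Allow the bind only if every requested interface is on the allow-list."""
    ifaces = bind_interfaces(pdu)
    verdict = "allow" if all(i in allowed for i in ifaces) else "deny"
    return verdict, [allowed.get(i, i) for i in ifaces]
```

A bind for an interface outside the list is denied before any high-port traffic is considered, which is the decision the article's custom RPC protocol definition is meant to make.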
RE: Discussion about article on RPC Inspection - 4.Mar.2005 12:06:00 PM   
ioda@niks.by

 

Posts: 5
Joined: 8.May2002
Status: offline
I've tried to use it too, but it doesn't work.

(in reply to tshinder)
Post #: 7
RE: Discussion about article on RPC Inspection - 6.Mar.2005 12:20:00 AM   
fesnouf@hotmail.com

 

Posts: 64
Joined: 14.Jan.2002
From: Paris
Status: offline
Sorry for the delay, ... went skiing ;-)

Could we exchange a few mails to see what is going on? Then, as soon as it works, we can post the answer on ISAServer.org.

My email is frederic@esnouf.net.

Fred [Cool]

(in reply to tshinder)
Post #: 8
RE: Discussion about article on RPC Inspection - 7.Mar.2005 9:34:00 PM   
fesnouf@hotmail.com

 

Posts: 64
Joined: 14.Jan.2002
From: Paris
Status: offline
An answer for PaulCyr...

I can give you 2 examples about this kind of infrastructure.

Example 1:
I recently worked on an AD design for a company with 50 sites in the world. Part of these sites were the result of mergers, and so not fully 'managed and trusted'. So we wanted to make sure that AD replication from these sites to the 'corporate servers' was secured. With a layer 3 firewall, the only option is to force all the RPC services to use specific ports... with ISA 2004 as a firewall we just had to filter UUIDs...
One site was located in Asia and this site was trusted. We wanted to authorize the local IT team to manage a few servers at the corporate site (I mean run a few MMCs). With a layer 3 firewall, no way. With ISA I implemented exactly what I describe in the article.

Example 2: suppose that a small company asks another company to manage the server (create users, Exchange mailboxes, ...). This external company works via VPN. If you want to limit what this company can see from their site, RPC filtering is perfect. (Of course, if you give TSE you are bad.)

What is your experience and comments about the article? And the need for filtering RPC?

Thanks

Fred

(in reply to tshinder)
Post #: 9
RE: Discussion about article on RPC Inspection - 13.Jun.2005 12:58:00 PM   
tkeeler

 

Posts: 7
Joined: 8.Jan.2005
Status: offline
Hi - I'm having the same problems as ISA Fan and ioda@niks.by; I'm wondering if there was any followup or solution to their problem.

If so, would someone mind posting the conversation so I can work on my server? Currently I'm resorting to using RPC (all interfaces)...

Thanks!

(in reply to tshinder)
Post #: 10
RE: Discussion about article on RPC Inspection - 14.Oct.2005 5:22:00 AM   
hennish

 

Posts: 26
Joined: 1.Dec.2004
Status: offline
I'm trying to set up an RPC rule for allowing SQL replication over RPC. However, I can't find a single page on MS or the web describing which UUIDs are required for this. [Frown]

Sure, I can do a packet sniff to determine the UUID required for SQL, but is that really the way ISA admins are supposed to have to work?

MS, wake up and smell the complexity! [Smile]

(in reply to tshinder)
Post #: 11
RE: Discussion about article on RPC Inspection - 12.Dec.2005 4:27:38 PM   
nofear

 

Posts: 95
Joined: 28.Nov.2005
Status: offline
Hi,
I want to ask something.
I have a new ISA 2004 server and I have internal, DMZ and external networks.

I have a MOM server in the DMZ, and I have the MOM agent (client) in the internal network;
I think RPC is used to enable their communication.

Now, how should I enable such communication??


----------------
Another question:

Suppose I have an Exchange server in the DMZ and I am in the internal network. I will first contact port 135 on the Exchange server to find out the high port of the target service I want to connect to. Would the out-of-the-box ISA monitor the traffic by default, see the return port that I will use to connect to the Exchange server, and thus allow the connection??
Or should I create a rule to allow port 135 from internal to DMZ??

(in reply to tshinder)
Post #: 12
RE: Discussion about article on RPC Inspection - 13.Jan.2006 12:53:23 AM   
a13antichrist

 

Posts: 46
Joined: 5.Jul.2005
Status: offline
Like everyone else here, I have had nothing but trouble with this RPC filter, and have become extremely skeptical, especially of the ISA MMC example used. Ethereal shows that the ISA MMC NEVER makes any request on 135 - it always uses the MS Firewall Control port as configured in the Protocol definitions on 3847. Other RPC apps call first of all, of course, to EPMAP, the expected 135.

The access rule / inbound setting is curious also - set to inbound, the rule is completely ignored, which explains why everything is denied by the default rule, because the traffic is not recognised as fulfilling the criteria of that rule. Changing the direction to Outbound results in the traffic being recorded under the Access Rule - but this removes the Interfaces tab from the protocol properties. And in any case the access is still denied - the initial RPC call to 135 is allowed but the subsequent high-port traffic is denied.
Using a server publishing rule, which is what would be expected on an Inbound protocol, the traffic is identified as RPC (all interfaces), and is permitted, but then the client sends the OXID Resolver interface, not the one attached to the app, and communication continues on 135 only. Now given that the OXID Resolver uses DCOM protocols, this can never work with ISA because you can't access the Configure RPC Protocol option to uncheck "Enforce strict RPC compliance" when the protocol is used in a Publishing rule - only in an Access Rule can you select this.

One further interesting thing: If I create an access rule allowing the MS Firewall Control protocol, and then use the ISA RPC protocol in a publishing rule, it will allow the client MMC to connect. I have disabled the System Policy Rule that allows Remote Management. When I disable the publishing rule again the client connects but will not allow any changes. In the live logging I see denied RPC (all interfaces) connections. Ethereal continues to report that the communication is being attempted over the UUID interface specified in the [now disabled] RPC protocol. 

So, I am at a loss, as it would seem is everybody else here, to see how this RPC filter is supposed to work. Any input is mooooore than welcome. Does ANYBODY actually have a working RPC filter?

< Message edited by a13antichrist -- 13.Jan.2006 1:11:59 AM >

(in reply to nofear)
Post #: 13
RE: Discussion about article on RPC Inspection - 30.Jan.2007 7:45:00 PM   
marty.bloomfield

 

Posts: 2
Joined: 29.Jan.2007
Status: offline
I am seeing the same thing using ISA 2006 and want to know if someone solved it and how?

I've been able to use RPC (all interfaces), which works, but I want to go deeper and specifically grant certain UUIDs.


(in reply to tshinder)
Post #: 14
RE: Discussion about article on RPC Inspection - 6.Aug.2007 6:06:40 PM   
wkillmer

 

Posts: 1
Joined: 6.Aug.2007
Status: offline
I am having the same problems as the others have mentioned. I can only get the RPC to work if it is set to outbound, and open a range of ports. I need to be able to filter by UUID, but I haven't been able to get this to work. Monitoring the logging in ISA 2004, it shows the RPC (All Interfaces) as denied. If I switch this protocol to outbound, or create a new protocol on port 135 as outbound, then the request on 135 is allowed, but the subsequent calls on the dynamic port are blocked...

Please help.

If somebody has an actual working configuration could they post the xml export file so I can import it and see how it works.

(in reply to marty.bloomfield)
Post #: 15
