
Welcome to ISAserver.org


RE: Discussion about article on Intradomain Communications through the ISA Firewall

RE: Discussion about article on Intradomain Communicati... - 4.Mar.2005 10:23:00 AM   
Ole.Nielsen

 

Posts: 15
Joined: 12.Feb.2005
Status: offline
Wouldn't it be a much more secure scenario if you were able to restrict the RPC traffic further, so only necessary interfaces (by UUID) were allowed through?

I've tried to accomplish this by creating a custom RPC Protocol definition, but I can't get it to work. Hope anyone can help!

(Please note: I've posted a variant of this problem as a reply to the article on the ISA firewall's RPC stateful inspection feature here: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=24;t=000473).

Best regards,
ISA Fan

(in reply to tshinder)
Post #: 21
RE: Discussion about article on Intradomain Communicati... - 7.Mar.2005 9:58:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ISA Fan,

I'll take a look.

Thanks!
Tom

(in reply to tshinder)
Post #: 22
RE: Discussion about article on Intradomain Communicati... - 9.Mar.2005 5:52:00 PM   
david68

 

Posts: 10
Joined: 20.Jan.2005
From: in front of my workstation
Status: offline
Hello:

Followed the article and ran into this issue:

When I try to join my domain from the DMZ server, I get prompted for a username / password to join, I enter that info in but then get "There are no more endpoints available from the endpoint mapper" and the joining of the domain fails.

ISA does not log any errors that I can see.

Thanks

(in reply to tshinder)
Post #: 23
RE: Discussion about article on Intradomain Communicati... - 12.Apr.2005 8:40:00 PM   
CurtisGF

 

Posts: 30
Joined: 12.Feb.2003
From: Virginia
Status: offline
Hi.

After following this article, I cannot login to the domain on my test server. It is already a member of the domain.

I get errors concerning NetBIOS in the firewall logs. Specifically, from the perimeter server to the local host.

I've obviously gotten something wrong somewhere, just don't know where.

This perimeter network is not really anonymous, but not fully authenticated either. I am using private network addresses throughout and have changed the network relationship to route from NAT.

Suggestions?

Thanks.
Curtis

(in reply to tshinder)
Post #: 24
RE: Discussion about article on Intradomain Communicati... - 12.Apr.2005 10:35:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by david68:
Hello:

Followed the article and ran into this issue:

When I try to join my domain from the DMZ server, I get prompted for a username / password to join, I enter that info in but then get "There are no more endpoints available from the endpoint mapper" and the joining of the domain fails.

ISA does not log any errors that I can see.

Thanks

Hi David,

What connections from the DMZ host do you see blocked in the ISA firewall's log file?

Thanks!
Tom

(in reply to tshinder)
Post #: 25
RE: Discussion about article on Intradomain Communicati... - 12.Apr.2005 10:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by CurtisGF:
Hi.

After following this article, I cannot login to the domain on my test server. It is already a member of the domain.

I get errors concerning NetBIOS in the firewall logs. Specifically, from the perimeter server to the local host.

I've obviously gotten something wrong somewhere, just don't know where.

This perimeter network is not really anonymous, but not fully authenticated either. I am using private network addresses throughout and have changed the network relationship to route from NAT.

Suggestions?

Thanks.
Curtis

Hi Curtis,

You definitely need to change the Network Rule back to route to support the Kerberos auth, etc.

HTH,
Tom

(in reply to tshinder)
Post #: 26
RE: Discussion about article on Intradomain Communicati... - 13.Apr.2005 7:32:00 PM   
CurtisGF

 

Posts: 30
Joined: 12.Feb.2003
From: Virginia
Status: offline
Hi Tom,

Thanks for responding, but the relationship is route.

(in reply to tshinder)
Post #: 27
RE: Discussion about article on Intradomain Communicati... - 18.Apr.2005 3:59:00 PM   
CurtisGF

 

Posts: 30
Joined: 12.Feb.2003
From: Virginia
Status: offline
I got it.

It was a routing issue. I didn't have a route back to the perimeter network from the DC.

(in reply to tshinder)
Post #: 28
RE: Discussion about article on Intradomain Communicati... - 4.May2005 3:41:00 PM   
benlorenzo

 

Posts: 3
Joined: 4.May2005
Status: offline
I have a DC and ISA Server 2004 on one Win2003 Server SP1 machine.
I cannot add a WinXP SP2 client to the domain; I get an error "the remote proc called failed". I researched and found tools (netdiag, rpcping) and keep getting RPC type failures on the reports.
I see tons of netlogon errors in Event Viewer on the clients that refer to RPC again. I have an RPC problem and I'm not sure where to start.
I have inherited this network and am new to ISA.
Any help would be much appreciated, and I have ordered the ISA Server 2004 book already. Also, I don't see the "setup" for the clients after the ISA 2004 upgrade; where is it documented to be?

(in reply to tshinder)
Post #: 29
RE: Discussion about article on Intradomain Communicati... - 5.May2005 6:12:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by CurtisGF:
I got it.

It was routing issue. Didn't have a route back to the perimeter network from the DC.

Hi Curtis,

That'll do it! Good to hear you got it working and thanks for the follow up!

Tom

(in reply to tshinder)
Post #: 30
RE: Discussion about article on Intradomain Communicati... - 15.May2005 10:37:00 PM   
sanderweijers

 

Posts: 9
Joined: 6.Aug.2004
Status: offline
Hi Tom!
I've followed all the articles I found about setting up site-to-site VPN and your last one was the most helpful. Unfortunately, I'm still having problems:

I've got two separate ADs: MainA and MainB. After setting up a successful VPN using ISA 2004 on MainA and RRAS (on W2K) on MainB, I'm able to access MainA from all MainB computers (just 1 server in MainB).
When I try to access MainB from any server or PC in MainA, everything looks fine (ping, RDP, etc.).

When I am on the ISA 2004 server in MainA (W2K3 domain controller) and try to modify the rights of a folder using the other domain (the domain of MainB), I can see a list of users and computers.
When I am on one of the other servers in MainA (W2K3 DCs or W2K member servers) and try exactly the same, it gives me the error "The following error prevented the display of any items: The server is not operational".

When I filter the log, I only see access denied from source <MainB Server> to destination <MainA selected server>. Ports varying from 1000 to 4000, etc.

I've tried several access policies, but none seem to work. It would not be a problem to allow ALL traffic between the Internal network and the VPN site (as described in http://www.isaserver.org/articles/2004s2s2000.html).

Please help!

(in reply to tshinder)
Post #: 31
RE: Discussion about article on Intradomain Communicati... - 6.Jun.2005 11:20:00 AM   
JFQueralt

 

Posts: 8
Joined: 6.Jun.2005
Status: offline
Hi to everyone.
I'm quite sure this is not an ISA Server topic, but I'm facing this problem trying to join my DMZ server to the domain... The network is a usual DMZ net.

The problem is that my DMZ server is not able to locate the DNS entry of the Domain Controller.
The TCP/IP parameters are:

ISA Server
IP1: 172.0.0.1 (Perimeter)
M: 255.255.255.0
IP2: 10.1.150.10 (Internal)
M: 255.0.0.0
IP3: 192.168.0.1 (External)
M: 255.255.255.0

DMZ Server
IP: 172.0.0.2
M: 255.255.255.0
DNS: 10.1.150.10
DGate: 172.0.0.1

DC Server
IP: 10.1.150.10
M: 255.0.0.0
DNS: 10.1.150.10
DGate: 10.1.150.10

Pings:

DC Server-> DMZ Server NO
DMZ Server -> DC Server NO
TestPC -> DMZ Server YES
DMZ Server -> Test PC YES
ISA Server -> DC Server YES
TestPC -> ISA Server YES (it's an admin station)

For the rule processing, I've just enabled ALL protocols between the Perimeter and the Internal network (both directions), so I'm pretty sure ISA is not blocking.

The monitoring shows no activity except DNS connections, allowed but without an answer from the DC Server.

Any help would be greatly appreciated, as I've been working on this issue for weeks now.

Regards,

Jean Franctois

(in reply to tshinder)
Post #: 32
RE: Discussion about article on Intradomain Communicati... - 6.Jun.2005 5:05:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jean,

Is there a route relationship between the DMZ and the DC's ISA firewall Network?

Thanks!
Tom

(in reply to tshinder)
Post #: 33
RE: Discussion about article on Intradomain Communicati... - 7.Jun.2005 3:06:00 AM   
JFQueralt

 

Posts: 8
Joined: 6.Jun.2005
Status: offline
Hi, Tom.

Yes. The network relationships are:

Internal -> External NAT
Internal -> DMZ ROUTE
DMZ -> Internal ROUTE
External -> DMZ ROUTE

Anyway, I've found the problem (at least one of them) resides in the fact that the Domain Controller (which is also the DNS Server) is not resolving the DNS requests from the DMZ Server, and thus I can't resolve the LDAP entry for locating the Domain Controller.

So, from the DMZ Server I can:
Ping the TestPC without problems (10.1.108.10)
(I can even ping another Test PC with the DHCP IP without problems).

But I can't:
Ping the DC Server (10.1.150.1)
Resolve the DC Server's FQDN
Resolve the TestPC's FQDN

Monitoring the activity FROM the Perimeter (Source Network = Perimeter) I can see that DNS requests are Opened and Closed correctly but without returning info from the DNS Server.

On a first approach, that means for me that:
- The routing is correctly handled by the ISA Server.
- The DNS requests are correctly routed to the DNS Server.
- The DNS service (or the DC Server itself) doesn't answer requests coming from the DMZ Server.

Don't know if it's a DNS security restriction or whatever... But I'm revising the DNS parameters and nothing comes to mind.

BTW, this is clearly becoming off-topic and I'm sorry for that.

Jean.

(in reply to tshinder)
Post #: 34
RE: Discussion about article on Intradomain Communicati... - 7.Jun.2005 5:43:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jean,

I'd do a Netmon trace at the DNS server and see who it's responding to.

HTH,
Tom

(in reply to tshinder)
Post #: 35
RE: Discussion about article on Intradomain Communicati... - 7.Jun.2005 6:28:00 AM   
JFQueralt

 

Posts: 8
Joined: 6.Jun.2005
Status: offline
Hi, Tom.

I found what it was... the DC Server was still configured with the router IP as its default gateway. That was the original config before implementing the ISA Server, and thus the routing was completely incorrect.

Sorry for bothering you with this off-topic. Now the next phase: joining the domain. Hope I'll sort it out.

Thanks again, Tom. Keep up the good work.

Jean.

(in reply to tshinder)
Post #: 36
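Both fixes in this thread (Curtis's DC with no route back to the perimeter network, Jean's DC still pointing its default gateway at the old router) are the same failure: the ISA firewall forwards the DMZ host's packet to the DC, but the DC's reply never comes back, so the firewall log shows the connection as allowed with no answer. The script below is an added example, not code from the thread or from ISA Server: it models each host's connected subnets and default gateway using the addressing quoted above, then traces the path in both directions. The host names, the "OLDRTR" router and its address are assumptions, and the model assumes the ISA network rule between the DMZ and Internal networks is Route, so every hop simply forwards.

```python
import ipaddress

# Constructed topology modelled on the addressing quoted in this thread: the ISA
# firewall (perimeter, internal, external), the DMZ host and the DC, plus a
# hypothetical legacy router "OLDRTR" that the DC's default gateway still points
# at. Host names and the router's address are assumptions, not from the thread.
HOSTS = {
    "ISA":    {"ifaces": ["172.0.0.1/24", "10.1.150.10/8", "192.168.0.1/24"], "gw": None},
    "DMZ":    {"ifaces": ["172.0.0.2/24"], "gw": "172.0.0.1"},
    "DC":     {"ifaces": ["10.1.150.1/8"], "gw": "10.1.150.254"},  # stale default gateway
    "OLDRTR": {"ifaces": ["10.1.150.254/8"], "gw": None},         # no route to 172.0.0.0/24
}

def owner_of(hosts, addr):
    """Name of the host holding this IP on one of its interfaces, else None."""
    for name, h in hosts.items():
        if any(ipaddress.ip_interface(c).ip == addr for c in h["ifaces"]):
            return name
    return None

def next_hop(host, dst):
    """Connected subnet wins; otherwise the default gateway; otherwise no route."""
    for c in host["ifaces"]:
        if dst in ipaddress.ip_interface(c).network:
            return dst
    return ipaddress.ip_address(host["gw"]) if host["gw"] else None

def trace(hosts, src, dst_addr, max_hops=8):
    """Hop-by-hop path from src; the list ends in 'NO ROUTE' or 'LOOP' on failure."""
    dst, path, cur = ipaddress.ip_address(dst_addr), [src], src
    for _ in range(max_hops):
        nh = next_hop(hosts[cur], dst)
        nxt = owner_of(hosts, nh) if nh is not None else None
        if nxt is None:
            return path + ["NO ROUTE"]
        path.append(nxt)
        if nh == dst:          # delivered on a connected subnet
            return path
        cur = nxt              # handed to a gateway, which routes it further
    return path + ["LOOP"]

def primary_ip(hosts, name):
    return ipaddress.ip_interface(hosts[name]["ifaces"][0]).ip

def reply_check(hosts, client, server):
    """Both directions must complete: a broken return path looks like 'allowed, no answer'."""
    fwd = trace(hosts, client, primary_ip(hosts, server))
    rev = trace(hosts, server, primary_ip(hosts, client))
    return fwd, rev, fwd[-1] == server and rev[-1] == client
```

With the DC's gateway changed to the ISA firewall's internal address (10.1.150.10) the reverse trace runs DC -> ISA -> DMZ and the check passes; with no gateway at all (Curtis's case) it stops at the DC with NO ROUTE.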
RE: Discussion about article on Intradomain Communicati... - 15.Jun.2005 11:25:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi JF,

Great! Good to hear you got it working and thanks for the follow up!

Tom

(in reply to tshinder)
Post #: 37
RE: Discussion about article on Intradomain Communicati... - 14.Jul.2005 8:30:00 AM   
Qais

 

Posts: 2
Joined: 14.Jul.2005
From: France
Status: offline
quote:
Originally posted by david68:
Hello:

Followed the article and ran into this issue:

When I try to join my domain from the DMZ server, I get prompted for a username / password to join, I enter that info in but then get "There are no more endpoints available from the endpoint mapper" and the joining of the domain fails.

ISA does not log any errors that I can see.

Thanks

Hi,

Try http://support.microsoft.com/kb/899148/en-us.
"Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers".

If you have a test environment, you can also try to disable the RPC Filter and open ports (1025-1026) localhost-->Internal.

When you disable the RPC filter you can monitor the traffic and see which protocol fails.

Regards,

(in reply to tshinder)
Post #: 38
RE: Discussion about article on Intradomain Communicati... - 20.Jul.2005 6:54:00 PM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
How does this install change if you're using a back to back firewall config vs. 3 interfaces on a single firewall?

(in reply to tshinder)
Post #: 39
RE: Discussion about article on Intradomain Communicati... - 25.Jul.2005 11:35:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Qais:
quote:
Originally posted by david68:
Hello:

Followed the article and ran into this issue:

When I try to join my domain from the DMZ server, I get prompted for a username / password to join, I enter that info in but then get "There are no more endpoints available from the endpoint mapper" and the joining of the domain fails.

ISA does not log any errors that I can see.

Thanks

Hi,

Try http://support.microsoft.com/kb/899148/en-us.
"Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers".

If you have a test environment, you can also try to disable the RPC Filter and open ports (1025-1026) localhost-->Internal.

When you disable the RPC filter you can monitor the traffic and see which protocol fails.

Regards,

Hi Qais,

Thanks! The hotfix should allow things to work correctly after it's applied.

Tom

(in reply to tshinder)
Post #: 40
