Hello Tom, question regarding this article and the Front-end backend article. Both you state to set this key. How will this impact the other servers in my environment? i.e. SQL boxes, file servers? Do I need to set this key on them too? Would it be easier to use the RPC filter to control the communication from the front end box/member server to my Domain controllers and back end email server?
Thanks for any advice!
quote:You need to add a DWORD value named TCP/IP Port and set the value to the port you want to use. You'll need to carry out this procedure on each of the domain controllers in your domain.
Perform the following steps on each of the domain controllers in your domain to change the RPC replication port to 50000:
1. Click Start and click Run. In the Open text box enter Regedit and click OK.
2. Go to the following Registry key:
3. Click the Edit menu and point to New. Click DWORD Value.
4. Rename the entry from New Value #1 to TCP/IP Port, then double click the entry.
5. In the Edit DWORD Value dialog box, select the Decimal option. Enter 50000 in the Value data text box. Click OK.
6. Restart the domain controller.
and again here:
quote:If you want access to features requiring Remote Procedure Calls, such as authentication or implicit logon, but do not want to open the wide range of ports above 1024, you can configure your domain controllers, global catalog servers, and all other back-end servers to use a single known port for all RPC traffic.
In order to authenticate clients, the registry key must be set on all servers the front-end server may contact via RPC (for example, your global catalog server). This can be any port not already in use. In the following example we will set the following registry key to a specific port, such as 1600:
4. Click Edit, point to New and click DWORD Value.
5. Change the name of New Value #1 to TCP/IP Port and press ENTER.
6. Double click the TCP/IP Port value.
7. In the Edit DWORD Value dialog box, select the Decimal option. In the Value data text box, enter 1600. Click OK.
8. Close the Registry Editor.
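An added example, not part of any post in this thread: a PowerShell function that does what the quoted GUI steps describe (create the decimal DWORD named TCP/IP Port under the domain controller's RPC configuration key) and adds the two checks an administrator wants before touching a DC: the chosen port must not already be listening, and the value is reported before and after so the change is auditable. The quoted step 2 on this page does not show the key path, so the function takes it as a mandatory parameter rather than guessing; Microsoft documents this value under the NTDS service's Parameters key, but confirm the path from your own documentation. The function name, the $KeyPath and $Port parameters, and the use of netstat for the port check (chosen so it also works on the Windows Server 2003 era hosts discussed here) are this example's assumptions.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the domain controller.
function Set-StaticRpcPort {
    param(
        # The page omits the key path; supply the one your documentation gives
        # (Microsoft documents "TCP/IP Port" under the NTDS service's Parameters key).
        [Parameter(Mandatory = $true)]
        [string]$KeyPath,

        # The quoted steps use 50000 in one article and 1600 in the other; any
        # port above 1024 that is not already in use is acceptable.
        [ValidateRange(1025, 65535)]
        [int]$Port = 50000,

        # Report only; make no change.
        [switch]$Check
    )

    $valueName = 'TCP/IP Port'

    # 1. Refuse a port that is already listening ("any port not already in use").
    #    netstat output is parsed rather than Get-NetTCPConnection so this runs on older hosts.
    $listening = netstat -ano |
        Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)"
    if ($listening) {
        $pids = ($listening | ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique) -join ', '
        throw "Port $Port is already in use (PID $pids). Choose another port."
    }

    # 2. The key must exist; do not create service keys that are not there.
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key '$KeyPath' does not exist on this host."
    }

    # 3. Show the current value so the change is auditable.
    $current = (Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -ne $current) {
        Write-Host "Current '$valueName' = $current"
    } else {
        Write-Host "'$valueName' is not set; RPC endpoints are allocated dynamically above 1024."
    }

    if ($Check) { return }

    # 4. Write the REG_DWORD (decimal, as the GUI steps specify).
    Set-ItemProperty -Path $KeyPath -Name $valueName -Value $Port -Type DWord

    # 5. Confirm, and remind about the restart the steps require.
    $after = (Get-ItemProperty -Path $KeyPath -Name $valueName).$valueName
    Write-Host "'$valueName' is now $after. Restart the domain controller for it to take effect."
    Write-Host "After the reboot, confirm with: netstat -ano | findstr :$Port"
}

# Usage (key path is a placeholder; replace it with the documented path):
# Set-StaticRpcPort -KeyPath 'HKLM:\<documented NTDS parameters key>' -Port 50000 -Check
# Set-StaticRpcPort -KeyPath 'HKLM:\<documented NTDS parameters key>' -Port 50000
```

Once the DC is back up, the same fixed port is what the ISA Server access rule between the DMZ member server and the internal network needs to allow for RPC, instead of the whole range above 1024; the port check in step 1 matters because a collision with another listener would silently break replication or logon after the reboot.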
Hi Tom, I've been trying to get this to work, but I think I must have made a stupid mistake because pings from the DMZ server to the Domain Controller do not work.
On trying to join the DMZ server to the network I get
"DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain #internalnetworkname# The query was for the SRV record for _ldap._tcp.dc._msdcs.#internalnetworkname# The following domain controllers were identified by the query: #dcname#.#internalnetworkname# Common causes of this error include : Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses. - Domain controllers registered in DNS are not connected to the network or are not running."
ISA Server
Internal NIC IP: 192.168.0.200, no gateway, DNS = 192.168.0.200 (self)
DMZ NIC IP: 192.168.2.2, no gateway, no DNS
External NIC IP: 192.168.1.3, gateway = 192.168.1.1, no DNS (192.168.1.1 is the local IP of the ADSL modem)
DMZ Server 192.168.2.5 DNS & Gateway 192.168.2.2 (ISA Server)
DC Server 192.168.0.1, no gateway, DNS = 127.0.0.1
Edit: OK, just added an additional network rule: DMZ Member Server -> Internal (NAT), and pings resolve, joining the domain works, etc.
Obviously I misunderstood things. I thought Route network rules were bi-directional, so that the DMZ <-> Internal (Route) rule I already had should have (in my understanding) allowed traffic both to and from the DMZ to the Internal network (provided it adhered to the Firewall policy access rules I have configured)... it seems that belief was wrong.
Is there a consequence to the new NAT rule which I haven't thought of, that will cause me problems?
< Message edited by Stoneink -- 16.Oct.2006 7:41:09 PM >
Hi Tom, I have a couple of questions.
1) I want to create two DMZs. One will have a server that is not a member of the domain but still requires to talk with SQL, and an FTP server which will require copying files to the internal network. What access rule do I need for the web server to access data from SQL?
2) A DMZ with servers which are members of the domain [Exchange (not front end, it is the only Exchange server), TS Server]. My ISA is a domain member (is it secure or should I change it?)
I have started working on #1, but when I try to access the website (ASP and ASP.net site) I get the error "HTTP Error 403.1 - Forbidden: Execute access is denied. Internet Information Services (IIS)". 1433 is allowed from DMZ-Internal.
I created a simple website with a .htm page and I don't have any problem opening this site from any network.
< Message edited by bhavin78 -- 20.Jan.2007 10:04:13 PM >
I would like to use your column's idea for an intradomain by substituting a router for the computer as the "DMZ Member Server". Is this possible? I have listed the detail below:
I log into my home network which is wireless and on an IP separate from the domain behind the ISA 2004 firewall. The wireless is secured with only a NAT. The users all have personal firewalls for protection. The network is connected to a different IP and your column suggested to me that there may be an easier method of logging into my domain. Currently I login by creating a VPN to the domain and then accessing by RDP to the servers when needed.
In my case, there is no server in what would be the DMZ. There is only my machine and the others in the home who are behind the wireless router - which is on 192.168.1.0 (Gateway 192.168.1.1).