RE: Scripting guys help Interface based rules?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 9 Dec 2005 10:42:52 -0800

AE from the ISA to itself (a la SBS) will work, but if ISA has to communicate 
off-box for AE, you're screwed (and no sneezes, either).

The only workaround is to port-limit the certsvc and create a custom protocol 
for that.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
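Jim's workaround above (pin certsvc's RPC endpoints to a known range, then build an ISA protocol definition for that range) and Tom's check further down the thread (request a machine certificate from a client on a Protected Network), as one worked script. This is an added example, not code from the list post or from ISA Server. It uses the documented machine-wide RPC port-range values under HKLM\SOFTWARE\Microsoft\Rpc\Internet (Microsoft KB 154596) rather than a certsvc-specific setting, so every RPC server on the CA host hands out endpoints from that range after a reboot; the range 5000-5010 and the CA config string are assumptions to replace. On the ISA side, create a protocol definition with TCP 135 outbound plus TCP 5000-5010 outbound, leave no application filter (i.e. the RPC filter) attached to it, and use it in an access rule whose destination is only the CA: without the RPC filter ISA no longer checks interface UUIDs, so the rule should be no wider than that.

```powershell
# Added example, not from the list post. Run elevated on the CA host, reboot,
# run it again there to confirm the listening ports, then on a client behind ISA.
# Assumed values: the port range and the HOST\CA-name string are placeholders.
$PortRange = '5000-5010'                         # assumption: unused on this host
$CaConfig  = 'ca01.example.local\Example CA'     # assumption: HOST\CA common name

function Set-RpcPortRange {
    param([string]$Range)
    # Machine-wide setting (KB 154596): after a reboot every RPC server on this
    # host, not only certsvc, gets endpoints from $Range. Keep the range small
    # so the ISA protocol definition stays narrow.
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    Set-ItemProperty -Path $key -Name 'Ports'                  -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $key -Name 'PortsInternetAvailable' -Value 'Y'       -Type String
    Set-ItemProperty -Path $key -Name 'UseInternetPorts'       -Value 'Y'       -Type String
}

function Test-CertSvcEndpoint {
    param([string]$Range, [string]$Config)
    $low, $high = ($Range -split '-') | ForEach-Object { [int]$_ }

    # 1. On the CA host only: every TCP port certsrv.exe listens on must fall
    #    inside the pinned range, otherwise the ISA rule will miss it.
    $svc = Get-WmiObject Win32_Service -Filter "Name='CertSvc'"
    if ($svc) {
        $svcPid = $svc.ProcessId
        $ports = netstat -ano -p tcp | ForEach-Object {
            if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and
                [int]$Matches[2] -eq $svcPid) { [int]$Matches[1] }
        }
        $outside = @($ports | Where-Object { $_ -lt $low -or $_ -gt $high })
        if ($outside.Count -gt 0) {
            Write-Warning "certsvc listens outside ${Range}: $($outside -join ', ')"
            return $false
        }
    }

    # 2. The DCOM request interface answers: certutil -ping calls the CA's
    #    ICertRequest interface, the same path machine autoenrollment uses.
    #    From a client behind ISA this is the real test of the protocol and
    #    access rule, because the call must first hit TCP 135 and then the
    #    endpoint in the pinned range.
    certutil -config $Config -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$isCa = [bool](Get-WmiObject Win32_Service -Filter "Name='CertSvc'")
if ($isCa) { Set-RpcPortRange -Range $PortRange }   # idempotent; one reboot applies it
Test-CertSvcEndpoint -Range $PortRange -Config $CaConfig
```

A $false from the client with the CA's own run reporting ports inside the range points at the ISA rule (wrong destination, RPC filter still bound, or 135 missing from the protocol definition) rather than at the CA.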
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, December 09, 2005 10:29
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Scripting guys help Interface based rules?

http://www.ISAserver.org

I'm saying that the RPC filter, with or without strict compliance breaks it. 
NOW, I've heard some people say that if you disable strict compliance it will 
work, but I've NEVER been able to repro it, and I really wanted it to work. I 
wanted it to work a lot and tried lots of different scenarios to make it work, 
but it just wouldn't work.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Friday, December 09, 2005 12:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Scripting guys help Interface based rules?
> 
> 
> Are you saying that enforcing strict RPC compliance breaks 
> auto-enrollment to the ISA box?
> 
> t
> 
> -----
> "God is a comedian playing to an
> audience too afraid to laugh."
> 
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, December 09, 2005 9:56 AM
> Subject: [isalist] RE: Scripting guys help Interface based rules?
> 
> 
> 
> Hi Amy,
> 
> Try running the Certificates MMC snap-in to request a machine 
> certificate from an Enterprise CA on an ISA firewall Protected 
> Network. That was my first clue that there would be future issues. 
> It also breaks machine autoenrollment. Not an issue with SBS, but it 
> is in a typical Centro-oid deployment.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Sent: Friday, December 09, 2005 11:46 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Scripting guys help Interface based rules?
> >
> >
> > The only issues I hit with the RPC filter in SBS are with 3rd-party 
> > apps.
> >
> >
> > Amy
> >
> > Harbor Computer Services
> > Small Business Computer Specialists
> >
> > Client Blog: http://smalltechnotes.blogspot.com/
> > Tech Blog: http://isainsbs.blogspot.com/
> > Website: http://www.harborcomputerservices.net/
> >
> >
> >
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Friday, December 09, 2005 12:38 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Scripting guys help Interface based rules?
> >
> >
> > This question is only asked because of ignorance of how RPC and DCOM 
> > operate.
> >
> > Remember; the ISA RPC filter was written primarily to support 
> > Exchange. The fact that Exch uses a subset of the RPC potential 
> > functionality is a large part of the reason for "generic" RPC failure 
> > across ISA. DCOM, OTOH (used by WMI), is a superset of RPC 
> > functionality, making the whole problem even bigger.
> >
> > Also consider that except for SBS, ISA is installed in "network brick" 
> > mode.  Even in SBS, the "strict RPC" switch is on because the SBS team 
> > didn't hit any issues in their testing until after they shipped SP1.
> >
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: sbradcpa@xxxxxxxxxxx [mailto:sbradcpa@xxxxxxxxxxx]
> > Sent: Friday, December 09, 2005 07:10
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Scripting guys help Interface based rules?
> >
> >
> > But isn't there a way to be more granular?
> >
> > If someone can point me to the chapter I forgot in the Bible of ISA 
> > [Shinder] or an MSDN page .... because I'd love to be a bit less 'oh 
> > just wack the box off'
> >
> > > That RPC thang has been ongoing since the release of ISA......
> > >
> > > -----Original Message-----
> > > From: sbradcpa@xxxxxxxxxxx [mailto:sbradcpa@xxxxxxxxxxx]
> > > Sent: Friday, December 09, 2005 3:32 AM
> > > To: ISA Mailing List
> > > Subject: [isalist] RE: Scripting guys help Interface based rules?
> > >
> > >
> > >
> > > Well some of us SBS folks can at least read such trivial things as 
> > > subscribe and unsubscribe instructions off of listserves [even though 
> > > we may not follow them and unsubscribe and end up lurking]
> > >
> > > Right now I'll just be glad when we're not knee jerk wacking off the 
> > > RPC filtering.
> > >
> > >
> > > <http://spaces.msn.com/members/dmoisan/Blog/cns!1prHWLujp5fNIAaScwFLsA4g!121.entry>
> > >
> > > http://makeashorterlink.com/?Z38D1384C
> > >
> > > I'll let you know about what we think about DiffServ in SP2 once we 
> > > see SP2.
> > >
> > > Don't worry we have enough to complain about in SBS 2003 R2 ;-)
> > >
> > > > Oh yeh - the SBS folks would turn this on and never give us a 
> > > > moment's peace...
> > > > I can't wait until they start complaining about DiffServ in SP2...
> > > > "I turned it on and nothing happened"...
> > > >
> > > > --------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > --------------------------------------------
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: Thursday, December 08, 2005 9:50 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Scripting guys help Interface based rules?
> > > >
> > > > Would be an interesting thing to include in a future rev of the 
> > > > product. Maybe with the release after the next release. :)
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://spaces.msn.com/members/drisa/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > > **Who is John Galt?**
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > isalist@xxxxxxxxxx To unsubscribe visit 
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> 
