RPC filter being too smart for its own good

  • From: Alexandre Gauthier <gauthiera@xxxxxxxxxxxxxxxxx>
  • To: 'isalist@xxxxxxxxxxxxx'
  • Date: Tue, 23 Aug 2005 11:58:36 -0400

Greetings all.

First of all, I would like to mention I do not have much field experience
with ISA 2004 - I am more fluent with Cisco ACLs, pf (OpenBSD) and Linux
netfilter (iptables).
But I am learning ;)

So yeah, we are experiencing a problem over here that had me running in
circles for the past two days. Since last Friday, some strange things are
occurring...

It all started when we noticed that one of our scripts was failing. The
script basically takes for input a list of machines, then uses WSH functions
and objects to connect to them, and returns the available disk space. Some
black magic (which is just a foreach loop, really) is done, and a mail is
sent if the disk space is low.

However, since last Friday, it fails with no particular message or hangs on
the ISA 2004 server. I dug in a little, and deduced that the WSH functions
were simply calling WMI objects, and by extension, using the RPC protocol.
(At this point if I'm wrong, someone please slap me.)

So before I go further, allow me to detail our setup. 

The corporate network is a 192.168.10.0/24 network (24 bits, that is
255.255.255.0) - cash registers in boutiques (which are remotely connected
through VPN) are in the 192.168.9.10/24 network.

The ISA 2004 (standard) server is running in single nic configuration,
behind a Netopia Netscreen appliance - it is used (to the best of my
understanding, I did not design this network) to limit/filter
internal-to-external (and to some extent, internal, if you consider the cash
registers) traffic from the workstations, and basically allow internet
access through the firewall client. (Machines don't have a default gateway,
and even if they did, the Netscreen would not NAT them out, it only NATs out
a handful of static IP addresses).

The ISA Machine runs Windows Server 2003 Standard (Service Pack 1 - yes I am
aware of the RPC filtering issues) and ISA is ISA 2004 Standard (SP1 as
well, since I am aware of the issues :P).

So far, using an MMC to manage (by this I mean, trying to access, say, the
logical disk manager) the ISA 2004 server fails with "The RPC server is not
available", which confirms my theory. I ran a monitoring query which
produced relevant output.

So apparently the "connection closed" event occurs with result code
0x80074e24 which, according to the ISA 2004 SDK documentation means "ISA Server
killed a connection".
(you may verify here:)

http://msdn.microsoft.com/library/en-us/isasdk/isa/error_codes.asp

I next fired up Ethereal on my Linux laptop, which is connected to a hub
with my workstation, and captured the traffic. Apparently, it goes this way:

My workstation and the ISA server perform a handshake.
My workstation presents its UUID.
The server says "All's right with the world. Come in on the following port."
Then my workstation tries to connect on the following port, a few times. No
answer.
Then the ISA server sends another datagram that says "come in on the
following port+1"
And then it fails.

For kicks, I have created a rule that allows RPC from all network to all
networks, published my own machine (and made sure the "strict RPC" was
disabled for it is required for DCOM and apparently WMI) and so far, no
dice. It always fails.

I would also like to mention that we are still on an NT4 domain here, hence,
the Active Directory internal policy that enforces strict RPC has no effect,
and is not even enabled...

Any ideas? I still can't get RPC traffic (any kind, which means backups also
fail) to the ISA server box at all.

Also, it was working last Friday, I have no clue what happened in between -
nobody comes in on weekends...



--
Alexandre Gauthier
Analyste Réseau / Network Analyst
Québec Loisirs - www.quebecloisirs.com
(514) 340-2964
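The capture pattern described in the message above (endpoint mapper on port 135 answers with a dynamic port, the client's SYNs to that port go unanswered, the mapper then offers port+1) is the kind of thing worth checking mechanically when an RPC filter is suspected of killing connections. The following is an added example, not code from the original post or from any ISA or Microsoft tool. It works on a constructed, simplified one-event-per-line capture summary (the line format, the addresses and the `<constructed-uuid>` placeholder are all assumptions made here for illustration, not Ethereal output), and reports every mapper-announced port that the client tried to reach without ever receiving a SYN-ACK. That is exactly the signature of a firewall or RPC filter dropping the dynamic-port leg after letting the endpoint-mapper leg through.

```python
"""Correlate RPC endpoint-mapper answers with the follow-up TCP connects.

Added example, not part of the original mailing-list post. It parses a
constructed, simplified capture summary (format assumed for illustration):
    <time> <src>:<sport> -> <dst>:<dport> <note>
and flags dynamic ports that the endpoint mapper announced but that the
client could never reach (SYNs sent, no SYN-ACK seen).
"""
import re
from collections import defaultdict

EPM_PORT = 135  # RPC endpoint mapper listens here

# Constructed capture: mapper answers on 1026, SYNs to 1026 unanswered, mapper
# retries with 1027, SYNs to 1027 unanswered too, then the mapper resets.
SAMPLE_CAPTURE = """\
10.001 192.168.10.50:1055 -> 192.168.10.5:135 SYN
10.002 192.168.10.5:135 -> 192.168.10.50:1055 SYN-ACK
10.003 192.168.10.50:1055 -> 192.168.10.5:135 EPM-MAP-REQUEST uuid=<constructed-uuid>
10.004 192.168.10.5:135 -> 192.168.10.50:1055 EPM-MAP-RESPONSE port=1026
10.005 192.168.10.50:1056 -> 192.168.10.5:1026 SYN
10.008 192.168.10.50:1056 -> 192.168.10.5:1026 SYN
10.014 192.168.10.50:1056 -> 192.168.10.5:1026 SYN
10.020 192.168.10.5:135 -> 192.168.10.50:1055 EPM-MAP-RESPONSE port=1027
10.021 192.168.10.50:1057 -> 192.168.10.5:1027 SYN
10.030 192.168.10.50:1057 -> 192.168.10.5:1027 SYN
10.031 192.168.10.5:135 -> 192.168.10.50:1055 RST
"""

# Constructed healthy exchange for comparison: the dynamic port answers.
HEALTHY_CAPTURE = """\
10.004 192.168.10.5:135 -> 192.168.10.50:1055 EPM-MAP-RESPONSE port=1026
10.005 192.168.10.50:1056 -> 192.168.10.5:1026 SYN
10.006 192.168.10.5:1026 -> 192.168.10.50:1056 SYN-ACK
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<note>.+)$"
)


def parse(text):
    """Turn the summary lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["t"] = float(e["t"])
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_unanswered_dynamic_ports(text):
    """Return {(server_ip, port): syn_count} for every port the endpoint mapper
    announced that the client tried to connect to without a SYN-ACK coming back."""
    announced = set()          # (server, port) pairs offered by the mapper
    syns = defaultdict(int)    # SYNs sent towards an announced port
    answered = set()           # (server, port) pairs that replied with SYN-ACK
    for e in parse(text):
        if e["sport"] == EPM_PORT and e["note"].startswith("EPM-MAP-RESPONSE"):
            pm = re.search(r"port=(\d+)", e["note"])
            if pm:
                announced.add((e["src"], int(pm.group(1))))
        elif e["note"] == "SYN" and (e["dst"], e["dport"]) in announced:
            syns[(e["dst"], e["dport"])] += 1
        elif e["note"] == "SYN-ACK":
            answered.add((e["src"], e["sport"]))
    return {key: n for key, n in syns.items() if key not in answered}


def describe(unanswered):
    """Human-readable verdict for the findings."""
    if not unanswered:
        return "dynamic RPC ports reachable: no filter drop detected"
    parts = [f"{ip}:{port} ({n} SYNs, no reply)" for (ip, port), n in sorted(unanswered.items())]
    return "mapper-announced ports unreachable, check the RPC filter/firewall: " + ", ".join(parts)


if __name__ == "__main__":
    print(describe(find_unanswered_dynamic_ports(SAMPLE_CAPTURE)))
    print(describe(find_unanswered_dynamic_ports(HEALTHY_CAPTURE)))
```

On the constructed failing capture this reports 1026 and 1027 as unreachable, which matches the "come in on the following port / port+1, no answer" sequence; on the healthy capture it reports nothing. A clean endpoint-mapper exchange followed by silence on the announced port points at the dynamic-port leg being filtered, which is where an RPC filter that is stricter than expected would show up, rather than at the mapper itself.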


