RE: RPC filter being too smart for its own good

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 23 Aug 2005 12:03:23 -0500

Single NIC (aka "caponized" ISA firewall) supports only HTTP/HTTPS/HTTP tunneled FTP.

HTH,

Tom
www.isaserver.org
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> Sent: Tuesday, August 23, 2005 10:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RPC filter being too smart for its own good
> 
> http://www.ISAserver.org
> 
> Greetings all.
> 
> First of all, I would like to mention I do not have much field experience
> with ISA 2004 - I am more fluent with Cisco ACLs, pf (OpenBSD) and Linux
> netfilter (iptables).
> But I am learning ;)
> 
> So yeah, we are experiencing a problem over here that had me running in
> circles for the past two days. Since last Friday, some strange things are
> occurring...
> 
> It all started when we noticed that one of our scripts was failing. The
> script basically takes for input a list of machines, then uses WSH functions
> and objects to connect to them, and returns the available disk space. Some
> black magic (which is just a foreach loop, really) is done, and a mail is
> sent if the disk space is low.
> 
> However, since last Friday, it fails with no particular message or hangs on
> the ISA 2004 server. I dug in a little, and deduced that the WSH functions
> were simply calling WMI objects, and by extension, using the RPC protocol.
> (At this point if I'm wrong, someone please slap me.)
> 
> So before I go further, allow me to detail our setup. 
> 
> The corporate network is a 192.168.10.0/24 network (24 bits, that is
> 255.255.255.0) - cash registers in boutiques (which are remotely connected
> through VPN) are in the 192.168.9.10/24 network.
> 
> The ISA 2004 (standard) server is running in single NIC configuration,
> behind a Netopia Netscreen appliance - it is used (to the best of my
> understanding, I did not design this network) to limit/filter
> internal-to-external (and to some extent, internal, if you consider the cash
> registers) traffic from the workstations, and basically allow internet
> access through the firewall client. (Machines don't have a default gateway,
> and even if they did, the Netscreen would not NAT them out, it only NATs out
> a handful of static IP addresses).
> 
> The ISA machine runs Windows Server 2003 Standard (Service Pack 1 - yes I am
> aware of the RPC filtering issues) and ISA is ISA 2004 Standard (SP1 as
> well, since I am aware of the issues :P).
> 
> So far, using an MMC to manage (by this I mean, trying to access, say, the
> logical disk manager) the ISA 2004 server fails with "The RPC server is not
> available", which confirms my theory. I ran a monitoring query which
> produced relevant output.
> 
> So apparently the "connection closed" event occurs with result code
> 0x80074e24 which, according to the ISA 2004 SDK documentation, means "ISA
> Server killed a connection".
> (you may verify here:)
> 
> http://msdn.microsoft.com/library/en-us/isasdk/isa/error_codes.asp
> 
> I next fired up ethereal on my linux laptop, which is connected to a hub
> with my workstation, and captured the traffic. Apparently, it goes this way:
> 
> My workstation and the ISA server perform a handshake.
> My workstation presents its UUID.
> The server says "All's right with the world. Come in on the following port."
> Then my workstation tries to connect on the following port, a few times. No
> answer.
> Then the ISA server sends another datagram that says "come in on the
> following port+1"
> And then it fails.
> 
> For kicks, I have created a rule that allows RPC from all networks to all
> networks, published my own machine (and made sure the "strict RPC" was
> disabled for it is required for DCOM and apparently WMI) and so far, no
> dice. It always fails.
> 
> I would also like to mention that we are still on an NT4 domain here, hence,
> the Active Directory internal policy that enforces strict RPC has no effect,
> and is not even enabled...
> 
> Any ideas? I still can't get RPC traffic (any kind, which means backups also
> fail) to the ISA server box at all.
> 
> Also, it was working last Friday, I have no clue what happened in between -
> nobody comes in on weekends...
> 
> 
> 
> --
> Alexandre Gauthier
> Analyste Réseau / Network Analyst
> Québec Loisirs - www.quebecloisirs.com
> (514) 340-2964

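Added example, not code from the thread, from ISA Server or from either poster: a small Python diagnostic that correlates a constructed, simplified connection log modelled on the capture Alexandre describes, flagging every dynamic RPC port the endpoint mapper (TCP 135) advertised on which the client's connection attempts never got an answer, and tagging those the firewall closed with the 0x80074e24 result code quoted above. The record format, host addresses and port numbers are assumptions.

```python
from collections import defaultdict

ISA_KILLED_CONNECTION = 0x80074E24  # "ISA Server killed a connection" (code quoted in the thread)
EPM_PORT = 135                      # RPC endpoint mapper; dynamic ports are negotiated here

# Constructed records modelled on the exchange described in the post (not real capture data).
# Fields: (seconds, client, server, dst_port, event); hosts and ports are assumptions.
SAMPLE = [
    (0.00, "192.168.10.50", "192.168.10.2", 135,  "syn"),
    (0.01, "192.168.10.50", "192.168.10.2", 135,  "syn_ack"),
    (0.05, "192.168.10.50", "192.168.10.2", 135,  "epm_reply:1025"),  # "come in on the following port"
    (0.10, "192.168.10.50", "192.168.10.2", 1025, "syn"),
    (3.10, "192.168.10.50", "192.168.10.2", 1025, "syn"),              # retries, no answer
    (9.10, "192.168.10.50", "192.168.10.2", 1025, "syn"),
    (9.20, "192.168.10.50", "192.168.10.2", 135,  "epm_reply:1026"),  # "come in on port+1"
    (9.30, "192.168.10.50", "192.168.10.2", 1026, "syn"),
    (9.40, "192.168.10.50", "192.168.10.2", 1026, "closed:0x80074e24"),
    (20.0, "192.168.10.50", "192.168.10.7", 135,  "epm_reply:1040"),  # healthy exchange, for contrast
    (20.1, "192.168.10.50", "192.168.10.7", 1040, "syn"),
    (20.2, "192.168.10.50", "192.168.10.7", 1040, "syn_ack"),
]

def find_blocked_dynamic_rpc(records):
    """Return (client, server, port, syn_count, firewall_code) for each dynamic port the
    endpoint mapper advertised that the client tried but never got a SYN/ACK on.
    firewall_code is the hex result code from a 'closed:' event on that port, else None."""
    advertised, answered, syns, codes = set(), set(), defaultdict(int), {}
    for _t, client, server, port, event in records:
        key = (client, server, port)
        if port == EPM_PORT and event.startswith("epm_reply:"):
            advertised.add((client, server, int(event.split(":", 1)[1])))
        elif event == "syn":
            syns[key] += 1
        elif event == "syn_ack":
            answered.add(key)
        elif event.startswith("closed:"):
            codes[key] = int(event.split(":", 1)[1], 16)
    return sorted(
        (c, s, p, syns[(c, s, p)], codes.get((c, s, p)))
        for (c, s, p) in advertised
        if syns[(c, s, p)] and (c, s, p) not in answered
    )

if __name__ == "__main__":
    for client, server, port, n, code in find_blocked_dynamic_rpc(SAMPLE):
        tag = "  (ISA killed the connection)" if code == ISA_KILLED_CONNECTION else ""
        print(f"{client} -> {server}:{port}  {n} SYN(s), no SYN/ACK{tag}")
```

On the sample it reports the two ports the ISA box advertised (1025 with three unanswered attempts, 1026 closed with 0x80074e24) and stays quiet about the host that answered on 1040.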
