Single NIC (aka "caponized" ISA firewall) supports only HTTP/HTTPS/HTTP tunneled FTP.

HTH,
Tom
www.isaserver.org
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> Sent: Tuesday, August 23, 2005 10:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RPC filter being too smart for its own good
>
> http://www.ISAserver.org
>
> Greetings all.
>
> First of all, I would like to mention I do not have much field experience
> with ISA 2004 - I am more fluent with Cisco ACLs, pf (OpenBSD) and Linux
> netfilter (iptables).
> But I am learning ;)
>
> So yeah, we are experiencing a problem over here that had me running in
> circles for the past two days. Since last Friday, some strange things are
> occurring...
>
> It all started when we noticed that one of our scripts was failing. The
> script basically takes for input a list of machines, then uses WSH functions
> and objects to connect to them, and returns the available disk space. Some
> black magic (which is just a foreach loop, really) is done, and a mail is
> sent if the disk space is low.
>
> However, since last Friday, it fails with no particular message or hangs on
> the ISA 2004 server. I dug in a little, and deduced that the WSH functions
> were simply calling WMI objects, and by extension, using the RPC protocol.
> (At this point if I'm wrong, someone please slap me.)
>
> So before I go further, allow me to detail our setup.
>
> The corporate network is a 192.168.10.0/24 network (24 bits, that is
> 255.255.255.0) - cash registers in boutiques (which are remotely connected
> through VPN) are in the 192.168.9.10/24 network.
>
> The ISA 2004 (standard) server is running in single nic configuration,
> behind a Netopia Netscreen appliance - it is used (to the best of my
> understanding, I did not design this network) to limit/filter
> internal-to-external (and to some extent, internal, if you consider the cash
> registers) traffic from the workstations, and basically allow internet
> access through the firewall client. (Machines don't have a default gateway,
> and even if they did, the Netscreen would not NAT them out, it only NATs out
> a handful of static IP addresses).
>
> The ISA Machine runs Windows Server 2003 Standard (Service Pack 1 - yes I am
> aware of the RPC filtering issues) and ISA is ISA 2004 Standard (SP1 as
> well, since I am aware of the issues :P).
>
> So far, using an MMC to manage (by this I mean, trying to access, say, the
> logical disk manager) the ISA 2004 server fails with "The RPC server is not
> available", which confirms my theory. I ran a monitoring query which
> produced relevant output.
>
> So apparently the "connection closed" event occurs with result code
> 0x80074e24 which, according to the ISA 2004 SDK documentation, means "ISA
> Server killed a connection". (You may verify here:)
>
> http://msdn.microsoft.com/library/en-us/isasdk/isa/error_codes.asp
>
> I next fired up ethereal on my linux laptop, which is connected to a hub
> with my workstation, and captured the traffic. Apparently, it goes this way:
>
> My workstation and the ISA server perform a handshake.
> My workstation presents its UUID.
> The server says "All's right with the world. Come in on the following port."
> Then my workstation tries to connect on the following port, a few times. No
> answer.
> Then the ISA server sends another datagram that says "come in on the
> following port+1"
> And then it fails.
>
> For kicks, I have created a rule that allows RPC from all networks to all
> networks, published my own machine (and made sure the "strict RPC" was
> disabled for it is required for DCOM and apparently WMI) and so far, no
> dice. It always fails.
>
> I would also like to mention that we are still on an NT4 domain here, hence,
> the Active Directory internal policy that enforces strict RPC has no effect,
> and is not even enabled...
>
> Any ideas? I still can't get RPC traffic (any kind, which means backups also
> fail) to the ISA server box at all.
>
> Also, it was working last Friday, I have no clue what happened in between -
> nobody comes in on weekends...
>
> --
> Alexandre Gauthier
> Analyste Réseau / Network Analyst
> Québec Loisirs - www.quebecloisirs.com
> (514) 340-2964
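The endpoint-mapper pattern Alexandre describes (port 135 answers, the dynamic port it hands out never does, then a second port is offered) can be checked mechanically against a capture summary rather than by eye. This is an added example, not code from the thread or from ISA Server; it works on a constructed, simplified flow list with hypothetical addresses and ports standing in for ethereal/tshark output.

```python
import re

EPM_PORT = 135  # TCP port of the RPC endpoint mapper the client asks first

# Constructed, simplified packet summary modelled on the exchange described in
# the thread (hypothetical addresses, ports and timings; not a real capture).
# Fields: (time_s, src, sport, dst, dport, info)
CAPTURE = [
    (0.000, "192.168.10.50", 3012, "192.168.10.5", 135, "SYN"),
    (0.001, "192.168.10.5", 135, "192.168.10.50", 3012, "SYN/ACK"),
    (0.004, "192.168.10.50", 3012, "192.168.10.5", 135, "EPM Map request"),
    (0.006, "192.168.10.5", 135, "192.168.10.50", 3012, "EPM Map response port=1049"),
    (0.010, "192.168.10.50", 3013, "192.168.10.5", 1049, "SYN"),
    (3.010, "192.168.10.50", 3013, "192.168.10.5", 1049, "SYN"),
    (9.010, "192.168.10.50", 3013, "192.168.10.5", 1049, "SYN"),
    (9.020, "192.168.10.5", 135, "192.168.10.50", 3012, "EPM Map response port=1050"),
    (9.030, "192.168.10.50", 3014, "192.168.10.5", 1050, "SYN"),
]
PORT_RE = re.compile(r"EPM Map response port=(\d+)")

def epm_mapped_ports(capture, epm_port=EPM_PORT):
    """Return {(server, port): time} for each dynamic port the endpoint mapper
    handed out; only replies sourced from the EPM port are trusted."""
    mapped = {}
    for t, src, sport, _dst, _dport, info in capture:
        m = PORT_RE.match(info)
        if m and sport == epm_port:
            mapped.setdefault((src, int(m.group(1))), t)
    return mapped

def check_dynamic_ports(capture, epm_port=EPM_PORT):
    """For each EPM-assigned port, count client SYNs sent to it after the mapping
    and whether the server ever replied SYN/ACK. Returns (server, port, syns, ok)."""
    results = []
    for (srv, port), t0 in sorted(epm_mapped_ports(capture, epm_port).items(),
                                  key=lambda kv: kv[1]):
        syns = sum(1 for t, _s, _sp, dst, dport, info in capture
                   if t >= t0 and (dst, dport, info) == (srv, port, "SYN"))
        ok = any(t >= t0 and (src, sport, info) == (srv, port, "SYN/ACK")
                 for t, src, sport, _d, _dp, info in capture)
        results.append((srv, port, syns, ok))
    return results

if __name__ == "__main__":
    # Port 135 answered but no EPM-assigned port does: that is a filter dropping
    # the secondary RPC connection, not a host that is down.
    for srv, port, syns, ok in check_dynamic_ports(CAPTURE):
        print(f"{srv}:{port} (EPM-assigned) ->",
              "answered" if ok else f"no SYN/ACK after {syns} SYN(s)")
```

Every EPM-assigned port reported with unanswered SYNs, while the mapper itself replied, matches the "ISA Server killed a connection" result Alexandre saw in the monitoring query and points at the RPC filter rather than at the script or the target host.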