Re: CSS can't talk to array members in workgroup config



Trying to play the "port" game with RPC across a basic L3
firewall-like-thingy is a guaranteed path to giggling baldness.
PIX doesn't understand RPC, but ISA does. Unfortunately, ISA doesn't have
the opportunity to use RPC traffic between the CSS and itself because the
PIX "just don't get RPC".
ISA port requirements are spelled out in
http://support.microsoft.com/kb/832017; have a read there.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"R5" <R5@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D4AE1B4-FD36-4808-B0FA-EB1121E6E8C7@xxxxxxxxxxxxxxxx
We have a single NIC ISA 2006 SP1 server sitting on a DMZ network of our
PIX. The CSS is on the internal network. I have verified the PIX is not the
problem, or at least is most likely not the problem. I used the
FWEngMon.exe tool and allowed access between the CSS and Array member, then
the CSS was able to see the Array member, no problem. What's strange is the
Array member has no problem seeing the CSS and is able to make changes to
the configuration. This is usually the other way around (harder to get from
DMZ to inside than vice versa), but further proves the PIX isn't the
problem since it allows traffic from the inside to the less trusted network
by default, but blocks everything from the less trusted to the internal
side.

The array member seemed to be blocking some sort of RPC traffic (stuff on
port 1035), but I couldn't come up with a rule to allow incoming tcp 1035
traffic (am I retarded?), but could make only an Outgoing rule (wtf?).

I'm assuming 1035 is being used for authentication; I've opened these ports
on webservers on the DMZ to the DCs before.
