Re: CSS can't talk to array members in workgroup config



Thanks for the response, but I'm 99% sure the PIX isn't the problem and ISA
is. I changed the configuration so that the array members are now members of
the domain (to eliminate those sorts of issues) and I still get the same
problem: the Configuration Storage Server cannot see the array member.

If I run FWEngMon.exe (ISA tool) and essentially disable ISA between the
array member and the CSS (fwengmon /a <css> <array member>), then the array
member shows up on the CSS. No changes being made to the "stupid" PIX, just
the ISA server.

I can't figure out how to allow 1035 into the ISA.

"Jim Harrison (ISA SE)" wrote:

Trying to play the "port" game with RPC across a basic L3
firewall-like-thingy is a guaranteed path to giggling baldness.
PIX doesn't understand RPC, but ISA does. Unfortunately, ISA doesn't have
the opportunity to use RPC traffic between the CSS and itself because the
PIX "just don't get RPC".
ISA port requirements are spelled out in
http://support.microsoft.com/kb/832017; have a read there.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"R5" <R5@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D4AE1B4-FD36-4808-B0FA-EB1121E6E8C7@xxxxxxxxxxxxxxxx
We have a single NIC ISA 2006 SP1 server sitting on a DMZ network of our PIX.
The CSS is on the internal network. I have verified the PIX is not the
problem, or at least is most likely not the problem. I used the FWEngMon.exe
tool and allowed access between the CSS and Array member, then the CSS was
able to see the Array member, no problem. What's strange is Array member
has no problem seeing the CSS and is able to make changes to the
configuration. This is usually the other way around (harder to get from DMZ
to inside than vice versa), but further proves the PIX isn't the problem since
it allows traffic from the inside to the less trusted network by default, but
blocks everything from the less trusted to the internal side.

The array member seemed to be blocking some sort of RPC traffic (stuff on
port 1035), but I couldn't come up with a rule to allow incoming tcp 1035
traffic (am I retarded?), but could make only an Outgoing rule (wtf?).

I'm assuming 1035 is being used for authentication; I've opened these ports
on webservers on the DMZ to the DCs before.
