Re: RPC and IPSec



Hello.

I have implemented the IPSec policy in the domain controller GPO.
Both of my DCs have this IPSec policy.

When the client is trying to join the domain, I can see that it is
connecting to one of the DCs on port 135. The DC is then replying with port
1025, and when the client then tries to connect to the DC again on 1025 it fails
!!

This is because the DC's RPC range is defined as 57901-57950 through IPSec.

Do I need to alter the RPC port range in the registry on my DCs to make this
work ??

TEGB

"Paul Bergson" wrote:

This is an RPC error. The machine that the client is trying to attach to
should be the one telling the client which RPC port to use. The client
machine is provided this info on the initial connection off of port 135.
I'm a little confused on your details, but have you defined the port
restrictions on ALL your source machines that this client is going to attach
to, and do any firewalls that may be set up between them have these ports
opened up? Have you made any other mods to the machines' RPC definitions, such as
the one described in the link below?


Dynamic allocation of RPC port range
http://support.microsoft.com/kb/154596/en-us

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com

This posting is provided "AS IS" with no warranties, and confers no rights.

"Trond E. Gjelsvik-Bakke" <Trond E.
Gjelsvik-Bakke@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53174CBF-DED6-45F1-9DDA-0F0AD9F07986@xxxxxxxxxxxxxxxx
Hello.

I have implemented IPSec on my DCs. The IPSec is as described in the Windows
Security Resource Kit. I have used the recommended IPSec filters for domain
controllers with DNS.

I have made some adjustments, as I have one Administration LAN that I have
given full access.

When I put a client on some other LAN and try to join this client to the
domain I get an error: "There are no more endpoints available from the
endpoint mapper"
The join then fails !!

I guess that this has something to do with the IPSec rule:
Predefined RPC Range - TCP - ANY - 57901-57950 - ANY - ME - ALLOW - YES

This rule is, if I'm not wrong, limiting the ports used by RPC.

If I remove the IPSec or move the client into the Administrative LAN, it
joins.

Does anyone have a solution for this ??
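The failure described in this thread is a mismatch between two settings: the IPSec filter on the DC only allows TCP 57901-57950 for RPC, but the endpoint mapper on port 135 still hands out a port from the default dynamic range (1025 in the trace above), so the client's second connection is dropped. KB 154596, linked above, restricts the range RPC will allocate from via the registry. The script below is an added example, not code from the thread or from Microsoft: run in an elevated PowerShell on each DC, it reads the KB 154596 values (HKLM\SOFTWARE\Microsoft\Rpc\Internet: Ports, PortsInternetAvailable, UseInternetPorts) and reports whether the configured RPC range sits inside the IPSec-permitted range taken from the thread. The function names and the 57901-57950 range are assumptions taken from this thread; the registry key and value names are the KB's.

```powershell
# Added example (not from the thread or from Microsoft): compare the RPC port
# restriction from KB 154596 on this DC against the IPSec "Predefined RPC Range"
# filter. Run elevated on the domain controller. The 57901-57950 range is the
# thread's; the registry key and value names are the KB's; port 1025 is the
# port the client was handed in the thread.

$IpsecAllowed = @{ Start = 57901; End = 57950 }   # from the thread's IPSec rule
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'  # KB 154596 key

function Get-RpcPortRestriction {
    # KB 154596 values: Ports (REG_MULTI_SZ), PortsInternetAvailable (REG_SZ "Y"),
    # UseInternetPorts (REG_SZ "Y"). If the key is absent, the endpoint mapper
    # allocates from the default dynamic range, which is why the client saw 1025.
    if (-not (Test-Path -Path $RpcKey)) { return $null }
    $p = Get-ItemProperty -Path $RpcKey
    [pscustomobject]@{
        Ports                  = @($p.Ports)
        PortsInternetAvailable = $p.PortsInternetAvailable
        UseInternetPorts       = $p.UseInternetPorts
    }
}

function ConvertTo-PortRanges {
    param([string[]] $Entries)
    # Each Ports entry is either a single port "n" or a range "a-b".
    foreach ($e in $Entries) {
        if ($e -match '^\s*(\d+)\s*-\s*(\d+)\s*$') {
            [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[2] }
        } elseif ($e -match '^\s*(\d+)\s*$') {
            [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[1] }
        } else {
            Write-Warning "Unparseable Ports entry: '$e'"
        }
    }
}

function Test-IpsecCoversRpc {
    param($Restriction, $Allowed)
    if ($null -eq $Restriction) {
        Write-Host "No RPC port restriction on this DC: the endpoint mapper will hand out"
        Write-Host "default dynamic ports (the client saw 1025), which the IPSec filter"
        Write-Host "$($Allowed.Start)-$($Allowed.End) does not permit. The join will fail."
        return $false
    }
    if ($Restriction.UseInternetPorts -ne 'Y' -or $Restriction.PortsInternetAvailable -ne 'Y') {
        Write-Host "Ports key exists but UseInternetPorts / PortsInternetAvailable are not 'Y';"
        Write-Host "RPC is not honouring the restriction (see KB 154596)."
        return $false
    }
    $ok = $true
    foreach ($r in ConvertTo-PortRanges -Entries $Restriction.Ports) {
        if ($r.Start -lt $Allowed.Start -or $r.End -gt $Allowed.End) {
            Write-Host "RPC range $($r.Start)-$($r.End) falls outside the IPSec filter $($Allowed.Start)-$($Allowed.End)."
            $ok = $false
        }
    }
    if ($ok) { Write-Host "RPC port restriction is inside the IPSec-permitted range." }
    return $ok
}

$result = Test-IpsecCoversRpc -Restriction (Get-RpcPortRestriction) -Allowed $IpsecAllowed
# KB 154596: changes to these values take effect only after the DC is restarted,
# and the same restriction must be applied on every DC the client may reach.
```

Two checks worth keeping in mind when reading the output: the IPSec filter must also still permit TCP 135 itself (the trace in this thread shows that connection succeeding, so that rule is already in place), and the port range in the registry has to be set on every DC covered by the GPO, since the client can be referred to either one.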


