Re: RPC and IPSec
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Mon, 27 Mar 2006 07:35:36 -0600
Yes, that has been previously established.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no rights.
"steve" <steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EA27A441-3FCE-48C0-BDA6-0C2ED64CA8AB@xxxxxxxxxxxxxxxx
Hi,
Just to share: I just implemented IPsec in my environment.
If there is no firewall between your client and DC, you don't need to define a range of dynamic/static RPC ports. If you have a firewall, then you need to allow TCP 135 and a range of dynamic high ports (example: TCP 5001-5050) on the firewall and define TCP 5001-5050 on all DCs.
If your client and DC are separated by any network devices, check whether your switches or routers have any access lists.
Thanks,
steve
"Trond E. Gjelsvik-Bakke" wrote:
Hello.
I have implemented the IPSec policy in the domain controller GPO. Both of my DCs have this IPSec policy.
When the client is trying to join the domain, I can see that it is connecting to one of the DCs on port 135. The DC then replies with port 1025, and when the client tries to connect to the DC again on 1025 it fails!!
This is because the DC's RPC range is defined as 57901-57950 through IPSec.
Do I need to alter the RPC port range in the registry on my DCs to make this work??
TEGB
"Paul Bergson" wrote:
This is an RPC error. The machine that the client is trying to attach to should be the one telling the client which RPC port to use. The client machine is provided this info on the initial connection off of port 135.
I'm a little confused on your details, but have you defined the port restrictions on ALL your source machines that this client is going to attach to, and do any firewalls that may be set up in between have these ports opened up? Have you made any other mods to the machines' RPC definitions, such as the one described in the link below?
Dynamic allocation of rpc port range
http://support.microsoft.com/kb/154596/en-us
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no rights.
"Trond E. Gjelsvik-Bakke" <Trond E. Gjelsvik-Bakke@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53174CBF-DED6-45F1-9DDA-0F0AD9F07986@xxxxxxxxxxxxxxxx
Hello.
I have implemented IPSec on my DCs. The IPSec is as described in the Windows Security Resource Kit. I have used the recommended IPSec filters for domain controllers with DNS.
I have made some adjustments, as I have one Administration LAN to which I have been given full access.
When I put a client on some other LAN and try to join this client to the domain I get an error: "There are no more endpoints available to the endpoint mapper"
The join then fails!!
I guess that this has something to do with the IPSec rule:
Predefined RPC Range - TCP - ANY - 57901-57950 - ANY - ME - ALLOW - YES
This rule is, if I'm not wrong, limiting the ports used by RPC.
If I remove the IPSec or move the client into the Administrative LAN, it joins.
Does anyone have a solution to this??
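An added PowerShell example, written for this page rather than posted by anyone in the thread, applying the registry change from the KB article Paul links so that the DC's RPC runtime only hands out ports inside the range the IPSec filter allows (the 57901-57950 range Trond describes) instead of 1025. The port values, the `netstat` parsing and the 1025-5000 legacy range are assumptions for illustration; the registry path and value names are those documented in KB 154596, and each DC must be rebooted before the RPC runtime honours them.

```powershell
# Added example (not from the thread): pin the RPC dynamic port range in the registry so the
# endpoint mapper hands out ports inside the IPSec-filtered range (57901-57950 in the thread)
# instead of 1025. Key and value names are the ones documented in KB 154596 (linked above).
# Run elevated on every DC; the RPC runtime only reads these values at boot.
param(
    [int]$StartPort = 57901,   # assumption: same range as the IPSec "Predefined RPC Range" filter
    [int]$EndPort   = 57950
)

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcPortRange {
    param([int]$Start, [int]$End)
    if ($Start -lt 1 -or $End -gt 65535 -or $End -lt $Start) { throw "Invalid port range $Start-$End" }
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # "Ports" is REG_MULTI_SZ; one "start-end" entry is enough for a contiguous range.
    Set-ItemProperty -Path $rpcKey -Name 'Ports' -Value @("$Start-$End") -Type MultiString
    # "Y" = the listed ports are the ones RPC may allocate; everything else is excluded.
    Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -Value 'Y' -Type String
}

function Get-RpcPortRange {
    # Read the three values back so the setting can be compared across all DCs.
    if (-not (Test-Path $rpcKey)) { return $null }
    $p = Get-ItemProperty -Path $rpcKey
    [pscustomobject]@{ Ports = $p.Ports; PortsInternetAvailable = $p.PortsInternetAvailable; UseInternetPorts = $p.UseInternetPorts }
}

function Test-RpcListeners {
    # After the reboot: classify TCP listeners above 1024. Ports inside the pinned range show the
    # runtime honoured the setting; ports in 1025-5000 (the legacy default dynamic range that
    # produced the "1025" reply in the thread) mean a client behind the firewall or IPSec filter
    # will still be handed a port it cannot reach. Assumption: netstat column layout as below.
    param([int]$Start, [int]$End)
    $ports = netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
        [int](($_.Trim() -split '\s+')[1] -replace '^.*:', '')   # local address column -> port
    } | Sort-Object -Unique | Where-Object { $_ -gt 1024 }
    [pscustomobject]@{
        InPinnedRange = @($ports | Where-Object { $_ -ge $Start -and $_ -le $End })
        LegacyDynamic = @($ports | Where-Object { $_ -ge 1025 -and $_ -le 5000 })
    }
}

Set-RpcPortRange -Start $StartPort -End $EndPort
Get-RpcPortRange | Format-List
Write-Host "Reboot this DC, then run: Test-RpcListeners -Start $StartPort -End $EndPort"
```

The firewall between the client LAN and the DCs still needs TCP 135 plus the same pinned range open, as steve notes; this script only covers the DC side of the mismatch.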