Solved

RPC via VPN & Nat

Posted on 2002-05-02
474 Views
Last Modified: 2010-05-18
Hi
I have a DCOM component on a server in our internal network that is called from clients that access our network via GPRS through a VPN; the component gets called ok.. but when it comes to making an RPC (remote procedure call) the component throws an out of memory error (some Microsoft guy said that the system account is not in the ACL(!?))
Is it possible or not to run an RPC through a VPN? We use a Cisco based VPN.. if yes can I have some white papers.. links or anything to base on.. (there are 2 PIX firewalls between the client and the DCOM host but the VPN should tunnel through them) btw.. all the possible ports are open (135 + higher ports)

rgrds
0
Question by:Michel Sakr
10 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 6990792
I see no reason that the RPC calls will not pass through a properly configured IPSEC VPN tunnel.
You say you are using a Cisco based VPN, with two PIX firewalls between the client and host, but you did not specify if the VPN is PIX-to-PIX, router-to-PIX or router-to-router. We need to know the exact termination points of the VPNs if you have:

client -- PIX --- Router --Internet-- router -- PIX -- host

Typically, all IP traffic is configured to pass through the tunnel. If the RPC calls use TCP, then you should not have a problem if the VPN is from PIX to PIX. I would need the PIX software version to know which links to post for VPN setup.

http://www.microsoft.com/com/wpaper/dcomfw.asp
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6990797
Also need to know if your DCOM server is NT 4.0 or Windows 2000...

If you have it set up to use UDP, then UDP broadcasts may not be forwarded across the VPN without specific configurations...
0
 
LVL 20

Author Comment

by:Michel Sakr
ID: 7036750
client .. router .. pix ..<i don't know if there's a router here>..pix.. router.. server
Using Windows 2000 on the server and NT 4 on the client..
After further investigation, the issue seems to be the IP packet size. The IP packet size is by default 1500 bytes;
it's being dropped on the router and not fragmented.. tried to minimise the packet size to 1400 bytes (from the registry on the server) but it didn't work.. (minimised the packet size on the client too)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7037182
The PIX firewall needs to allow ICMP unreachables and Packet-too-big messages for path-mtu-discovery to work properly. The router default mtu is 1500 also, so that should not be a problem.
0
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 7063990
For RPC to work, you need the portmapper open also...
port 111 UDP
Open only port 111 and 1024+ and see if that works.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7075003
You're letting VPN clients do RPC with you?  You're either really brave, or really dumb (you *are* aware of the numerous security holes present in most RPC implementations, yes?).  Please don't make the all-too-common mistake of trusting your VPN users (I could preach all day about that)...

In any case, if you insist:

lrmoore is correct about mtu, if your network will pass (and your clients will listen to) pmtu messages.  You might just want to set your MTU lower, manually, in case pmtu is broken somewhere...

BTW, this *does* work for non-VPN users, yes?  If not, we need to re-evaluate the situation.

Cheers,
-Jon

P.S.  To answer your original question - yes, it is possible, as is any IP-based communication protocol.  You just have to know how to configure your systems properly.
0
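lrmoore's point above that the PIX must pass ICMP unreachable / packet-too-big messages for path MTU discovery, and The--Captain's suggestion to lower the MTU manually if PMTUD is broken, as an added example that is not part of this thread and not the poster's configuration: the script below estimates how much of a 1500-byte link an ESP tunnel-mode encapsulation leaves for the inner packet, and models what a DF-set packet experiences when a firewall between the endpoints filters the ICMP fragmentation-needed reply. The overhead constants assume ESP with an 8-byte IV and a 12-byte truncated HMAC ICV; the packet sizes and tunnel MTU are constructed values.

```python
# Added example (not from the thread): ESP tunnel-mode overhead budget and a
# PMTUD black-hole model. Overhead constants are assumptions (3DES-CBC + HMAC-96).
from dataclasses import dataclass, field

IP_HDR = 20        # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 8         # cipher IV (3DES-CBC)
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 / HMAC-MD5-96 truncated ICV
ESP_BLOCK = 8      # cipher block size the plaintext is padded to

def esp_tunnel_overhead(inner_len: int) -> int:
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes."""
    padding = (-(inner_len + ESP_TRAILER)) % ESP_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padding + ESP_TRAILER + ESP_ICV

def max_inner_packet(link_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated form still fits link_mtu."""
    size = link_mtu
    while size + esp_tunnel_overhead(size) > link_mtu:
        size -= 1
    return size

def tcp_mss_for(link_mtu: int = 1500) -> int:
    """TCP MSS to clamp to so a full segment fits the tunnel (IP + TCP = 40 bytes)."""
    return max_inner_packet(link_mtu) - 40

@dataclass
class PathResult:
    delivered: bool
    sizes_tried: list = field(default_factory=list)

def simulate_pmtud(packet_len: int, tunnel_mtu: int, icmp_allowed: bool,
                   df: bool = True, max_rounds: int = 8) -> PathResult:
    """Model a sender pushing packets through a tunnel endpoint with tunnel_mtu.
    Oversized DF-set packets are dropped and answered with ICMP type 3 code 4
    carrying the next-hop MTU; if a firewall filters that ICMP (icmp_allowed=False)
    the sender never learns the path MTU and the connection black-holes."""
    result = PathResult(False)
    size = packet_len
    for _ in range(max_rounds):
        result.sizes_tried.append(size)
        if size <= tunnel_mtu or not df:   # fits, or the router may fragment it
            result.delivered = True
            return result
        if not icmp_allowed:               # silent drop: PMTUD black hole
            return result
        size = tunnel_mtu                  # sender shrinks to the advertised MTU
    return result
```

With these assumptions a 1500-byte link leaves 1446 bytes for the inner packet (MSS 1406), so a 1500-byte DF packet is delivered only when the ICMP reply gets back to the sender, while a 1400-byte packet fits regardless.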
 
LVL 20

Author Comment

by:Michel Sakr
ID: 7090242
>You're either really brave, or really dumb ..

We are a mobile operator.. we have some partners that use GPRS technology and want to access our server.. it's sort of, let's say, a WAN.. where we will use VPN over it for more security..
The machines we installed on our partner side are fully controlled by us.. the users have limited privileges on the machines (they don't have admin access.. they can only run 1 specific application).. no input hardware (floppies, CDs) and the case is sealed..
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7871984
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question:

I recommend: moderator support

if there is any objection or other expert commentary to this recommendation then please post in here within 7 days.
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

thanks,
lrmoore
EE Cleanup Volunteer
---------------------
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7873259
I don't know what I recommend - this was clearly in my court, but I must assume I never received an email notif, as the question died.

I suppose we should see how the original poster wishes to proceed, if he's still around - he had scads of expert pts (makes mine look pathetic), and might still be active.

Otherwise, I guess I recommend delete - let's leave this one open a bit longer though, eh?

Cheers,
-Jon
0
 
LVL 20

Author Comment

by:Michel Sakr
ID: 7917482
hmm.. unfortunately the issue was related to the component security model.. where we had to disable component authentication.. I see lrmoore has tried to solve the issue in a rational way..

sorry for the delay
0
