Warhawk72
asked on
One-way trust, DMZ forest to internal forest, required services across a firewall. RPC main concern.
Currently, I have a DMZ where the ACLs from the DMZ to the inside need to be specific down to the protocol and port. The DMZ domain for this example can be called OutDom, and the inside domain can be called InDom.
The OutDom has a one-way trust with InDom: OutDom trusts InDom.
2 DCs for OutDom, and 4 DCs for InDom.
From the two DCs within the DMZ domain "OutDom", what are the ports these machines will be destined to on the InDom DCs?
Currently I am aware of these requirements:
CA, 88/udp and 88/tcp
LDAP, 389/udp and 389/tcp
LDAP SSL, 636/tcp
SMB, 445/udp, 445/tcp
DNS, 53/udp and 53/tcp
RPC, 135/udp and 135/tcp
RPC and the dynamic ports is the part I do not have a clear picture of how to handle.
I am looking to find what specific RPC services must be allowed. I will then look at the possibilities of setting the RPC services statically to a specific port or port range on the InDom domain controllers.
Any help would be appreciated. Am I missing anything? GC?
I have read the following material but cannot determine the specific RPC services required for the trust to function properly.
"Active Directory in Networks Segmented by Firewalls"
http://www.google.com/url?sa=t&source=web&cd=2&ved=0CBoQFjAB&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2Fc%2Fa%2F3%2Fca3647b8-9948-4f92-8637-fcb8fdfa3de0%2FADSegment_IPSec_W2K.doc&rct=j&q=Active%20Directory%20in%20Networks%20Segmented%20by%20Firewalls&ei=CXn-TIuiOYi8sQORzvGvCw&usg=AFQjCNF69rzZuYyDxCAwpZrEtSi8P7o6bQ&sig2=3-iwdaCj8N4Zvx9b32XSpQ&cad=rja
"Active Directory Replication over Firewalls"
http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx
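The static-port approach the question above is weighing, as an added worked example that is not part of the original thread: it pins the two RPC interfaces Microsoft lets you bind to a fixed port on a DC (AD replication/DRS via the NTDS "TCP/IP Port" value, Netlogon via "DCTcpIpPort", both documented in KB 224196), shrinks the remaining RPC dynamic range with netsh, reads the result back, and prints the OutDom-DC-to-InDom-DC rule list that follows. The well-known ports come from Microsoft's published list for domains and trusts (KB 179442, which is where the 3268/3269 global catalog entries the question asks about appear); the specific port numbers chosen here are hypothetical and not Microsoft defaults. Run it elevated on each InDom DC; the NTDS and Netlogon values take effect after a reboot.

```powershell
<#
 Added example, not code from the original post. Registry value names and netsh syntax
 are Microsoft's documented ones (KB 224196); the port numbers are hypothetical choices.
 Run elevated on each InDom DC. NTDS/Netlogon changes need a reboot to take effect.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$NtdsPort     = 50000,   # hypothetical fixed port for the NTDS (DRS) RPC interface
    [int]$NetlogonPort = 50001,   # hypothetical fixed port for the Netlogon RPC interface
    [int]$DynStart     = 50100,   # hypothetical start of the remaining RPC dynamic range
    [int]$DynCount     = 400      # Windows requires at least 255 ports in the range
)

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dynEnd  = $DynStart + $DynCount - 1

# Sanity checks before touching anything: the pinned ports must not fall inside the
# dynamic range, collide with each other, or collide with a well-known AD port.
$wellKnown = 53, 88, 123, 135, 389, 445, 464, 636, 3268, 3269
foreach ($p in $NtdsPort, $NetlogonPort) {
    if ($p -ge $DynStart -and $p -le $dynEnd) { throw "Port $p overlaps the dynamic range $DynStart-$dynEnd" }
    if ($wellKnown -contains $p)              { throw "Port $p collides with a well-known AD port" }
}
if ($NtdsPort -eq $NetlogonPort) { throw 'NTDS and Netlogon must use different ports' }
if ($DynCount -lt 255)           { throw 'The RPC dynamic range must contain at least 255 ports' }

if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Pin NTDS/Netlogon RPC ports and set the dynamic range')) {
    # KB 224196: both values are REG_DWORD; absent values are created by Set-ItemProperty.
    Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $NtdsPort     -Type DWord
    Set-ItemProperty -Path $nlKey   -Name 'DCTcpIpPort' -Value $NetlogonPort -Type DWord
    # Narrow the range the endpoint mapper hands out for everything that is not pinned
    # (LSA, SAM and the other RPC interfaces the trust touches).
    netsh int ipv4 set dynamicport tcp start=$DynStart num=$DynCount | Out-Null
    netsh int ipv4 set dynamicport udp start=$DynStart num=$DynCount | Out-Null
}

# Read back what is configured so the ACL is built from the DC's actual state.
$ntdsNow = (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port').'TCP/IP Port'
$nlNow   = (Get-ItemProperty -Path $nlKey   -Name 'DCTcpIpPort').DCTcpIpPort
netsh int ipv4 show dynamicport tcp

# Firewall rule list: source = OutDom DCs (ephemeral source ports), destination = InDom DCs.
# Well-known entries follow KB 179442; the three RPC entries are the values set above.
$rules = @(
    [pscustomobject]@{ Service = 'DNS';                        Proto = 'tcp,udp'; Port = '53' }
    [pscustomobject]@{ Service = 'Kerberos';                   Proto = 'tcp,udp'; Port = '88' }
    [pscustomobject]@{ Service = 'NTP (W32Time)';              Proto = 'udp';     Port = '123' }
    [pscustomobject]@{ Service = 'RPC endpoint mapper';        Proto = 'tcp';     Port = '135' }
    [pscustomobject]@{ Service = 'LDAP';                       Proto = 'tcp,udp'; Port = '389' }
    [pscustomobject]@{ Service = 'SMB (named-pipe RPC)';       Proto = 'tcp';     Port = '445' }
    [pscustomobject]@{ Service = 'Kerberos kpasswd';           Proto = 'tcp,udp'; Port = '464' }
    [pscustomobject]@{ Service = 'LDAP over SSL';              Proto = 'tcp';     Port = '636' }
    [pscustomobject]@{ Service = 'Global catalog';             Proto = 'tcp';     Port = '3268' }
    [pscustomobject]@{ Service = 'Global catalog SSL';         Proto = 'tcp';     Port = '3269' }
    [pscustomobject]@{ Service = 'NTDS (DRS) RPC, pinned';     Proto = 'tcp';     Port = "$ntdsNow" }
    [pscustomobject]@{ Service = 'Netlogon RPC, pinned';       Proto = 'tcp';     Port = "$nlNow" }
    [pscustomobject]@{ Service = 'RPC dynamic (LSA, SAM, etc.)'; Proto = 'tcp';   Port = "$DynStart-$dynEnd" }
)
$rules | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Pinning covers only the NTDS and Netlogon interfaces; LSA and SAM RPC calls that arrive over TCP rather than over the 445 named pipes are still allocated from the dynamic range, so that range (now narrowed) must still be opened on the firewall, and the Windows Firewall on the InDom DCs must admit the pinned ports as well. Run the script with -WhatIf first to see the rule table without changing the DC, and apply the same values on all four InDom DCs so one ACL entry set serves them all.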
ASKER
Pber,
I was aware of ISA, yet we are running a Cisco ASA which has no inspection engine for "Microsoft's" RPC service, unfortunately!!!
Thank you for input.
:)
Warhawk72
Glad to help. We don't use ISA either, thus don't have that functionality. It would be nice though.
ASKER
And information continues! :)
I submitted a TAC case with Cisco, to discuss the inspection engines and if the ASA could handle MS RPC. Initially the engineer stated that the ASA does not support Microsoft's implementation of RPC, but that I could look into the SUN RPC inspection that the ASA does support. Ugh, yeah I will look into that, not!
So two days later now, I received a follow up email stating that as of version 7.2.1, the DCERPC engine will work for Microsoft's RPC services, I am awaiting documentation to verify that! :)
Warhawk72
ASKER
Looks like they do have an engine.
time to see if it works!
Here are some links,
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1669527
http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn72.html#wp73498
Taken from Cisco website: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/inspect_mgmt.html#wp1478733
"DCERPC Inspect Map
The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection.
DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper (EPM) listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and Port number are received from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by EPM, multiple use of pinholes are allowed, which have user configurable timeouts. "
Hey cool. I will have to investigate.
Thanks for sharing.
Pat
I forgot to mention that if you use an ISA firewall (possibly other vendors may have implemented this as well), you can turn on a firewall rule with an RPC filter. The RPC filter makes RPC port rules dynamically, kind of like a stateful firewall. The idea is that the firewall monitors the port 135 traffic and finds out what ports the RPC endpoint mapper has negotiated, then it allows the negotiated source/destination dynamically without having to create a separate rule for the complete range of ports.
See this for more info:
http://blogs.technet.com/b/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx