Warhawk72 asked:

One-way trust, DMZ forest to internal forest, required services across a firewall. RPC main concern.

Currently, I have a DMZ where the ACLs from the DMZ to the inside need to be specific down to the protocol and port. The DMZ domain for this example can be called OutDom, and the inside domain can be called InDom.

The OutDom has a one way trust with InDom. OutDom trusts InDom.

2 DCs for OutDom, and 4 DCs for InDom.

From the two DCs within the DMZ domain "OutDom", what are the ports these machines will be destined to on the InDom DCs?

Currently I am aware of these requirements:

CA, 88/udp and 88/tcp
LDAP, 389/udp and 389/tcp
LDAP SSL, 636/tcp
SMB, 445/udp, 445/tcp
DNS, 53/udp and 53/tcp
RPC, 135/udp and 135/tcp
RPC and the dynamic ports is the part I do not have a clear picture of how to handle.

I am looking to find what specific RPC services must be allowed. I will then look at the possibilities of setting the RPC services statically to a specific port or port range on the InDom domain controllers.

Any help would be appreciated. Am I missing anything? GC?

I have read the following material but cannot determine the specific RPC services required for the trust to function properly.

"Active Directory in Networks Segmented by Firewalls"

http://www.google.com/url?sa=t&source=web&cd=2&ved=0CBoQFjAB&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2Fc%2Fa%2F3%2Fca3647b8-9948-4f92-8637-fcb8fdfa3de0%2FADSegment_IPSec_W2K.doc&rct=j&q=Active%20Directory%20in%20Networks%20Segmented%20by%20Firewalls&ei=CXn-TIuiOYi8sQORzvGvCw&usg=AFQjCNF69rzZuYyDxCAwpZrEtSi8P7o6bQ&sig2=3-iwdaCj8N4Zvx9b32XSpQ&cad=rja 

"Active Directory Replication over Firewalls"

http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx 
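The static-port approach the question mentions, as an added example that is not part of the original post. It pins the RPC endpoints a DC exposes (NTDS, Netlogon, FRS via the registry; DFSR via dfsrdiag), shrinks the dynamic range that everything else falls into, and then checks what is actually listening. The port numbers, hostnames and the choice to run it per DC are assumptions for illustration; Get-NetTCPConnection needs Server 2012 or later (use netstat -ano on older DCs), and dfsrdiag needs the DFS Replication tools installed.

```powershell
# Added example, not from the thread. Run elevated on each InDom DC, then reboot so the
# NTDS and FRS values take effect. Port numbers are assumptions: pick unused ports > 49151.

$Pins = @{
    # DRS / directory service RPC interface (lives in lsass) - KB 224196
    NTDS     = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Port = 38901 }
    # Netlogon: trust secure channel and pass-through authentication - KB 224196
    Netlogon = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Port = 38902 }
    # FRS SYSVOL replication (only on domains still using FRS) - KB 319553
    NTFRS    = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Port = 38903 }
}

function Set-StaticRpcPort {
    param([string]$Path, [string]$Name, [int]$Port)
    if (-not (Test-Path $Path)) {
        Write-Warning "$Path not present on this DC (service not installed), skipping"
        return $null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Port -PropertyType DWord -Force | Out-Null
    (Get-ItemProperty -Path $Path -Name $Name).$Name     # read back what was written
}

foreach ($svc in $Pins.Keys) {
    $p = $Pins[$svc]
    $set = Set-StaticRpcPort -Path $p.Path -Name $p.Name -Port $p.Port
    if ($set) { Write-Host ("{0,-8} {1} = {2}" -f $svc, $p.Name, $set) }
}

# DFSR (SYSVOL on DFSR-based domains) is pinned with dfsrdiag rather than the registry.
& dfsrdiag.exe StaticRPC /Port:38904 "/Member:$($env:COMPUTERNAME)"

# Anything not pinned above (the remaining lsass interfaces such as LSARPC and SAMR over
# TCP) still takes a port from the dynamic range, so narrow that range to one the ACL
# can name instead of opening all of 49152-65535.
& netsh.exe int ipv4 set dynamicport tcp start=49152 num=1024
& netsh.exe int ipv4 show dynamicport tcp

# After the reboot: are the pinned ports listening, and is lsass.exe the owner?
function Test-PinnedRpcPort {
    param([int[]]$Ports)
    foreach ($port in $Ports) {
        $conn  = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        $owner = if ($conn) { (Get-Process -Id $conn[0].OwningProcess).ProcessName } else { $null }
        [pscustomobject]@{ Port = $port; Listening = [bool]$conn; Owner = $owner }
    }
}
Test-PinnedRpcPort -Ports 38901, 38902, 38903, 38904 | Format-Table -AutoSize
```

With the pins in place the DMZ-to-inside ACL can list 135/tcp, the four pinned ports and the narrowed dynamic range per InDom DC instead of the whole ephemeral range; the EPM on 135 still has to be reachable, because clients learn the pinned port from it rather than from configuration.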



Last Comment: Pber, 8/22/2022 - Mon
SOLUTION
Mike Thomas
(answer not shown: log in or sign up to see answer)
ASKER CERTIFIED SOLUTION
Pber
(answer not shown: log in or sign up to see answer)
Pber


I forgot to mention: if you use an ISA firewall (possibly other vendors may have implemented this as well), you can turn on a firewall rule with an RPC filter. The RPC filter makes RPC port rules dynamically, kind of like a stateful firewall. The idea is the firewall monitors the port 135 traffic and finds out what ports the RPC endpoint mapper has negotiated, then it allows the negotiated source/destination dynamically without having to create a separate rule for the complete range of ports.
See this for more info:
http://blogs.technet.com/b/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx
ASKER
Warhawk72

Pber,


I was aware of ISA, yet we are running a Cisco ASA, which has no inspection engine for "Microsoft's" RPC service, unfortunately!!!

Thank you for the input.

:)

Warhawk72
Pber

Glad to help.  We don't use ISA either, thus don't have that functionality.  It would be nice though.
ASKER
Warhawk72

And information continues! :)

I submitted a TAC case with Cisco to discuss the inspection engines and whether the ASA could handle MS RPC. Initially the engineer stated that the ASA does not support Microsoft's implementation of RPC, but that I could look into the Sun RPC inspection that the ASA does support. Ugh, yeah, I will look into that, not!

So two days later, I received a follow-up email stating that as of version 7.2.1, the DCERPC engine will work for Microsoft's RPC services. I am awaiting documentation to verify that! :)

Warhawk72
ASKER
Warhawk72

Looks like they do have an engine.

Time to see if it works!
Here are some links:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1669527

http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn72.html#wp73498

Taken from Cisco website: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/inspect_mgmt.html#wp1478733 


"DCERPC Inspect Map

The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection.

DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.

This typically involves a client querying a server called the Endpoint Mapper (EPM) listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.

DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and Port number are received from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by EPM, multiple use of pinholes are allowed, which have user configurable timeouts. "
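A check to run once the ASA DCERPC inspection (or the static ports plus matching ACL) is in place, as an added example that is not from the thread or from Cisco. A TCP handshake on 135 only proves the endpoint mapper is reachable; what a firewall tends to break is the secondary connection to the port the EPM hands back, and only a real RPC call exercises that. The script first does the cheap port checks from the question's list and then drives a Netlogon secure-channel verification with nltest, which is a genuine RPC exchange across the trust. The InDom DC names are assumptions for illustration; run it from an OutDom DC in the DMZ.

```powershell
# Added example, not from the thread. Run from an OutDom DC (the DMZ side of the trust).
$InDomDCs = 'indc1.indom.example', 'indc2.indom.example'   # assumed names
$Ports    = 135, 445, 389, 636, 88, 53                       # the question's TCP list plus the EPM

# Step 1: plain TCP reachability per InDom DC and port. Passing here says nothing about
# the dynamic secondary connection; it only rules out the obvious ACL mistakes.
function Test-DcPorts {
    param([string[]]$Servers, [int[]]$Ports)
    foreach ($s in $Servers) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $s -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Server = $s; Port = $p; TcpOpen = $r.TcpTestSucceeded }
        }
    }
}

# Step 2: a real RPC call over the trust. On a DC, nltest /sc_verify:<trusted domain>
# re-validates the inter-domain secure channel, so the EPM lookup and the follow-on
# connection to the negotiated (or pinned) Netlogon port both have to succeed.
function Test-TrustSecureChannel {
    param([string]$TrustedDomain)
    $out = & nltest.exe /sc_verify:$TrustedDomain 2>&1
    [pscustomobject]@{
        TrustedDomain = $TrustedDomain
        TrustedDC     = ($out | Select-String 'Trusted DC Name' | ForEach-Object { ($_.ToString() -split '\s+')[-1] })
        Verified      = [bool]($out | Select-String 'Trust Verification Status = 0 0x0')
        Raw           = $out
    }
}

Test-DcPorts -Servers $InDomDCs -Ports $Ports | Format-Table -AutoSize
Test-TrustSecureChannel -TrustedDomain 'InDom'
```

If step 1 is all green but Verified comes back $false, the EPM reply was received but the secondary connection was dropped, which is exactly the case the inspection map is meant to fix; the ASA's connection table (show conn) should show the pinhole it opened while the nltest call is running. Netlogon can also reach a DC over the named pipe on 445, so a passing result with 445 open does not by itself prove the dynamic path is working; close 445 temporarily in a test window if you need to isolate it.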
Pber

Hey cool.  I will have to investigate.
Thanks for sharing.

Pat