Comments on: Stanislas Quastana’s Guide to Intradomain Communications Including AD UUIDs http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/ Written by Dr Thomas W Shinder, consultant to Microsoft, HP and many Fortune 500 companies on ISA firewall and Web proxy deployments this blog is where administrators get information about ISA Server Universal Threat Management firewalls. Topics include how to manage, deploy, and troubleshoot ISA Server as a network firewall, Web proxy/Web cache, remote access VPN server and VPN gateway to provide a high level of network security for all corporate computers. Wed, 7 Jan 2009 01:17:01 +0000 http://wordpress.org/?v=MU by: BlackPH http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-381 Mon, 17 Apr 2006 14:49:36 +0000 http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-381 it`s new knowlege for me. But if i want use RPC filter for FE Exchange - i will need use only 1 DC+GC :( Very big 10x Stanislas. it`s new knowlege for me. But if i want use RPC filter for FE Exchange - i will need use only 1 DC+GC :(

Very big 10x Stanislas.

]]> by: Thomas Shinder http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-373 Sat, 15 Apr 2006 13:09:57 +0000 http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-373 Hi Stanislas, Thanks! Tom Hi Stanislas,
Thanks!
Tom

]]> by: Stanislas Quastana http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-371 Fri, 14 Apr 2006 21:21:07 +0000 http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-371 Hi, You must use a publication rule for RPC filtering (by design the RPC filter apply only to incoming RPC traffic). It's "normal" (by design) that RPC filtering doesn't work with access rule This publication rule works also between 2 routed networks (don't forget to check source ip = client IP adress) - Stanislas - Hi,

You must use a publication rule for RPC filtering (by design the RPC filter apply only to incoming RPC traffic). It’s “normal” (by design) that RPC filtering doesn’t work with access rule

This publication rule works also between 2 routed networks (don’t forget to check source ip = client IP adress)

- Stanislas -

]]> by: Thomas Shinder http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-365 Thu, 13 Apr 2006 12:35:35 +0000 http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-365 The checksum issue has nothing to do with RCP UUIDs. Make sure you're following the complete procedures in both mine and Stan's articles. HTH, Tom The checksum issue has nothing to do with RCP UUIDs.

Make sure you’re following the complete procedures in both mine and Stan’s articles.

HTH,
Tom

]]> by: BlackPH http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-362 Thu, 13 Apr 2006 10:32:35 +0000 http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/#comment-362 I have tried this perfect way of RPC filtering ,but nothing. Maximum result when i have - is error about wrong TCP checksum on EMP Map request level " Internet Protocol, Src: 172.16.2.2 (172.16.2.2), Dst: 192.168.1.248 (192.168.1.248) Transmission Control Protocol, Src Port: 1130 (1130), Dst Port: epmap (135), Seq: 117, Ack: 85, Len: 156 Source port: 1130 (1130) Destination port: epmap (135) Sequence number: 117 (relative sequence number) Next sequence number: 273 (relative sequence number) Acknowledgement number: 85 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 65451 Checksum: 0x7169 [incorrect, should be 0x9142] SEQ/ACK analysis This is an ACK to the segment in frame: 6 The RTT to ACK the segment was: 0.000029000 seconds DCE RPC Request, Fragment: Single, FragLen: 156, Call: 1 Ctx: 0 Version: 5 Version (minor): 0 Packet type: Request (0) Packet Flags: 0x03 Data Representation: 10000000 Frag Length: 156 Auth Length: 0 Call ID: 1 Alloc hint: 132 Context ID: 0 Opnum: 3 DCE/RPC Endpoint Mapper, Map " I used "access" rule, not "public". DMZ and Internal have route relationship. When i remove my "RPC for AD Logon" filter protocol, and add predefined RPC (all interfaces) - all working fine. I have tried this perfect way of RPC filtering ,but nothing. Maximum result when i have - is error about wrong TCP checksum on EMP Map request level

Internet Protocol, Src: 172.16.2.2 (172.16.2.2), Dst: 192.168.1.248 (192.168.1.248)
Transmission Control Protocol, Src Port: 1130 (1130), Dst Port: epmap (135), Seq: 117, Ack: 85, Len: 156
Source port: 1130 (1130)
Destination port: epmap (135)
Sequence number: 117 (relative sequence number)
Next sequence number: 273 (relative sequence number)
Acknowledgement number: 85 (relative ack number)
Header length: 20 bytes
Flags: 0×0018 (PSH, ACK)
Window size: 65451
Checksum: 0×7169 [incorrect, should be 0×9142]
SEQ/ACK analysis
This is an ACK to the segment in frame: 6
The RTT to ACK the segment was: 0.000029000 seconds
DCE RPC Request, Fragment: Single, FragLen: 156, Call: 1 Ctx: 0
Version: 5
Version (minor): 0
Packet type: Request (0)
Packet Flags: 0×03
Data Representation: 10000000
Frag Length: 156
Auth Length: 0
Call ID: 1
Alloc hint: 132
Context ID: 0
Opnum: 3
DCE/RPC Endpoint Mapper, Map

I used “access” rule, not “public”. DMZ and Internal have route relationship. When i remove my “RPC for AD Logon” filter protocol, and add predefined RPC (all interfaces) - all working fine.

]]>