Microsoft RPC (MSRPC) support

All,

I have a Windows server on the inside of my firewall whose service needs to be reached via Microsoft-style RPC (MSRPC) by clients that are on the outside. How do I configure the firewall to accommodate this? (In case it matters, the code is FWSM Firewall Version 2.3(1).)

As I understand it, MSRPC operates as follows. (Please alert me to any errors.) The client wants to use a service that the server provides, but the service does not have a well-known port number. Rather, the service is identified by a well-known "program number." The client contacts port 135/tcp on the server, specifies the desired program number, and is told on what port number the service is listening. The client then proceeds to contact the service in the normal way (fresh connection; full TCP handshake) on the port it has been told to use.

This behavior presents a problem. The firewall needs to permit the client's second connection, but the destination port cannot be known (or therefore configured into the firewall) in advance. To support MSRPC, therefore, I expected the firewall to have a fixup. It does not have one for MSRPC, though it does *seem* to have a non-configurable one for Sun-style RPC. (See PIX Firewall & VPN Config Guide p. 5-29.) Even though there is supposedly a SunRPC fixup, the documentation's example implies that you should simply identify the service port ahead of time using "rpcinfo" on the client, then configure the firewall statically. Is that really a good idea? It is possible for the service to use a different port at different times, correct? And how is that considered fixup? (What fixup is happening?)

Anyway, the documentation mentions MSRPC again in the appendix devoted to MS Exchange support, and suggests use of the "established" command. The documentation for that command, however, says that it "allows outbound connections return access through the PIX Firewall." In my case, I am concerned with inbound connections.

Thanks much for any advice you can offer.

Christopher Ursich

Accepted Solution

vschmidt_2 (Level 1)

I don't know a PIX / IOS fix up for this. But this is the way Microsoft will solve this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

<< very brief summary of the above document >>

Restricting the Range of TCP Ports

There are several registry settings that control the DCOM port restriction functionality. All of the named values listed below are located under the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet registry key (which you must create). Remember that you only need to do this on the server machine. Clients will automatically pick up the right port numbers when they connect to the SCM on the server machine.

Name: Ports

Type: REG_MULTI_SZ

Value: 3000-4000 (Specify one port range per line. One or more port ranges.)

Configuring Your Firewall

The firewall between your server and the Internet should be configured as follows:

Deny all incoming traffic from the Internet to your server.

Permit incoming traffic from all clients to TCP port 135 (and UDP port 135, if necessary) on your server.

Permit incoming traffic from all clients to the TCP ports (and UDP ports, if necessary) on your server in the Ports range(s) specified above.

Greetings Volker
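As an added illustration of the answer above (not code from the thread or from Microsoft), the following script parses a Ports REG_MULTI_SZ value such as the one described, emits the three firewall rules from the answer in PIX/FWSM access-list syntax, and checks whether a port handed out by the endpoint mapper on 135/tcp actually falls inside the restricted range. The server address 192.0.2.10, the ACL name outside_in and the exact FWSM 2.3 access-list wording are assumptions to verify against your own configuration guide.

```python
"""Added example: DCOM/MSRPC port restriction as described in the accepted answer.
Assumed: server address, ACL name, and PIX/FWSM-style access-list syntax."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    def contains(self, port: int) -> bool:
        return self.low <= port <= self.high


def parse_port_ranges(lines: List[str]) -> List[PortRange]:
    """Parse the entries of the Ports REG_MULTI_SZ value: one '3000-4000'
    or a single port such as '5000' per line. Rejects malformed ranges so a
    typo does not silently leave DCOM on the default dynamic port range."""
    ranges = []
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(entry)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {entry!r}")
        ranges.append(PortRange(lo, hi))
    return ranges


def firewall_rules(server_ip: str, ranges: List[PortRange],
                   acl: str = "outside_in", udp: bool = False) -> List[str]:
    """The answer's three rules: permit 135, permit the restricted range(s),
    deny everything else to the server. UDP lines only if the service needs them."""
    rules = []
    for proto in ["tcp"] + (["udp"] if udp else []):
        rules.append(f"access-list {acl} permit {proto} any host {server_ip} eq 135")
        for r in ranges:
            rules.append(f"access-list {acl} permit {proto} any host {server_ip} "
                         f"range {r.low} {r.high}")
    rules.append(f"access-list {acl} deny ip any host {server_ip}")
    return rules


def endpoint_allowed(port: int, ranges: List[PortRange]) -> bool:
    """True if the port the endpoint mapper told the client to use lies in the
    configured range; False means the registry restriction is not in effect."""
    return any(r.contains(port) for r in ranges)
```

Bind the generated list with `access-group outside_in in interface outside`; a client that is told to use a port the check rejects is the quickest sign that the registry key was not created or the server has not been restarted.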


2 Replies

Volker,

Thanks much for the information.

Chris
