Cisco Support Community

New Member

RPC through a router ACL

There have to be plenty of people who have had to do this before, but I can't seem to find anything on CCO on this. I need to put Windows servers behind an ACL on a router and still permit RPC *without* nailing down the port on the servers (the server people say RPC gets put back to its default config every time they apply a patch). Has anyone done this?

2 REPLIES
Gold

Re: RPC through a router ACL

Please have a look at this Microsoft doc:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4dbc4c95-935b-4617-b4f8-20fc947c7288.mspx

I guess if you follow the required ports from the doc, it should work.

Just wondering if you are going to publish the server to the Internet and allow inbound RPC directly. If so, please reconsider, as RPC is extremely "hot" for viruses/worms, etc.

New Member

Re: RPC through a router ACL

Thanks for the link. The problem is that last part: "RPC Server Programs". They want you to open every port above 1023 so the server can dynamically assign a port (a little bit like locking the door but leaving all the windows open). Apparently the client contacts the server on one of the well-known port numbers and the server tells it to contact it on the dynamically assigned port. I had hoped that Firewall IOS might be able to look further up the stack to recognize the RPC "conversation" and permit it, but I haven't been able to find any references to that on CCO.

The idea of this is to isolate the servers on their own internal network and have the clients access them through the ACL; we definitely don't want to allow any RPC from outside. We want to increase internal security by firewalling critical assets within the corporate network. We're using CSA on the servers already but wanted to take all possible precautions.
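The reply above objects to the "open every port above 1023" rule that a static ACL needs for dynamically assigned RPC ports. The following is an added audit script, not code from the thread or from Cisco, that parses a constructed IOS extended ACL and flags permit entries that open a large destination port range to new inbound connections. It assumes a subset of IOS extended-ACL syntax (`any`, `host`, address/wildcard pairs, `eq`/`gt`/`lt`/`neq`/`range` port operators), uses TCP 135 as the well-known RPC endpoint-mapper port, and uses 10.x addresses and the ACL name `SERVERS-IN` as placeholders.

```python
import re

# Constructed sample ACL (not from the thread). The two wide entries are the
# "every port above 1023" pattern the reply describes; TCP 135 is the RPC
# endpoint mapper, the well-known port the client contacts first. Addresses
# and the ACL name are placeholders.
SAMPLE_ACL = """\
ip access-list extended SERVERS-IN
 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.10 eq 135
 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.10 gt 1023
 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.11 range 1024 65535
 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.11 eq 445
 permit tcp any any established
 deny ip any any log
"""

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


def _take_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _take_ports(tokens, i):
    """Consume an optional port operator. Returns (spec, next_index); spec None means all ports."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    op = tokens[i]
    if op == "range":
        return (op, int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    # eq/neq may list several ports on newer IOS releases; gt/lt take one.
    j = i + 1
    ports = []
    while j < len(tokens) and tokens[j].isdigit():
        ports.append(int(tokens[j]))
        j += 1
    return (op, *ports), j


def parse_acl(text):
    """Parse the permit/deny entries of an IOS extended ACL fragment into dicts."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # header line, remarks, blank lines
        action, proto = tokens[0], tokens[1]
        src, i = _take_addr(tokens, 2)
        src_ports, i = _take_ports(tokens, i)
        dst, i = _take_addr(tokens, i)
        dst_ports, i = _take_ports(tokens, i)
        entries.append({"line": raw.strip(), "action": action, "proto": proto,
                        "src": src, "src_ports": src_ports, "dst": dst,
                        "dst_ports": dst_ports, "flags": tokens[i:]})
    return entries


def port_count(spec):
    """Number of TCP/UDP destination ports a port spec matches (65536 when no operator)."""
    if spec is None:
        return 65536
    op = spec[0]
    if op == "eq":
        return len(spec) - 1
    if op == "neq":
        return 65536 - (len(spec) - 1)
    if op == "gt":
        return 65535 - spec[1]
    if op == "lt":
        return spec[1]
    if op == "range":
        return spec[2] - spec[1] + 1
    raise ValueError(f"unknown port operator {op}")


def find_broad_permits(text, threshold=1024):
    """Return (line, ports_opened) for permits that let new connections reach >= threshold ports."""
    hits = []
    for e in parse_acl(text):
        if e["action"] != "permit":
            continue
        if "established" in e["flags"]:
            continue  # only matches replies to sessions opened from the inside, not new connections
        n = port_count(e["dst_ports"])
        if n >= threshold:
            hits.append((e["line"], n))
    return hits


if __name__ == "__main__":
    for line, n in find_broad_permits(SAMPLE_ACL):
        print(f"{n:5d} ports opened by: {line}")
```

Running it on the constructed ACL reports the `gt 1023` and `range 1024 65535` entries (64512 ports each) and passes the narrow `eq 135` and `eq 445` entries; the `established` line is skipped because it cannot admit a new inbound connection. The same check run over `show running-config` output gives a quick inventory of where the dynamic-port workaround has been applied before deciding whether a stateful inspection feature or a fixed RPC port range is the better fix.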
