RPC through a router ACL

warodriguez
Level 1

There have to be plenty of people who have had to do this before, but I can't seem to find anything on CCO on this. I need to put Windows servers behind an ACL on a router and still permit RPC *without* nailing down the port on the servers (the server people say RPC gets put back to its default config every time they apply a patch). Has anyone done this?

2 Replies

jackko
Level 7

Please have a look at this Microsoft doc:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4dbc4c95-935b-4617-b4f8-20fc947c7288.mspx

I guess if you follow the required ports from the doc, it should work.

Just wondering if you are going to publish the server to the internet and allow inbound RPC directly. If so, please reconsider, as RPC is extremely "hot" for viruses/worms etc.

Thanks for the link. The problem is that last part: "RPC Server Programs: ". They want you to open every port above 1023 so the server can dynamically assign a port (a little bit like locking the door but leaving all the windows open). Apparently the client contacts the server on one of the well-known port numbers and the server tells it to contact it on the dynamically assigned port. I had hoped that Firewall IOS might be able to look further up the stack to recognize the RPC "conversation" and permit it, but I haven't been able to find any references to that on CCO.

The idea of this is to isolate the servers on their own internal network and have the clients access them through the ACL; we definitely don't want to allow any RPC from outside. We want to increase internal security by firewalling critical assets within the corporate network. We're using CSA on the servers already but wanted to take all possible precautions.
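To make the difference concrete, here is an added example (not from the thread, Cisco or Microsoft) that models the RPC endpoint-mapper conversation the poster describes: the "permit everything above 1023" ACL beside a tracker that follows the exchange on TCP 135 and opens only the port the server announced. The server address, client addresses, ports and the trace are constructed; the tracker is a model of what a stateful inspection engine would have to do, not IOS Firewall code.

```python
# Constructed model of the Windows RPC endpoint-mapper (EPM) exchange described
# in the thread: the client connects to the well-known port (TCP 135), the EPM
# answers with a dynamically assigned port above 1023, and the client then
# connects there. A static ACL must permit every port > 1023; a conversation
# tracker only has to open the one port that was actually announced.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EPM_PORT = 135  # RPC endpoint mapper, one of the well-known ports in the linked doc


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    epm_reply: Optional[int] = None  # port announced in the EPM response, if any


def static_acl_allows(flow: Flow, server: str) -> bool:
    """The 'open every port above 1023' rule the original poster objects to."""
    return flow.dst == server and (flow.dport == EPM_PORT or flow.dport > 1023)


@dataclass
class RpcTracker:
    """Hypothetical inspection engine that follows the EPM exchange per client."""
    server: str
    pinholes: set = field(default_factory=set)  # (client, announced port) pairs

    def allows(self, flow: Flow) -> bool:
        if flow.dst != self.server:
            return False
        if flow.dport == EPM_PORT:  # EPM query: remember what the server handed out
            if flow.epm_reply is not None and flow.epm_reply > 1023:
                self.pinholes.add((flow.src, flow.epm_reply))
            return True
        # Any other port is allowed only for the client it was announced to.
        return (flow.src, flow.dport) in self.pinholes


def evaluate(trace: List[Flow], server: str) -> List[Tuple[bool, bool]]:
    """Return (static ACL verdict, tracker verdict) for each flow, in order."""
    tracker = RpcTracker(server)
    return [(static_acl_allows(f, server), tracker.allows(f)) for f in trace]


# Constructed trace: one legitimate RPC conversation, then an unrelated
# high-port connection from another host that never talked to the EPM.
SERVER = "10.0.0.10"
TRACE = [
    Flow("10.1.1.5", SERVER, EPM_PORT, epm_reply=1090),  # EPM query, told to use 1090
    Flow("10.1.1.5", SERVER, 1090),                      # follow-up on the announced port
    Flow("10.1.1.9", SERVER, 4444),                      # no EPM exchange preceded this
]

if __name__ == "__main__":
    for flow, (acl, tracked) in zip(TRACE, evaluate(TRACE, SERVER)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  static ACL={acl}  tracker={tracked}")
```

The third flow is the one that matters: the static ACL passes it because 4444 is above 1023, while the tracker denies it because no endpoint-mapper reply ever announced that port to that client.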
