Stanislas Quastana's blog on TechNet

Windows Server, Windows Client, Cloud Computing, DirectAccess, information systems security


Segmenting Networks with ISA 2004 – Filtering access to Domain Controllers


Purpose

This document explains how to use ISA Server 2004 as an application-layer firewall between a Windows 2000 domain controller and a Windows 2000 member server.

This configuration allows you to:

- join a stand-alone server to a Windows 2000 Active Directory domain
- open user sessions
- apply Group Policies


Network diagram

 

Network rules matrix

| Source IP | Source port | Transport | Protocol | Destination IP | Destination port | Comments |
|---|---|---|---|---|---|---|
| Member servers in DMZ | * | UDP, TCP (1) | DNS | DNS server used for AD resolution | 53 | Name resolution |
| Member servers in DMZ | * | UDP, TCP (2) | Kerberos-Sec | AD - Domain Controllers | 88 | Authentication mechanism |
| Member servers in DMZ | * | UDP | NTP | AD - Domain Controllers | 123 | Time synchronization |
| Member servers in DMZ | * | TCP | RPC Endpoint Mapper | AD - Domain Controllers | 135 | Must be queried first to retrieve the dynamic port of the RPC service. |
| Member servers in DMZ | * | UDP, TCP | LDAP | AD - Domain Controllers | 389 | Used to query Active Directory |
| Member servers in DMZ | * | TCP | Microsoft CIFS | AD - Domain Controllers | 445 | Microsoft file share. Necessary for applying Group Policies |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS root servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS replica servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | RPC (all interfaces) | AD - Domain Controllers | >1024 | Can be an IP range on a traditional firewall. Not necessary to define if you use the ISA 2004 RPC filter. |
| Member servers in DMZ | N/A | ICMP | Ping | AD - Domain Controllers | N/A | |
| AD - Domain Controllers | N/A | ICMP | Ping | Member servers in DMZ | N/A | |

*: all
N/A: not applicable

(1) TCP is used for DNS zone transfers and when the answer exceeds 512 bytes.
(2) By default, Windows 2000 and Windows XP use UDP when the data fits in packets smaller than 2,000 bytes. Any data above this value uses TCP to carry the packets. The 2,000-byte threshold is configurable by modifying a registry key and value.

Additional information:

  How to Force Kerberos to Use TCP Instead of UDP
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474

  HOWTO: Configure RPC Dynamic Port Allocation to Work with Firewall
  http://support.microsoft.com/default.aspx?scid=kb;en-us;154596


Firewall Rules to define on ISA Server 2004 between a DC and a member server

In this example:
- LAN3 contains the member servers
- Internal (192.168.102.x/24) contains the Domain Controller (192.68.102.10)

Two protocols are inspected at the application layer: DNS and RPC.

The DNS AD firewall access rule detects and blocks:
- DNS length overflow
- DNS zone transfer
- DNS name overflow


The RPC AD firewall access rule limits RPC traffic to the interface UUIDs that are mandatory to open a user session and to apply Group Policies.

| UUID | RPC Service |
|---|---|
| {12345778-1234-ABCD-EF00-0123456789AB} | LSA |
| {12345778-1234-ABCD-EF00-0123456789AC} | SAM |
| {12345778-1234-ABCD-EF00-01234567CFFB} | Net Logon |
| {6BFFD098-A112-3610-9833-012892020162} | Computer Browser |
| {E3514235-4B06-11D1-AB04-00C04FC2DCD2} | MS NT Directory DRS Interface |
| {F5CC59B4-4264-101A-8C59-08002B2F8426} | Directory DRS |
| {F5CC5A18-4264-101A-8C59-08002B2F8426} | Directory NSP |
| {F5CC5A7C-4264-101A-8C59-08002B2F8426} | Directory XDS |


To define the AD RPC firewall publishing rule, you first need to create a protocol definition (RPC for AD Logon):


ISA Server 2004 includes an RPC filter that dynamically opens the high ports used by RPC applications (the RPC Endpoint Mapper returns those port numbers to the RPC client). This way, it is unnecessary to open static high ports for RPC.

The RPC filter also allows RPC requests to be filtered by interface (UUID).
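The rules matrix above and the RPC filter just described hinge on the same point: a traditional firewall needs a blanket TCP >1024 rule for RPC, whereas an endpoint-mapper-aware filter opens only the port the mapper returned for an allow-listed interface UUID. The following Python is an added example (not code from the original post or from ISA Server) that models both policies in simplified form; the pinhole-tracking structure and the addresses and unknown UUID used in the test are constructed for illustration, not ISA's implementation.

```python
# Simplified model of the two approaches on this page for RPC through the
# firewall: a static ">1024" range versus an endpoint-mapper-aware filter that
# opens a high port only for an allow-listed interface UUID. Illustration only,
# not ISA Server's actual implementation (assumption: one pinhole per flow).
from dataclasses import dataclass, field

# Interface UUIDs the page lists as mandatory for logon and Group Policy.
AD_LOGON_UUIDS = {
    "12345778-1234-ABCD-EF00-0123456789AB",  # LSA
    "12345778-1234-ABCD-EF00-0123456789AC",  # SAM
    "12345778-1234-ABCD-EF00-01234567CFFB",  # Net Logon
    "6BFFD098-A112-3610-9833-012892020162",  # Computer Browser
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2",  # MS NT Directory DRS Interface
    "F5CC59B4-4264-101A-8C59-08002B2F8426",  # Directory DRS
    "F5CC5A18-4264-101A-8C59-08002B2F8426",  # Directory NSP
    "F5CC5A7C-4264-101A-8C59-08002B2F8426",  # Directory XDS
}

# Static rows of the matrix: member servers -> domain controllers.
STATIC_RULES = {("udp", 53), ("tcp", 53), ("udp", 88), ("tcp", 88),
                ("udp", 123), ("tcp", 135), ("udp", 389), ("tcp", 389),
                ("tcp", 445)}


def traditional_allow(transport: str, dst_port: int) -> bool:
    """Traditional firewall: static rules plus a blanket TCP >1024 range."""
    return (transport, dst_port) in STATIC_RULES or (
        transport == "tcp" and dst_port > 1024)


@dataclass
class RpcAwareFilter:
    """Opens a high port only after the endpoint mapper binds it to an allowed UUID."""
    pinholes: dict = field(default_factory=dict)  # (client, server, port) -> uuid

    def observe_epm_response(self, client, server, uuid, port) -> bool:
        """Called on a port-135 reply; returns True if a pinhole was opened."""
        if uuid.upper() not in AD_LOGON_UUIDS or port <= 1024:
            return False  # unknown interface or not a dynamic port: no pinhole
        self.pinholes[(client, server, port)] = uuid.upper()
        return True

    def allow(self, client, server, transport, dst_port) -> bool:
        """Static rule, or a TCP pinhole previously opened for this exact flow."""
        if (transport, dst_port) in STATIC_RULES:
            return True
        return transport == "tcp" and (client, server, dst_port) in self.pinholes
```

The test flows use constructed addresses (192.0.2.x) and an all-zero UUID standing in for an interface that is not on the allow list.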

 

 

Comments
  • Hi,

    Great site on the UUID topic. I just had one question: is the list of UUIDs the same on any AD implementation, or does it change? How can I find what my UUIDs are, and how can I find my Exchange UUIDs?

    Thanks,

    Tom Decaluwé

  • UUIDs are the same for each AD implementation (in my example it's Windows 2000 AD).

    If you want to find the Exchange UUIDs, you just need to open the protocol definition in the ISA 2004 GUI (Exchange RPC); everything is already in the box (the full list of UUIDs for Exchange).

    For other UUIDs, you can use a sniffer (NetMonitor or Ethereal) and check the UUIDs in the packets. You can also use RPCScan or the tool included in ISA 2004 (RPC protocol definition wizard).

    Cheers
