Segmenting Networks with ISA 2004 – Filtering access to Domain Controllers
This document explains how to use ISA Server 2004 as an application layer firewall between a Windows 2000 domain controller and a Windows 2000 member server. This configuration allows:
- Integrate a stand alone server in a Windows 2000 Active Directory- open user session- apply Group policies
Network rules Matrix
Member servers in DMZ
DNS Server used for AD resolution
AD - Domain Controllers
RPC End Pointmapper
Necessary to ask it first to retrieve port value for RPC Service.
Use to query Active Directory
AD - Domain Controllers
Microsoft File share. Necessary for applying Group Policies
DFS root servers
Microsoft File share
DFS replicas servers
RPC (All interfaces)
Can be an IP range on a traditional firewall.
Not necessary to define if you use ISA 2004 RPC filter.
*: allN/A: Non Applicable
(1) TCP is used for DNS zone transfer and when answer exceed 512 bytes(2) By default, Windows 2000 and Windows XP use UDP when the data can be fit in packets fewer than 2,000 bytes. Any data above this value uses TCP to carry the packets. The value of 2,000 bytes is configurable by modifying a registry key and value.
How to Force Kerberos to Use TCP Instead of UDP http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474
HOWTO: Configure RPC Dynamic Port Allocation to Work with Firewall http://support.microsoft.com/default.aspx?scid=kb;en-us;154596
Firewall Rules to define on ISA Server 2004 between a DC and a member server
In this example: - LAN3 contains member servers - Internal (192.168.102.x/24) contains the Domain Controller (188.8.131.52)
2 protocols are analyzed deeply: DNS and RPC
DNS AD firewall access rule detect and block- DNS length overflow- DNS zone transfer- DNS name overflow
RPC AD firewall access rule limits RPC traffic to UUIDs that are mandatory to open a user session and to apply Group Policies.
MS NT Directory DRS Interface
ISA Server 2004 includes a RPC filter that allows dynamic open for high ports used by RPC applications (those high port numbers are returned by the RPC End Port Mapper to the RPC client). By this way, it is unnecessary to open static high ports for RPC.
RPC Filter allows to filter RPC Request by interfaces (UUID)
Hi, Greate site on the UUID topic i just had one question. The list of UUID's is this the same on any AD implementation or does this change? How can i find what my UUID's are and how can i find my Exchange UUID's? Thanks, Tom Decaluwé
UUIDs are the same for each AD implementation (in my example it's Windows 2000 AD)
If you want to find Exchange UUID, you just need to open protocole definition in ISA 2004 GUI (Exchange RPC) everything is already in the box (the full list of UUID for Exchange).
For others UUIDs, you can use a sniffer (NetMonitor or Ethereal) and check UUIDs in packets. You can also use RPCScan or the tool included in ISA 2004 (RPC protocol definition Wizards.