http://blogs.technet.com/edgeaccessblog/archive/tags/Network+Connector/default.aspxTags: Network Connectoren-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/edgeaccessblog/archive/2009/03/31/performing-wmi-application-queries-on-clients-connected-via-the-iag-network-connector.aspxTue, 31 Mar 2009 14:35:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3220322edgeaccessblog1http://blogs.technet.com/edgeaccessblog/comments/3220322.aspxhttp://blogs.technet.com/edgeaccessblog/commentrss.aspx?PostID=3220322http://blogs.technet.com/edgeaccessblog/rsscomments.aspx?PostID=3220322<P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><B style="mso-bidi-font-weight: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Scenario <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></B></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">Client computers connected via the IAG network connector (NC) to the LAN could access its network resources normally but failed to run WMI application queries against other computers.<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">Windows Management Instrumentation (WMI) is implemented using the Distributed Component Object Model (DCOM). This requires proper configuration of the firewall device(s) between the computer performing the WMI query and the destination computer.<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">In the ISA firewall running on the IAG server, DCOM communication <SPAN style="mso-spacerun: yes">&nbsp;</SPAN>is allowed when strict RPC compliance is not required for the applicable rule that handles this traffic. <SPAN style="mso-spacerun: yes">&nbsp;</SPAN>To resolve this problem I looked to see if Strict RPC compliance was enforced. It was. Turning off the strict RPC compliance for the Network Connector Access rule resolved the<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>issue in this scenario. <o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><B style="mso-bidi-font-weight: normal"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">Steps to check for and disable strict RPC compliance option <SPAN style="mso-spacerun: yes">&nbsp;</SPAN><o:p></o:p></SPAN></B></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">1) In the ISA server management console select the Firewall Policy on the left pane. Scroll down to the <I style="mso-bidi-font-style: normal">Whale::NetworkConnectorAccessRule</I> under Firewall Policy Rules and right-click on that line, selecting the <I style="mso-bidi-font-style: normal">Configure RPC protocol </I>option.</SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><IMG style="WIDTH: 620px; HEIGHT: 473px" height=473 src="http://blogs.technet.com/photos/eai_gallery/images/3220310/original.aspx" width=620 align=absMiddle mce_src="http://blogs.technet.com/photos/eai_gallery/images/3220310/original.aspx">&nbsp;</SPAN></P><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"></SPAN>&nbsp;</P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">2) Ensure that the Enforce strict RPC compliance option is <B style="mso-bidi-font-weight: normal">not</B> checked for this rule, and click OK.</SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><o:p><IMG style="WIDTH: 405px; HEIGHT: 450px" height=450 src="http://blogs.technet.com/photos/eai_gallery/images/3220311/original.aspx" width=405 align=absMiddle mce_src="http://blogs.technet.com/photos/eai_gallery/images/3220311/original.aspx">&nbsp;</o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><o:p><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">3) Click <I style="mso-bidi-font-style: normal">Apply</I> to save changes and update the configuration.</SPAN></o:p></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><o:p><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><IMG style="WIDTH: 620px; HEIGHT: 172px" height=172 src="http://blogs.technet.com/photos/eai_gallery/images/3220313/original.aspx" width=620 align=absMiddle mce_src="http://blogs.technet.com/photos/eai_gallery/images/3220313/original.aspx"></SPAN></o:p></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><o:p><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">&nbsp;</SPAN></o:p></P><o:p><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">If another custom NC rule was created, ensure that the same is true for that rule. <o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Times New Roman','serif'; mso-bidi-font-size: 12.0pt">For testing purposes, one other option could be to disable the RPC Filter globally. Care must be exercised as this might affect other rules on the system. If you have determined that it is safe to do so, this can be accomplished by selecting Add-ins on the left pane, selecting the Application Filters tab and right-clicking the RPC Filter. Select the <I style="mso-bidi-font-style: normal">Disable</I><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>option:<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><o:p><IMG style="WIDTH: 628px; HEIGHT: 292px" height=292 src="http://blogs.technet.com/photos/eai_gallery/images/3220315/original.aspx" width=628 align=absMiddle mce_src="http://blogs.technet.com/photos/eai_gallery/images/3220315/original.aspx">&nbsp;</o:p></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P><o:p> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Check the <I style="mso-bidi-font-style: normal">Apply </I>option to save changes and update the configuration.</SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><IMG src="http://blogs.technet.com/photos/eai_gallery/images/3220317/original.aspx" align=absMiddle mce_src="http://blogs.technet.com/photos/eai_gallery/images/3220317/original.aspx"></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"></SPAN></P><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">For more details on WMI and configuration in different scenarios, please check the following link: <B style="mso-bidi-font-weight: normal"><SPAN style="COLOR: #4f81bd; mso-themecolor: accent1">http://msdn.microsoft.com/en-us/library/aa389290(VS.85).aspx</SPAN></B><o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><B style="mso-bidi-font-weight: normal"><U><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><BR>Author<o:p></o:p></SPAN></U></B></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Renato Menezes<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Security Support Engineer – IAG Team<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Microsoft – North Carolina<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><B style="mso-bidi-font-weight: normal"><U><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p><SPAN style="TEXT-DECORATION: none">&nbsp;</SPAN></o:p></SPAN></U></B></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><B style="mso-bidi-font-weight: normal"><U><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Tech Reviewer<o:p></o:p></SPAN></U></B></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Vic Singh Shahid <o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Escalation Engineer – ISA /IAG Team<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">Microsoft – North Carolina<o:p></o:p></SPAN></P> <P class=MsoPlainText style="MARGIN: 0in 0in 0pt"><o:p></o:p></SPAN></P></o:p></SPAN></o:p></SPAN><img src="http://blogs.technet.com/aggbug.aspx?PostID=3220322" width="1" height="1">Network ConnectorIAG