Publishing RPC Services with ISA Server 2004

ISA Server 2004 uses the concept of a server publishing rule to protect specific services such as RPC. A server publishing rule enables a specific service on a single server to be published to the clients on a separate network. For example, an Exchange server in a protected Exchange network can have the MAPI RPC service published to the clients in the separate Clients network, making only that service available to them. Or, a DNS server in a perimeter (DMZ) network could have the DNS service published to clients in an internal network.

Server publishing rules are often confused with ISA Access rules, which enable specific protocols to traverse between networks. There are some fundamental differences between publishing rules and access rules, however, such as the following:

  • Individual publishing rules can publish only a single server, whereas access rules can allow blanket access to an entire range of systems.

  • Port translation can be accomplished through server publishing rules, but not access rules.

  • Certain application filters in ISA server were designed to work with server publishing rules only, such as the SMTP filter.

  • Web publishing rules can be used in single-NIC (unihomed) scenarios because the web traffic terminates at the ISA Server and is then re-transmitted to the actual web server. This is not possible with access rules (or any other non-web-based publishing rules, for that matter).

  • Access rules cannot be used to grant access to NAT clients; only server rules can be used for this.

Publishing an RPC Service

It is a relatively straightforward process to publish an RPC service in ISA Server 2004. The following step-by-step procedure illustrates how to publish general RPC traffic to a particular server. In this scenario, users on the Internal network need to have full RPC access to a server on the DMZ network, so an RPC server publishing rule is created.


For more secure RPC access, it is best to ascertain which UUIDs will be used and to restrict RPC access to only those interfaces. This process is illustrated in later sections of this chapter. Although less secure than UUID restrictions, using this process to publish RPC to a server is still much more secure than allowing "bare" RPC access to a server. ISA still hides much of the RPC service's promiscuity.


1. From the ISA Management Console, click on the Firewall Policy node in the console tree.

2. Under the Tasks tab in the Tasks pane, click on the link for Create New Server Publishing Rule.

3. Enter a descriptive name for the rule and click Next to continue.

4. Enter the IP address of the server that is to be published (remember that each rule can publish only one server) and click Next to continue.

5. Under Select Protocol, use the drop-down list to select RPC Server (All Interfaces), as shown in Figure 15.4. Click Next to continue.

Figure 15.4. Creating an RPC server publishing rule.

6. On the network listener page, check the networks on which the rule should listen (for this example, the Internal network is checked). Click Next to continue.

7. Click Finish, Apply, and OK.

Creating Custom RPC Protocol Definitions

By default, only two types of RPC options are available for RPC-based server publishing rules. The first option is to open all RPC interfaces, which is what was used for the scenario in the previous section. The other defined RPC protocol definition is used for Exchange MAPI access to mailboxes that use RPC. This protocol definition includes all the custom UUIDs that Outlook and Exchange need to communicate over MAPI.

In addition to using the default RPC protocol definitions, custom RPC protocols can be created and used for server publishing rules. If custom definitions are created for RPC, the service can be secured even further to allow only RPC traffic to the UUID services that the rule absolutely needs, rather than opening up blanket RPC access.

For example, an RPC protocol definition could be made for Active Directory domain controller replication that uses only the UUIDs required for replication to take place. Or, an RPC protocol definition could be created to allow access to a system using the Microsoft Management Console (MMC), which uses a different unique ID.


To determine which UUID is used by a particular service, the Network Monitor tool can be used to "sniff" the packets that hit a server and determine which UUIDs are necessary. This procedure is covered in later portions of this chapter.

To create a custom RPC protocol definition, do the following:


1. Open the ISA Management Console.

2. Click on the Firewall Policy node in the console tree.

3. Click on the Toolbox tab in the Tasks pane.

4. Click on Protocols to select it from the list of options in the Tasks pane.

5. Click on New, RPC Protocol, as shown in Figure 15.5.

Figure 15.5. Creating a custom RPC Protocol definition.

6. Enter a descriptive name for the protocol and click Next to continue.

7. In the Select Server dialog box, specific interfaces (UUIDs) from running servers can be viewed and used to create rules. Enter the name of a server to query and click Next.

8. In the Server Interfaces dialog box, shown in Figure 15.6, the UUIDs of services currently running on the server being examined can be used to create the custom definition. Check the UUIDs that the particular service needs to use and click Next to continue.

Figure 15.6. Adding server interfaces to a custom RPC protocol.

   In many cases it is not obvious which UUIDs are necessary. It may be useful to consult the product documentation to find which interfaces to add.

9. Click Finish, Apply, and OK to save the changes.

In addition to using existing defined service UUIDs, it is also possible to add them manually to the RPC protocol definition by clicking the Add Interfaces Manually radio button on the Select Server dialog box and clicking Next. This brings up the Adding Interfaces to the Protocol Definition dialog box, which enables custom UUIDs to be added to the RPC protocol definition.

To add the custom UUIDs, click the Add button and enter the UUID into the dialog box shown in Figure 15.7.

Figure 15.7. Manually adding UUIDs to an RPC protocol definition.

UUIDs should be entered enclosed in brackets. The dialog box also provides the option of defining whether the RPC service uses a specific, manually assigned port or is dynamically assigned one of the high ports. Click OK and continue with the wizard, adding as many custom UUIDs as necessary for the specific protocol definition.

After they are created, custom protocol definitions can be used specifically for server publishing rules, so that very secure RPC connections can be made to the servers.
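The security gain from a UUID-restricted definition is that the RPC filter can refuse a bind to any interface the definition does not list. The following Python is an added example, not code from the book or from ISA Server: it models that decision by accepting UUIDs in the bracketed form the dialog requires, parsing a DCE/RPC bind PDU, and allowing the bind only when every requested interface is in the definition. The DRSUAPI replication interface UUID is taken from Microsoft's MS-DRSR documentation; the sample PDUs and the second UUID used in testing are constructed.

```python
import struct
import uuid

# Interface UUIDs as typed into the ISA dialog, enclosed in brackets ({...}).
# This one is the DRSUAPI (Active Directory replication) interface documented
# in MS-DRSR, matching the replication example described in the chapter.
ALLOWED_INTERFACES = {"{e3514235-4b06-11d1-ab04-00c04fc2dcd2}"}

# NDR transfer syntax (C706 Appendix I); used only to build constructed sample PDUs.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def parse_isa_uuid(text):
    """Accept a UUID in the bracketed form the ISA dialog expects."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("UUID must be enclosed in brackets: {...}")
    return uuid.UUID(text[1:-1])


def bind_interfaces(pdu):
    """Return the interface UUIDs requested in a DCE/RPC bind PDU (C706 ch. 12)."""
    if len(pdu) < 28:
        raise ValueError("truncated PDU")
    vers, ptype, drep0 = pdu[0], pdu[2], pdu[4]
    if vers != 5 or ptype != 11:          # ptype 11 == bind
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if not drep0 & 0x10:                  # only little-endian data rep is handled
        raise ValueError("big-endian data representation not handled")
    n_ctx, off, ifaces = pdu[24], 28, []  # n_context_elem follows the 16-byte header + 8-byte body head
    for _ in range(n_ctx):
        n_xfer = pdu[off + 2]             # p_cont_id(2) n_transfer_syn(1) reserved(1)
        ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 4 + 20 + 20 * n_xfer       # context head + abstract syntax + transfer syntaxes
    return ifaces


def bind_allowed(pdu, allowed=ALLOWED_INTERFACES):
    """Model of the filter decision: every requested interface must be in the definition."""
    allowed_set = {parse_isa_uuid(a) for a in allowed}
    return all(iface in allowed_set for iface in bind_interfaces(pdu))


def build_bind(iface, call_id=1):
    """Constructed sample: a bind with one presentation context for `iface` (version 1.0)."""
    ctx = (struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
           + NDR_SYNTAX.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx
    hdr = struct.pack("<BBBBBBBBHHI", 5, 0, 11, 3, 0x10, 0, 0, 0, 16 + len(body), 0, call_id)
    return hdr + body
```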

    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    Year: 2005
    Pages: 216
    Authors: Michael Noel