ISA Server 2004 utilizes a concept of a server publishing rule to protect specific services such as RPC. A server publishing rule enables a specific service on a single server to be published to the clients on a separate network. For example, an Exchange server in a protected Exchange network can have the MAPI RPC service published to the clients in the separate Clients network, making only that service available to them. Or, a DNS server in a perimeter (DMZ) network could have the DNS service published to clients in an internal network.
Server publishing rules are often confused with ISA Access rules, which enable specific protocols to traverse between networks. There are some fundamental differences between publishing rules and access rules, however, such as the following:
Publishing an RPC Service
It is a relatively straightforward process to publish an RPC service in ISA Server 2004. The following step-by-step procedure illustrates how to publish general RPC traffic to a particular server. In this scenario, users on the Internal network need to have full RPC access to a server on the DMZ network, so an RPC server publishing rule is created.
For more secured RPC access, it is best to ascertain which UUIDs will be used and to restrict RPC access to only those interfaces. This process is illustrated in later sections of this chapter. Although less secure than UUID restrictions, using this process to publish RPC to a server is still much more secure than allowing "bare" RPC access to a server. ISA still hides much of the RPC service's promiscuity.
Creating Custom RPC Protocol Definitions
By default, only two types of RPC options are available for RPC-based server publishing rules. The first option is to open all RPC interfaces, which is what was used for the scenario in the previous section. The other defined RPC protocol definition is used for Exchange MAPI access to mailboxes that use RPC. This protocol definition includes all the custom UUIDs that Outlook and Exchange need to communicate over MAPI.
In addition to using the default RPC protocol definitions, custom RPC protocols can be created and used for server publishing rules. If custom definitions are created for RPC, the service can be secured even further to allow only RPC traffic to the UUID services that the rule absolutely needs, rather than open up blanket RPC access.
For example, an RPC protocol definition could be made for Active Directory domain controller replication that uses the UUIDs that are required for replication to take place. Or, a RPC protocol definition could be created to allow access to a system using the Microsoft Management Console (MMC), which uses a different unique ID.
To determine which UUID is used by a particular service, the Network Monitor tool can be used to "sniff" the packets that hit a server and determine which UUIDs are necessary. This procedure is covered in later portions of this chapter.
To create a custom RPC protocol definition, do the following:
In addition to using existing defined service UUIDs, it is also possible to add them manually to the RPC protocol definition by clicking the Add Interfaces Manually radio button on the Select Server dialog box and clicking Next. This brings up the Adding Interfaces to the Protocol Definition dialog box, which enables custom UUIDs to be added to the RPC protocol definition.
To add the custom UUIDs, click the Add button and enter the UUID into the dialog box shown in Figure 15.7.
Figure 15.7. Manually adding UUIDs to an RPC protocol definition.
UUIDs should be entered enclosed in brackets, and the option for defining whether RPC will manually assign a specific port or dynamically assign one of the high ports is also provided. Click OK and continue with the wizard, adding as many custom UUIDs as necessary for the specific protocol definition.
After they are created, custom protocol definitions can be used specifically for server publishing rules, so that very secure RPC connections can be made to the servers.