Firewall Wizards mailing list archives

Re: FW-1 and RPC with MSDTC


From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 12 Jan 2001 05:58:15 +1100 (EST)

I think you've misunderstood the question.  At least when one uses Sun RPC
there is a "program number" (/etc/rpc) for each RPC service.  FW-1 allows
you to control access across the firewall based on the RPC number (it's
encoded into the RPC packets).

On the Microsoft front, I've no idea if they have a similar mechanism but
I suspect they do.  After all, how else do you get the right port number
back to a query?  The documentation in Samba provides some details and with
some protocol analysis I was able to write an RPC proxy for IP Filter so I
could firewall an Exchange server and still have things work without having
to open up a bunch of ports for no good reason - only 137/tcp or whatever
it is where those lookups happen.

Darren

In some email I received from Michael Nelson, sie wrote:
That's because the RPC port number is random. See
http://www.microsoft.com/com/wpaper/dcomfw.asp (written by yours truly)
for more info. The info applies to RPC as well as DCOM.

-mike

On Tue, 9 Jan 2001, Javier Megias wrote:

We're trying to get one server, that has IIS4 with MSDTC components, to talk
with a SQL Server 7 database with MSDTC, that is in the other interface of
the firewall (CheckPoint FW-1 SP3). It complains that it can't use RPC or
that the RPC call isn't working, so we're trying to find out what RPC app
number we must use; have tried almost everything, and we can't get it to
work. The IIS is inside a NT Domain, and the SQL Server 7 is inside a NT
group.

                    IIS ----------- FW-1 ------SQLServer7

I think that the fact could be that we don't really know how RPC really
works :-) . Any wizard could light it?
Thanks,
Javier Megias

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
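
The Sun RPC program-number filtering mentioned at the top of this message can be illustrated with a short added example; it is not code from the thread, from FW-1 or from IP Filter. It parses the fixed ONC RPC call header and applies a default-deny allowlist; the `ALLOWED_PROGRAMS` policy, the helper names and the sample packets are assumptions constructed for the illustration.

```python
import struct

# Program numbers as listed in /etc/rpc (well-known ONC RPC assignments).
KNOWN_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd"}
# Hypothetical policy for this sketch: only the portmapper may cross.
ALLOWED_PROGRAMS = {100000}

CALL, RPC_VERSION = 0, 2


def parse_rpc_call(payload: bytes, tcp: bool = False):
    """Return (xid, prog, vers, proc) for an ONC RPC call, else None."""
    if tcp:
        # TCP carries a 4-byte record mark: top bit = last fragment,
        # low 31 bits = fragment length.
        if len(payload) < 4:
            return None
        (mark,) = struct.unpack(">I", payload[:4])
        length = mark & 0x7FFFFFFF
        payload = payload[4:4 + length]
    if len(payload) < 24:
        return None  # too short to hold the fixed call header
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != CALL or rpcvers != RPC_VERSION:
        return None  # a reply, or not ONC RPC version 2
    return xid, prog, vers, proc


def verdict(payload: bytes, tcp: bool = False) -> str:
    """Default-deny: pass only well-formed calls to allowed programs."""
    call = parse_rpc_call(payload, tcp)
    if call is None:
        return "drop (not a valid RPC call)"
    prog = call[1]
    name = KNOWN_PROGRAMS.get(prog, "unknown")
    action = "pass" if prog in ALLOWED_PROGRAMS else "drop"
    return f"{action} (program {prog}, {name})"


def make_call(xid, prog, vers, proc):
    """Build a constructed call header with empty AUTH_NONE cred/verf."""
    return struct.pack(">6I", xid, CALL, RPC_VERSION, prog, vers, proc) + b"\x00" * 16


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    getport = make_call(0x1234, 100000, 2, 3)   # portmapper GETPORT
    nfs_null = make_call(0x1235, 100003, 3, 0)  # NFS v3 NULL
    for pkt in (getport, nfs_null, b"\x00" * 8):
        print(verdict(pkt))
```

The check only covers the Sun RPC case; the Microsoft RPC endpoint lookups discussed in the thread use a different wire format and are not parsed here.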

