Subject: [ActiveDir] Firewalls, trusts, RPC and UUIDs
neilruston, 04/15/2008 7:50 AM
Here's the scenario:

ForestA, includes domainA
Forest B, includes domainB
domainA needs to trust domainB

A firewall exists between the 2 environments.

The firewall guys would like to restrict traffic between DCs in the 2
domains and to also restrict the flow of RPC traffic so that only RPC
trust traffic crosses the firewall. It has been suggested that might be
achieved using UUIDs.

[Please don't tell me that this is a dumb solution - I know that :) ]

I can use portqry to list out all RPC UUIDs used by DCs but the firewall
guys want the subset used for trusts only.

Does such an RPC UUID breakdown exist anywhere?

Many thanks in advance,
neil

Barclays Wealth is the wealth management division of Barclays Bank PLC. This email may relate to or be sent from other members of the Barclays Group.

The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions. The Barclays Group does not normally accept or offer business instructions via internet email. Any action that you might take upon this message might be at your own risk.

This email and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this email in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this email or its attachments.

Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this email may be monitored by the Barclays Group for operational or business reasons.

Any opinion or other information in this email or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.

Barclays Bank PLC. Registered in England and Wales (registered no. 1026167).
Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.

Barclays Bank PLC is authorised and regulated by the Financial Services Authority.

Shadow, 04/15/2008 9:21 AM
Please see the following link:-

How to configure RPC dynamic port allocation to work with firewalls:-

http://support.microsoft.com/kb/154596/

You could then create a tcp UUID Group that specifies the range and add
the member servers.

This message is confidential, so please treat it appropriately and for its intended purpose only. In particular, if it refers to any technical data, terms or prices not generally available or known, such items are "commercially sensitive information" within the terms of the Freedom of Information Act 2000 and related laws. As it would be prejudicial to RM's commercial interests if these were disclosed, please refrain from doing so.



As Internet communications are not secure, please be aware that RM cannot accept responsibility for its contents. Any views or opinions presented are those of the author only and not of RM. If you are not the intended recipient of this e-mail, please accept our apologies and arrange for copies of it to be deleted. For your information, RM may intercept incoming and outgoing email communications.



RM Education plc
Registered Office: New Mill House, 183 Milton Park, Abingdon, Oxfordshire, OX14 4SE, England
Registered Number: 1148594


neilruston, 04/15/2008 9:32 AM
Thanks - I'm aware that this can be done. [Remember, I said I knew the
proposal was dumb :) ]

The firewall guys want to restrict the flow of RPC so that *only* RPC
trust traffic is permitted. No other RPC traffic is permitted. The KB
won't help to achieve their requirement IMO.

If it were implemented my way, I'd go with the KB and ...


neil


alainlissoir, 04/15/2008 11:03 AM
Did you ever check the protocol documentation on MSDN?

[MS-ADTS]: Active Directory Technical Specification in Trust sub-section at
http://msdn2.microsoft.com/en-us/library/cc223756.aspx (and section
7.1.6.8.1.2, 7.1.6.8.1.3)

[MS-NRPC]: Netlogon Remote Protocol Specification
http://msdn2.microsoft.com/en-us/library/cc237008.aspx

I'm sure if you read around you will find information you want.

Regards,
/Alain

(Sent from Windows Vista x64 SP1 and Office 2007 SP1 on HP nc8430 x64)


neilruston, 04/16/2008 6:49 AM
Yes I did - that was the first place I looked :) I found some info there
but expected more :/

I found far more info here:
http://www.hsc.fr/ressources/articles/win_net_srv/

Thanks,
neil


Shadow, 04/16/2008 6:54 AM
I would certainly be interested in how you manage to resolve the issue,
so keep us posted!

Thanks

Shaun
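
Added example, not code from any poster in this thread: a Python parser for an endpoint-mapper dump in the layout PortQry prints, which splits the interfaces by an allow-list and reports the dynamic TCP ports that allow-listed and other interfaces share. The allow-list (Netlogon, the interface specified in [MS-NRPC], plus LSA), the host name and the sample dump are assumptions constructed for illustration.

```python
"""Split an RPC endpoint-mapper dump into allow-listed and other interfaces."""
import re
from collections import defaultdict

# ASSUMPTION (not from the thread): interfaces treated as trust-related here.
# Netlogon is the interface specified in [MS-NRPC]; LSA (lsarpc) is included
# because trusted-domain objects are managed through it. Validate this list
# against the protocol documents before building firewall policy on it.
TRUST_ALLOWLIST = {
    "12345678-1234-abcd-ef00-01234567cffb": "Netlogon (MS-NRPC)",
    "12345778-1234-abcd-ef00-0123456789ab": "LSA (lsarpc)",
}

# Constructed sample in the assumed layout of a PortQry endpoint-mapper query.
# The last UUID is made up and stands in for an unrelated service.
SAMPLE_DUMP = r"""Querying Endpoint Mapper Database...
Server's response:

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:dc1.domainb.example[1026]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:\\DC1[\pipe\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:dc1.domainb.example[1026]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:dc1.domainb.example[1026]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:dc1.domainb.example[1026]

UUID: 11111111-2222-3333-4444-555555555555
ncacn_ip_tcp:dc1.domainb.example[1030]

Total endpoints found: 6
"""

UUID_RE = re.compile(
    r"^UUID:\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s*(.*)$"
)
BINDING_RE = re.compile(r"^(ncacn_\w+|ncadg_\w+|ncalrpc):(.*?)\[(.+)\]\s*$")


def parse_dump(text):
    """Return (uuid, annotation, protseq, host, endpoint) for each entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        uuid_match = UUID_RE.match(line)
        if uuid_match:
            current = (uuid_match.group(1).lower(), uuid_match.group(2).strip())
            continue
        binding = BINDING_RE.match(line)
        if binding and current:
            entries.append(current + binding.groups())
            current = None  # one binding line per UUID line in this layout
    return entries


def classify(entries, allowlist=TRUST_ALLOWLIST):
    """Group TCP ports per interface and list ports both groups listen on."""
    allowed, other = defaultdict(set), defaultdict(set)
    for uuid, _note, protseq, _host, endpoint in entries:
        if protseq != "ncacn_ip_tcp":
            continue  # named pipes ride on SMB, not on a dynamic RPC port
        bucket = allowed if uuid in allowlist else other
        bucket[uuid].add(int(endpoint))
    wanted = set().union(*allowed.values())
    unwanted = set().union(*other.values())
    return {
        "allowed": {u: sorted(p) for u, p in allowed.items()},
        "other": {u: sorted(p) for u, p in other.items()},
        # Ports where a plain port rule would also admit other interfaces.
        "shared_ports": sorted(wanted & unwanted),
    }


if __name__ == "__main__":
    result = classify(parse_dump(SAMPLE_DUMP))
    for uuid, ports in result["allowed"].items():
        print(f"allow  {uuid}  {TRUST_ALLOWLIST[uuid]:<20} tcp {ports}")
    for uuid, ports in result["other"].items():
        print(f"other  {uuid}  {'':<20} tcp {ports}")
    print("ports shared with non-allow-listed interfaces:", result["shared_ports"])
```

On the constructed dump the result reports port 1026 as shared, which is why a port-range rule alone cannot express an "only trust RPC" policy. That needs a firewall that inspects the DCE/RPC bind for the interface UUID.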



________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
neil.ruston@barclayswealth.com
Sent: 16 April 2008 11:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Firewalls, trusts, RPC and UUIDs



Yes I did - that was the first place I looked :) I found some info there
but expected more :/



I found far more info here:
http://www.hsc.fr/ressources/articles/win_net_srv/



Thanks,

neil



________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Alain Lissoir
Sent: 15 April 2008 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Firewalls, trusts, RPC and UUIDs

Did you ever check the protocol documentations on MSDN?



[MS-ADTS]: Active Directory Technical Specification in Trust sub-section
at http://msdn2.microsoft.com/en-us/library/cc223756.aspx (and section
7.1.6.8.1.2, 7.1.6.8.1.3)

[MS-NRPC]: Netlogon Remote Protocol Specification
http://msdn2.microsoft.com/en-us/library/cc237008.aspx



I'm sure if you read around you will find information you want.



Regards,
/Alain






(Sent from Windows Vista x64 SP1 and Office 2007 SP1 on HP nc8430 x64)



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
neil.ruston@barclayswealth.com
Sent: Tuesday, April 15, 2008 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Firewalls, trusts, RPC and UUIDs



Thanks - I'm aware that this can be done. [Remember, I said I knew the
proposal was dumb :) ]



The firewall guys want to restrict the flow of RPC so that *only* RPC
trust traffic is permitted. No other RPC traffic is permitted. The KB
won't help to achieve their requirement IMO.



If it were implemented my way, I'd go with the KB and ...





neil



________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Shaun Little
Sent: 15 April 2008 14:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Firewalls, trusts, RPC and UUIDs

Please see the following link:-



How to configure RPC dynamic port allocation to work with firewalls:-



http://support.microsoft.com/kb/154596/



You could then create a tcp UUID Group that specifies the range and add
the member servers.







________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
neil.ruston@barclayswealth.com
Sent: 15 April 2008 12:49
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewalls, trusts, RPC and UUIDs



Here's the scenario:

ForestA, includes domainA
Forest B, includes domainB
domainA needs to trust domainB

A firewall exists between the 2 environments.

The firewall guys would like to restrict traffic between DCs in the 2
domains and to also restrict the flow of RPC traffic so that only RPC
trust traffic crosses the firewall. It has been suggested that might be
achieved using UUIDs.

[Please don't tell me that this is a dumb solution - I know that :) ]

I can use portqry to list out all RPC UUIDs used by DCs but the firewall
guys want the subset used for trusts only.

Does such an RPC UUID breakdown exist anywhere?

Many thanks in advance,
neil


This message is confidential, so please treat it appropriately and for
its intended purpose only. In particular, if it refers to any technical
data, terms or prices not generally available or known, such items are
"commercially sensitive information" within the terms of the Freedom of
Information Act 2000 and related laws. As it would be prejudicial to
RM's commercial interests if these were disclosed, please refrain from
doing so.

As Internet communications are not secure, please be aware that RM
cannot accept responsibility for its contents. Any views or opinions
presented are those of the author only and not of RM. If you are not the
intended recipient of this e-mail, please accept our apologies and
arrange for copies of it to be deleted. For your information, RM may
intercept incoming and outgoing email communications.

RM Education plc
Registered Office: New Mill House, 183 Milton Park, Abingdon,
Oxfordshire, OX14 4SE, England
Registered Number: 1148594


neilruston

Posts:164

04/16/2008 7:09 AM  
I'm now told we need to establish and maintain a trust in a lab, whilst
monitoring the flow of packets over the wire!

Then we ascertain which UUIDs are required and configure the firewall
appropriately.


neil

________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Shaun Little
Sent: 16 April 2008 11:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Firewalls, trusts, RPC and UUIDs



I would certainly be interested in how you manage to resolve the issue,
so keep us posted!



Thanks





Shaun



________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of
neil.ruston@barclayswealth.com
Sent: 16 April 2008 11:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Firewalls, trusts, RPC and UUIDs



Yes I did - that was the first place I looked :) I found some info there
but expected more :/



I found far more info here:
http://www.hsc.fr/ressources/articles/win_net_srv/



Thanks,

neil



________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Alain Lissoir
Sent: 15 April 2008 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Firewalls, trusts, RPC and UUIDs

Did you ever check the protocol documentation on MSDN?



[MS-ADTS]: Active Directory Technical Specification in Trust sub-section
at http://msdn2.microsoft.com/en-us/library/cc223756.aspx (and section
7.1.6.8.1.2, 7.1.6.8.1.3)

[MS-NRPC]: Netlogon Remote Protocol Specification
http://msdn2.microsoft.com/en-us/library/cc237008.aspx



I'm sure if you read around you will find the information you want.



Regards,
/Alain






(Sent from Windows Vista x64 SP1 and Office 2007 SP1 on HP nc8430 x64)





jbmlists

Posts:1

04/18/2008 5:17 AM  
On Wed, Apr 16, 2008 at 12:45 PM, <neil.ruston@barclayswealth.com> wrote:

> Yes I did - that was the first place I looked :) I found some info there but
> expected more :/
>
> I found far more info here:
> http://www.hsc.fr/ressources/articles/win_net_srv/

Glad to hear my article is still useful :-)

I intend to update it with links to the different specifications
recently released by MS, including MS-ADTS and MS-NRPC pointed out by
Alain.

Have you confirmed that the firewall you are using indeed supports
MSRPC (DCE/RPC) filtering?

Jean-Baptiste
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
neilruston

Posts:164

04/21/2008 3:57 AM  
Hi,

The firewall does indeed support UUID filters and in fact ships with an
'AD' filter. I suspect this actually means 'AD replication'. The network
guys want to be as restrictive as possible and only allow the RPC
traffic that is needed.

neil
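
The lab step discussed in this thread (capture the traffic while the trust is set up, read out which RPC interface UUIDs are bound, then compare them with the firewall's UUID filter) can be scripted. The Python below is an added illustration, not code from any poster or from the firewall vendor: it parses DCE/RPC bind PDUs and lists the interfaces they offer. The sample PDUs and the contents of the replication-only filter are constructed assumptions; the interface UUIDs are those published in Microsoft's protocol specifications.

```python
import struct
import uuid
from collections import Counter

# Interface UUIDs as published in Microsoft's protocol specifications.
KNOWN_INTERFACES = {
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "epmapper (endpoint mapper)",
    "12345678-1234-abcd-ef00-01234567cffb": "netlogon (MS-NRPC)",
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc (MS-LSAD)",
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "drsuapi (MS-DRSR)",
}
EPM, NETLOGON, LSARPC, DRSUAPI = KNOWN_INTERFACES  # the keys, in insertion order
NDR_TRANSFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
BIND_PTYPES = (11, 14)  # bind, alter_context

def parse_bind(pdu):
    """Return [(interface_uuid, "major.minor"), ...] for one bind/alter_context PDU."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC v5 PDU")
    if pdu[2] not in BIND_PTYPES:
        return []  # request/response PDUs carry a context id, not a UUID
    little = (pdu[4] >> 4) == 1  # data representation: integer byte order
    end = "<" if little else ">"
    frag_len, auth_len = struct.unpack_from(end + "HH", pdu, 8)
    # The context list ends where the optional auth trailer (8-byte header) starts.
    body_end = frag_len - (auth_len + 8 if auth_len else 0)
    if frag_len > len(pdu) or body_end < 28:
        raise ValueError("truncated or malformed fragment")
    off, found = 28, []  # 16-byte header + 8 bytes of bind fields + 4-byte list header
    for _ in range(pdu[24]):  # n_context_elem
        if off + 24 > body_end:
            raise ValueError("context list runs past the fragment")
        raw = pdu[off + 4:off + 20]
        if_uuid = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        (version,) = struct.unpack_from(end + "I", pdu, off + 20)
        found.append((str(if_uuid), f"{version & 0xFFFF}.{version >> 16}"))
        off += 24 + 20 * pdu[off + 2]  # skip the offered transfer syntaxes
    return found

def observed_interfaces(pdus):
    """Count every (uuid, version) offered across the captured PDUs."""
    seen = Counter()
    for pdu in pdus:
        seen.update(parse_bind(pdu))
    return seen

def filter_gaps(seen, firewall_uuids):
    """Interfaces seen in the lab that the firewall's UUID filter would not pass."""
    allowed = {u.lower() for u in firewall_uuids}
    return sorted({u for u, _ in seen} - allowed)

def build_bind(call_id, interfaces):
    """Build a little-endian bind PDU; used only to construct sample input."""
    ctx = b""
    for i, (if_uuid, major, minor) in enumerate(interfaces):
        ctx += struct.pack("<HBx", i, 1) + uuid.UUID(if_uuid).bytes_le
        ctx += struct.pack("<HH", major, minor)
        ctx += NDR_TRANSFER.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, len(interfaces)) + ctx
    return struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\0\0\0",
                       16 + len(body), 0, call_id) + body

# Constructed sample, not a real capture: which interfaces a trust needs is
# exactly what the lab capture has to establish.
SAMPLE_PDUS = [build_bind(1, [(EPM, 3, 0)]),
               build_bind(2, [(LSARPC, 0, 0), (NETLOGON, 1, 0)]),
               build_bind(3, [(NETLOGON, 1, 0)])]
# Hypothetical contents of a replication-only firewall filter (assumption).
REPLICATION_ONLY_FILTER = {EPM, DRSUAPI}

if __name__ == "__main__":
    for (u, v), n in sorted(observed_interfaces(SAMPLE_PDUS).items()):
        print(f"{n}x {u} v{v} {KNOWN_INTERFACES.get(u, 'unknown')}")
    print("not passed by filter:", filter_gaps(observed_interfaces(SAMPLE_PDUS),
                                               REPLICATION_ONLY_FILTER))
```

Feed it the payloads of the bind and alter_context PDUs taken from the lab capture. An interface reached over a named pipe is carried inside SMB, so its bind has to be extracted from that stream before it can be parsed this way.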

