[146368] in North American Network Operators' Group


Encrypted RPC and firewalling

daemon@ATHENA.MIT.EDU (Lasse Birnbaum Jensen)
Thu Nov 10 03:58:11 2011

From: Lasse Birnbaum Jensen <lasse@sdu.dk>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 10 Nov 2011 09:56:51 +0100

Hi all

I would like to know how you guys handle encrypted RPC across firewalls.

We utilize an ASA platform and the DCERPC inspection can't handle encrypted RPC (which is standard in most Windows 2008 and default in all communication in Exchange 2010). Cisco says: disable encryption or create "allow any" rules.

Do you limit the RPC port range on the Windows systems and make "holes" in the firewall for these, or do you disable RPC encryption?

Please share your knowledge in this area.

Best regards

Lasse Birnbaum Jensen
Network administrator, IT-Service
University of Southern Denmark

Email: lasse@sdu.dk
