Purpose
This document explains how to use ISA Server 2004 as an application layer firewall between a Windows 2000 domain controller and a Windows 2000 member server. This configuration allows you to:
- integrate a stand-alone server into a Windows 2000 Active Directory domain
- open a user session (domain logon) on that server
- apply Group Policies to it
Network diagram (figure not reproduced in this text)
Network rules matrix

| Source IP | Source port | Transport | Protocol | Destination IP | Destination port | Comments |
|---|---|---|---|---|---|---|
| Member servers in DMZ | * | UDP, TCP (1) | DNS | DNS server used for AD resolution | 53 | Name resolution |
| Member servers in DMZ | * | UDP, TCP (2) | Kerberos-Sec | AD domain controllers | 88 | Authentication mechanism |
| Member servers in DMZ | * | UDP | NTP | AD domain controllers | 123 | Time synchronization |
| Member servers in DMZ | * | TCP | RPC endpoint mapper | AD domain controllers | 135 | Must be queried first to retrieve the port number of the RPC service. |
| Member servers in DMZ | * | TCP | LDAP | AD domain controllers | 389 | Used to query Active Directory |
| Member servers in DMZ | * | TCP | Microsoft CIFS | AD domain controllers | 445 | Microsoft file share. Necessary for applying Group Policies |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS root servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS replica servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | RPC (all interfaces) | AD domain controllers | >1024 | Can be restricted to a port range on a traditional firewall (see KB 154596 below). Not necessary to define if you use the ISA 2004 RPC filter. |
| Member servers in DMZ | N/A | ICMP | Ping | AD domain controllers | N/A | |

*: all. N/A: not applicable.
(1) TCP is used for DNS zone transfers and when the answer exceeds 512 bytes.
(2) By default, Windows 2000 and Windows XP send Kerberos over UDP when the data fits in a packet of fewer than 2,000 bytes; anything larger is carried over TCP. The 2,000-byte threshold is configurable through the MaxPacketSize registry value (see KB 244474 below).
Additional information:
How to Force Kerberos to Use TCP Instead of UDP http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474
HOWTO: Configure RPC Dynamic Port Allocation to Work with Firewall http://support.microsoft.com/default.aspx?scid=kb;en-us;154596
Firewall Rules to define on ISA Server 2004 between a DC and a member server
In this example:
- LAN3 contains the member servers
- Internal (192.168.102.0/24) contains the domain controller (192.168.102.10)
Two protocols are inspected at the application layer: DNS and RPC.
The DNS AD firewall access rule detects and blocks:
- DNS length overflow
- DNS zone transfer
- DNS host name overflow
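To make concrete what the three DNS checks above amount to, here is an added example in Python (not ISA Server code and not from the original document): a small inspector for the question section of a DNS message that flags an AXFR request (zone transfer), a label or name longer than the RFC 1035 limits (host name overflow) and a UDP message longer than the classic 512-byte limit (length overflow). The sample queries are constructed by build_query; the function names and the decision to treat only UDP messages as length-limited are this example's own choices, and inspect_query expects the DNS message without the two-byte length prefix that TCP adds.

```python
"""Added example: DNS question inspection as an application-layer filter
would do it. The thresholds are the RFC 1035 limits; the query builder is
only here to construct sample packets offline."""
import struct

QTYPE_A = 1
QTYPE_AXFR = 252   # zone transfer request type (RFC 1035)
MAX_UDP_DNS = 512  # classic UDP DNS payload limit; larger answers use TCP
MAX_LABEL = 63     # RFC 1035 per-label limit
MAX_NAME = 255     # RFC 1035 whole-name limit, including the root label


class NameOverflow(ValueError):
    """A label or the whole name exceeds the RFC 1035 limits."""


def parse_name(msg, offset):
    """Decode an uncompressed DNS name at offset.
    Returns (labels, offset just past the name)."""
    labels = []
    total = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        ln = msg[offset]
        offset += 1
        if ln == 0:
            return labels, offset
        if (ln & 0xC0) == 0xC0:
            # Pointers are legal in answers but never in a question name.
            raise ValueError("compression pointer in question name")
        if ln > MAX_LABEL:
            raise NameOverflow("label of %d octets" % ln)
        total += ln + 1
        if total + 1 > MAX_NAME:  # +1 for the terminating root label
            raise NameOverflow("name longer than %d octets" % MAX_NAME)
        if offset + ln > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + ln].decode("ascii", "replace"))
        offset += ln


def inspect_query(msg, transport="udp"):
    """Return a list of verdicts for one DNS query message:
    'allow', or one or more of 'length overflow', 'zone transfer',
    'host name overflow', or a 'malformed ...' verdict."""
    findings = []
    if transport == "udp" and len(msg) > MAX_UDP_DNS:
        findings.append("length overflow")
    if len(msg) < 12:
        return ["malformed header"]
    qdcount = struct.unpack("!H", msg[4:6])[0]
    offset = 12
    for _ in range(qdcount):
        try:
            _labels, offset = parse_name(msg, offset)
        except NameOverflow:
            findings.append("host name overflow")
            return findings
        except ValueError:
            return ["malformed name"]
        if offset + 4 > len(msg):
            return ["malformed question"]
        qtype = struct.unpack("!H", msg[offset:offset + 2])[0]
        offset += 4  # skip QTYPE and QCLASS
        if qtype == QTYPE_AXFR:
            findings.append("zone transfer")
    return findings or ["allow"]


def build_query(name, qtype, txid=0x1234):
    """Construct a standard recursive query (sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed samples: a normal lookup, a zone transfer, an over-long label.
    for q in (build_query("dc1.corp.example", QTYPE_A),
              build_query("corp.example", QTYPE_AXFR),
              build_query("a" * 70 + ".corp.example", QTYPE_A)):
        print(inspect_query(q))
```

The same padded message is judged differently per transport, which is the point of footnote (1) in the matrix: a response larger than 512 bytes is expected over TCP but is an anomaly over UDP.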
The RPC AD firewall access rule limits RPC traffic to the interface UUIDs that are required to open a user session and to apply Group Policies:
| UUID | RPC service |
|---|---|
| {12345778-1234-ABCD-EF00-0123456789AB} | LSA |
| {12345778-1234-ABCD-EF00-0123456789AC} | SAM |
| {12345778-1234-ABCD-EF00-01234567CFFB} | Net Logon |
| {6BFFD098-A112-3610-9833-012892020162} | Computer Browser |
| {E3514235-4B06-11D1-AB04-00C04FC2DCD2} | MS NT Directory DRS Interface |
| {F5CC59B4-4264-101A-8C59-08002B2F8426} | Directory DRS |
| {F5CC5A18-4264-101A-8C59-08002B2F8426} | Directory NSP |
| {F5CC5A7C-4264-101A-8C59-08002B2F8426} | Directory XDS |
ISA Server 2004 includes an RPC filter that dynamically opens the high ports used by RPC applications (the port numbers that the RPC endpoint mapper returns to the RPC client). This makes it unnecessary to open a static range of high ports for RPC.
The RPC filter also allows RPC requests to be filtered by interface (UUID).
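As an added example of what filtering by interface UUID means on the wire (this is not ISA Server code and not from the original document), the Python below parses a DCE/RPC version 5 bind PDU, the first message a client sends on the high port it learned from the endpoint mapper, and allows the bind only if every presentation context names an interface from the table above. build_bind is a helper that constructs sample PDUs; the parser assumes little-endian data representation, which is what Windows clients send. The srvsvc UUID used as the denied sample comes from general knowledge, is not in the page's list, and stands in for any interface a member server has no business reaching on a domain controller.

```python
"""Added example: interface (UUID) filtering of a DCE/RPC bind PDU.
Layout follows the DCE 1.1 RPC connection-oriented protocol: 16-byte common
header, then bind body with a presentation context list."""
import struct
import uuid

# Interfaces the page lists as required for logon and Group Policy.
ALLOWED_INTERFACES = {
    uuid.UUID("12345778-1234-ABCD-EF00-0123456789AB"): "LSA",
    uuid.UUID("12345778-1234-ABCD-EF00-0123456789AC"): "SAM",
    uuid.UUID("12345778-1234-ABCD-EF00-01234567CFFB"): "Net Logon",
    uuid.UUID("6BFFD098-A112-3610-9833-012892020162"): "Computer Browser",
    uuid.UUID("E3514235-4B06-11D1-AB04-00C04FC2DCD2"): "MS NT Directory DRS Interface",
    uuid.UUID("F5CC59B4-4264-101A-8C59-08002B2F8426"): "Directory DRS",
    uuid.UUID("F5CC5A18-4264-101A-8C59-08002B2F8426"): "Directory NSP",
    uuid.UUID("F5CC5A7C-4264-101A-8C59-08002B2F8426"): "Directory XDS",
}
# Sample interface that is NOT in the list (srvsvc, from general knowledge).
SRVSVC_UUID = uuid.UUID("4B324FC8-1670-01D3-1278-5A47BF6EE188")
NDR_TRANSFER_SYNTAX = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")  # NDR 2.0
PTYPE_BIND = 11


def parse_bind(pdu):
    """Return [(interface UUID, major, minor), ...] from a bind PDU.
    Raises ValueError if the PDU is not a well-formed little-endian v5 bind."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind")
    vers, _vers_minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    drep = pdu[4]  # data representation; bit 0x10 set means little-endian integers
    frag_len, _auth_len, _call_id = struct.unpack_from("<HHI", pdu, 8)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if not (drep & 0x10):
        raise ValueError("big-endian DREP not handled (assumption: LE only)")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    # Body: max_xmit(2) max_recv(2) assoc_group(4) n_context_elem(1) reserved(3)
    n_ctx = pdu[24]
    off = 28
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context")
        _ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4  # p_cont_id(2) n_transfer_syn(1) reserved(1)
        if_uuid = uuid.UUID(bytes_le=pdu[off:off + 16])
        major, minor = struct.unpack_from("<HH", pdu, off + 16)
        off += 20
        off += 20 * n_ts  # skip transfer syntaxes (uuid + version each)
        if off > len(pdu):
            raise ValueError("truncated transfer syntax list")
        contexts.append((if_uuid, major, minor))
    return contexts


def filter_bind(pdu):
    """Allow the bind only if every requested interface is in the allow-list.
    Returns ('allow', [service names]) or ('deny', offending UUID string)."""
    names = []
    for if_uuid, _major, _minor in parse_bind(pdu):
        if if_uuid not in ALLOWED_INTERFACES:
            return ("deny", str(if_uuid))
        names.append(ALLOWED_INTERFACES[if_uuid])
    return ("allow", names)


def build_bind(interfaces, call_id=1):
    """Construct a little-endian v5 bind PDU requesting the given
    (uuid, major, minor) interfaces with NDR 2.0 as the only transfer syntax.
    Sample input only; not captured traffic."""
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(interfaces), 0, 0)
    for ctx_id, (if_uuid, major, minor) in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0)
        body += if_uuid.bytes_le + struct.pack("<HH", major, minor)
        body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


if __name__ == "__main__":
    lsa = next(u for u, n in ALLOWED_INTERFACES.items() if n == "LSA")
    print(filter_bind(build_bind([(lsa, 0, 0)])))
    print(filter_bind(build_bind([(lsa, 0, 0), (SRVSVC_UUID, 3, 0)])))
```

A production filter has more to cover than this: it must also admit the endpoint mapper interface itself on TCP 135, track the bind_ack to learn which contexts the server accepted, and apply the same check to alter_context PDUs, which can add interfaces to an existing connection after the bind.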