http://blogs.msdn.com/squasta/archive/2006/03/17/553805.aspxPurpose This document explains how to use ISA Server 2004 as an application layer firewall between a Windows 2000 domain controller and a Windows 2000 member server. This configuration allows: - Integrate a stand alone server in a Windows 2000 Activefr-FRCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/squasta/archive/2006/03/17/553805.aspx#568974Wed, 05 Apr 2006 17:28:16 GMT91d46819-8472-40ad-a661-2c78acb4018c:568974Thomas Shinder Blog » Blog Archive » Stanislas Quastana’s Guide to Intradomain Communications Including AD UUIDsPingBack from <a rel="nofollow" target="_new" href="http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/">http://blogs.isaserver.org/shinder/2006/04/05/stanislas-quastanas-guide-to-intradomain-communications-including-ad-uuids/</a>http://blogs.msdn.com/squasta/archive/2006/03/17/553805.aspx#575647Thu, 13 Apr 2006 13:30:06 GMT91d46819-8472-40ad-a661-2c78acb4018c:575647BlackPHI have tried this perfect way of RPC filtering ,but nothing. Maximum result when i have - is error about wrong TCP checksum on EMP Map request level <BR>" <BR>Internet Protocol, Src: 172.16.2.2 (172.16.2.2), Dst: 192.168.1.248 (192.168.1.248) <BR>Transmission Control Protocol, Src Port: 1130 (1130), Dst Port: epmap (135), Seq: 117, Ack: 85, Len: 156 <BR>&nbsp; &nbsp;Source port: 1130 (1130) <BR>&nbsp; &nbsp;Destination port: epmap (135) <BR>&nbsp; &nbsp;Sequence number: 117 &nbsp; &nbsp;(relative sequence number) <BR>&nbsp; &nbsp;Next sequence number: 273 &nbsp; &nbsp;(relative sequence number) <BR>&nbsp; &nbsp;Acknowledgement number: 85 &nbsp; &nbsp;(relative ack number) <BR>&nbsp; &nbsp;Header length: 20 bytes <BR>&nbsp; &nbsp;Flags: 0x0018 (PSH, ACK) <BR>&nbsp; &nbsp;Window size: 65451 <BR>&nbsp; &nbsp;Checksum: 0x7169 [incorrect, should be 0x9142] <BR>&nbsp; &nbsp;SEQ/ACK analysis <BR>&nbsp; &nbsp; &nbsp; &nbsp;This is an ACK to the segment in frame: 6 <BR>&nbsp; &nbsp; &nbsp; &nbsp;The RTT to ACK the segment was: 0.000029000 seconds <BR>DCE RPC Request, Fragment: Single, FragLen: 156, Call: 1 Ctx: 0 <BR>&nbsp; &nbsp;Version: 5 <BR>&nbsp; &nbsp;Version (minor): 0 <BR>&nbsp; &nbsp;Packet type: Request (0) <BR>&nbsp; &nbsp;Packet Flags: 0x03 <BR>&nbsp; &nbsp;Data Representation: 10000000 <BR>&nbsp; &nbsp;Frag Length: 156 <BR>&nbsp; &nbsp;Auth Length: 0 <BR>&nbsp; &nbsp;Call ID: 1 <BR>&nbsp; &nbsp;Alloc hint: 132 <BR>&nbsp; &nbsp;Context ID: 0 <BR>&nbsp; &nbsp;Opnum: 3 <BR>DCE/RPC Endpoint Mapper, Map <BR>" <BR>I used "access" rule, not "public". DMZ and Internal have route relationship. When i remove my "RPC for AD Logon" filter protocol, and add predefined RPC (all interfaces) - all working fine.http://blogs.msdn.com/squasta/archive/2006/03/17/553805.aspx#576322Fri, 14 Apr 2006 12:45:07 GMT91d46819-8472-40ad-a661-2c78acb4018c:576322stanislas-quastana<P><FONT face=Tahoma size=2>Hi, <BR><BR>You <FONT color=#0000ff><STRONG><U>must use a publication rule for RPC filtering</U></STRONG></FONT> (by design the RPC filter apply only to incoming traffic). It's "normal" (by design) that RPC filtering doesn't work with access rule <BR><BR>This publication rule works between 2 routed networks (don't forget to check source ip = client IP &nbsp;adress) <BR><BR>regards</FONT></P> <P><FONT face=Tahoma size=2>Stanislas</FONT></P>