Segmenting Networks with ISA 2004 – Filtering access to Domain Controllers
Purpose
This document explains how to use ISA Server 2004 as an application-layer firewall between a Windows 2000 domain controller and a Windows 2000 member server.
This configuration allows:
- integrating a stand-alone server into a Windows 2000 Active Directory domain
- opening user sessions
- applying Group Policies
Network diagram
Network rules matrix
| Source IP | Source port | Transport | Protocol | Destination IP | Destination port | Comments |
|---|---|---|---|---|---|---|
| Member servers in DMZ | * | UDP, TCP (1) | DNS | DNS server used for AD resolution | 53 | Name resolution |
| Member servers in DMZ | * | UDP, TCP (2) | Kerberos-Sec | AD - Domain Controllers | 88 | Authentication mechanism |
| Member servers in DMZ | * | UDP | NTP | AD - Domain Controllers | 123 | Time synchronization |
| Member servers in DMZ | * | TCP | RPC Endpoint Mapper | AD - Domain Controllers | 135 | Must be queried first to retrieve the port used by the RPC service |
| Member servers in DMZ | * | UDP, TCP | LDAP | AD - Domain Controllers | 389 | Used to query Active Directory |
| Member servers in DMZ | * | TCP | Microsoft CIFS | AD - Domain Controllers | 445 | Microsoft file share. Necessary for applying Group Policies |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS root servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | Microsoft CIFS | DFS replica servers | 445 | Microsoft file share |
| Member servers in DMZ | * | TCP | RPC (all interfaces) | AD - Domain Controllers | >1024 | Can be an IP range on a traditional firewall. Not necessary to define if you use the ISA 2004 RPC filter |
| Member servers in DMZ | N/A | ICMP | Ping | AD - Domain Controllers | N/A | |
| AD - Domain Controllers | N/A | ICMP | Ping | Member servers in DMZ | N/A | |
*: all
N/A: not applicable
(1) TCP is used for DNS zone transfers and when the answer exceeds 512 bytes.
(2) By default, Windows 2000 and Windows XP use UDP when the data fits in packets of fewer than 2,000 bytes. Any data above this value is carried over TCP. The 2,000-byte threshold is configurable by modifying a registry key and value.
Additional information:
- How to Force Kerberos to Use TCP Instead of UDP: https://support.microsoft.com/default.aspx?scid=kb;EN-US;244474
- HOWTO: Configure RPC Dynamic Port Allocation to Work with Firewall: https://support.microsoft.com/default.aspx?scid=kb;en-us;154596
Firewall Rules to define on ISA Server 2004 between a DC and a member server
In this example:
- LAN3 contains the member servers
- Internal (192.168.102.x/24) contains the Domain Controller (192.68.102.10)
Two protocols are inspected in depth: DNS and RPC.
The DNS AD firewall access rule detects and blocks:
- DNS length overflow
- DNS zone transfer
- DNS name overflow
The RPC AD firewall access rule limits RPC traffic to the interface UUIDs that are mandatory to open a user session and to apply Group Policies:
| UUID | RPC service |
|---|---|
| {12345778-1234-ABCD-EF00-0123456789AB} | LSA |
| {12345778-1234-ABCD-EF00-0123456789AC} | SAM |
| {12345778-1234-ABCD-EF00-01234567CFFB} | Net Logon |
| {6BFFD098-A112-3610-9833-012892020162} | Computer Browser |
| {E3514235-4B06-11D1-AB04-00C04FC2DCD2} | MS NT Directory DRS Interface |
| {F5CC59B4-4264-101A-8C59-08002B2F8426} | Directory DRS |
| {F5CC5A18-4264-101A-8C59-08002B2F8426} | Directory NSP |
| {F5CC5A7C-4264-101A-8C59-08002B2F8426} | Directory XDS |
To define the AD RPC firewall publishing rule, you first need to create a protocol definition (RPC for AD Logon):
ISA Server 2004 includes an RPC filter that dynamically opens the high ports used by RPC applications (those port numbers are returned by the RPC Endpoint Mapper to the RPC client). This way, it is unnecessary to open static high ports for RPC.
The RPC filter also allows filtering RPC requests by interface (UUID).
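As an added example (not part of this document and not ISA Server code), the following Python script encodes the rule matrix and the UUID allow list above and checks constructed sample flows against them, mimicking the Endpoint Mapper-then-dynamic-port sequence the RPC filter enforces. The zone names are the matrix's own; the high port numbers, the all-zeros UUID and the flows themselves are constructed for illustration.

```python
# Added example (not from the document): a policy checker for the rule matrix above
DC, DMZ, DNS = "AD - Domain Controllers", "Member servers in DMZ", "DNS Server"
DFS_ROOT, DFS_REP = "DFS root servers", "DFS replica servers"
# Static rules from the matrix: (source zone, transport, destination zone, port)
RULES = {
    (DMZ, "UDP", DNS, 53), (DMZ, "TCP", DNS, 53),   # DNS (TCP for large answers)
    (DMZ, "UDP", DC, 88), (DMZ, "TCP", DC, 88),     # Kerberos
    (DMZ, "UDP", DC, 123), (DMZ, "TCP", DC, 135),   # NTP, RPC Endpoint Mapper
    (DMZ, "UDP", DC, 389), (DMZ, "TCP", DC, 389),   # LDAP
    (DMZ, "TCP", DC, 445), (DMZ, "TCP", DFS_ROOT, 445), (DMZ, "TCP", DFS_REP, 445),  # CIFS
}
# RPC interface UUIDs the document lists as required for logon and Group Policy
ALLOWED_UUIDS = {
    "12345778-1234-abcd-ef00-0123456789ab", "12345778-1234-abcd-ef00-0123456789ac",  # LSA, SAM
    "12345778-1234-abcd-ef00-01234567cffb", "6bffd098-a112-3610-9833-012892020162",  # Net Logon, Browser
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2", "f5cc59b4-4264-101a-8c59-08002b2f8426",  # NT DRS, DRS
    "f5cc5a18-4264-101a-8c59-08002b2f8426", "f5cc5a7c-4264-101a-8c59-08002b2f8426",  # NSP, XDS
}
def check_flows(flows):
    """Evaluate (src, transport, dst, dport, rpc_uuid) flows in order; EPM state carries over."""
    epm_seen = set()  # (src, dst) pairs that already queried the Endpoint Mapper (TCP 135)
    verdicts = []
    for src, transport, dst, dport, uuid in flows:
        if transport == "ICMP" and {src, dst} == {DMZ, DC}:
            verdict = "allow: ping"  # the matrix permits ping in both directions
        elif (src, transport, dst, dport) in RULES:
            verdict = "allow"
            if dport == 135:
                epm_seen.add((src, dst))
        elif src == DMZ and transport == "TCP" and dst == DC and dport > 1024:
            # Dynamic RPC port: like the ISA RPC filter, accept only after an EPM lookup and for listed interfaces
            if (src, dst) not in epm_seen:
                verdict = "deny: RPC high port without Endpoint Mapper lookup"
            elif uuid and uuid.lower() in ALLOWED_UUIDS:
                verdict = "allow: RPC interface permitted"
            else:
                verdict = "deny: RPC interface not on allow list"
        else:
            verdict = "deny: no matching rule"
        verdicts.append(verdict)
    return verdicts
# Constructed sample flows (zones from the matrix, ports and UUIDs chosen for illustration)
SAMPLE_FLOWS = [
    (DMZ, "TCP", DC, 1027, "12345778-1234-ABCD-EF00-01234567CFFB"),  # Net Logon, before EPM
    (DMZ, "TCP", DC, 135, None),                                     # EPM lookup
    (DMZ, "TCP", DC, 1027, "12345778-1234-ABCD-EF00-01234567CFFB"),  # Net Logon, after EPM
    (DMZ, "TCP", DC, 1028, "00000000-0000-0000-0000-000000000000"),  # placeholder UUID, not listed
    (DC, "TCP", DMZ, 445, None),                                     # DC-initiated CIFS
]
```

Running `check_flows(SAMPLE_FLOWS)` shows the same Net Logon interface being denied before the Endpoint Mapper lookup and allowed after it, while an unlisted interface and a DC-initiated CIFS connection are both denied.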