Cannot Join the Workstation to the D.C. through ISA Server 2006
- Good day guys,
I'm also on the Visual FoxPro General Forum, but I am also here on the Windows Server Forums because I have been having a hard time joining one of the workstations to the D.C. through ISA Server. Below is the information:
Windows Server 2003 SP2 - A.D. DNS Integrated, Domain Controller
1 NIC Card - Public IP Address of 178.197.225.194/27
Windows Server 2003 SP2, ISA Server 2006 - Member Server of A.D. DNS Integrated, Domain Controller, DHCP, RRAS
3 NIC Card:
1st NIC Card - Public IP Address of 178.197.225.195/27
2nd NIC Card - Private IP Address of 172.18.0.1/16 - Internal Network
3rd NIC Card - Private IP Address of 172.17.0.1/24 - for VPN Clients
Windows XP Pro SP2
1 NIC Card:
With IP Address of 172.18.0.6
At ISA Server 2006 Firewall:
1. Created Internal (172.18.0.0 - 172.18.255.255) - Networks
2. Created All Access with Route Internal to External - Network Rules
3. Created DHCP Request, DHCP Reply - Firewall Policy
4. Created LAN Internet Access - Firewall Policy
5. Created Server Internet Access - Firewall Policy
All are working fine, but I cannot join my WinXP workstation to the Domain Controller. Should I make another Firewall Policy to be able to join workstations? Any idea to help me out? Thanks guys...
Answers
I am not sure I understand your question but...
In order to join your workstation 172.18.0.6 to the domain, you would require a rule allowing all protocols required for domain access.
Among them is RPC, and on that rule you would also need to uncheck "Enforce strict RPC compliance".
(The system policy is only relevant for traffic to/from ISA itself, "Local Host".) Since joining is a DCOM call, the port used is dynamic; unless the DC has been configured in DCOM to use a specific port or range, you would need to allow all high ports (1024-65535).
For the client to work as a member of the domain a lot of protocols are required (CIFS, DNS, LDAP(s) DC, LDAP(s) GC, Kerberos, RPC, Ping).
So in order for the client to dynamically update DNS that requires secure update, you need those.
(Marked as answer by radical93, Friday, October 09, 2009 3:35 PM)
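A client-side check for the protocol list in the answer above, added here as an example; it is not from the thread and not Microsoft tooling. It probes the domain controller from a host on the ISA "Internal" network (172.18.0.0/16) with one TCP connect per port and separates a timeout (the usual signature of a firewall dropping the packet) from a refusal (the packet reached the DC, nothing listens). The DC name, the domain name and the sampled high ports are assumptions; the page gives no DC hostname. It needs PowerShell 2.0 or later, so run it from any Windows host on the Internal network rather than on the XP SP2 client unless PowerShell is installed there.

```powershell
# Added example, not from the original thread. Probes the domain controller
# from a host on the ISA "Internal" network, one TCP connect per port that a
# domain join / domain membership needs. Placeholders (assumptions, not from
# the page): the DC name and the domain name.
param(
    [string]$DomainController = 'dc01.example.local',   # assumed name
    [string]$DomainName       = 'example.local',        # assumed name
    [int]$TimeoutMs           = 2000
)

# TCP ports behind the protocol list (CIFS, DNS, LDAP(s) DC/GC, Kerberos, RPC).
# UDP 53/88/123/389 and ICMP echo (Ping) cannot be proven with a TCP connect;
# they are named here only so the rule set is not forgotten.
$tcpPorts = @(
    @{ Port = 53;   Service = 'DNS (TCP; UDP 53 also needed)' },
    @{ Port = 88;   Service = 'Kerberos (TCP; UDP 88 also needed)' },
    @{ Port = 135;  Service = 'RPC endpoint mapper (domain join is DCOM/RPC)' },
    @{ Port = 139;  Service = 'NetBIOS session (CIFS over NetBIOS)' },
    @{ Port = 389;  Service = 'LDAP DC (UDP 389 LDAP ping also needed)' },
    @{ Port = 445;  Service = 'CIFS/SMB (SYSVOL, NETLOGON)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS DC' },
    @{ Port = 3268; Service = 'LDAP Global Catalog' },
    @{ Port = 3269; Service = 'LDAPS Global Catalog' }
)

# Returns 'Open', 'Refused' or 'Timeout'. A refusal means the SYN reached the
# DC and nothing listens; a timeout while the DC is otherwise reachable is what
# an ISA rule that silently drops the protocol looks like from the client.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'
        }
        $client.EndConnect($async)   # throws on RST (connection refused)
        return 'Open'
    } catch {
        return 'Refused'             # the address is already resolved below, so this is a RST
    } finally {
        $client.Close()
    }
}

# Name resolution first: the client finds its DC through DNS SRV records, and
# if that fails the join never gets as far as RPC whatever the firewall says.
try {
    $dcAddress = [System.Net.Dns]::GetHostAddresses($DomainController)[0].IPAddressToString
} catch {
    Write-Error "Cannot resolve $DomainController - fix DNS before looking at firewall rules"
    exit 1
}
Write-Host "DC $DomainController resolves to $dcAddress"
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" $dcAddress

$results = foreach ($entry in $tcpPorts) {
    New-Object PSObject -Property @{
        Port    = $entry.Port
        Service = $entry.Service
        Result  = Test-TcpPort -ComputerName $dcAddress -Port $entry.Port -TimeoutMs $TimeoutMs
    }
}
$results | Select-Object Port, Service, Result | Format-Table -AutoSize

# RPC does not stop at 135: the endpoint mapper hands the client a dynamic port
# (1024-65535 as the answer puts it; a stock Windows Server 2003 DC actually
# allocates from 1025-5000 unless the RPC range is pinned in the registry).
# Nothing listens on an arbitrary high port, so 'Refused' there is the healthy
# answer; a 'Timeout' means something in the path drops the high-port range.
foreach ($p in 1100, 2500, 4900) {   # sample ports chosen for this example
    $r = Test-TcpPort -ComputerName $dcAddress -Port $p -TimeoutMs $TimeoutMs
    Write-Host ("High port {0,-6} {1}" -f $p, $r)
}

$blocked = @($results | Where-Object { $_.Result -ne 'Open' })
if ($blocked.Count -gt 0) {
    Write-Warning ("Not reachable: " + (($blocked | ForEach-Object { $_.Port }) -join ', '))
}
```

Read the two halves together: every well-known port 'Open' but the high-port samples all 'Timeout' is exactly the shape of "RPC endpoint mapper allowed, dynamic DCOM ports not allowed", which is the failure the answer describes; 'Refused' on the samples with 135 'Open' means the firewall is not the problem and the join failure lies elsewhere (DNS, time skew, credentials).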
All Replies
- Joining the domain is a DCOM call that is not supported by the RPC filter in ISA.
Right-click the rule, Configure RPC, uncheck "Enforce strict RPC compliance".
(Proposed as answer by Nick Gu - MSFT, Moderator, Thursday, October 08, 2009 2:27 AM)
- Good day, I will try that one, but where can I find it? On the built-in System Policy, will I find Configure RPC and then uncheck "Enforce strict RPC..."? By the way, the public IP addresses assigned to the 2 servers, the A.D. server and the ISA server, came from a Cisco router provided by the telco with a /27, with 30 public IP addresses. Thanks for your response; I will continue to look for any possible answer, suggestions or solution on this helpful forum. Thanks and regards, cheers....(",)...
Hi,
Thank you for your post.
In my humble opinion, it is not recommended to install ISA Server on a Domain Controller.
Regards,
Nick Gu - MSFT
- Good day Nick,
I did not install ISA Server 2006 on the Domain Controller, as stated in my first post above.
- Good day Kent,
I already tested it. I found it under "System Policy Rules": on the right sidebar, on the "Tasks" tab, "Show the System Policy Rules" also shows the built-in firewall or system policy rules, among them "Allow RPC from ISA Server to trusted servers". Then "Edit the System Rules", where I see "Enforce strict RPC compliance", which I unchecked, and it works. Thanks a lot; this is a nice forum because there are many tricky setups.
But when joining the Workstation PC or Win XP, my question is: there will be a connection with the DNS Dynamic Updates and also with the DHCP Automatic Dynamic Updates..., and also the Dynamic Update action, which is 1. Secure Only, 2. Non-Secure and Secure, 3. Non-Secure. I set or checked the DHCP "Automatic Dynamic Updates...", and also set the DNS to "Non-Secure" so that it will build the trust relationship between the D.C. server and the workstations, and the result is that it creates the Host A records with the IP address from DHCP; then it successfully joined the Workstation PC or Win XP.
And I also made a Firewall Policy rule that allows "DNS" and "LDAP" from the "Internal" network to "Domain Controllers" and "All Networks (Local Host)" to be able to have the authentication; the order of the Firewall Policy is no. 5.
Firewall Policy Order:
1. DHCP Request
2. DHCP Reply
3. LAN Internet Access
4. Server Internet Access
5. AD & DNS Access
6. RDP Access
Is there any connection between the 2 above scenarios that I have tested, or is there a possibility, instead of unchecking "Enforce strict RPC compliance"?
Any idea on this will be a great help, also whether the 2 above scenarios that I have tested are possible.
Thanks Kent...(",)...
- Good day Kent,
The 2 scenarios that I have tested, allowing the DNS and LDAP protocols, and the one you advised, unchecking "Enforce strict RPC compliance", are working fine, since we all know that if we put in an ISA Server everything is closed; you have to know all of your requirements on your internal and external sides to allow in order to provide the services.
Now with this forum I'm confident enough for implementation, and with this forum also you do not hesitate to ask some questions that you might think you are not capable of doing, unlike when you ask some questions of the "Open Source" guys; I found conflict with them when implementing other kinds of firewall, as we all know that there are advantages and disadvantages, capabilities and incapabilities, and we have to accept it, but for me it's okay...
More power to all of you guys,
Thanks and regards...(",)...
- Question......... Why does your Domain Controller have a public IP address???
Tarek Majdalani | MS Forefront Edge Security MVP | http://www.elmajdal.net

