Microsoft KB Archive/943212

= You cannot filter the RPC traffic based on universally unique identifiers (UUID) by using an access rule in ISA Server 2006 =

Article ID: 943212

Article Last Modified on 11/13/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition




SYMPTOMS
You use access rules in Microsoft Internet Security and Acceleration (ISA) Server 2006 to allow RPC traffic between routed networks. However, ISA Server 2006 does not provide an option to filter the RPC traffic based on universally unique identifiers (UUID). This behavior may prevent you from controlling access to specific servers based on UUIDs. Currently, you can filter RPC traffic only based on UUIDs in a server publishing rule that uses the RPC Server protocol.



RESOLUTION
To resolve this problem, apply the hotfix package that is described in the following Microsoft Knowledge Base article:

943215 Description of the ISA Server 2006 hotfix package: October 7, 2007

To create an RPC protocol that can be used in an access rule, follow these steps:
 * 1) Open the ISA Server Management console.
 * 2) In the console tree, expand Microsoft Internet Security and Acceleration Server 2006.
 * 3) If you are running ISA Server 2006 Standard Edition, expand the node that corresponds to the ISA Server computer. If you are running ISA Server 2006 Enterprise Edition, expand Arrays, and then expand the node that corresponds to the array.

Note In ISA Server 2006 Enterprise Edition, you can also create an RPC protocol at an enterprise level. To do this, expand Enterprise, and then click Enterprise Policies.
 * 4) On the Toolbox tab, click Protocols.
 * 5) Click New, and then click RPC Protocol.
 * 6) In the RPC Protocol Name box, type a name that you want to use for the new protocol, and then click Next.
 * 7) Take one of the following actions, based on your situation:
   * If you want to extract UUIDs from the RPC server, click Select interfaces, specify the name of the RPC server in the Server Name box, click Next, click to select the interfaces that you want to include in the RPC protocol, and then click Next.
   * If you want to manually specify the UUIDs, click Add interfaces manually, click Next, click Add to add the specific interfaces that you want to include in the RPC protocol, and then click Next.
 * 8) Click Finish.
 * 9) In the Protocols list, find the newly created RPC protocol in the User-Defined folder, right-click the RPC protocol, and then click Properties.
 * 10) On the Parameters tab, click the 135, TCP, Inbound entry in the Primary Connections list, and then click Edit.
 * 11) In the Direction list, select Outbound, and then click OK two times.

After you follow these steps, you can use the newly created RPC protocol in an access rule to control the RPC UUIDs that are allowed. You can use the new RPC protocol in an Allow access rule that applies to the Selected protocols scope or to the All outbound traffic except selected scope. You cannot use the new RPC protocol definition in a Deny access rule. If you use the new RPC protocol in a Deny rule, any RPC traffic will be denied.
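
The following added example (not part of the original article and not ISA Server's implementation) illustrates what allow-listing RPC by UUID means on the wire: it reads the interface UUIDs from a DCE/RPC bind request and allows the request only if every one is listed. The function names and the OTHER UUID are constructed for illustration; EPM and NDR are the well-known endpoint mapper and NDR transfer syntax identifiers.

```python
import struct
import uuid

BIND = 11  # DCE/RPC connection-oriented PDU type: bind
EPM = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")    # endpoint mapper interface
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # NDR transfer syntax
OTHER = uuid.UUID("12345678-1234-1234-1234-123456789abc")  # constructed sample UUID

def bind_interfaces(pdu):
    """Return the interface UUIDs requested by a DCE/RPC v5 bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = (pdu[4] >> 4) == 1  # data representation label: integer byte order
    frag_len = struct.unpack_from("<H" if little else ">H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    found, off = [], 28  # context elements follow the 16-byte header and 12-byte preamble
    for _ in range(pdu[24]):  # n_context_elem
        if off + 24 > frag_len:
            raise ValueError("context list overruns the fragment")
        raw = pdu[off + 4:off + 20]  # abstract syntax (interface) UUID
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * pdu[off + 2]  # skip interface version and transfer syntaxes
    return found

def allowed(pdu, allow_list):
    """Allow only if every requested interface is listed; fail closed otherwise."""
    try:
        ifaces = bind_interfaces(pdu)
    except ValueError:
        return False
    return bool(ifaces) and all(u in allow_list for u in ifaces)

def build_bind(ifaces):
    """Construct a little-endian sample bind PDU (test input, not captured traffic)."""
    ctx = b""
    for i, u in enumerate(ifaces):
        ctx += struct.pack("<HBx", i, 1) + u.bytes_le + struct.pack("<HH", 1, 0)
        ctx += NDR.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, len(ifaces)) + ctx
    head = struct.pack("<BBBB4sHHI", 5, 0, BIND, 3, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1)
    return head + body

if __name__ == "__main__":
    for label, pdu in [("EPM only", build_bind([EPM])),
                       ("unlisted", build_bind([OTHER])),
                       ("not RPC", b"GET / HTTP/1.1\r\n" * 2)]:
        print(label, "->", "allow" if allowed(pdu, {EPM}) else "deny")
```
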



WORKAROUND
To work around this problem, use a server publishing rule to publish the RPC Server in ISA Server 2006.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbqfe kbexpertiseinter KB943212


© Microsoft Corporation. All rights reserved.