Rudolf Schreiner wrote:
>
> > In short, you can get DCOM to play nice with a firewall by making some
> > registry changes. The changes allow you to pick and choose the ports
> > DCOM will use. This will allow you to set up a couple of plugs in order
> > to pass the traffic.
>
> Did you really _try_ it?
Yup. Including Exchange servers I've probably done this 30+ times. I've
seen a few systems where this would not work (registry changes caused
the clients to stop connecting). In typical MS fashion, this was fixed
by a complete system reload.
> IMHO this doesn't work because DCOM embeds the IP addresses of the
> endpoints in the content.
Good point. I assumed that since MS Proxy was given as a possible
solution, that legal rather than private addresses were being used. If
you are going to use NAT, you need a *real* proxy which understands DCOM
and can make payload changes as required (kinda like FTP's data-session
problem). To the best of my knowledge, no one has created such a
beast, although I'm sure if there is a vendor watching this list who has,
they'll sing out now. ;)
As an aside, a quick look at one of my MS Proxy servers reveals that it
*does not* have built-in support for DCOM. Things like NetShow are
configured to open all ports between 1025-5000. So, IMO MS Proxy will
get the original poster no closer to a solution than Gauntlet.
> This also doesn't solve the callback problem, you
> would need plugs into both directions, with registry changes at client
> _and_ server.
Actually, it does solve the callback problem. The client will only use
ports specified by the server. If you have limited the port range on the
server, the client will only use these ports. Thus no client hacks are
required.
> (Theoretical discussion, I'd never allow DCOM thru a firewall. So I'm not
> unhappy that the line level protocol of DCOM is so braindamaged :-)
Seeing as this is a "business need vs. risk assessment" issue, I will
not go there. Suffice to say that not everyone is in the same position
to dictate what will or what will not be passed through the firewalls
they manage. ;)
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
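As an added illustration of the two points argued in this exchange (pinning the server's dynamic port range so a packet filter only needs TCP/135 plus that range, and NAT breaking DCOM because the server's address travels inside the RPC payload), here is a small Python model. It is not from the thread or any of its posters. The registry value names follow Microsoft's documented HKLM\Software\Microsoft\Rpc\Internet method (Ports, PortsInternetAvailable, UseInternetPorts), which the thread itself only calls "registry changes"; the hosts, addresses and the simplified endpoint-mapper exchange are constructed assumptions, not a real RPC implementation.

```python
"""Toy model of the two DCOM/firewall problems discussed in the thread:
(1) pinning the server's RPC dynamic port range via the registry so a packet
    filter only has to pass TCP/135 plus that range, and
(2) NAT breaking DCOM because the server's IP address travels inside the RPC
    payload, which header-only address translation never rewrites.
All hosts, addresses and port choices below are constructed for the example."""
import itertools
import re

# Values as they appear under HKLM\Software\Microsoft\Rpc\Internet in
# Microsoft's documented method; the thread itself only says "registry changes".
RESTRICTED_RPC_CONFIG = {
    "Ports": ["5000-5020"],         # REG_MULTI_SZ: ranges and/or single ports
    "PortsInternetAvailable": "Y",  # "Y": the list is the allowed set
    "UseInternetPorts": "Y",        # "Y": hand out only ports from that set
}
DEFAULT_RPC_CONFIG = {}             # key absent: any port in the default range
ENDPOINT_MAPPER_PORT = 135
DEFAULT_DYNAMIC_RANGE = range(1025, 5001)   # the 1025-5000 span the thread mentions

def parse_rpc_ports(values):
    """Expand REG_MULTI_SZ entries like '5000-5020' or '6001' into a sorted list."""
    ports = set()
    for entry in values:
        m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", entry)
        if not m:
            raise ValueError(f"bad Ports entry: {entry!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {entry!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def dynamic_ports(config):
    """Ports the server's RPC runtime may hand to DCOM clients under this config."""
    if config.get("UseInternetPorts") == "Y" and config.get("PortsInternetAvailable") == "Y":
        return parse_rpc_ports(config["Ports"])
    return list(DEFAULT_DYNAMIC_RANGE)

def firewall_plugs(config):
    """Server-bound TCP ports a packet filter must pass; derived from the server
    config alone, because the client only connects to ports the server names."""
    return {ENDPOINT_MAPPER_PORT, *dynamic_ports(config)}

class DcomServer:
    """Endpoint-mapper lookup on TCP/135 returns a string binding carrying the
    server's own IP and the next dynamic port from its configured set."""
    def __init__(self, ip, config):
        self.ip = ip
        self._ports = itertools.cycle(dynamic_ports(config))

    def endpoint_lookup(self):
        # The address rides inside the payload: header-only NAT never sees it.
        return f"ncacn_ip_tcp:{self.ip}[{next(self._ports)}]"

def parse_binding(binding):
    """Split 'ncacn_ip_tcp:A.B.C.D[port]' into (ip, port)."""
    m = re.fullmatch(r"ncacn_ip_tcp:([\d.]+)\[(\d+)\]", binding)
    if not m:
        raise ValueError(f"unparseable binding: {binding!r}")
    return m.group(1), int(m.group(2))

def dcom_session(server, client_reachable_ips, allowed_ports):
    """One client activation through a packet filter. Returns (ok, reason, port):
    success needs TCP/135 open, the advertised address routable from the
    client, and the advertised dynamic port permitted by the filter."""
    if ENDPOINT_MAPPER_PORT not in allowed_ports:
        return False, "tcp/135 blocked", None
    ip, port = parse_binding(server.endpoint_lookup())
    if ip not in client_reachable_ips:
        return False, f"advertised address {ip} not routable from client", port
    if port not in allowed_ports:
        return False, f"dynamic port {port} not in firewall plug", port
    return True, "ok", port

def run_scenarios():
    """Three cases from the thread; the plug is always TCP/135 plus 5000-5020."""
    plugs = firewall_plugs(RESTRICTED_RPC_CONFIG)
    legal = DcomServer("192.0.2.10", RESTRICTED_RPC_CONFIG)   # legal addresses, pinned range
    default = DcomServer("192.0.2.10", DEFAULT_RPC_CONFIG)    # legal addresses, default range
    natted = DcomServer("10.0.0.5", RESTRICTED_RPC_CONFIG)    # private address behind NAT
    return {
        "restricted_public": [dcom_session(legal, {"192.0.2.10"}, plugs) for _ in range(25)],
        "default_public": [dcom_session(default, {"192.0.2.10"}, plugs) for _ in range(3)],
        # Behind NAT the client only knows the firewall's outside address, 192.0.2.1.
        "restricted_nat": [dcom_session(natted, {"192.0.2.1"}, plugs)],
    }

if __name__ == "__main__":
    for name, sessions in run_scenarios().items():
        print(f"{name:18} {sessions[0][1]}  ({len(sessions)} session(s))")
```

The first scenario is the thread's working case: with legal addresses and the server's range pinned, every activation lands on a port the plug already passes, and nothing on the client had to change. The second shows what happens when the registry change is forgotten on the server: the first dynamic port handed out (1025) is outside the plug. The third is the NAT objection: the binding names the server's private address, so no amount of port opening helps unless something rewrites the payload.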