Beware that dcomcnfg has some bugs. It has a nice interface, but it's not
capable of doing what it's supposed to. If you use it you must manually
correct its registry entries in order to get your port range working.

Q201911: BUG: DCOMCNFG Writes Ports Named Value in Incorrect Format
http://support.microsoft.com/support/kb/articles/Q201/9/11.ASP?LN=EN-US&SD=gn&FR=0

Lars

-----Original Message-----
From: Jason Witty [mailto:[EMAIL PROTECTED]]
Sent: 2 August 2000 21:42
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Microsoft IIS 4.0 and MTS 2.0



If MTS is using DCOM to generate that RPC traffic, you can run
"$winnt\system32\dcomcnfg" on the MTS server to set it to only use a
port range - say (TCP port 5000-5020).  Hope this helps!

Jason

[EMAIL PROTECTED] wrote:
> 
> Hello,
> 
> I have a web server on my DMZ running IIS 4.0 and MTS 2.0 with an ODBC
> connection to a MS-SQL server behind our firewall.  It was decided that it would
> be more secure to remove MTS from the web server and put it on the DB server or
> another server on the same subnet (basically remove it from the DMZ).
> 
> Now you do this on MTS by exporting the specific package you need which creates
> a client install program that you run on the web server.  However, I'm having a
> problem with the configuration of my firewall.  Now I have two rules one letting
> everything from web server to mts server and vice versa (this is in a test
> environment so it's safe for now).  Looking at the logs the web server makes an
> initial udp connection using port 135 and then it picks a random udp high port.
> Also I need the second rule even though it is using the same ports (I don't know
> why the fw does not see this as a reply and let it through).
> 
> Opening udp high ports from my dmz to my internal network is not very secure.
> Does anyone know how to limit the port range?  Has anyone done this before?
> 
> Thanks,
> 
> Joe
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
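
A registry audit for the manual check that the reply at the top of this thread says is needed after using dcomcnfg, as an added example that is not part of the original messages. It assumes the RPC port restriction lives under `HKLM\SOFTWARE\Microsoft\Rpc\Internet` with a `Ports` value of type REG_MULTI_SZ plus `PortsInternetAvailable` and `UseInternetPorts` set to `Y` (Microsoft's documented layout, not stated in the thread); the function names are hypothetical.

```powershell
# Added example: audit the RPC/DCOM dynamic port restriction in the registry.
# Assumption: key and value names follow Microsoft's documented RPC settings.
$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Test-RpcPortEntry {
    param([string]$Entry)
    # A valid entry is one port ("5000") or an inclusive range ("5000-5020").
    if ($Entry -notmatch '^\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*$') { return $false }
    $low  = [int]$Matches[1]
    $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
    return ($low -ge 1 -and $high -le 65535 -and $low -le $high)
}

function Get-RpcPortAudit {
    param([string]$Path = $RpcInternetKey)
    if (-not (Test-Path $Path)) {
        return "Key $Path is missing: no port restriction is configured"
    }
    $findings = @()
    $regKey = Get-Item -Path $Path
    if ($regKey.GetValueNames() -notcontains 'Ports') {
        $findings += 'Ports value is missing'
    } else {
        # The value type matters as much as the text: check it explicitly.
        $kind = $regKey.GetValueKind('Ports')
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
            $findings += "Ports has type $kind, expected MultiString (REG_MULTI_SZ)"
        }
        foreach ($entry in @($regKey.GetValue('Ports'))) {
            if (-not (Test-RpcPortEntry $entry)) {
                $findings += "Malformed Ports entry: '$entry'"
            }
        }
    }
    foreach ($name in 'PortsInternetAvailable', 'UseInternetPorts') {
        $value = $regKey.GetValue($name)
        if ($value -ne 'Y') { $findings += "$name is '$value', expected 'Y'" }
    }
    return $findings
}

# Constructed sample entries; the first is the range suggested in the thread.
'5000-5020', '5000 5020', '5020-5000' | ForEach-Object {
    '{0,-10} valid={1}' -f $_, (Test-RpcPortEntry $_)
}
# The live audit only makes sense on the Windows host itself.
if ($env:OS -eq 'Windows_NT') { Get-RpcPortAudit }
```

An empty result from `Get-RpcPortAudit` means the stored values match the assumed layout; the firewall rule should then allow only TCP 135 plus the configured range.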