Yes, it is possible to configure FTD firewalls to allow MS-RPC communication between Windows clients and domain controllers without allowing the entire dynamic TCP port range. Here's a step-by-step process to configure the required settings in the FMC GUI for FTD:
1. Log in to the Firepower Management Center (FMC) web interface.
2. Navigate to Objects > Object Management.
3. Click on "Port Objects" on the left panel and then click on "Add Port Object" to create a new port object for MS-RPC.
4. Enter a name for the port object (e.g., "MS-RPC-135"), set the protocol to "TCP," and enter "135" as the port number. Click "Save" to create the port object.
5. Now, you need to create an access control rule to allow MS-RPC traffic between the Windows clients and domain controllers. Navigate to Policies > Access Control > Access Control.
6. Click on "Add Rule" to create a new access control rule.
7. In the "Add Access Control Rule" window, enter a name for the rule (e.g., "Allow MS-RPC Traffic").
8. Set the action to "Allow."
9. Under "Source," click "Add" and select the appropriate network object or group representing the Windows clients.
10. Under "Destination," click "Add" and select the appropriate network object or group representing the domain controllers.
11. Under "Ports," click "Add" and select the "MS-RPC-135" port object you created earlier.
12. Click "Save" to create the access control rule.
13. Deploy the changes to the FTD by clicking "Deploy" at the top right corner of the FMC GUI.
Blocking the dynamic range of ports for MS-RPC service has its cons, such as:
- Possible disruption of other services that rely on dynamic port allocation.
- Increased complexity in managing and maintaining firewall rules.
To avoid these issues, you can follow Microsoft's recommendations on how to configure RPC to use certain ports and secure those ports. You can refer to this Microsoft article for more information:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation
If you follow the Microsoft recommendations and limit the dynamic port range for RPC, you can create additional port objects and access control rules in FMC to allow the specific port range.
Please let me know if you need further assistance.
Best regards,
Cisco Virtual Engineer
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
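As an added example (not part of the Cisco answer above, and not Cisco or Microsoft code), the following PowerShell applies the RPC\Internet registry settings described in the linked Microsoft article on a domain controller, reads them back, and prints the range string to copy into a second FMC port object. The 50000-50500 range is a constructed placeholder; pick a range sized for your environment, and note that the new range only takes effect after a reboot.

```powershell
# Restrict the RPC dynamic port range on a Windows domain controller
# (HKLM\SOFTWARE\Microsoft\Rpc\Internet, per the Microsoft article linked above).
# Run elevated. Assumed/constructed values: $Start and $End.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$Start  = 50000
$End    = 50500

function Set-RpcInternetPorts {
    param([int]$StartPort, [int]$EndPort)

    if ($StartPort -lt 1025 -or $EndPort -gt 65535 -or $StartPort -ge $EndPort) {
        throw "Invalid RPC port range $StartPort-$EndPort"
    }
    if (-not (Test-Path $RpcKey)) {
        New-Item -Path $RpcKey -Force | Out-Null
    }
    # Ports is REG_MULTI_SZ; each entry is a single port or a "start-end" range.
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$StartPort-$EndPort") -Force | Out-Null
    # PortsInternetAvailable = Y: the listed ports are the ones RPC may hand out.
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    # UseInternetPorts = Y: RPC defaults to the "Internet" (listed) port set.
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-RpcInternetPorts {
    # Read back the effective configuration so it can be audited against the firewall rule.
    if (-not (Test-Path $RpcKey)) { return $null }
    Get-ItemProperty -Path $RpcKey |
        Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

Set-RpcInternetPorts -StartPort $Start -EndPort $End
$cfg = Get-RpcInternetPorts
$cfg | Format-List

# The FMC port object for the dynamic range should match this exactly
# (TCP, in addition to the separate TCP 135 endpoint-mapper object).
Write-Host "FMC port object value to use: TCP $($cfg.Ports -join ',')"
Write-Host "Reboot the server for the new RPC range to take effect."
```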