FTP and Application Inspection for RPC

taro75
Level 1

I have to allow RPC communication between Windows clients and a domain controller.

How can I define rules in FTD so that, just by allowing MS-RPC (tcp/135), the authentication between client and domain controller works? That is, I would like to avoid allowing the dynamic TCP port range. Is it possible with FTD firewalls? Please share the rules/settings.

3 Replies

Yes, it is possible to configure FTD firewalls to allow MS-RPC communication between Windows clients and domain controllers without allowing the entire dynamic TCP port range. Here's a step-by-step process to configure the required settings in the FMC GUI for FTD:

1. Log in to the Firepower Management Center (FMC) web interface.

2. Navigate to Objects > Object Management.

3. Click on "Port Objects" on the left panel and then click on "Add Port Object" to create a new port object for MS-RPC.

4. Enter a name for the port object (e.g., "MS-RPC-135"), set the protocol to "TCP," and enter "135" as the port number. Click "Save" to create the port object.

5. Now, you need to create an access control rule to allow MS-RPC traffic between the Windows clients and domain controllers. Navigate to Policies > Access Control > Access Control.

6. Click on "Add Rule" to create a new access control rule.

7. In the "Add Access Control Rule" window, enter a name for the rule (e.g., "Allow MS-RPC Traffic").

8. Set the action to "Allow."

9. Under "Source," click "Add" and select the appropriate network object or group representing the Windows clients.

10. Under "Destination," click "Add" and select the appropriate network object or group representing the domain controllers.

11. Under "Ports," click "Add" and select the "MS-RPC-135" port object you created earlier.

12. Click "Save" to create the access control rule.

13. Deploy the changes to the FTD by clicking "Deploy" at the top right corner of the FMC GUI.

Blocking the dynamic range of ports for MS-RPC service has its cons, such as:

- Possible disruption of other services that rely on dynamic port allocation.
- Increased complexity in managing and maintaining firewall rules.

To avoid these issues, you can follow Microsoft's recommendations on how to configure RPC to use certain ports and secure those ports. You can refer to this Microsoft article for more information: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation

If you follow the Microsoft recommendations and limit the dynamic port range for RPC, you can create additional port objects and access control rules in FMC to allow the specific port range.

Please let me know if you need further assistance.

Best regards,

Cisco Virtual Engineer

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
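The reply above points to Microsoft's guidance on pinning RPC to a fixed port range so the firewall only needs tcp/135 plus that narrow range. The script below is an added example, not from this thread or from Cisco, showing the Windows-side half of that recommendation: it writes the documented `HKLM\SOFTWARE\Microsoft\Rpc\Internet` values (`Ports`, `PortsInternetAvailable`, `UseInternetPorts`) on the domain controller and prints the range you would then add as a second FMC port object beside `MS-RPC-135`. The range 5000-5100 is a constructed example and the function names are my own.

```powershell
# Added example: restrict the RPC dynamic port range on a domain controller
# so the FTD rule can allow tcp/135 plus this narrow range instead of the
# full dynamic range. Run in an elevated PowerShell on the DC; RPC only
# picks up the new range after a reboot.
param(
    [int]$StartPort = 5000,   # constructed example range
    [int]$EndPort   = 5100
)

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Test-RpcRange {
    param([int]$Start, [int]$End)
    if ($Start -lt 1024 -or $End -gt 65535 -or $Start -gt $End) {
        throw "Range must be an ascending span within 1024-65535"
    }
    # Microsoft advises at least 100 ports, or RPC services start failing to bind.
    if (($End - $Start + 1) -lt 100) {
        throw "Range too small: $($End - $Start + 1) ports, at least 100 recommended"
    }
}

function Set-RpcPortRange {
    param([int]$Start, [int]$End)
    Test-RpcRange -Start $Start -End $End
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ; one entry per port or range. The two "Y" flags
    # tell RPC to allocate only from this list.
    New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-RpcPortRange {
    # Read back what is configured so the firewall object can be checked against it.
    if (-not (Test-Path $rpcKey)) { return $null }
    Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

Set-RpcPortRange -Start $StartPort -End $EndPort
Get-RpcPortRange | Format-List
Write-Host "Add an FMC port object TCP $StartPort-$EndPort next to MS-RPC-135, then reboot the DC."
```

After the reboot, `Get-NetTCPConnection -State Listen` on the DC should show the RPC-based services (Netlogon, LSA, SAMR) listening only inside the configured range, which is the check to run before tightening the FTD rule.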

Thank you for the detailed steps but I need a reference where the communication between Domain Controller and the client PC works just by allowing TCP/135 and without allowing the whole dynamic range. I hope members of this community can share their experiences here.

 

chherna2
Cisco Employee