DCE/RPC, "Distributed Computing Environment / Remote Procedure Calls", is the remote procedure call system developed for the Distributed Computing Environment (DCE). It allows programmers to write distributed software as if it were all running on the same computer, without having to worry about the underlying network code.
The DCERPC inspection module is responsible for processing the data portion of the packet and performing inspection-related tasks, with the help of other modules: applying translations to the IP addresses and ports contained in the packet when applicable, opening secondary channels, and so on.
Since FWSM version 4.1 the inspection engine has been redesigned and enhanced to handle RCI (Remote Create Instance) calls over RPC and the processing of RPC messaging.
Microsoft no longer uses only the EPM (End Point Mapper).
As Microsoft has moved from pure RPC to DCOM (ORPC) calls, these non-EPM calls are used more and more. Windows RPC/DCOM services use the RPC Endpoint Mapper to accept initial communications on port 135 and then dynamically transition to other ports for the service.
"The OXID Resolver resides at different endpoints (ports) depending on the transport being used. The OXID Resolver optimally resides at the same endpoints as the DCE RPC Endpoint Mapper (EPM). To accommodate systems where DCOM will coexist with existing DCE RPC installations (i.e., where an EPM and presumably a complete DCE RPC runtime already exists), the DCOM implementation on that system will register its interfaces with the DCE EPM and all DCOM implementations must be able to fall back if they make DCOM-specific calls on the DCE EPM endpoint which fail."
Starting with Windows 2000, the ISystemActivator COM interface is used instead of the IRemoteActivation RPC interface.
The IOXIDResolver RPC interface (formerly known as IObjectExporter) is used remotely to reach the local object resolver (OR). The Object Resolver component is responsible for:
returning the protocol sequences, string bindings and machine id for an object server, given its OXID (ResolveOXID() and ResolveOXID2(); ResolveOXID2() is only supported by DCOM version 5.2 and above)
responding to ping requests (SimplePing() and ComplexPing() functions)
responding to ServerAlive() and ServerAlive2() function requests
Non-EPM support for ASA/FWSM
Only the RCI (Remote Create Instance) non-EPM message is supported.
Only one WMI message is supported:
RemoteCreateInstance (Opnum 4)
Any other message type from IRemoteSCMActivator (e.g. RemoteGetClassObject) will not be passed.
IOXIDResolver (Opnum 5) is used remotely to reach the local object resolver and is part of the OXID resolver interface. This Opnum is not supported by the inspection engine. Essentially, this is an RPC call from WMI (WMI uses DCOM to handle remote calls) to a non-EPM subsystem that is DCOM based. Packets with Opnum 5 do not need inspection support unless NAT is involved, as there is no need to open pinholes.
Opnum 3 & 4: EPM.
Opnum 5: this message does not contain port numbers, and FWSM does not inspect it. If NAT is involved, FWSM does not inspect it either.
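As an added illustration (not Cisco's code and not part of this document), the following Python decodes DCE/RPC connection-oriented bind and request PDUs, maps each request's context id back to the interface UUID negotiated in the bind, and applies the rules above: EPM Opnum 3/4 and IRemoteSCMActivator Opnum 4 are inspected, other IRemoteSCMActivator opnums are not passed, and IOXIDResolver Opnum 5 is left uninspected (with the NAT case flagged as unhandled). The interface UUIDs for EPM, IRemoteSCMActivator and IOXIDResolver and the NDR transfer syntax are well-known MS-RPCE/MS-DCOM values that do not appear on this page, and the sample PDUs are constructed inline.

```python
import struct, uuid
# Well-known interface UUIDs (MS-RPCE / MS-DCOM); these values are not on the page.
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")   # Endpoint Mapper
SCM_UUID = uuid.UUID("000001a0-0000-0000-c000-000000000046")   # IRemoteSCMActivator
OXID_UUID = uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a")  # IOXIDResolver
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")      # NDR transfer syntax
PTYPE_REQUEST, PTYPE_BIND = 0, 11

def _header(ptype, body_len, call_id):
    # 16-byte common header: v5.0, pfc_flags first|last (0x03), drep 0x10 = little-endian
    return struct.pack("<BBBBBBBBHHI", 5, 0, ptype, 3, 0x10, 0, 0, 0, 16 + body_len, 0, call_id)

def build_bind(contexts, call_id=1):
    """Constructed sample bind PDU: {p_cont_id: interface UUID}, NDR32 transfer syntax only."""
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(contexts), 0, 0)  # xmit, recv, assoc, n_ctx
    for cid, iface in contexts.items():
        body += struct.pack("<HBB", cid, 1, 0) + iface.bytes_le + struct.pack("<I", 0)
        body += NDR32.bytes_le + struct.pack("<I", 2)
    return _header(PTYPE_BIND, len(body), call_id) + body

def build_request(cont_id, opnum, call_id=2):
    body = struct.pack("<IHH", 0, cont_id, opnum)  # alloc_hint, p_cont_id, opnum; empty stub
    return _header(PTYPE_REQUEST, len(body), call_id) + body

def parse_pdu(data):
    ver, _minor, ptype, _flags, drep, frag_len, _auth, call_id = struct.unpack_from("<BBBB4sHHI", data)
    if ver != 5 or not drep[0] & 0x10 or frag_len > len(data):
        raise ValueError("unsupported or truncated DCE/RPC PDU")
    pdu = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND:
        off, pdu["contexts"] = 28, {}
        for _ in range(data[24]):                       # n_context_elem
            cid, n_ts = struct.unpack_from("<HB", data, off)
            pdu["contexts"][cid] = uuid.UUID(bytes_le=data[off + 4:off + 20])  # abstract syntax
            off += 24 + 20 * n_ts                       # skip abstract + transfer syntaxes
    elif ptype == PTYPE_REQUEST:
        _, pdu["cont_id"], pdu["opnum"] = struct.unpack_from("<IHH", data, 16)
    return pdu

def classify(bind_pdu, request_pdu, nat=False):
    """Apply the page's rules: which requests the FWSM/ASA DCERPC inspector handles."""
    req = parse_pdu(request_pdu)
    iface, op = parse_pdu(bind_pdu)["contexts"].get(req["cont_id"]), req["opnum"]
    if iface == EPM_UUID and op in (3, 4):
        return "inspect: EPM"
    if iface == SCM_UUID:
        return "inspect: RemoteCreateInstance, open pinhole" if op == 4 else "drop: other IRemoteSCMActivator opnum"
    if iface == OXID_UUID and op == 5:
        return "not inspected: no ports in PDU" + (" (NAT case not handled)" if nat else "")
    return "not inspected: unknown interface/opnum"
```

A real inspector would additionally track the bind_ack to confirm which contexts the server accepted and reassemble multi-fragment PDUs before looking at the stub.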
CSCsk97762 - ENH: Allow DCERPC inspect to open pin-holes for WMI queries. non epm map
CSCto43960 - FWSM: DCERPC inspection of packet with multiple segments fail