Ik wilde via een script WMI aanroepen op een van de ISA 2004 Servers maar dat werd uiteraard geblokkeerd. Na wat zoeken op Google, kwam ik de onderstaande oplossing tegen. Deze oplossing werkt perfect.
1.First you need to make explicict range form dcom high ports you can use via in the registry (see http://support.microsoft.com/?kbid=154596)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
Edit the Ports multi-string to your liking. I use 5000-5100, this should be fine amount for a non application server.(see kb above)
Ports 5000-5100 (multi-string)2. create two basic custom protocols for SMB and dcom,
cust_smb
445 tcp outbound
445 udp send
(no related application filters ticked!)cust_dcom
135 tcp outbound
5000-5100 tcp outbound
(no related application filters ticked!)3. create the rule, allow, source = trusted admin/monitor box(es), destination localhost, protocols: cust_smb, cust_dcom, all users
4. Edit the System policy
Untick the ‘enable’ for Microsoct Management Console, you don’t need it now because we have created a better rule for our trusted box(es) ( note having this ticked will create a hidden rule that can break wmi scripts and alike).
Untick the ‘force strict rpc compliance’ option for Active Dicrectory
Click ok, apply new configuration, restart the isa server
Je kunt ook de onderstaande reg file gebruiken i.p.v. stap 1 uit te voeren.
RPC_Ports.reg:
|
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet] |
Bron: http://forums.isaserver.org/m_410001100/mpage_1/key_/tm.htm#2002017878
ICT-Freak.nl 