How To: Configure Static RPC for WFISA
Configuring FStorageSrv DCOM and RPC Access in ISA/TMG
Due to the default nature of RPC, a dynamic port (between 49152 and 65535 on Server 2008 or later) is used between client and server when configuring communication between Burstek products. In order to restrict access to the servers, it is imperative to only allow the required communication on required ports. In order to avoid opening a range of ports on a server for RPC communication, a static endpoint can be configured on the FStorageSrv DCOM object in order to configure and utilize a specified port for communication. Included below, are the steps to be taken on a TMG server in order to allow RPC communication originating from a remote server. Please note that the same steps can be taken for a server running ISA Server 2004/2006, but since ISA Server completely replaces the Windows Firewall, step 3 can be skipped.
Note: The below steps are to be configured on the target/destination server for client > server communication between all Burstek products. For Server 2008 and later, the dynamic port range for both TCP and UPD communication is 49152-65535. This means that if no static endpoint is configured, any port between the above range may be used for RPC communication between servers.#Open the Component Services manager by entering dcomcnfg in the run utility or command prompt
Configure Static Endpoint port
- Expand ‘Computers’ | ‘My Computer’ | ‘DCOM Config’, then right-click the ‘FStorageSrv’ object and click ‘Properties’.
- Navigate to the ‘Endpoints’ tab, then click ‘Add’
- Ensure that the ‘Connection-oriented TCP/IP’ Protocol Sequence is selected, then select the ‘Use static endpoint’ option, and enter a valid port for the RPC communication.
- Click ‘OK’ and save the changes.
- Restart the ‘FStorageSrv’ service to apply the changes
Enable RPC communication
- In the TMG Management Console, create an Access Rule to allow communication from the client machine, to the TMG Server (localhost).
- Configure the allowed protocols with the ‘RPC (all interfaces)’ protocol, along with the static endpoint TCP Port configured in the ‘FStorageSrv’ DCOM object. The custom port should be created (default settings, with no secondary connections) and applied in TMG.
- Configure the Access Rule for ‘All Users’
- Once the rule has been created, right-click the newly-created rule (prior to applying the changes) and select ‘Configure RPC Protocol’
- Uncheck the ‘Enforce strict RPC compliance’ check box, then save and apply the changes in TMG.
Configure the local Windows Firewall
This will allow inbound communication on the TCP port configured for the static endpoint configured in the ‘FStorageSrv’ DCOM object
Note: Skip this step if using ISA Server.
- Open the Windows Firewall manager by navigating to ‘Start’ | ‘Administrative Tools’ | ‘Windows Firewall with Advanced Security’
- Navigate to the ‘Inbound Rules’ section in the left menu
- Right-click ‘Inbound Rules’, then click ‘New Rule...’
- Select the ‘Port’ option, then click ‘Next’
- Select the ‘TCP’ option, then select ‘Specific local ports’ and enter the custom port specified previously as the static endpoint for FStorageSrv
- Click ‘Next’, select the ‘Allow the connection’ option, then click ‘Next’
- Leave all firewall policy types applied and click ‘Next’
- Name the rule, then click ‘Finish’
Note: If the client server also has ISA or TMG server installed, step 2 must be performed on the client to allow the RPC communication from the client machine (localhost) to the target server. It is important to note that ‘Strict RPC Compliance’ must be disabled on the Access Rule configured to allow the RPC communication.