Domain Trust & RPC issues joining 1 PC to domain

WildMonkey365

Commendable
Aug 30, 2016
77
0
1,640
I just replaced firewalls/MPLS at a 7-site doctors' office. I copied the rules from their old units and all other PCs are still connected to their domain & working fine after replacing the equipment. The data vendor for the doctors' office unjoined a PC from the domain & could not join it back, so he asked me to allow TCP/UDP port range 1025-65535 for RPC. The domain is not at the site where this PC is trying to connect but at their corporate location. Here are my reservations with his request as well as the issue with this 1 PC.

A) Since the other PCs never disconnected from the domain & can access remote files on the remote Windows server, this problem cannot be due to the new firewall config or they would all be disconnected.

B) The port range I was asked to allow makes a firewall pretty much useless to their HIPAA environment. I have an implicit deny both inbound & outbound, so the range bothers me.

Is my thinking correct here? Should I even ask? lol

 
Solution
I'd not kill what you've got. If all the remote sites are on the same device (including hardware revisions) and you've matched the firmware between them, what else is different for the one site?

(side thought) HIPAA compliance is just a beginning...

What is missing/added on this one site that is different from the other 6? Find that and it will be fixed.

Do you have a support contract for the firewalls? Cisco/Juniper/ ? When I get my back against it, I call them. It is what the maintenance/support contract is for, and worth it.
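Added example, not posted by anyone in this thread: the usual way out of the "1025-65535 for RPC" request is to pin the RPC dynamic range on the domain controller to a narrow block and allow only that block (plus the fixed AD ports) from the remote site to the DC address. This PowerShell is run elevated on each DC and assumes Server 2008 or later; the narrowed range 49152-49407 is an example value, not one from the thread.

```powershell
# Added example (editor's code, not from the thread). Run elevated on each DC,
# then reboot the DC. Assumptions: Windows Server 2008 or later, whose default
# dynamic range is 49152-65535 (Server 2003/XP used 1025-5000, which is why
# vendors still ask for "1025 and up"); 49152-49407 is an assumed example range.

$RpcStart = 49152
$RpcCount = 256
$RpcEnd   = $RpcStart + $RpcCount - 1

# 1. Show the range the DC uses today.
netsh int ipv4 show dynamicport tcp

# 2. Narrow the OS ephemeral range. This also limits the DC's own outbound
#    source ports, so keep at least a few hundred ports.
netsh int ipv4 set dynamicport tcp "start=$RpcStart" "num=$RpcCount"

# 3. Tell the RPC runtime to register endpoints only inside that range
#    (the Microsoft-documented HKLM\SOFTWARE\Microsoft\Rpc\Internet values).
$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString `
    -Value @("$RpcStart-$RpcEnd") -Force | Out-Null
New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# 4. After the reboot, re-run this part alone to confirm RPC listeners
#    actually landed inside the range.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $RpcStart -and $_.LocalPort -le $RpcEnd } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort

# 5. The rule set the site firewall then needs (remote PC -> DC address only)
#    in place of "TCP/UDP 1025-65535".
$rules = @(
    [pscustomobject]@{ Service = 'DNS';                     Proto = 'TCP+UDP'; Port = '53' }
    [pscustomobject]@{ Service = 'Kerberos';                Proto = 'TCP+UDP'; Port = '88' }
    [pscustomobject]@{ Service = 'Kerberos password change';Proto = 'TCP+UDP'; Port = '464' }
    [pscustomobject]@{ Service = 'LDAP';                    Proto = 'TCP+UDP'; Port = '389' }
    [pscustomobject]@{ Service = 'LDAP over SSL';           Proto = 'TCP';     Port = '636' }
    [pscustomobject]@{ Service = 'Global Catalog';          Proto = 'TCP';     Port = '3268-3269' }
    [pscustomobject]@{ Service = 'SMB (Netlogon, SYSVOL)';  Proto = 'TCP';     Port = '445' }
    [pscustomobject]@{ Service = 'RPC endpoint mapper';     Proto = 'TCP';     Port = '135' }
    [pscustomobject]@{ Service = 'RPC dynamic (restricted)';Proto = 'TCP';     Port = "$RpcStart-$RpcEnd" }
    [pscustomobject]@{ Service = 'NTP (W32Time)';           Proto = 'UDP';     Port = '123' }
)
$rules | Format-Table -AutoSize
```

The point of step 3 is that port 135 (the endpoint mapper) only tells the client which dynamic port a given RPC service is listening on; the client then connects to that port directly, so allowing 135 by itself never completes a join. Once the DC is pinned to a small range, the remote-site rule is a few hundred ports to one destination address rather than 64,000 ports to anything.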

WildMonkey365

Hub & Spoke vMPLS which is just dynamic IPsec.
 

WildMonkey365

Yes. All the other PCs are working fine. They would all get disconnected from the domain if the firewall was set up wrong, correct? I looked up all his RPC ports and added about 20 to the rulebase. I'm not comfortable opening 64,000 ports for that. If that's the case he doesn't need a firewall.
 
Still sounds like something on the remote computer is set wrong...

Do you have a laptop that is set up properly that can be deployed to test the connection viability?

Is there a "Client config export" on your central firewall for the proper remote connectivity setup? NOT hand copy.

That or copy the config from a different working remote and try it.
 
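Added example, not posted by anyone in this thread: a connectivity check to run on the problem PC (or a known-good laptop at that site) that locates the DC the way the domain-join code does and tests each port it needs. It is the editor's code; `corp.example` is an assumed domain name, the dynamic range start is an assumed value that must match what the DC really uses, and `Test-NetConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added example (editor's code, not from the thread). Run on the remote-site PC.
# Assumptions: domain name 'corp.example'; RPC dynamic range starting at 49152
# (the Server 2008+ default); adjust both to the real environment.
param(
    [string]$Domain       = 'corp.example',  # assumed domain name
    [int]   $RpcDynStart  = 49152,           # assumed; must match the DC's range
    [int]   $RpcDynSample = 5                # how many dynamic ports to probe
)

# 1. DNS: the join code finds a DC through the _ldap._tcp.dc._msdcs SRV record,
#    so this has to resolve from the DNS server the site PCs actually use.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dc  = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
Write-Host "DC located via SRV record: $dc"

# 2. Fixed ports used by join, Kerberos authentication, LDAP and the secure channel.
$ports = @(
    @{ Name = 'DNS';            Port = 53   }
    @{ Name = 'Kerberos';       Port = 88   }
    @{ Name = 'RPC EPM';        Port = 135  }
    @{ Name = 'LDAP';           Port = 389  }
    @{ Name = 'SMB';            Port = 445  }
    @{ Name = 'Kpasswd';        Port = 464  }
    @{ Name = 'LDAP SSL';       Port = 636  }
    @{ Name = 'Global Catalog'; Port = 3268 }
)
$results = foreach ($p in $ports) {
    $ok = Test-NetConnection -ComputerName $dc -Port $p.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $p.Name; Port = $p.Port; Open = $ok }
}
$results | Format-Table -AutoSize

# 3. Probe the start of the RPC dynamic range. Only ports RPC has actually bound
#    will answer, so one closed port proves nothing; 135 open while every sampled
#    port times out is the pattern of a firewall dropping the dynamic range.
$dyn = foreach ($port in $RpcDynStart..($RpcDynStart + $RpcDynSample - 1)) {
    $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; TcpTestSucceeded = $r.TcpTestSucceeded; PingSucceeded = $r.PingSucceeded }
}
$dyn | Format-Table -AutoSize

# 4. If the PC still believes it is joined, check the secure channel itself;
#    nltest also shows which DC the locator picked and why.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Test-ComputerSecureChannel -Verbose
    nltest "/sc_query:$Domain"
}
nltest "/dsgetdc:$Domain" /force
```

Run it once from a site where joins work and once from the problem site and compare the two tables; if both sets match, the difference is on the PC, not in the firewall. To see exactly which dynamic ports the DC is advertising instead of guessing a range, Microsoft's PortQry tool (`portqry -n <dc> -e 135`) queries the endpoint mapper and lists them.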

WildMonkey365

Good thoughts. Honestly my scope of work is to get a new firewall set up at all 7 sites, make sure it is only allowing specified traffic, access a file from the main host at each site, make sure DNS is also coming from the main site, and all PCs are on the domain. I was thinking of deleting the deny rule to rule out a firewall port issue. This would essentially allow everything to go out. I'm wondering, if that is going to be my approach, if I should do the same at the main site in their firewall. What are your thoughts?