Performing WMI application queries on clients connected via the IAG Network Connector
Scenario
Client computers connected via the IAG network connector (NC) to the LAN could access its network resources normally but failed to run WMI application queries against other computers.
Windows Management Instrumentation (WMI) is implemented using the Distributed Component Object Model (DCOM). This requires proper configuration of the firewall device(s) between the computer performing the WMI query and the destination computer.
In the ISA firewall running on the IAG server, DCOM communication is allowed when strict RPC compliance is not required for the applicable rule that handles this traffic. To resolve this problem, I looked to see if strict RPC compliance was enforced. It was. Turning off strict RPC compliance for the Network Connector Access rule resolved the issue in this scenario.
Steps to check for and disable strict RPC compliance option
1) In the ISA Server management console, select Firewall Policy in the left pane. Scroll down to Whale::NetworkConnectorAccessRule under Firewall Policy Rules, right-click that line, and select the Configure RPC protocol option.
2) Ensure that the Enforce strict RPC compliance option is not checked for this rule, and click OK.
3) Click Apply to save changes and update the configuration.
If another custom NC rule was created, ensure that the same is true for that rule.
For testing purposes, one other option could be to disable the RPC Filter globally. Care must be exercised as this might affect other rules on the system. If you have determined that it is safe to do so, this can be accomplished by selecting Add-ins on the left pane, selecting the Application Filters tab and right-clicking the RPC Filter. Select the Disable option.
Click Apply to save changes and update the configuration.
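To confirm the per-rule change from a client connected through the Network Connector, without resorting to the global filter change, the following check separates an RPC transport failure from a permissions failure. It is an added example, not part of the original post; the host name is a placeholder, and the function names and the interpretation of the RPC error are assumptions, since the post does not state the exact error seen.

```powershell
# Added example; 'target-host.example' is a placeholder for a LAN host you administer.
param([string]$Target = 'target-host.example')

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-WmiOverDcom {
    param([string]$HostName)
    $r = New-Object PSObject -Property @{
        Target = $HostName; Port135Open = $false; Wmi = 'NotTried'; Detail = ''
    }
    # TCP 135 is the RPC endpoint mapper that DCOM contacts first.
    $r.Port135Open = Test-TcpPort -HostName $HostName -Port 135
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $HostName -ErrorAction Stop
        $r.Wmi = 'OK'
        $r.Detail = $os.Caption
    } catch [System.UnauthorizedAccessException] {
        # E_ACCESSDENIED (0x80070005): DCOM got through; this is a credentials or
        # DCOM/WMI permissions problem on the target, not a firewall problem.
        $r.Wmi = 'AccessDenied'
        $r.Detail = $_.Exception.Message
    } catch [System.Runtime.InteropServices.COMException] {
        $code = $_.Exception.ErrorCode
        # -2147023174 is 0x800706BA, "The RPC server is unavailable".
        if ($code -eq -2147023174) { $r.Wmi = 'RpcUnavailable' } else { $r.Wmi = 'ComError' }
        $r.Detail = '0x{0:X8}' -f $code
    } catch {
        $r.Wmi = 'Error'
        $r.Detail = $_.Exception.Message
    }
    return $r
}

# Port135Open = True together with Wmi = RpcUnavailable points at RPC filtering
# somewhere in the path (assumption: the post does not give the error it saw).
Test-WmiOverDcom -HostName $Target | Format-List
```

Run it before and after changing the rule; a result of AccessDenied or OK after the change shows that DCOM traffic is now passing the firewall.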
For more details on WMI and configuration in different scenarios, please check the following link: https://msdn.microsoft.com/en-us/library/aa389290(VS.85).aspx
Author
Renato Menezes
Security Support Engineer – IAG Team
Microsoft – North Carolina
Tech Reviewer
Vic Singh Shahid
Escalation Engineer – ISA /IAG Team
Microsoft – North Carolina