About RPC protocols

Incoming RPC protocols

When you install Microsoft Forefront Threat Management Gateway, two default remote procedure call (RPC) protocol definitions are provided for incoming requests:

  • Exchange RPC Server—A list of UUID interfaces used for Microsoft Exchange Server is defined as an RPC protocol definition. You can use this protocol definition in server publishing rules in order to deny or allow access to specific Exchange functions.
  • RPC Server (all interfaces)—If this protocol definition is allowed in a server publishing rule, Forefront TMG maps any inbound RPC requests to the published RPC server. If the universally unique identifier (UUID) is registered on the RPC server, access to the procedure is given. If the UUID is not registered on the RPC server, the request is dropped. This protocol is used for publishing RPC servers other than Exchange.

For incoming requests to published RPC servers, Forefront TMG inspects the traffic flowing between the source and destination. Based on the protocols used by the RPC client and server, Forefront TMG dynamically opens and closes ports on the external published listener.

Outgoing RPC protocols

When you install Forefront TMG, a default RPC protocol definition is provided for outgoing requests:

  • RPC (all interfaces). This protocol is defined for outbound requests. All UUID interfaces are used for this protocol definition.

You can create access rules that allow use of this outbound RPC protocol definition. With these rules, Forefront TMG inspects the traffic flowing between the source and destination, and it allows internal clients to use the RPC protocol in order to access external resources. For example, you can allow clients on the Internal network access to an external Exchange server. Similarly, you can create outgoing RPC protocol definitions and use these in access rules in order to allow internal clients access to external resources. 

RPC filter

By default, all predefined RPC protocols are bound to the RPC filter. The RPC filter monitors RPC traffic between hosts, and sets up secondary connections as required for RPC traffic. For outbound RPC requests, Forefront TMG inspects the traffic flowing between the source and destination. For incoming requests to published RPC servers, Forefront TMG inspects the traffic flowing between the source and destination, and dynamically opens and closes ports on the external published listener based on the protocols used by the RPC client and server. The RPC filter cannot be applied to traffic tunneled over another protocol, such as RPC over HTTP. When a rule references a protocol that is bound to the RPC filter, then the filter is applied to traffic matching the rule.

Creating custom RPC protocols

You can create additional RPC protocol definitions. Using the New RPC Protocol Wizard, you can either select UUID interfaces from a list of interfaces available on the RPC server, or you can define the interfaces manually. If you do not specify any interfaces for the incoming RPC protocol definition, server publishing rules that allow this protocol definition do not allow any traffic.

When you create a custom RPC protocol by using the wizard, the following defaults are applied:

  • Port TCP 135 is enabled for the custom protocol
  • The custom protocol is bound to the RPC filter

For traffic defined as "outbound", Forefront TMG does not handle traffic based on specific UUIDs, and you cannot create a custom outbound protocol definition for specific UUIDs. For traffic defined as "incoming", you can create a custom protocol with specific UUIDs either by selecting them from the endpoint mapper list or by manually creating them.
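
The UUID matching that an incoming RPC protocol definition implies can be illustrated by parsing a DCE/RPC bind request and comparing the interfaces it asks for against an allowed list. This is an added example, not Forefront TMG code: the two interface UUIDs are constructed, the PDU is assumed to be a single little-endian fragment, and the rule that every requested interface must be listed is an assumption.

```python
import struct
import uuid

BIND = 11  # DCE/RPC connection-oriented PDU type for a bind request
# Constructed sample interface UUIDs (placeholders, not real Exchange interfaces).
ALLOWED_IF = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER_IF = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax


def build_bind(interfaces):
    """Build a constructed little-endian bind PDU offering the given interfaces."""
    body = struct.pack("<HHI", 4280, 4280, 0)            # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", len(interfaces), 0, 0)   # n_context_elem + reserved
    for ctx_id, if_uuid in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0)        # context id, one transfer syntax
        body += if_uuid.bytes_le + struct.pack("<HH", 1, 0)  # abstract syntax + version
        body += NDR.bytes_le + struct.pack("<I", 2)      # transfer syntax + version
    header = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, 1)           # frag_length covers header + body
    return header + body


def bind_interfaces(pdu):
    """Return the interface UUIDs requested by a bind PDU, or raise ValueError."""
    if len(pdu) < 28:
        raise ValueError("truncated PDU")
    ver, _, ptype, _, drep, frag_len, _, _ = struct.unpack_from("<BBBB4sHHI", pdu)
    if ver != 5 or ptype != BIND or (drep[0] & 0xF0) != 0x10 or frag_len != len(pdu):
        raise ValueError("not a complete little-endian bind PDU")
    offset, found = 28, []                               # context list starts at byte 28
    for _ in range(pdu[24]):                             # pdu[24] is n_context_elem
        if offset + 24 > len(pdu):
            raise ValueError("context list runs past end of PDU")
        n_transfer = pdu[offset + 2]
        found.append(uuid.UUID(bytes_le=bytes(pdu[offset + 4:offset + 20])))
        offset += 24 + 20 * n_transfer                   # skip this element's syntaxes
    return found


def verdict(pdu, allowed):
    """Allow only if every requested interface is in the protocol definition."""
    try:
        requested = bind_interfaces(pdu)
    except ValueError:
        return "drop"                                    # malformed binds are dropped
    return "allow" if requested and all(u in allowed for u in requested) else "drop"
```

With an empty allowed set, `verdict` drops every bind, which mirrors the behavior described above for a protocol definition with no interfaces specified.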

Enabling strict RPC compliance

By default, strict compliance is enforced for RPC protocols. When strict compliance is enforced, RPC-type protocols, such as Distributed Component Object Model (DCOM), are not allowed through Forefront TMG. More specifically, any traffic (such as DCOM) that does not start an RPC exchange by communicating with the endpoint mapper is blocked.

For publishing rules, the strict compliance setting cannot be modified. For access rules, the default "Enable strict RPC compliance" setting is configured on each RPC rule. Turning off this setting does not specifically allow DCOM traffic. It simply disables filtering for this traffic after the endpoint mapper requirements have been met. To allow DCOM traffic through an RPC access rule, either of the following is required:

  • An access rule that allows all protocols between the specified source and destination.

Alternatively, you can do the following:

  1. Create a custom outbound protocol using a port that is not associated with any other application.
  2. Configure the RPC application or DCOM endpoint to use the custom protocol port as a static port.
  3. Create an access rule to allow the protocol between the required source and destination.

Outbound RPC protocols can be configured on a per-rule basis in order to enforce strict RPC compliance.