Check Point blocks certain AD Trafic
From the Checkpoint mailing list an issue concerning Active Directory trafic accros VPNs has pulled our attention. As a member stated an issue with a connection accros a VPN network for integration of a station in AD we have seen that the solution was already available by Microsoft. The issue lies in integration of certain services in Windows 2003 server SP1. Here bellow you will find some explanation.
Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers
Microsoft SK 899148
On This Page
|•||Firewall or virtual private network (VPN) products from Checkpoint Software Technologies|
|•||Microsoft Internet Security and Acceleration (ISA) Server|
Specifically, firewalls and VPN products that do permit more than one presentation context to be present in a bound RPC protocol data unit (PDU) may cause either of the following symptoms:
|•||Drop RPC frames on the network|
|•||Prematurely close connections from Windows Server 2003 SP1-based computers|
Method 1You can disable RPC filters on firewalls and VPN products if the network requirements make this possible.
Method 2If you need RPC-based operations to function immediately and you cannot update firewalls and VPNs in a timely manner, install the hotfix that is described in this section and then follow these steps:
|1.||Click Start, click Run, type regedit, and then click OK|
and then click the following
|3.||Click the Edit menu, point to New, and then click DWORD Value.|
|4.||Type Server2003NegotiateDisable as the name of the new DWORD Value|
|5.||Right-click Server2003NegotiateDisable, and then click Modify.|
Data box, type
and then click
Note This setting disables the bind time negotation and multiple transfer syntax negotiation.
|7.||Quit Registry Editor. Restart the Windows Server 2003-based computer.|
|8.||After the firewalls and VPN devices are compatible with RPC on the computer that has Service Pack 1 installed, set the value for the Server2003NegotiateDisable entry in the registry to 0. Then, restart the Windows Server 2003-based computer.|
Hotfix informationA supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Date Version Size File name Platform ---------------------------------------------------------- 05-03-2005 5.2.3790.2436 642,048 Rpcrt4.dll x86 05-03-2005 5.2.3790.2436 1,714,688 Rpcrt4.dll x64 05-03-2005 5.2.3790.2436 2,462,208 Rpcrt4.dll IA-64
Evaluation is especially appropriate where firewalls can filter RPC-based replication traffic between domain controllers. Filtration of RPC-based replication traffic between domain controllers can cause a long-term interruption of Active Directory replication.
Specifically, administrators should try to use monitoring software to make sure that all domain controllers in a forest perform incoming replication within a rolling tombstone lifetime number of days. By default, a rolling tombstone lifetime number of days is 60 days. Domain controllers that cannot perform incoming replication of knowledge of each unique delete within the previous tombstone lifetime number of days will forever be inconsistent for those changes until an administrator intervenes.
Events in the Directory Service event log that indicate that Active Directory replication is failing on Windows Server 2003-based domain controllers include the following:
|•||1862: “the local DC has not recently received replication information from a number of domain controllers” (intersite)|
|•||1864: “the local DC has not recently received replication information from a number of domain controllers” (intrasite)|
|•||2042: “it has been too long since this machine last replicated with the named source” (TSL # of days)|
Repadmin.exe is located in the Support\Tools\ Suptools.msi file on the Windows Server 2003 installation media.
For more information about how to remove lingering objects, click the following article number to view the article in the Microsoft Knowledge Base:
The following error message is typically displayed by components when RPC frames with multiple transfer syntaxes are rejected by a firewall or a VPN generates Windows 32 error 1727:
For information about the DCE RPC specification, visit the following Opengroup Web site:
|•||Microsoft Windows Server 2003 Service Pack 1, when used with:|