A while ago I needed to create an external trust through a firewall and created this blog entry discussing that.  I decided to revisit this article with an updated article as some new technologies have come into play that can change how the firewall rules are built.

So what has changed? 

Many firewalls have implemented a new filter called DCERPC.  The DCERPC filter basically listens for RPC traffic and monitors what ports are requested and then dynamically open only those ports for each RPC conversation.  Essentially it is a statefull firewall for RPC traffic.

So how can this help us? 

If you've ever setup up a firewall to use one of Microsoft's services through it, you've probably looked at this document: Service overview and network port requirements for the Windows Server system.  And you've probably seen the line: RPC randomly allocated high TCP port ranging from 1024-65535 or 49152-65535.  Requesting this port range from your network guys usually resulted in a no and you had to think of another way of doing what you needed to do.

Now with DCERPC, we can just open up the destination port 135 and apply the DCERPC filter.  The firewall will inspect the RPC data on port 135 and dynamically open the negotiated RPC ports between the two hosts for that conversation.  Once the RPC coversation is over, the ports will be closed again.   Your firewall guys will be much happier with your port requests when you no longer have to request those massive port ranges.

Hope this helps.