Aside from Microsoft's ISA Server 2004, which commercial firewalls can actively filter RPC responses from a Windows 200x server to present only a subset of all supported services (i.e., UUIDs)? My specific requirements are:
- All clients are on separate networks from the RPC server, separated by a firewall.
- All requests between the networks are routed (i.e., no NAT).
- When a client requests RPC to list all services on the server, the firewall will *not* show the true list of RPC services available, but will instead proxy a reduced list of services.
- The firewall is able to maintain context of an RPC session, so that requests for secondary connections to the actual RPC service on its UUID port will not be allowed unless it is in connection with a valid RPC request.
- RPC requests are inspected to make sure they are properly formed (i.e., no random data being sent to port 135).
- Preferably, some entry-level version of the product costs less than $1000. (I still want to hear about products that cost more though.)
I've been working with ISA Server 2004, and while I like it in general as an internal proxy server/firewall, I am having a miserable time working with its custom RPC support. It claims to do all of the above, but I'm finding that the RPC support is buggy, poorly documented, and only appears to work correctly if you use NAT. Since the server I'm trying to protect here is an Active Directory server, I'm not anxious to have every member computer in our domain attach to such a critical machine using a NAT address. That makes it incredibly problematic to switch out the firewall if other problems with it develop.
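To make concrete what the fourth, fifth and sixth requirements above ask of a product, here is an added example (not from the original post, and not ISA Server code) of the parsing an RPC-aware filter has to do in front of port 135: a minimal DCE/RPC v5 bind validator plus an interface allow-list, in Python. It rejects anything that is not a well-formed little-endian bind PDU and drops binds that ask for an interface UUID the firewall is not willing to expose. The interface UUIDs are Microsoft's published ones; the sample bind PDU is constructed inline; the allow-list contents and all function names are assumptions for illustration. It does not rewrite Endpoint Mapper lookup responses or track the follow-on connection to the dynamic port, which a real product would also need.

```python
"""Minimal DCE/RPC v5 bind validator with an interface allow-list.
Added example for illustration; not ISA Server code and not from the post."""
import struct
import uuid

# Well-known DCE/RPC interface UUIDs (Microsoft's published interface IDs).
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")   # Endpoint Mapper (v3.0)
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")  # SAM remote protocol (v1.0)
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax (v2.0)

PTYPE_BIND = 11        # packet type of a bind PDU
HEADER_LEN = 16        # common DCE/RPC PDU header
BIND_FIXED_LEN = 12    # max_xmit, max_recv, assoc_group, n_ctx + 3 pad bytes


class MalformedRPC(ValueError):
    """Raised for anything that is not a well-formed DCE/RPC v5 bind PDU."""


def build_bind(interfaces, call_id=1):
    """Construct a little-endian bind PDU requesting the given (uuid, major) pairs.
    Only used to produce sample input here (constructed, not captured traffic)."""
    ctx = b""
    for i, (iface, major) in enumerate(interfaces):
        ctx += struct.pack("<HBB", i, 1, 0)                    # ctx id, 1 transfer syntax, pad
        ctx += iface.bytes_le + struct.pack("<HH", major, 0)   # abstract syntax + version
        ctx += NDR_UUID.bytes_le + struct.pack("<HH", 2, 0)    # transfer syntax + version
    body = struct.pack("<HHIB3x", 4280, 4280, 0, len(interfaces)) + ctx
    header = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 0x03, 0x10,
                         HEADER_LEN + len(body), 0, call_id)
    return header + body


def parse_bind(pdu):
    """Validate one bind PDU and return (call_id, [(ctx_id, iface_uuid, (major, minor))]).
    Every length field is checked against the bytes actually present, so random
    data or a truncated PDU raises MalformedRPC instead of being forwarded."""
    if len(pdu) < HEADER_LEN:
        raise MalformedRPC("short header")
    ver, minor, ptype, _flags, drep, frag_len, auth_len, call_id = \
        struct.unpack_from("<BBBBIHHI", pdu, 0)
    if ver != 5 or minor not in (0, 1):
        raise MalformedRPC("not DCE/RPC v5")
    if (drep & 0xF0) != 0x10:          # high nibble of drep byte 0: 1 = little-endian
        raise MalformedRPC("only little-endian data representation handled")
    if frag_len != len(pdu):
        raise MalformedRPC("frag_length does not match PDU size")
    if ptype != PTYPE_BIND:
        raise MalformedRPC("not a bind PDU")
    if len(pdu) < HEADER_LEN + BIND_FIXED_LEN:
        raise MalformedRPC("truncated bind")
    n_ctx = struct.unpack_from("<HHIB", pdu, HEADER_LEN)[3]
    if n_ctx == 0:
        raise MalformedRPC("bind with no presentation contexts")
    off = HEADER_LEN + BIND_FIXED_LEN
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise MalformedRPC("context item runs past end of PDU")
        ctx_id, n_trans, _pad = struct.unpack_from("<HBB", pdu, off)
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        version = struct.unpack_from("<HH", pdu, off + 20)
        off += 24
        if n_trans == 0 or off + 20 * n_trans > len(pdu):
            raise MalformedRPC("transfer syntax list runs past end of PDU")
        off += 20 * n_trans
        contexts.append((ctx_id, iface, version))
    # With no auth trailer the contexts must account for every remaining byte;
    # with one, an 8-byte verifier header plus auth_len bytes must still fit.
    if auth_len == 0 and off != len(pdu):
        raise MalformedRPC("trailing bytes after presentation contexts")
    if auth_len and off + 8 + auth_len > len(pdu):
        raise MalformedRPC("auth trailer longer than PDU")
    return call_id, contexts


def decide_bind(pdu, allowed):
    """Policy decision for one inbound bind: ('allow', [ifaces]) or ('drop', reason).
    `allowed` is the set of interface UUIDs the firewall is willing to expose
    (an assumed policy, chosen by the administrator)."""
    try:
        _call_id, contexts = parse_bind(pdu)
    except MalformedRPC as exc:
        return ("drop", "malformed: " + str(exc))
    requested = [iface for _ctx_id, iface, _ver in contexts]
    denied = [str(u) for u in requested if u not in allowed]
    if denied:
        return ("drop", "interface not exposed: " + ", ".join(denied))
    return ("allow", requested)


if __name__ == "__main__":
    policy = {EPM_UUID}                      # expose only the Endpoint Mapper
    print(decide_bind(build_bind([(EPM_UUID, 3)]), policy))
    print(decide_bind(build_bind([(EPM_UUID, 3), (SAMR_UUID, 1)]), policy))
    print(decide_bind(b"GET / HTTP/1.0\r\n", policy))
```

The allow-list check here is on the bind, which is where the client names the interface UUID; a product meeting the requirements above would additionally have to parse the Endpoint Mapper lookup reply, strip entries for interfaces outside the policy, and remember the dynamic port it did return so that only that follow-on connection is admitted.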