I am a Sr. Systems Engineer with a large hosting company. We use Fortigate firewalls extensively and recently ran into a strange issue invovling remote WMI monitoring of Windows servers behind Fortigate devices. The monitoring product we are using leverages WMI to collect performance statistics from remote instances. The connection is made from a single monitoring server across the public Internet (no VPN). In each case we had firewall policies configured to allow ANY traffic from the monitoring server to the target server. Ping, telnet, RDP, and Remote Procedure Calls (tested via " net use \\<target>\IPC$) all connect successfully. When connecting to WMI remotely to monitor performance, the error " RPC_SERVER_UNAVAILABLE" was fired on the monitoring server. WMI tools such as WBEMTest reported the same error. I verified DCOM permissions (remote WMI calls are made through DCOM) and confirmed that the Windows Firewall was disabled. After extensive troubleshooting, we realized that we only devices experienced this issue when connecting to customers who are behind Fortigate devices. We had no problems with customers behind other firewall products. We took network captures on the source server and target servers in working and non-working environments. What we found was that following the successful RPC Bind, the source server calls the ServerAlive2 method and DCOM on the target instance responds with a list of string and security bindings followed by a result code. On working servers, the string bindings for DCOM include the internal IP addresses for binding to DCOM interfaces. On the servers that were not working, the ServerAlive2 response returned the external IP address for all bindings and no result code. This caused the DCOM interface bind to fail. The packet sniffer on the Fortigate showed that the target server was returning the internal IP addresses, but the external interface was sending the external ip addresses, indicating some type of translation to the outbound packets. We came across documentation for the DCE-RPC Session Helper which states the following: " To accept DCE-RPC sessions you must add a firewall policy with service set to any or to the DEC-RPC (sic) pre-defined service (which listens on TCP and UDP ports 135). The dcerpc session helper also listens on TCP and UDP ports 135" This would seem to imply that adding the service set to ANY would allow for the packets simply to be passed using dynamic ports. This is not the case. We disabled the DCE-RPC Session Helper and were able to connect via remote DCOM / WMI without issue. Network caputures showed the proper bindings being returned from the target server. Is it expected behavior that the Session Helper make changes to outbound traffic? I' m sure this type of issue is not isolated only to the Fortigate devices (I remember similar issues with the Cisco PIX FIXUP protocols). Hopefully, this will save somebody a bunch of troubleshooting. Best, D. McDowell Charlotte, NC