http://www.ISAserver.org
-------------------------------------------------------

Let me put it a different way while allowing that the client can specify the port in the URL depending on the environment while supporting my thoughts in the original thread- not being pedantic here, but this is a valuable distinction, and if people knew this, they would not have as many problems as many have.

1) Internally, there is no requirement to change the RPCProxy ports because the client has access to the EPM. The client will ask the EPM what ports to use for RPC over HTTP- this is why RDP over HTTP will work with Outlook on a "fresh" install of Ex2k supporting RPC over HTTP, even though the RPCProxy's default ValidPorts are 100-500. In this regard, the requirement is NOT at the RPCProxy in this case because it "works." The reason it works is that the client is given a port to hit the RPC proxy that is "proxied" to the Exchange service on 6001-6002 and 6004. Ultimately, these ports are what Exchange dictates. The info store is 6001, the attendant is 6002, and NSPI is 6004.

2) When you publish RPC/HTTP via ISA, ISA does not, in fact, publish/support EPM queries for the client to find out what RPC ports are available on the published server. In this case, in the default install, the client will not be able to connect to the back end server through ISA even with a "properly" working RPCProxy because ISA will not query the EPM of the Ex box on behalf of the client. The client, wondering WTF, will then say "whatever" and try to connect to the Exchange box on what it thinks the "true" ports are- this being 6001-6002 and 6004. ISA does indeed do what the client asks (you are technically right on this point) and tries to contact the backend proxy. It fails, because the RPCProxy is only listening on 100-500. For ISA deployments (or other 'direct' RPC/HTTP to Exchange configs), only 6001-6002 and 6004 are used. 593 gets hit too, but it isn't a requirement.
3) Ergo, therefore, and fooqoff, at the end of the day, if you are going to deploy RPC/HTTP via ISA, you must change the ValidPorts on the RPCProxy to 6001-6002 and 6004 (or a range covering that). To be further pedantic, this is not a requirement for the RPCProxy to work, it is a requirement for the RPCProxy to listen on specifically requested ports from the end client to support Exchange RPC/HTTP to work, which is required in non-EPM supported deployments like ISA.

As an aside, it is curious as to why a "direct" request to the Exchange Information Store, System Attendant, and Name Service Provider Interface fails in the absence of the RPCProxy installation since that's what the freaking Exchange install is already listening on, but that's another mystery.

So, finally, based on all of this, my previous response to the "Those kicks just keep getting harder to find" was appropriate in that when one tries to make an Exchange box an RPC proxy, it should say something about the ports it needs to work in addition to the "hey, do you have the RPCProxy service installed" suggestions.

Hopefully that will clear things up. If you would like to go into this any further, I say "bring it fat boy, and put your shot glasses where your mouth is" for a Vegas drinking showdown. ;)

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 12:14 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

Nope; the blog counters your assertion. OL (and TSG) specifies the use of relevant ports in the URL when it makes the request to the RPCProxy. The requirement to change these values is at the RPCProxy; not at ISA.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 11:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

Actually, if you look at Stefaan's article you'll see what I'm talking about. Without any changes to the RPCProxy keys, an internal RPC/HTTP client will work perfectly. The same client on the outside via ISA will fail. ISA *always* uses those ports, as is evident by the requirement to change the reg key. When monitoring the ISA traffic, ISA always talks to Exchange RPC with those ports- so, I would have to say though the client requests to ISA what it wants, ISA "does something" in that it does not use the ports the client requested, but rather, 6001-6002 and 6004 when talking to the back end server.

If you look back through some ISAServer.org posts, you'll see references to people having problems with RPC_DATA_IN and RPC_DATA_OUT - while references were made to the HTTP filter, the reality is that these people did not properly configure the RPCProxy to listen on the ports ISA uses.

This is easily tested- set the ports for ValidPorts back to default (100-500). Try RPC/HTTP directly to the Exchange server (internally). Works like a dream. Now try via ISA with the rule you had that was already working. It fails. Unless the ValidPorts range includes 6001-6002 and 6004, ISA pub will not work.

You will actually be demonstrating this at the Vegas Blackhat training you are giving ;)
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html

T

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 10:49 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

ISA doesn't do anything; the RPC/HTTP client specifies those ports. The URL is constructed by the RPC/HTTP client as:

    RPC_[IN | OUT]_DATA /rpcproxy.dll?exchserver:port HTTP/1.x

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 9:43 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

The RPCProxy default ports are 100-500 or some such on the Ex box. That's fine for internal use of RPC/HTTP as it will work without changes via RPC endpoint lookup, but if you publish via ISA, when ISA talks to the RPCProxy, it uses 6001-6002 and 6004. If you do not change the ValidPorts config in the RPCProxy key, your ISA pub rule will fail.

That's the facts Jack!

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 9:24 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

What ISA edits you be maky? ISA no care what ports happen between RPCProxy & Exchange - all happen behind ISA.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 9:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

The publisher to Exchange only usey those portie. If you no makey edits for ISA, it no workie.

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 9:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

Er - "..via ISA, which only uses those RPC ports.."? ISA no be control those ports for RPC/HTTP.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 8:47 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

You also might be asking yourself "Hey Self, why did the Exchange Team not include the 6000-6004 RPC port range by default in Ex2k3 when they know that the only way people would deploy RPC/HTTP over the Internet is via ISA, which only uses those RPC ports."

Because it's more fun to make the admin edit the registry while telling them "if you edit the registry, we are not responsible for your system anymore" particularly when that's the only possible way it can work!

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, June 28, 2007 8:09 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Those kicks just keep getting harder to find

"You might be asking yourself "Hey Tom, why did you enable RPC/HTTP in the Exchange Server configuration when you haven't installed the RPC/HTTP Proxy service yet?" The reason why I did it this way was to show off the Exchange development team's sense of humor. Sure, they could have configured things so that when you enable Outlook Anywhere it would check to see if the RPC/HTTP Proxy service was installed, but it's a lot more fun for them to think about you trying to troubleshoot for a few days why RPC/HTTP isn't working. You'd think they'd get enough jollies by making you use PowerHell for the certificate request and assignment."

:\

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
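
The port check this thread argues about, as an added example (not code from any poster or from Microsoft): it parses a ValidPorts value and reports which RPC_IN_DATA / RPC_OUT_DATA requests name a port outside it. The `host:range;host:port` value syntax, the host name `exchserver` and the sample request lines are assumptions constructed for illustration.

```python
import re

# Request line shape quoted in the thread:
#   RPC_[IN | OUT]_DATA /rpcproxy.dll?exchserver:port HTTP/1.x
REQUEST_RE = re.compile(
    r"^RPC_(?:IN|OUT)_DATA\s+\S*/rpcproxy\.dll\?([^:\s]+):(\d+)\s+HTTP/1\.\d$",
    re.IGNORECASE)

def parse_valid_ports(value):
    """Parse 'host:lo-hi;host:port' (assumed syntax) into {host: [(lo, hi)]}."""
    allowed = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, _, ports = entry.rpartition(":")
        lo, _, hi = ports.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not host or not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad ValidPorts entry: {entry!r}")
        allowed.setdefault(host.lower(), []).append((lo, hi))
    return allowed

def check_request(line, allowed):
    """Return (host, port, permitted), or None if not a proxy request."""
    m = REQUEST_RE.match(line.strip())
    if m is None:
        return None
    host, port = m.group(1).lower(), int(m.group(2))
    return host, port, any(lo <= port <= hi for lo, hi in allowed.get(host, []))

def rejected(valid_ports, requests):
    """Ports requested by clients that the ValidPorts value does not cover."""
    allowed = parse_valid_ports(valid_ports)
    results = (check_request(r, allowed) for r in requests)
    return [(h, p) for h, p, ok in filter(None, results) if not ok]

# Constructed sample data: host name and request lines are illustrative.
DEFAULT = "exchserver:100-500"                    # default range per the thread
WIDENED = "exchserver:6001-6002;exchserver:6004"  # range the thread says to set
REQUESTS = [
    "RPC_IN_DATA /rpcproxy.dll?exchserver:6001 HTTP/1.1",
    "RPC_OUT_DATA /rpcproxy.dll?exchserver:6002 HTTP/1.1",
    "RPC_IN_DATA /rpcproxy.dll?exchserver:6004 HTTP/1.1",
    "RPC_IN_DATA /rpcproxy.dll?exchserver:593 HTTP/1.1",
]

if __name__ == "__main__":
    print("default:", rejected(DEFAULT, REQUESTS))
    print("widened:", rejected(WIDENED, REQUESTS))
```

With the default range every sample request is refused; with the widened range only the 593 request is, which matches the thread's remark that 593 gets hit but is not required.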