Hey! What up with that? ;))

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Tuesday, August 15, 2006 9:04 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>
> Now THAT was funny-- the shirt ad when I looked up "hork" (even though I totally knew what it meant) was this:
>
> http://www.bustedtees.com/shirt/tom/male
>
> Lol.
>
> t
>
> On 8/15/06 6:52 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>
> > Aha, OK, borking is quite different from horking:
> >
> > http://www.urbandictionary.com/define.php?term=borked
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >> Sent: Tuesday, August 15, 2006 8:41 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>
> >> There is - this was a clear case of borking.
> >> That's a much more complex (and effective) form of f#$%$ing up your system.
> >>
> >> -------------------------------------------------------
> >> Jim Harrison
> >> MCP(NT4, W2K), A+, Network+, PCG
> >> http://isaserver.org/Jim_Harrison/
> >> http://isatools.org
> >> Read the help / books / articles!
> >> -------------------------------------------------------
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >> Sent: Tuesday, August 15, 2006 18:45
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>
> >> I figured there was an "anti-hork" feature in the ISA CSS replication engine ;)
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >>
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>> Sent: Tuesday, August 15, 2006 8:34 PM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>
> >>> Replication is a wonderful thing...
> >>>
> >>> -------------------------------------------------------
> >>> Jim Harrison
> >>> MCP(NT4, W2K), A+, Network+, PCG
> >>> http://isaserver.org/Jim_Harrison/
> >>> http://isatools.org
> >>> Read the help / books / articles!
> >>> -------------------------------------------------------
> >>>
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >>> Sent: Tuesday, August 15, 2006 18:10
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>
> >>> Hey, wait a minute. There should be multiple CSSs, so did the storage get horked on all of them?
> >>>
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>>
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>> Sent: Tuesday, August 15, 2006 7:25 PM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>
> >>>> Yep - somehow he managed to completely bork his storage.
> >>>> We're almost to the point of a complete rebuild <sigh>.
> >>>> I'm actually doing a registry compare to see if I can sort out what he broke.
> >>>>
> >>>> -------------------------------------------------------
> >>>> Jim Harrison
> >>>> MCP(NT4, W2K), A+, Network+, PCG
> >>>> http://isaserver.org/Jim_Harrison/
> >>>> http://isatools.org
> >>>> Read the help / books / articles!
> >>>> -------------------------------------------------------
> >>>>
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >>>> Sent: Tuesday, August 15, 2006 17:20
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>
> >>>> Is it a real problem, and dealing with jughead the enterprise admin?
> >>>>
> >>>> Thomas W Shinder, M.D.
> >>>> Site: www.isaserver.org
> >>>> Blog: http://blogs.isaserver.org/shinder/
> >>>> Book: http://tinyurl.com/3xqb7
> >>>> MVP -- ISA Firewalls
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: Tuesday, August 15, 2006 6:58 PM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Not yet - been critsitting between postings.
> >>>>> ..or the other way 'round...
> >>>>>
> >>>>> -------------------------------------------------------
> >>>>> Jim Harrison
> >>>>> MCP(NT4, W2K), A+, Network+, PCG
> >>>>> http://isaserver.org/Jim_Harrison/
> >>>>> http://isatools.org
> >>>>> Read the help / books / articles!
> >>>>> -------------------------------------------------------
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>> Sent: Tuesday, August 15, 2006 14:44
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Jim,
> >>>>>
> >>>>> Any luck with this?
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: 14 August 2006 00:52
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Absotively.
> >>>>> Send it on.
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>> Sent: Sunday, August 13, 2006 3:08 PM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Yeah I know, have the same issues when looking at closed betas with cool features which could really help out some of my customers. Shame the NDA doesn't extend to MS partners though...
> >>>>>
> >>>>> PSS dude said that all KB articles related to RPC problems were based upon using a large number of clients. He also said that as this issue was happening before the DR problems I couldn't include it within the DR call and I would have to log another call...great! :-(
> >>>>>
> >>>>> If I give you the SRQ number, is there any chance you could point him in the right direction? Pretty please :-)
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: 13 August 2006 22:47
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> I wish I could say more, but I'm bound by NDA...
> >>>>> The KB is on its way out the door and your PSS dewd need only do a bit of research.
> >>>>>
> >>>>> -------------------------------------------------------
> >>>>> Jim Harrison
> >>>>> MCP(NT4, W2K), A+, Network+, PCG
> >>>>> http://isaserver.org/Jim_Harrison/
> >>>>> http://isatools.org
> >>>>> Read the help / books / articles!
> >>>>> -------------------------------------------------------
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>> Sent: Sunday, August 13, 2006 14:41
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Whilst logging a PSS call to get some feedback on the DR issues I've had with ISA, I mentioned this "new KB article" and the chap I was dealing with was pretty clueless about it (amongst other things!).
> >>>>>
> >>>>> You are really starting to become a tease with this article, as it may solve two problems now! :-P
> >>>>>
> >>>>> ________________________________
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: 13 August 2006 19:15
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Not insinuating anything of the sort...
> >>>>>
> >>>>> Keep your eyes open for that KB that deals in Outlook MAPI connections; I bet it'll help you out here, too.
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>> Sent: Sunday, August 13, 2006 2:22 AM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> All relationships are route = I know intradomain is only supported this way - I'm not a complete newb at this ;-)
> >>>>>
> >>>>> Complicated setup I know, but pretty much 99% working apart from this issue and the RPC filter failings (other post)
> >>>>>
> >>>>> Tried with and without strict RPC - no dice, same issues...
> >>>>>
> >>>>> Internet FW is hardware appliance (dumb packet filter)
> >>>>>
> >>>>> ________________________________
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: 13 August 2006 01:43
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Ah, yes.
> >>>>>
> >>>>> While this is a desirable design, it's also a very difficult one.
> >>>>>
> >>>>> What are the network relationships between the networks?
> >>>>>
> >>>>> For instance:
> >>>>>
> >>>>> ExchFE <-> Exch BE == Route
> >>>>>
> >>>>> ...?
> >>>>>
> >>>>> Have you disabled Strict RPC on the relevant rules?
> >>>>>
> >>>>> NAT ain't happenin' FWIW...
> >>>>>
> >>>>> What's the "Internet FW"?
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>> Sent: Saturday, August 12, 2006 3:18 PM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> ________________________________
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: 12 August 2006 22:41
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Maybe a napkin drawing, then?
> >>>>>
> >>>>> I don't understand how your BE needs specific rules unless it's separated from the DC by ISA?
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>> Sent: Saturday, August 12, 2006 2:19 PM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> No, not confused, and realise the difference between RPC/HTTP and MAPI. I guess I am obviously not explaining myself very well with a complex environment and the problem very specific.
> >>>>>
> >>>>>>> AS such, any NSPI connections are strictly the problem of the BE server.
> >>>>>
> >>>>> Not in this scenario, as the BE is in an ISA protected network separated from the DCs and FEs. The rule that allows access from BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic from the NSPI proxy when using RPC/HTTP. All other RPC traffic from BE=>DCs is working as expected and ISA is detecting the RPC dynamic ports correctly.
> >>>>>
> >>>>> If I allow All outbound protocols from BE=>DCs the NSPI proxy works and I see ports 1025, 1026 etc being used. It seems as if ISA is missing the initial RPC negotiations between the NSPI proxy and DCs and hence blocks all dynamic ports after 135 is contacted.
> >>>>>
> >>>>> Maybe I need to provide some diagrams and/or better descriptions...
> >>>>>
> >>>>> JJ
> >>>>>
> >>>>> ________________________________
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: 12 August 2006 16:55
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP traffic.
> >>>>>
> >>>>> AS such, any NSPI connections are strictly the problem of the BE server.
> >>>>>
> >>>>> The only way ISA handles RPC traffic is via Exchange RPC or RPC (All interfaces) rules.
> >>>>>
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>> Sent: Friday, August 11, 2006 5:13 PM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Bit of a shot in the dark, as this is a strange issue, but hoping someone can confirm what I am seeing.
> >>>>>
> >>>>> Basically, I have a pretty secure Exchange environment whereby both Exchange FE's and BE's are on ISA protected perimeter networks with the external network connected to the 'traditional LAN' e.g., ISA is acting as a multinetwork internal firewall to specifically protect Exchange from the internal network (all routed relationships). In this scenario, ISA is controlling all communications to and from Exchange and all email client access is published using web publishing or secure RPC publishing.
> >>>>>
> >>>>> Up until now everything has been working pretty well (apart from the other RPC filter issues in my other posts!) but we have come across a specific issue when using RPC/HTTP as follows:
> >>>>>
> >>>>> The problem seems to lie with the fact that the back-end Exchange server is talking to the GCs and ISA is seeing these connections as newly initiated connections (e.g. non RPC) as opposed to detecting them as dynamic ports which have been defined as part of the RPC handshake process. Therefore, ISA is dropping these connections and prevents the back-end server from communicating with the GCs, specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other communications which relate to RPC and ISA's ability to detect dynamic RPC ports is being done successfully (e.g. MAPI communications from Outlook to Exchange). It looks to me as if the back-end Exchange server is initiating its own connections which ISA sees as communications independent of RPC. The issue only appears to arise when the back-end servers proxy the client AD communication (e.g. when using the NSPI proxy), as is the case with RPC/HTTP, because Outlook clients have no access to the GCs from the Internet. For standard MAPI clients, they are simply given a referral to the actual GCs which they communicate with directly, independent of Exchange (e.g. not using NSPI proxy).
> >>>>>
> >>>>> Does this sound familiar? Is Exchange doing something weird here or is ISA missing the RPC dynamic port negotiations?
> >>>>>
> >>>>> Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used by the NSPI proxy which I am pretty sure are going to be the kind of ports dynamic RPC would use. If I add the ephemeral ports (1024-65535) to the existing BE=>GC rule everything works just fine. If I limit ports to standard intradomain protocols including RPC then everything works apart from RPC/HTTP and I start seeing ports 1025, 1027 etc. being denied by ISA as unidentified traffic.
> >>>>>
> >>>>> Answers on a postcard! ;-)
> >>>>>
> >>>>> Cheers
> >>>>>
> >>>>> JJ
> >>>>>
> >>>>> All mail to and from this domain is GFI-scanned.
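Jason's symptom in the original post (the back-end's NSPI proxy contacts the GCs' endpoint mapper on 135, then the dynamic ports 1025, 1027, 1030 etc. are denied as unidentified traffic) can be checked from the firewall log instead of opening 1024-65535 on the BE=>GC rule. The script below is an added example, not from the thread or from ISA Server: it assumes a constructed, simplified log format (timestamp, source, destination, destination port, action) and a 30-second correlation window, and separates denials that follow a recent port-135 hit between the same pair (the RPC filter losing track of the negotiation) from denials that do not (traffic that really is unidentified).

```python
"""Triage helper for the symptom in the thread: the back-end Exchange server's
NSPI proxy reaches the GCs' RPC endpoint mapper (TCP 135) and the follow-on
dynamic-port connections are denied as unidentified traffic. Added example;
the log format is CONSTRUCTED (timestamp src dst dport action), not ISA's."""
from datetime import datetime, timedelta

# Constructed sample log lines (not real ISA output). 10.1.2.10 plays the
# back-end Exchange server, 10.1.1.5 and 10.1.1.6 play the GCs.
SAMPLE_LOG = """\
2006-08-11T17:00:01 10.1.2.10 10.1.1.5 135 allowed
2006-08-11T17:00:01 10.1.2.10 10.1.1.5 1025 denied
2006-08-11T17:00:02 10.1.2.10 10.1.1.5 1027 denied
2006-08-11T17:00:05 10.1.2.10 10.1.1.5 389 allowed
2006-08-11T17:02:30 10.1.2.10 10.1.1.6 1030 denied
2006-08-11T17:10:00 10.1.2.10 10.1.1.5 1025 denied
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, dport, action)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, action = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return records

def find_orphaned_dynamic_ports(records, window=timedelta(seconds=30),
                                epmap_port=135, ephemeral_low=1024):
    """Split denied ephemeral-port connections into:
    correlated   - same src->dst pair had an allowed endpoint-mapper (135)
                   hit within `window` before the denial: a dynamic RPC port
                   the filter failed to track (the thread's symptom);
    uncorrelated - no recent 135 hit: genuinely unidentified traffic, so not
                   a reason to open 1024-65535 on the rule."""
    last_epmap = {}
    correlated, uncorrelated = [], []
    # Stable sort by time keeps the 135 hit ahead of same-second denials.
    for ts, src, dst, dport, action in sorted(records, key=lambda r: r[0]):
        if dport == epmap_port and action == "allowed":
            last_epmap[(src, dst)] = ts
        elif action == "denied" and dport >= ephemeral_low:
            seen = last_epmap.get((src, dst))
            if seen is not None and ts - seen <= window:
                correlated.append((src, dst, dport))
            else:
                uncorrelated.append((src, dst, dport))
    return correlated, uncorrelated

if __name__ == "__main__":
    hits, noise = find_orphaned_dynamic_ports(parse_log(SAMPLE_LOG))
    print("likely missed RPC dynamic ports:", hits)
    print("genuinely unidentified traffic:", noise)
```

A run of correlated hits for one BE=>GC pair is the evidence to attach to a support case for the RPC filter; the uncorrelated list is what would still be open if the rule were widened to all ephemeral ports.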