That's the weakness in the English system of law that we inherited. Language
nuance rather than common sense takes over. Recently I sat on a jury and it was
a good thing that they picked my number to be the one that didn't go into
deliberation; I was so disgusted with the prosecutor's twisting of words and his
obvious disrespect for the collective intelligence of the jury I would have done
almost anything to oppose his point of view.

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, August 15, 2006 10:07 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

Unfortunately, they're getting closer and closer. Look at what Kermit did with
the wiretap act. Moron. Deducing legal precedence from the absolute *absence*
of specific language in the law. Let's hope he doesn't get too much further.
We can thank Clinton for him...

t

On 8/15/06 6:52 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh to all:

> I like how all of the borked references are either to computers or a would be
> supreme court justice. Don't really see how the two can be related.
>
> Amy
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, August 15, 2006 9:53 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>
> Aha, OK, borking is quite different from horking:
>
> http://www.urbandictionary.com/define.php?term=borked
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Tuesday, August 15, 2006 8:41 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>
>> There is - this was a clear case of borking.
>> That's a much more complex (and effective) form of f#$%$ing up your system.
>>
>> -------------------------------------------------------
>> Jim Harrison
>> MCP(NT4, W2K), A+, Network+, PCG
>> http://isaserver.org/Jim_Harrison/
>> http://isatools.org
>> Read the help / books / articles!
>> -------------------------------------------------------
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Tuesday, August 15, 2006 18:45
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>
>> I figured there was an "anti-hork" feature in the ISA CSS replication
>> engine ;)
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Tuesday, August 15, 2006 8:34 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Replication is a wonderful thing...
>>>
>>> -------------------------------------------------------
>>> Jim Harrison
>>> MCP(NT4, W2K), A+, Network+, PCG
>>> http://isaserver.org/Jim_Harrison/
>>> http://isatools.org
>>> Read the help / books / articles!
>>> -------------------------------------------------------
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Tuesday, August 15, 2006 18:10
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Hey, wait a minute. There should be multiple CSSs, so did the storage
>>> get horked on all of them?
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>> Sent: Tuesday, August 15, 2006 7:25 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>
>>>> Yep - somehow he managed to completely bork his storage.
>>>> We're almost to the point of a complete rebuild <sigh>.
>>>> I'm actually doing a registry compare to see if I can sort out what he
>>>> broke.
>>>>
>>>> -------------------------------------------------------
>>>> Jim Harrison
>>>> MCP(NT4, W2K), A+, Network+, PCG
>>>> http://isaserver.org/Jim_Harrison/
>>>> http://isatools.org
>>>> Read the help / books / articles!
>>>> -------------------------------------------------------
>>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Tuesday, August 15, 2006 17:20
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>
>>>> Is it a real problem, and dealing with jughead the enterprise admin?
>>>>
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7
>>>> MVP -- ISA Firewalls
>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: Tuesday, August 15, 2006 6:58 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Not yet - been critsitting between postings.
>>>>> ..or the other way 'round...
>>>>>
>>>>> -------------------------------------------------------
>>>>> Jim Harrison
>>>>> MCP(NT4, W2K), A+, Network+, PCG
>>>>> http://isaserver.org/Jim_Harrison/
>>>>> http://isatools.org
>>>>> Read the help / books / articles!
>>>>> -------------------------------------------------------
>>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Tuesday, August 15, 2006 14:44
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Jim,
>>>>>
>>>>> Any luck with this?
>>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 14 August 2006 00:52
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Absotively.
>>>>> Send it on.
>>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Sunday, August 13, 2006 3:08 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Yeah I know, have the same issues when looking at closed betas with
>>>>> cool features which could really help out some of my customers. Shame
>>>>> the NDA doesn't extend to MS partners though...
>>>>>
>>>>> PSS dude said that all KB articles related to RPC problems were
>>>>> based upon using a large number of clients. He also said that as this
>>>>> issue was happening before the DR problems I couldn't include it
>>>>> within the DR call and I would have to log another call...great! :-(
>>>>>
>>>>> If I give you the SRQ number, is there any chance you could point him
>>>>> in the right direction? Pretty please :-)
>>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 13 August 2006 22:47
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> I wish I could say more, but I'm bound by NDA...
>>>>> The KB is on its way out the door and your PSS dewd need only do a bit
>>>>> of research.
>>>>>
>>>>> -------------------------------------------------------
>>>>> Jim Harrison
>>>>> MCP(NT4, W2K), A+, Network+, PCG
>>>>> http://isaserver.org/Jim_Harrison/
>>>>> http://isatools.org
>>>>> Read the help / books / articles!
>>>>> -------------------------------------------------------
>>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Sunday, August 13, 2006 14:41
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Whilst PSS logging a call to get some feedback on the DR issues I've
>>>>> had with ISA, I mentioned this "new KB article" and the chap I was
>>>>> dealing with was pretty clueless about it (amongst other things!).
>>>>>
>>>>> You are really starting to become a tease with this article, as it
>>>>> may solve two problems now! :-P
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 13 August 2006 19:15
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Not insinuating anything of the sort...
>>>>>
>>>>> Keep your eyes open for that KB that deals in Outlook MAPI
>>>>> connections; I bet it'll help you out here, too.
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Sunday, August 13, 2006 2:22 AM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> All relationships are route = I know intradomain is only supported
>>>>> this way - I'm not a complete newb at this ;-)
>>>>>
>>>>> Complicated setup I know, but pretty much 99% working apart from this
>>>>> issue and the RPC filter failings (other post)
>>>>>
>>>>> Tried with and without strict RPC - no dice, same issues...
>>>>>
>>>>> Internet FW is hardware appliance (dumb packet filter)
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 13 August 2006 01:43
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Ah, yes.
>>>>>
>>>>> While this is a desirable design, it's also a very difficult one.
>>>>>
>>>>> What are the network relationships between the networks?
>>>>>
>>>>> For instance:
>>>>>
>>>>> ExchFE <-> Exch BE == Route
>>>>>
>>>>> ...?
>>>>>
>>>>> Have you disabled Strict RPC on the relevant rules?
>>>>>
>>>>> NAT ain't happenin' FWIW...
>>>>>
>>>>> What's the "Internet FW"?
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Saturday, August 12, 2006 3:18 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 12 August 2006 22:41
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Maybe a napkin drawing, then?
>>>>>
>>>>> I don't understand how your BE needs specific rules unless it's
>>>>> separated from the DC by ISA?
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Saturday, August 12, 2006 2:19 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> No, not confused, and realise the difference between RPC/HTTP and MAPI.
>>>>> I guess I am obviously not explaining myself very well with a
>>>>> complex environment and the problem very specific.
>>>>>
>>>>>>> As such, any NSPI connections are strictly the problem of the BE server.
>>>>>
>>>>> Not in this scenario, as the BE is in an ISA protected network
>>>>> separated from the DCs and FEs. The rule that allows access from
>>>>> BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic
>>>>> from the NSPI proxy when using RPC/HTTP.
>>>>> All other RPC traffic from BE=>DCs is working as expected and ISA is
>>>>> detecting the RPC dynamic ports correctly.
>>>>>
>>>>> If I allow All outbound protocols from BE=>DCs the NSPI proxy works
>>>>> and I see ports 1025, 1026 etc being used. It seems as if ISA is
>>>>> missing the initial RPC negotiations between the NSPI proxy and DCs and
>>>>> hence blocks all dynamic ports after 135 is contacted.
>>>>>
>>>>> Maybe I need to provide some diagrams and/or better descriptions...
>>>>>
>>>>> JJ
>>>>>
>>>>> ________________________________
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 12 August 2006 16:55
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP
>>>>> traffic.
>>>>>
>>>>> As such, any NSPI connections are strictly the problem of the BE
>>>>> server.
>>>>>
>>>>> The only way ISA handles RPC traffic is via Exchange RPC or RPC (All
>>>>> interfaces) rules.
>>>>>
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Friday, August 11, 2006 5:13 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
>>>>>
>>>>> Hi,
>>>>>
>>>>> Bit of a shot in the dark, as this is a strange issue, but hoping
>>>>> someone can confirm what I am seeing.
>>>>>
>>>>> Basically, I have a pretty secure Exchange environment whereby both
>>>>> Exchange FE's and BE's are on ISA protected perimeter networks with
>>>>> the external network connected to the 'traditional LAN' e.g., ISA is
>>>>> acting as a multinetwork internal firewall to specifically protect
>>>>> Exchange from the internal network (all routed relationships). In this
>>>>> scenario, ISA is controlling all communications to and from Exchange
>>>>> and all email client access is published using web publishing or
>>>>> secure RPC publishing.
>>>>>
>>>>> Up until now everything has been working pretty well (apart from the
>>>>> other RPC filter issues in my other posts!) but we have come across a
>>>>> specific issue when using RPC/HTTP as follows:
>>>>>
>>>>> The problem seems to lie with the fact that the back-end Exchange
>>>>> server is talking to the GCs and ISA is seeing these connections as
>>>>> newly initiated connections (e.g. non RPC) as opposed to detecting
>>>>> them as dynamic ports which have been defined as part of the RPC
>>>>> handshake process. Therefore, ISA is dropping these connections and
>>>>> prevents the back-end server from communicating with the GCs,
>>>>> specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other
>>>>> communications which relate to RPC and ISA's ability to detect dynamic
>>>>> RPC ports is being done successfully (e.g. MAPI communications from
>>>>> Outlook to Exchange).
>>>>> It looks to me as if the back-end Exchange server is initiating its
>>>>> own connections which ISA sees as communications independent of RPC.
>>>>> The issue only appears to arise when the back-end servers proxy the
>>>>> client AD communication (e.g. when using the NSPI proxy), as is the
>>>>> case with RPC/HTTP, because Outlook clients have no access to the GCs
>>>>> from the Internet. For standard MAPI clients, they are simply given a
>>>>> referral to the actual GCs which they communicate with directly,
>>>>> independent of Exchange (e.g. not using NSPI proxy).
>>>>>
>>>>> Does this sound familiar? Is Exchange doing something weird here or
>>>>> is ISA missing the RPC dynamic port negotiations?
>>>>>
>>>>> Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used
>>>>> by the NSPI proxy which I am pretty sure are going to be the kind of
>>>>> ports dynamic RPC would use. If I add the ephemeral ports (1024-65535)
>>>>> to the existing BE=>GC rule everything works just fine. If I limit
>>>>> ports to standard intradomain protocols including RPC then everything
>>>>> works apart from RPC/HTTP and I start seeing ports 1025, 1027 etc.
>>>>> being denied by ISA as unidentified traffic.
>>>>>
>>>>> Answers on a postcard! ;-)
>>>>>
>>>>> Cheers
>>>>>
>>>>> JJ
>>>>>
>>>>> All mail to and from this domain is GFI-scanned.
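
Added example, not part of the thread or written by any of its participants: a small log correlation that separates the symptom Jason Jones describes in the first post (denied high-port connections right after an allowed contact to the endpoint mapper on port 135, between the same two hosts) from unrelated denied traffic. The log layout, addresses and the 30-second window are constructed assumptions, not ISA Server's own log format.

```python
from datetime import datetime, timedelta

# Constructed sample in a simplified layout (an assumption, not ISA's format):
# timestamp, source, destination, destination TCP port, firewall action
SAMPLE_LOG = """\
2006-08-11T17:00:01 10.0.2.10 10.0.1.5 135 ALLOW
2006-08-11T17:00:01 10.0.2.10 10.0.1.5 1025 ALLOW
2006-08-11T17:03:10 10.0.2.10 10.0.1.5 135 ALLOW
2006-08-11T17:03:11 10.0.2.10 10.0.1.5 1027 DENY
2006-08-11T17:03:12 10.0.2.10 10.0.1.5 1030 DENY
2006-08-11T17:20:00 10.0.3.77 10.0.1.5 4444 DENY
2006-08-11T17:25:00 10.0.2.10 10.0.1.6 389 ALLOW
"""

EPMAP_PORT = 135                  # RPC endpoint mapper
DYNAMIC_MIN = 1024                # lowest port treated as dynamic/ephemeral
WINDOW = timedelta(seconds=30)    # assumed gap between 135 contact and follow-up


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def untracked_rpc_denies(log_text, window=WINDOW):
    """Return (src, dst, port) for denied high-port connections that closely
    follow an allowed endpoint-mapper connection between the same hosts."""
    last_epmap = {}               # (src, dst) -> time of last allowed 135 contact
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = parse(line)
        pair = (src, dst)
        if port == EPMAP_PORT and action == "ALLOW":
            last_epmap[pair] = ts
        elif port >= DYNAMIC_MIN and action == "DENY":
            seen = last_epmap.get(pair)
            if seen is not None and ts - seen <= window:
                findings.append((src, dst, port))
    return findings


def summarize(findings):
    """Group findings by host pair: {(src, dst): sorted list of ports}."""
    grouped = {}
    for src, dst, port in findings:
        grouped.setdefault((src, dst), set()).add(port)
    return {pair: sorted(ports) for pair, ports in grouped.items()}


if __name__ == "__main__":
    for (src, dst), ports in summarize(untracked_rpc_denies(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: denied shortly after port 135 contact: {ports}")
```

Host pairs that show up here are candidates for an RPC filter tracking problem; denies with no preceding port 135 contact, such as the constructed 4444 entry, are left out.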