[isalist] Re: Those kicks just keep getting harder to find

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 28 Jun 2007 13:37:59 -0700

http://www.ISAserver.org
-------------------------------------------------------
  
I see your pedantic and raise you another one.
I believe your cornfussion on this is what appears to be your
expectation that ISA should query anything regarding RPC.  The thing to
remember is that the only components in this chain that actually
understand the RPC within the HTTP are the client and the RPCProxy.
Could ISA be instructed to understand this?  Yes - but this is a massive
undertaking at the HTTP layer.

1. RPC/HTTP client behavior - it isn't that the client <may> specify
ports, it's that it <must>.  The RPCProxy must know how to communicate
with the endpoint service (as opposed to the EPM) and the client is
required to provide this information.  You do have the service / port
associations correct.  The reason OL knows about the ports is because
this information is hard-coded into the application.

2. ISA neither knows nor cares about the RPC end of the RPC/HTTP
traffic.  RPCProxy configuration - you have to instruct the RPCProxy as
to the valid ports used by application (actually the server) <blah>.  If
you're supporting Exchange, these are 6001, 6002, 6004.  No EPM is
required or used in this case.  If you're using TSG, the port is (IIRC)
3390.

3. OL use of RPC/HTTP vs MAPI - OL only contacts the EPM when using MAPI
(RPC/TCP).  When OL is instructed to communicate using HTTP(S), it will
*never* attempt (much less fail) to contact the EPM.  ALL OL requests to
the RPCProxy will include one of three ports: 6001, 6002, 6004.  You can
use WinHTTPTraceCfg to show this.
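
Added example, not code from the thread or from Microsoft: a small Python model of the decision the thread is arguing about, namely whether the server:port that Outlook names in its RPC_IN_DATA / RPC_OUT_DATA request is covered by the RPCProxy ValidPorts value (REG_SZ under HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy, a location stated from memory rather than taken from the thread). Host names and request lines below are constructed; the "host:port;host:lo-hi" syntax is the value's usual form, and the 100-500 default and 6001/6002/6004 Exchange ports are the ones the thread quotes.

```python
# Added example, not code from the thread or from Microsoft: a model of the
# rpcproxy.dll decision the thread describes. Outlook's RPC_IN_DATA /
# RPC_OUT_DATA request names the back-end server and port (6001, 6002 or
# 6004 for Exchange); the proxy forwards only if ValidPorts lists that
# server:port. Host names and request lines here are constructed.
import re
from typing import Dict, List, Set, Tuple

# "RPC_IN_DATA /rpcproxy.dll?server:port HTTP/1.x" as quoted in the thread.
REQUEST_RE = re.compile(
    r"^(RPC_IN_DATA|RPC_OUT_DATA) /rpcproxy\.dll\?([^:\s]+):(\d+) HTTP/1\.[01]$"
)
EXCHANGE_PORTS = (6001, 6002, 6004)  # info store, system attendant, NSPI

def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Expand 'host:port;host:lo-hi;...' (the ValidPorts REG_SZ syntax)
    into {host: {allowed ports}}. Hosts compare case-insensitively."""
    allowed: Dict[str, Set[int]] = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, _, ports = entry.rpartition(":")
        if not host or not ports:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo, _, hi = ports.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(lo_i, hi_i + 1))
    return allowed

def parse_request(line: str) -> Tuple[str, str, int]:
    """Return (verb, back-end host, port) from an RPC/HTTP request line."""
    m = REQUEST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RPC/HTTP request line: {line!r}")
    return m.group(1), m.group(2).lower(), int(m.group(3))

def proxy_would_forward(valid_ports: str, request_line: str) -> bool:
    """True when the requested server:port is covered by ValidPorts."""
    _, host, port = parse_request(request_line)
    return port in parse_valid_ports(valid_ports).get(host, set())

def missing_exchange_ports(valid_ports: str, host: str) -> List[int]:
    """Exchange ports Outlook will request that ValidPorts does not cover;
    an empty list means the RPCProxy is ready for OL clients coming via ISA."""
    allowed = parse_valid_ports(valid_ports).get(host.lower(), set())
    return [p for p in EXCHANGE_PORTS if p not in allowed]

if __name__ == "__main__":
    default = "exch01.corp.example:100-500"  # default-style range from the thread
    fixed = "exch01.corp.example:6001-6002;exch01.corp.example:6004"
    req = "RPC_IN_DATA /rpcproxy.dll?exch01.corp.example:6001 HTTP/1.1"
    print(proxy_would_forward(default, req), proxy_would_forward(fixed, req))
    print(missing_exchange_ports(default, "exch01.corp.example"))
```

Run against the value actually set on the RPCProxy box, `missing_exchange_ports` gives the check Thor's point 3 calls for: any port it lists is one the published rule will fail on.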

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 1:12 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

Let me put it a different way while allowing that the client can specify
the port in the URL depending on the environment while supporting my
thoughts in the original thread- not being pedantic here, but this is a
valuable distinction, and if people knew this, they would not have as
many problems as many have. 

1) Internally, there is no requirement to change the RPCProxy ports
because the client has access to the EPM.  The client will ask the EPM
what ports to use for RPC over HTTP- this is why RPC over HTTP will work
with Outlook on a "fresh" install of Ex2k supporting RPC over HTTP, even
though the RPCProxy's default ValidPorts are 100-500.  In this regard,
the requirement is NOT at the RPCProxy in this case because it "works."
The reason it works is that the client is given a port to hit the RPC
proxy that is "proxied" to the Exchange service on 6001-6002 and 6004.
Ultimately, these ports are what Exchange dictates.  The info store is
6001, the attendant is 6002, and NSPI is 6004. 

2) When you publish RPC/HTTP via ISA, ISA does not, in fact,
publish/support EPM queries for the client to find out what RPC ports
are available on the published server.  In this case, in the default
install, the client will not be able to connect to the back end server
through ISA even with a "properly" working RPCProxy because ISA will not
query the EPM of the Ex box on behalf of the client. The client,
wondering WTF, will then say "whatever" and try to connect to the
Exchange box on what it thinks the "true" ports are- this being
6001-6002 and 6004. ISA does indeed do what the client asks (you are
technically right on this point) and tries to contact the backend proxy.
It fails, because the RPCProxy is only listening on 100-500.  For ISA
deployments (or other 'direct' RPC/HTTP to Exchange configs), only
6001-6002 and 6004 are used.  593 gets hit too, but it isn't a
requirement. 

3) Ergo, therefore, and fooqoff, at the end of the day, if you are going
to deploy RPC/HTTP via ISA, you must change the ValidPorts on the
RPCProxy to 6001-6002 and 6004 (or a range covering that). To be further
pedantic, this is not a requirement for the RPCProxy to work, it is a
requirement for the RPCProxy to listen on specifically requested ports
from the end client to support Exchange RPC/HTTP to work, which is
required in non-EPM supported deployments like ISA. 

As an aside, it is curious as to why a "direct" request to the Exchange
Information Store, System Attendant, and Name Service Provider Interface
fails in the absence of the RPCProxy installation since that's what the
freaking Exchange install is already listening on, but that's another
mystery.

So, finally, based on all of this, my previous response to the "Those
kicks just keep getting harder to find" was appropriate in that when one
tries to make an Exchange box an RPC proxy, it should say something
about the ports it needs to work in addition to the "hey, do you have
the RPCProxy service installed" suggestions.

Hopefully that will clear things up.  If you would like to go into this
any further, I say "bring it fat boy, and put your shot glasses where
your mouth is" for a Vegas drinking showdown. ;)

t
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 12:14 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

Nope; the blog counters your assertion.
OL (and TSG) specifies the use of relevant ports in the URL when it
makes the request to the RPCProxy.
The requirement to change these values is at the RPCProxy; not at ISA.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 11:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

Actually, if you look at Stefaan's article you'll see what I'm talking
about.

Without any changes to the RPCProxy keys, an internal RPC/HTTP client
will work perfectly.  The same client on the outside via ISA will fail.
ISA *always* uses those ports, as is evident from the requirement to
change the reg key.

When monitoring the ISA traffic, ISA always talks to Exchange RPC with
those ports- so, I would have to say though the client requests to ISA
what it wants, ISA "does something" in that it does not use the ports
the client requested, but rather, 6001-6002 and 6004 when talking to the
back end server.

If you look back through some ISAServer.org posts, you'll see references
to people having problems with RPC_DATA_IN and RPC_DATA_OUT - while
references were made to the HTTP filter, the reality is that these
people did not properly configure the RPCProxy to listen on the ports
ISA uses.  

This is easily tested- set the ports for ValidPorts back to default
(100-500).  Try RPC/HTTP directly to the Exchange server (internally).
Works like a dream.  Now try via ISA with the rule you had that was
already working.  It fails.
Unless the ValidPorts range includes 6001-6002 and 6004, ISA pub will not
work.

You will actually be demonstrating this at the Vegas Blackhat training
you are giving ;)

http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html

T

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 10:49 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

ISA doesn't do anything; the RPC/HTTP client specifies those ports.
The URL is constructed by the RPC/HTTP client as: RPC_[IN | OUT]_DATA
/rpcproxy.dll?exchserver:port HTTP/1.x

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 9:43 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

The RPCProxy default ports are 100-500 or some such on the Ex box.
That's fine for internal use of RPC/HTTP as it will work without changes
via RPC endpoint lookup, but if you publish via ISA, when ISA talks to
the RPCProxy, it uses 6001-6002 and 6004. 

If you do not change the ValidPorts config in the RPCProxy key, your ISA
pub rule will fail.  That's the facts Jack!

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 9:24 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

What ISA edits you be maky?
ISA no care what ports happen between RPCProxy & Exchange - all happen
behind ISA.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 9:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

The publisher to Exchange only usey those portie.  If you no makey edits
for ISA, it no workie.

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, June 28, 2007 9:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

Er - "..via ISA, which only uses those RPC ports.."?

ISA no be control those ports for RPC/HTTP.


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 28, 2007 8:47 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Those kicks just keep getting harder to find

You also might be asking yourself "Hey Self, why did the Exchange Team
not include the 6000-6004 RPC port range by default in Ex2k3 when they
know that the only way people would deploy RPC/HTTP over the Internet is
via ISA, which only uses those RPC ports."   Because it's more fun to
make the admin edit the registry while telling them "if you edit the
registry, we are not responsible for your system anymore" particularly
when that's the only possible way it can work!

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, June 28, 2007 8:09 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Those kicks just keep getting harder to find

"You might be asking yourself "Hey Tom, why did you enable RPC/HTTP in
the Exchange Server configuration when you haven't installed the
RPC/HTTP Proxy service yet?" The reason why I did it this way was to
show off the Exchange development team's sense of humor. Sure, they
could have configured things so that when you enable Outlook Anywhere it
would check to see if the RPC/HTTP Proxy service was installed, but it's
a lot more fun for them to think about you trying to troubleshoot for a
few days why RPC/HTTP isn't working. You'd think they'd get enough
jollies by making you use PowerHell for the certificate request and
assignment."

:\

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 