RE: exchange rpc filter

  • From: "Ara" <ara@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 13 Mar 2005 10:36:41 -0800

Hello Tom,

 

Thank you for the help and time. My problem started when we had a domain.local 
scenario and I wanted to get RPC over HTTPS going. There was no ISA at this 
site until a month ago, and they were using VPN to get Outlook access. But 
that is not the right way, because they get full access to everything. 

 

After putting ISA 2004 in place, I tried to set up the RPC over HTTPS feature. 
At the same time I was following along here and saw that there are problems 
with local domains. So I stopped to see what the answer is for it: either 
rename the domain (politically impossible) or use split DNS. I went through 
split DNS and couldn't get it going, following Jim's article on the website (my 
bad). 

 

So that put me back to this point: let them VPN in and use mail.domain.local 
as their server, so they are happy, and I think that is the safe way.

 

There are 2 domain controllers inside, apps.domain.local and pdc.domain.local. 
The email server is mail.domain.local. I used DHCP for VPN, so when I VPN in I 
get a computer.domain.local-based IP address, which is in the same range as the 
internal network.

 

ISA is set up as a 3-legged one: the internal leg has the mail server and 
domain controllers, and the 3rd one is used for the wireless access point. This 
might sound crazy, as mail is inside, but my next plan is to move it out.

 

I was reading chapter 5 of the document, whose title is Creating Access Policy 
for VPN Clients.

 

If you would do me a favor and tell me what ports and protocols have to be 
forwarded from VPN clients to the inside network (Exchange, DNS, LDAP), or 
point me to a document that matches this scenario, that would be appreciated.


________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sun 3/13/2005 5:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: exchange rpc filter


http://www.ISAserver.org

Hi Ara,
 
1. Yes, it's correct in the context of the scenario used in the document. The 
Exchange Server is on a DC, the DNS is on the DC, and the DNS is configured 
to resolve both internal and external host names.
 
2. Yes, there should be a DNS allow rule that allows members of the VPN Clients 
network access to the DNS server they need to resolve internal and external 
names.
 
3. There is no need for TCP 445 from the VPN Clients network to the Exchange 
Server if all they need is secure Exchange RPC via a Server Publishing Rule. It 
sounds like you're reading the doc that shows how to control Exchange RPC 
access in a site-to-site VPN scenario and use user/group based auth, which is 
sort of tricky :)
 
4. If this is a site-to-site VPN configuration, and you want to allow all users 
at the branch office to reach the Exchange Server using Secure Exchange RPC (or 
even if this is a remote access VPN connection and you want to allow all 
users), then just create the Server Publishing Rule and don't mess with the 
fancy stuff.
 
5. Remind me of your design goal and I'll send you the doc that applies to your 
config. Unfortunately, they required that all the docs be put in one humongous 
doc, which is not what I wanted and it was not designed to be presented that 
way. I have all the separate docs here, so I can send you the one that applies 
to your design goals.
 
HTH,
 
Tom
http://www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx] 
Sent: Saturday, March 12, 2005 5:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] exchange rpc filter


http://www.ISAserver.org

Tom,

 

I have followed your VPN deployment kit for giving VPN users a full Outlook 
experience. Reading the instructions, there is some confusion I am facing:

 

* On page 137, you have a screenshot of the rule order and basically every 
required protocol to do this, but you are pointing the DNS to the Exchange 
server itself. Is that the case when Exchange is on the same domain controller? 
* Would you clarify for me these simple requirements:

1. There should be a DNS allow rule from VPN clients to the DNS servers inside 
(domain controllers in most cases, like mine).

2. There should be a rule created for TCP 445 from VPN to Exchange itself? Is 
this correct?

3. There should be an Exchange RPC filter rule from VPN to Exchange itself?

 

I followed those instructions but I am unable to create profiles from Outlook 
and get the message that the mail server is unavailable. Then I looked through 
the log file and found there are some requests for NetBIOS 137. So I created 
an allow rule for it and it worked, but I believe that is not the right way of 
doing it.

 

Would you be so kind as to give me a simple list of required protocols and 
directions for Outlook to work over VPN?

 

Help is much appreciated

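As an added example that is not part of this thread (it is neither Ara's nor Tom's material), the log triage Ara describes above, spotting the NetBIOS 137 requests in the firewall log, and the port/protocol list he asks for in his follow-up reply, can be done systematically: parse the ISA firewall log, keep only denied connections whose source network is VPN Clients, and tally destination host, port and protocol. The log lines below are constructed in a simplified, space-separated layout that mimics the ISA 2004 W3C firewall log; the addresses, rule names and protocol names are invented, and a real export has more fields, so keep the `#Fields:` header from your own log and the parser will follow it.

```python
"""Triage denied VPN-client traffic in an ISA Server 2004 style firewall log.

Added example, not from the mailing-list thread. SAMPLE_LOG is constructed:
a simplified, space-separated subset of the ISA 2004 W3C firewall log. The
parser reads the '#Fields:' header, so for a real log keep the header line
from the export and the field names will follow it.
"""
import shlex
from collections import Counter

# Well-known ports a domain-joined Outlook client talks to; used only for labels.
PORT_NAMES = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB/CIFS",
    3268: "Global Catalog",
}

# Constructed sample (addresses, rule names and protocol names are invented).
SAMPLE_LOG = """\
#Fields: client-ip dest-ip dest-port protocol action source-network dest-network rule
10.0.0.201 10.0.0.10 53 DNS Allowed "VPN Clients" Internal "VPN DNS"
10.0.0.201 10.0.0.20 135 "Exchange RPC Server" Allowed "VPN Clients" Internal "Exchange RPC"
10.0.0.201 10.0.0.20 445 "Microsoft CIFS (TCP)" Denied "VPN Clients" Internal "Default rule"
10.0.0.201 10.0.0.10 137 "NetBios Name Service" Denied "VPN Clients" Internal "Default rule"
10.0.0.201 10.0.0.10 389 LDAP Denied "VPN Clients" Internal "Default rule"
10.0.0.201 10.0.0.10 137 "NetBios Name Service" Denied "VPN Clients" Internal "Default rule"
10.0.0.55 10.0.0.20 445 "Microsoft CIFS (TCP)" Denied Internal Internal "Default rule"
10.0.0.201 10.0.0.10 88 "Kerberos-Sec (UDP)" Denied "VPN Clients" Internal "Default rule"
"""


def parse_log(text):
    """Yield one dict per data line; the '#Fields:' header supplies the keys."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = shlex.split(line)  # honours the quoted multi-word names
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def denied_from_network(records, network="VPN Clients"):
    """Count (dest-ip, dest-port, protocol) for denied flows from one network."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "Denied" and rec["source-network"] == network:
            key = (rec["dest-ip"], int(rec["dest-port"]), rec["protocol"])
            counts[key] += 1
    return counts


def summarize(text, network="VPN Clients"):
    """Return (dest-ip, port, protocol, label, hits) rows, most frequent first."""
    counts = denied_from_network(parse_log(text), network)
    rows = [
        (ip, port, proto, PORT_NAMES.get(port, "unknown"), hits)
        for (ip, port, proto), hits in counts.items()
    ]
    rows.sort(key=lambda r: (-r[4], r[0], r[1]))
    return rows


if __name__ == "__main__":
    print(f"{'dest-ip':<12}{'port':>6}  {'protocol':<24}{'label':<22}hits")
    for ip, port, proto, label, hits in summarize(SAMPLE_LOG):
        print(f"{ip:<12}{port:>6}  {proto:<24}{label:<22}{hits}")
```

Running the block prints the tally for the VPN Clients network only; the denial sourced from the Internal network is left out, which keeps the list focused on what the VPN rule set is actually blocking. A hit count only tells you what the client attempted, not whether allowing that port is the right fix, which is exactly the question put to Tom in this thread.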
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 
------------------------------------------------------
