RE: exchange rpc filter

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 14 Mar 2005 04:52:41 -0600

Hi Ara,
 
Are they all using RPC over HTTP? That would be the easiest deployment
scenario.
 
Thanks!
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx] 
Sent: Sunday, March 13, 2005 12:37 PM
To: [ISAserver.org Discussion List]
Subject: RE: exchange rpc filter


Hello Tom,

 

Thank you for the help and time. My problem started because we have a
domain.local scenario and I wanted to get RPC over HTTPS going. There
was no ISA at this place until a month ago, and they were using VPN to
get Outlook access. But that is not the right way, because they get
full access to everything.

 

After putting ISA 2004 in place, I tried to set up the RPC over HTTPS
feature. At the same time I was following along here and saw that there
are problems with local domains. So I stopped to see what the answer is
for it: either rename the domain (politically impossible) or use a split
DNS. I went through split DNS and couldn't get it to work following
Jim's article on the website (my bad).

 

So that put me back to this point: let them VPN in and use
mail.domain.local as their server, so they are happy, and I think that
is the safe way.

 

There are 2 domain controllers inside, apps.domain.local and
pdc.domain.local. The email server is mail.domain.local. I used DHCP for
VPN, so when I VPN in, I get a computer.domain.local-based IP address
which is in the same range as the internal network.

 

ISA is set up as a 3-legged one: the internal leg has the mail server
and domain controllers, and the 3rd one is used for a wireless access
point. This might sound crazy, as mail is inside, but moving it out is
my next plan.

 

I was reading chapter 5 of the document, titled Creating Access Policy
for VPN Clients.

 

If you would do me a favor and tell me what ports and protocols have to
be forwarded from VPN clients to the inside network (Exchange, DNS,
LDAP), or point me to a document that matches this scenario, that would
be appreciated.


________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sun 3/13/2005 5:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: exchange rpc filter


http://www.ISAserver.org

Hi Ara,
 
1. Yes, it's correct in the context of the scenario used in the document.
The Exchange Server is on a DC, the DNS is on the DC, and the DNS is
configured to resolve both internal and external host names.
 
2. Yes, there should be a DNS allow rule that allows members of the VPN
Clients network access to the DNS server they need to resolve internal
and external names.
 
3. There is no need for TCP 445 from the VPN Clients network to the
Exchange Server if all they need is secure Exchange RPC via a Server
Publishing Rule. It sounds like you're reading the doc that shows how to
control Exchange RPC access in a site-to-site VPN scenario and use
user/group-based auth, which is sort of tricky :)
 
4. If this is a site-to-site VPN configuration and you want to allow
all users at the branch office to reach the Exchange Server using Secure
Exchange RPC (or even if this is a remote access VPN connection and you
want to allow all users), then just create the Server Publishing Rule
and don't mess with the fancy stuff.
 
5. Remind me of your design goal and I'll send you the doc that applies
to your config. Unfortunately, they required that all the docs be put in
one humongous doc, which is not what I wanted, and it was not designed
to be presented that way. I have all the separate docs here, so I can
send you the one that applies to your design goals.
 
HTH,
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx] 
Sent: Saturday, March 12, 2005 5:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] exchange rpc filter


http://www.ISAserver.org

Tom,

 

I have followed your VPN deployment kit for giving VPN users a full
Outlook experience. Reading the instructions, there is some confusion I
am facing:

 

*       On page 137, you have a screenshot of the rule order and
basically every protocol required to do this, but you are pointing the
DNS to the Exchange server itself. Is that the case when Exchange is on
the same domain controller?
*       Would you clarify for me some simple requirements:

1.     There should be a DNS allow rule from VPN clients to the DNS
servers inside (domain controllers in most cases, like mine).

2.     There should be a rule created for TCP 445 from VPN to Exchange
itself? Is this correct?

3.     There should be an Exchange RPC filter rule from VPN to Exchange
itself?

 

I followed those instructions, but I am unable to create profiles from
Outlook and get the message that the mail server is unavailable. Then I
looked in the log file and found there are some requests for NetBIOS
137. So I created an allow rule for it and it worked, but I believe that
is not the right way of doing it.

 

Would you be so kind as to give me a simple list of required protocols
and directions for Outlook to work over VPN?

 

Help is much appreciated
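Both of Ara's messages come down to the same question: which ports and protocols from the VPN clients to the inside network (Exchange, DNS, LDAP) need allow rules, and whether the NetBIOS 137 traffic seen in the log really needs one. The script below is an added example, not part of the thread and not from the ISA Server documentation. It reads a constructed, simplified ISA-style firewall log (five whitespace-separated fields: client IP, destination IP, protocol, destination port, action; ISA's real W3C log has more fields in a different order, so parse_log() would need adapting), keeps only DENIED entries whose source lies in an assumed VPN client pool (192.168.1.200/29), maps each blocked destination port to the Windows/Exchange service that uses it, and flags the pattern Ara hit: UDP 137 denials appearing alongside DNS denials, which usually means the client is falling back to NetBIOS name resolution because DNS is blocked, so the DNS allow rule Tom mentions is the fix rather than an allow rule for 137.

```python
"""Summarise DENIED connections from the VPN-client range in a simplified
ISA-style firewall log and name the service behind each blocked port.

Added example; the log format (client_ip dest_ip proto dport action) and
the VPN pool 192.168.1.200/29 are assumptions, not ISA's real log layout."""
import ipaddress
from collections import Counter

# Ports a domain-joined Outlook client needs to reach DCs and Exchange.
# TCP 135 is only the RPC endpoint mapper; the Exchange RPC session itself
# moves to dynamic ports, which is what the ISA Exchange RPC filter tracks.
SERVICE_BY_PORT = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos",
    ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper (Exchange RPC / DC RPC)",
    ("udp", 137): "NetBIOS name service (usually a DNS-fallback symptom)",
    ("tcp", 139): "NetBIOS session",
    ("udp", 389): "LDAP (CLDAP DC locator ping)",
    ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB / CIFS",
    ("tcp", 3268): "LDAP Global Catalog",
}

# Constructed sample log: .10 is a DC/DNS server, .20 is the Exchange
# server, .201/.202 are VPN clients, 10.0.0.5 is an unrelated host.
SAMPLE_LOG = """\
# client_ip dest_ip proto dport action
192.168.1.201 192.168.1.10 udp 53 DENIED
192.168.1.201 192.168.1.10 udp 137 DENIED
192.168.1.201 192.168.1.20 tcp 135 ALLOWED
192.168.1.201 192.168.1.20 tcp 445 DENIED
192.168.1.202 192.168.1.10 tcp 389 DENIED
192.168.1.202 192.168.1.10 udp 137 DENIED
10.0.0.5 192.168.1.20 tcp 25 DENIED
"""


def parse_log(text):
    """Yield (client_ip, dest_ip, proto, dport, action); skip blanks/comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, dest, proto, port, action = line.split()
        yield client, dest, proto.lower(), int(port), action.upper()


def denied_from_clients(text, client_net):
    """Count DENIED (dest, proto, port) triples for sources inside client_net."""
    net = ipaddress.ip_network(client_net)
    counts = Counter()
    for client, dest, proto, port, action in parse_log(text):
        if action == "DENIED" and ipaddress.ip_address(client) in net:
            counts[(dest, proto, port)] += 1
    return counts


def suggested_rules(counts):
    """Turn the denial counts into an ordered list of candidate allow rules."""
    return [
        {"dest": dest, "proto": proto, "port": port,
         "service": SERVICE_BY_PORT.get((proto, port), "unknown"), "hits": hits}
        for (dest, proto, port), hits in sorted(counts.items())
    ]


def netbios_fallback_hint(counts):
    """True when UDP 137 (NetBIOS name queries) is denied alongside port 53:
    the 137 traffic is the client falling back because DNS is blocked, so
    the fix is a DNS allow rule, not a NetBIOS one."""
    dns_blocked = any(port == 53 for (_, _, port) in counts)
    nbns_blocked = any(proto == "udp" and port == 137 for (_, proto, port) in counts)
    return dns_blocked and nbns_blocked


if __name__ == "__main__":
    counts = denied_from_clients(SAMPLE_LOG, "192.168.1.200/29")  # assumed VPN pool
    for rule in suggested_rules(counts):
        print("{hits:3d}x  {proto}/{port:<5} -> {dest:15} {service}".format(**rule))
    if netbios_fallback_hint(counts):
        print("UDP 137 denials coincide with DNS denials: allow DNS first.")
```

Run against a real log, the output is the list of (destination, protocol, port) pairs the VPN Clients network is actually trying to reach, which is the evidence to build access rules from; unknown ports that show up should be investigated rather than blindly allowed.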

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------