Any update on this Tom?

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Mon 3/14/2005 2:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: exchange rpc filter

http://www.ISAserver.org

Hi Ara,

Are they all using RPC over HTTP? That would be the easiest deployment scenario.

Thanks!
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Sunday, March 13, 2005 12:37 PM
To: [ISAserver.org Discussion List]
Subject: RE: exchange rpc filter

Hello Tom,

Thank you for the help and time. My problem started at the time that we have a domain.local scenario and I wanted to get RPC over HTTPS going. There was no ISA at this place till a month ago and they were using VPN to get Outlook access. But that is not the right way, because they get full access to everything. After putting ISA 2004 in place, I tried to set up the RPC over HTTPS feature. At the same time I was following here and saw that there are problems with local domains. So I stopped to see what the answer is for it: either rename the domain (politically impossible) or use a split DNS. I went through split DNS and couldn't get it to work following Jim's article on the website (my bad). So that put me back to this point: let them VPN in and use mail.domain.local as their server, so they are happy, and I think that is the safe way.

There are 2 domain controllers inside, apps.domain.local and pdc.domain.local. The email server is mail.domain.local. I used DHCP for VPN, so when I VPN in, I will get a computer.domain.local based IP address which is in the same range as the internal network. ISA is set up as a 3-legged one: internal has the mail server and domain controllers, and the 3rd leg is used for the wireless access point.
This might sound crazy as mail is inside, but that is my next plan, to move it out.

I was reading chapter 5 of the document, whose title is "Creating Access Policy for VPN Clients". If you could do me a favor and tell me what ports and protocols have to be forwarded from VPN clients to the inside network (Exchange, DNS, LDAP), or point me to a document that matches this scenario, that would be appreciated.

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sun 3/13/2005 5:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: exchange rpc filter

http://www.ISAserver.org

Hi Ara,

1. Yes, it's correct in the context of the scenario used in the document. The Exchange Server is on a DC, the DNS is on the DC, and the DNS is configured to resolve both internal and external host names.

2. Yes, there should be a DNS allow rule that allows members of the VPN Clients network access to the DNS server they need to resolve internal and external names.

3. There is no need for TCP 445 from the VPN Clients network to the Exchange Server if all they need is secure Exchange RPC via a Server Publishing Rule. It sounds like you're reading the doc that shows how to control Exchange RPC access in a site-to-site VPN scenario and use user/group based auth, which is sort of tricky :)

4. If this is a site-to-site VPN configuration and you want to allow all users at the branch office to the Exchange Server using Secure Exchange RPC (or even if this is a remote access VPN connection and you want to allow all users), then just create the Server Publishing Rule and don't mess with the fancy stuff.

5. Remind me of your design goal and I'll send you the doc that applies to your config. Unfortunately, they required that all the docs be put in one humongous doc, which is not what I wanted, and it was not designed to be presented that way. I have all the separate docs here, so I can send you the one that applies to your design goals.
HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Saturday, March 12, 2005 5:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] exchange rpc filter

http://www.ISAserver.org

Tom,

I have followed your VPN deployment kit for giving VPN users a full Outlook experience. Reading the instructions, there is some confusion I am facing:

* On page 137, you have a screenshot of the rule order and basically every required protocol to do this, but you are pointing the DNS to the Exchange server itself. Is that the case when Exchange is on the same domain controller?

* Would you clarify some simple requirements for me:
  1. There should be a DNS allow rule from VPN clients to the DNS servers inside (domain controllers in most cases, like mine).
  2. There should be a rule created for TCP 445 from VPN to Exchange itself? Is this correct?
  3. There should be an Exchange RPC filter rule from VPN to Exchange itself?

I followed those instructions but I am unable to create profiles from Outlook, and get the message that the mail server is unavailable. Then I tracked the log file and found there are some requests for NetBIOS 137.
So I created an allow rule for it and it worked, but I believe that is not the right way of doing it. Would you be so kind as to give me a simple list of required protocols and directions for Outlook to work over VPN?

Help is much appreciated.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
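Ara's step of reading the firewall log to see which requests from VPN clients are being denied is the right starting point for choosing the minimal rule set; the script below, an added example that is not from the thread or from ISA Server, tallies denied requests from the VPN client range by destination port so each can be weighed against what Outlook actually needs (per Tom: DNS plus Exchange RPC via a Server Publishing Rule) instead of allowing whatever shows up, as happened with NetBIOS 137. It assumes a constructed, simplified log layout (not ISA's real W3C log format) and made-up addresses.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log in a simplified layout (NOT ISA Server's real W3C format):
# date time client_ip dest_ip protocol dest_port action
# Addresses are made up: 10.0.0.10 = DC/DNS, 10.0.0.20 = Exchange,
# 10.0.0.200/29 = the DHCP range handed to VPN clients.
SAMPLE_LOG = """\
2005-03-12 17:01:02 10.0.0.201 10.0.0.10 UDP 53 Allowed
2005-03-12 17:01:03 10.0.0.201 10.0.0.20 TCP 135 Allowed
2005-03-12 17:01:03 10.0.0.201 10.0.0.20 UDP 137 Denied
2005-03-12 17:01:04 10.0.0.201 10.0.0.20 UDP 137 Denied
2005-03-12 17:01:05 10.0.0.201 10.0.0.20 TCP 445 Denied
2005-03-12 17:01:06 10.0.0.55 10.0.0.20 TCP 445 Denied
"""

# Names for the ports that came up in the thread; anything else is reported as unknown.
PORT_NAMES = {
    (53, "UDP"): "DNS",
    (135, "TCP"): "RPC endpoint mapper",
    (137, "UDP"): "NetBIOS name service",
    (445, "TCP"): "SMB/CIFS",
}

def parse_line(line):
    """Split one constructed log line into a record; raises ValueError if malformed."""
    _date, _time, src, dst, proto, port, action = line.split()
    return {"src": ip_address(src), "dst": ip_address(dst),
            "proto": proto.upper(), "port": int(port), "action": action}

def denied_by_service(log_text, vpn_range):
    """Count denied requests originating in vpn_range, keyed by (port, proto, dst)."""
    net = ip_network(vpn_range)
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "Denied" or rec["src"] not in net:
            continue  # allowed traffic and non-VPN sources are out of scope
        counts[(rec["port"], rec["proto"], str(rec["dst"]))] += 1
    return counts

def report(counts):
    """Render the tally, most frequent first, with a service name for each port."""
    rows = []
    for (port, proto, dst), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        name = PORT_NAMES.get((port, proto), "unknown service")
        rows.append(f"{n}x {proto}/{port} ({name}) -> {dst}")
    return rows
```

Running `report(denied_by_service(SAMPLE_LOG, "10.0.0.200/29"))` on the sample shows the NetBIOS name-service and SMB attempts separately, so the administrator can decide whether each is an Outlook requirement or incidental name-resolution chatter before writing any allow rule.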