Dear Tom, or anyone else who can help me on this,

May I ask for help on the minimal ports and protocols required to allow Outlook access for VPN clients? They are getting IP from DHCP inside the network, something like 192.168.0.* . There are 2 DNS servers, which are also domain controllers, inside and one Exchange 2003 server. I haven't set up RPC, as it looks to be impossible for domain.local scenarios. Any help is appreciated so I can get this project done.

I have set up DNS allow rules from VPN to servers, and the Exchange RPC filter is also published to VPN client, but I still can't create profiles.

Thank you

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sunday, March 13, 2005 5:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: exchange rpc filter

http://www.ISAserver.org

Hi Ara,

1. Yes, it's correct in the context of the scenario used in the document. The Exchange Server is on a DC and the DNS is on the DC and the DNS is configured to resolve both internal and external host names.

2. Yes, there should be a DNS allow rule that allows members of the VPN clients network access to the DNS server they need to resolve internal and external names.

3. There is no need for TCP 445 from the VPN clients network to the Exchange Server if all they need is secure Exchange RPC via a Server Publishing Rule. It sounds like you're reading the doc that shows how to control Exchange RPC access in a site to site VPN scenario and use user/group based auth, which is sort of tricky :)

4. If this is a site to site VPN configuration, and you want to allow all users at the branch office to the Exchange Server using Secure Exchange RPC (or even if this is a remote access VPN connection and you want to allow all users), then just create the Server Publishing Rule and don't mess with the fancy stuff.

5. Remind me of your design goal and I'll send you the doc that applies to your config.
Unfortunately, they required that all the docs be put in one humongous doc, which is not what I wanted and it was not designed to be presented that way. I have all the separate docs here, so I can send you the one that applies to your design goals.

HTH,
Tom

www.isaserver.org/shinder <http://www.isaserver.org/shinder>
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Saturday, March 12, 2005 5:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] exchange rpc filter

http://www.ISAserver.org

Tom,

I have followed your VPN deployment kit for giving VPN users a full Outlook experience. Reading the instructions, there is some confusion I am facing:

* On page 137, you have a screenshot of the rules order and basically any required protocol to do this, but you are pointing the DNS to the Exchange server itself. Is that the case when Exchange is on the same domain controller?
* Would you clarify for me the simple requirements, that
  1. There should be a DNS allow rule from VPN clients to DNS servers inside (domain controllers in most cases, like mine).
  2. There should be a rule created for TCP 445 from VPN to Exchange itself? Is this correct?
  3. There should be an Exchange RPC filter rule from VPN to Exchange itself?

I followed those instructions but I am unable to create profiles from Outlook and get the message that the mail server is unavailable. Then I tracked the log file and found there are some requests for NetBIOS 137.
So I created an allow rule for it and it worked, but I believe that is not the right way of doing it.

Would you be so kind as to give me a simple list of required protocols and directions for Outlook to work on VPN?

Help is much appreciated.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx