[isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
- Date: Sun, 13 Aug 2006 12:13:23 -0700
I recall a KB out there somewhere (I¹ll research when I have some time)
where the circumstances dictated ³static² assignment of a fixed RPC port
range for DC communications just as you have done here- this very well may
be that circumstance. Jim¹s later post regarding ³the only way ISA can
handle RPC is via Exchange RPC or RPC (All Interfaces) may support that
theory.
Hat¹s off to you for being committed to deploying security-in-depth with
least-privilege and not acquiescing to the ³whatever works² mentality. I
know it¹s a hard thing to deploy and support. While I have a similar
topology, I only separate the clients from the servers with an
infrastructure ISA box? not the BE¹s from the DC¹s; they¹re on the same
³protected² network.
That being said, I think the explicit range assignment might actually be a
more reliable method of ensuring proper RPC communications between your DC
and BE given ISA in the middle? as long as you only allow that range between
just those boxes, I think you¹ve still adhered to the principles of SiD and
LP. If Jim is correct (and there is no reason for me to think otherwise)
then you really don¹t have a choice. But it is odd that is only happens for
RDP/HTTP.
My ³FE in the Perimeter² setup that I gleaned off of Tom does not exhibit
this behavior, but again, my BE¹s talk directly to my DC¹s.
If you figga it out, please post back I for one would be interested in
what the cause is.
t
On 8/12/06 3:22 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to
all:
> From some testing, if I configure the DCs to use a fixed RPC range
> (50000-50100 say) and then configure ISA to allow allow these ports in addtion
> to RPC (All Interfaces) and other intradomain prorotocls then the NSPI proxy
> connects properly. Surely I shouldn't need to do this though, as ISA should
> allow for dynamic RPC port allocation??
>
> As I have said, ISA correctly performing inspection of dynamic RPC port
> allocations for other communications, just not the NSPI proxy process it would
> appear.
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: 12 August 2006 22:41
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>
> Maybe a napkin drawing, then?
> I don¹t understand how your BE needs specific rules unless its separated from
> the DC by ISA?
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Saturday, August 12, 2006 2:19 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>
> No, not confused, and realise the difference between RPC/HTTP and MAPI. I
> guess I am obviously not explaining myself very well with a complex
> environment and the problem very specific.
>
>>> >>AS such, any NSPI connections are strictly the problem of the BE server.
>
> Not in this scenario, as the BE is in an ISA protected network seperated from
> the DCs and FEs. The rule that allows access from BE=>DCs is using RPC (All
> interfaces) and yet ISA is blocking traffic from the NSPI proxy when using
> RPC/HTTP. All other RPC traffic from BE=>DCs is working as expected and ISA is
> detecting the RPC dynamic ports correctly.
>
> If I allow All outbound protocols from BE=>DCs the NSPI proxy works and I see
> ports 1025. 1026 etc being used. It seems as if ISA is missing the intitial
> RPC negations between the NSPI proxy and DCs and hence blocks all dynamic
> ports after 135 is contacted.
>
> Maybe I need to provide some diagrams and/or better desacirptions...
>
> JJ
>
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: 12 August 2006 16:55
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> I think you¹re confused; RPC/HTTP doesn¹t use MAPI; it¹s ³just² HTTP traffic.
> AS such, any NSPI connections are strictly the problem of the BE server.
>
> The only way ISA handles RPC traffic is via Exchange RPC or RPC (All
> interfaces) rules.
>
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Friday, August 11, 2006 5:13 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
>
> Hi,
>
> Bit of a shot in the dark, as this is a strange issue, but hoping someone can
> confirm what I am seeing.
>
> Basically, I have a pretty secure Exchange environment whereby both Exchange
> FE's and BE's are on ISA protected perimeter networks with the external
> network connected to the 'traditional LAN' e.g., ISA is acting as a
> multinetwork internal firewall to specifically protect Exchange from the
> internal network (all routed relationships). In this scenario, ISA is
> controlling all communications to and from Exchange and all email client
> access is published using web publishing or secure RPC publishing.
>
> Up until now everything has been working pretty well (apart from the other RPC
> filter issues in my other posts!) but we have come across a specific issue
> when using RPC/HTTP as follows:
>
> The problem seems to lie with the fact that the back-end Exchange server is
> talking to the GCs and ISA is seeing these connections as newly initiated
> connections (e.g. non RPC) as opposed to detecting them as dynamic ports which
> have been defined as part of the RPC handshake process. Therefore, ISA is
> dropping these connections and prevents the back-end server from communicating
> with the GCs, specifically for RPC/HTTP (e.g. when using the NSPI proxy). All
> other communications which relate to RPC and ISA's ability to detect dynamic
> RPC ports is being done successfully (e.g. MAPI communications from Outlook to
> Exchange). It looks to me as if the back-end Exchange server is initiating it
> own connections which ISA sees as communications independent of RPC. The issue
> only appears to arise when the back-end servers proxy the client AD
> communication (e.g. when using the NSPI proxy), as is the case with RPC/HTTP,
> because Outlook clients have no access to the GCs from the Internet. For
> standard MAPI clients, they are simply given a referral to the actual GCs
> which they communicate with directly, independent of Exchange (e.g. not using
> NSPI proxy).
>
> Does this sounds familiar? Is Exchange doing something weird here or is ISA
> missing the RPC dynamic port negotiations?
>
> Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used by the
> NSPI proxy which I am pretty sure are going to be the kind of ports dynamic
> RPC would use. If I add the ephemeral ports (1024-65535) to the existing
> BE=>GC rule everything work just fine. If I limit ports to standard
> intradomain protocols including RPC then everything works apart from RPC/HTTP
> and I start seeing ports 1025, 1027 etc. being denied by ISA as unidentified
> traffic.
>
> Answers on a postcard! ;-)
>
> Cheers
>
> JJ
>
> All mail to and from this domain is GFI-scanned.
> All mail to and from this domain is GFI-scanned.
>
Other related posts:
