I recall a KB out there somewhere (I¹ll research when I have some time) where the circumstances dictated ³static² assignment of a fixed RPC port range for DC communications just as you have done here- this very well may be that circumstance. Jim¹s later post regarding ³the only way ISA can handle RPC is via Exchange RPC or RPC (All Interfaces) may support that theory. Hat¹s off to you for being committed to deploying security-in-depth with least-privilege and not acquiescing to the ³whatever works² mentality. I know it¹s a hard thing to deploy and support. While I have a similar topology, I only separate the clients from the servers with an infrastructure ISA box? not the BE¹s from the DC¹s; they¹re on the same ³protected² network. That being said, I think the explicit range assignment might actually be a more reliable method of ensuring proper RPC communications between your DC and BE given ISA in the middle? as long as you only allow that range between just those boxes, I think you¹ve still adhered to the principles of SiD and LP. If Jim is correct (and there is no reason for me to think otherwise) then you really don¹t have a choice. But it is odd that is only happens for RDP/HTTP. My ³FE in the Perimeter² setup that I gleaned off of Tom does not exhibit this behavior, but again, my BE¹s talk directly to my DC¹s. If you figga it out, please post back I for one would be interested in what the cause is. t On 8/12/06 3:22 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all: > From some testing, if I configure the DCs to use a fixed RPC range > (50000-50100 say) and then configure ISA to allow allow these ports in addtion > to RPC (All Interfaces) and other intradomain prorotocls then the NSPI proxy > connects properly. Surely I shouldn't need to do this though, as ISA should > allow for dynamic RPC port allocation?? > > As I have said, ISA correctly performing inspection of dynamic RPC port > allocations for other communications, just not the NSPI proxy process it would > appear. > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On > Behalf Of Jim Harrison > Sent: 12 August 2006 22:41 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA > > Maybe a napkin drawing, then? > I don¹t understand how your BE needs specific rules unless its separated from > the DC by ISA? > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On > Behalf Of Jason Jones > Sent: Saturday, August 12, 2006 2:19 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA > > No, not confused, and realise the difference between RPC/HTTP and MAPI. I > guess I am obviously not explaining myself very well with a complex > environment and the problem very specific. > >>> >>AS such, any NSPI connections are strictly the problem of the BE server. > > Not in this scenario, as the BE is in an ISA protected network seperated from > the DCs and FEs. The rule that allows access from BE=>DCs is using RPC (All > interfaces) and yet ISA is blocking traffic from the NSPI proxy when using > RPC/HTTP. All other RPC traffic from BE=>DCs is working as expected and ISA is > detecting the RPC dynamic ports correctly. > > If I allow All outbound protocols from BE=>DCs the NSPI proxy works and I see > ports 1025. 1026 etc being used. It seems as if ISA is missing the intitial > RPC negations between the NSPI proxy and DCs and hence blocks all dynamic > ports after 135 is contacted. > > Maybe I need to provide some diagrams and/or better desacirptions... > > JJ > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On > Behalf Of Jim Harrison > Sent: 12 August 2006 16:55 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA > I think you¹re confused; RPC/HTTP doesn¹t use MAPI; it¹s ³just² HTTP traffic. > AS such, any NSPI connections are strictly the problem of the BE server. > > The only way ISA handles RPC traffic is via Exchange RPC or RPC (All > interfaces) rules. > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On > Behalf Of Jason Jones > Sent: Friday, August 11, 2006 5:13 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA > > Hi, > > Bit of a shot in the dark, as this is a strange issue, but hoping someone can > confirm what I am seeing. > > Basically, I have a pretty secure Exchange environment whereby both Exchange > FE's and BE's are on ISA protected perimeter networks with the external > network connected to the 'traditional LAN' e.g., ISA is acting as a > multinetwork internal firewall to specifically protect Exchange from the > internal network (all routed relationships). In this scenario, ISA is > controlling all communications to and from Exchange and all email client > access is published using web publishing or secure RPC publishing. > > Up until now everything has been working pretty well (apart from the other RPC > filter issues in my other posts!) but we have come across a specific issue > when using RPC/HTTP as follows: > > The problem seems to lie with the fact that the back-end Exchange server is > talking to the GCs and ISA is seeing these connections as newly initiated > connections (e.g. non RPC) as opposed to detecting them as dynamic ports which > have been defined as part of the RPC handshake process. Therefore, ISA is > dropping these connections and prevents the back-end server from communicating > with the GCs, specifically for RPC/HTTP (e.g. when using the NSPI proxy). All > other communications which relate to RPC and ISA's ability to detect dynamic > RPC ports is being done successfully (e.g. MAPI communications from Outlook to > Exchange). It looks to me as if the back-end Exchange server is initiating it > own connections which ISA sees as communications independent of RPC. The issue > only appears to arise when the back-end servers proxy the client AD > communication (e.g. when using the NSPI proxy), as is the case with RPC/HTTP, > because Outlook clients have no access to the GCs from the Internet. For > standard MAPI clients, they are simply given a referral to the actual GCs > which they communicate with directly, independent of Exchange (e.g. not using > NSPI proxy). > > Does this sounds familiar? Is Exchange doing something weird here or is ISA > missing the RPC dynamic port negotiations? > > Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used by the > NSPI proxy which I am pretty sure are going to be the kind of ports dynamic > RPC would use. If I add the ephemeral ports (1024-65535) to the existing > BE=>GC rule everything work just fine. If I limit ports to standard > intradomain protocols including RPC then everything works apart from RPC/HTTP > and I start seeing ports 1025, 1027 etc. being denied by ISA as unidentified > traffic. > > Answers on a postcard! ;-) > > Cheers > > JJ > > All mail to and from this domain is GFI-scanned. > All mail to and from this domain is GFI-scanned. >