[isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 19:48:26 -0500

Yep, six year old UPSs will do that to you every time (or a three year old 
Belkin UPS)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, August 15, 2006 7:25 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> Yep - somehow he managed to completely bork his storage. 
> We're almost to the point of a complete rebuild <sigh>.
> I'm actually doing a registry compare to see if I can sort 
> out what he broke.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, August 15, 2006 17:20
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> Is it a real problem, and dealing with jughead the enterprise admin?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, August 15, 2006 6:58 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Not yet - been critsitting between postings. 
> > ..or the other way 'round...
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Tuesday, August 15, 2006 14:44
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Jim,
> > 
> > Any luck with this? 
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 14 August 2006 00:52
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Absotively.
> > Send it on.
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Sunday, August 13, 2006 3:08 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Yeah I know, have the same issues when looking at closed betas with 
> > cool features which could really help out some of my customers. Shame 
> > the NDA doesn't extend to MS partners though...
> > 
> > PSS dude said that all KB articles related to RPC problems were 
> > based upon using a large number of clients. He also said that as this 
> > issue was happening before the DR problems I couldn't include it 
> > within the DR call and I would have to log another call...great! :-(
> > 
> > If I give you the SRQ number, is there any chance you could point him 
> > in the right direction? Pretty please :-)
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 13 August 2006 22:47
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > I wish I could say more, but I'm bound by NDA... 
> > The KB is on its way out the door and your PSS dewd need only do a bit 
> > of research.
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Sunday, August 13, 2006 14:41
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Whilst PSS logging a call to get some feedback on the DR issues I've 
> > had with ISA, I mentioned this "new KB article" and the chap I was 
> > dealing with was pretty clueless about it (amongst other things!).
> >  
> > You are really starting to become a tease with this article, as it 
> > may solve two problems now! :-P
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 13 August 2006 19:15
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > 
> > 
> > Not insinuating anything of the sort...
> > 
> > Keep your eyes open for that KB that deals in Outlook MAPI 
> > connections; I bet it'll help you out here, too.
> > 
> >  
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Sunday, August 13, 2006 2:22 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> >  
> > 
> > All relationships are route = I know intradomain is only supported 
> > this way - I'm not a complete newb at this ;-)
> > 
> >  
> > 
> > Complicated setup I know, but pretty much 99% working apart from this 
> > issue and the RPC filter failings (other post)
> > 
> >  
> > 
> > Tried with and without strict RPC - no dice, same issues...
> > 
> >  
> > 
> > Internet FW is hardware appliance (dumb packet filter)
> > 
> >  
> > 
> >  
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 13 August 2006 01:43
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Ah, yes.
> > 
> > While this is a desirable design, it's also a very difficult one.
> > 
> > What are the network relationships between the networks?
> > 
> > For instance:
> > 
> > ExchFE <--> Exch BE == Route
> > 
> > ...?
> > 
> > Have you disabled Strict RPC on the relevant rules?
> > 
> >  
> > 
> > NAT ain't happenin' FWIW...
> > 
> > What's the "Internet FW"?
> > 
> >  
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Saturday, August 12, 2006 3:18 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> >  
> > 
> > 
> > 
> >  
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 12 August 2006 22:41
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Maybe a napkin drawing, then?
> > 
> > I don't understand how your BE needs specific rules unless it's 
> > separated from the DC by ISA?
> > 
> >  
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Saturday, August 12, 2006 2:19 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> >  
> > 
> > No, not confused, and realise the difference between RPC/HTTP and 
> > MAPI. I guess I am obviously not explaining myself very well with a 
> > complex environment and the problem very specific.
> > 
> >  
> > 
> > >>As such, any NSPI connections are strictly the problem of
> > the BE server.
> > 
> >  
> > 
> > Not in this scenario, as the BE is in an ISA protected network 
> > separated from the DCs and FEs. The rule that allows access from 
> > BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic 
> > from the NSPI proxy when using RPC/HTTP.
> > All other RPC traffic from BE=>DCs is working as expected and ISA is 
> > detecting the RPC dynamic ports correctly.
> > 
> >  
> > 
> > If I allow All outbound protocols from BE=>DCs the NSPI proxy works 
> > and I see ports 1025, 1026 etc being used. It seems as if ISA is 
> > missing the initial RPC negotiations between the NSPI proxy and DCs and 
> > hence blocks all dynamic ports after 135 is contacted.
> > 
> >  
> > 
> > Maybe I need to provide some diagrams and/or better descriptions...
> > 
> >  
> > 
> > JJ
> > 
> >  
> > 
> > ________________________________
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 12 August 2006 16:55
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP 
> > traffic.
> > 
> > As such, any NSPI connections are strictly the problem of the BE 
> > server.
> > 
> >  
> > 
> > The only way ISA handles RPC traffic is via Exchange RPC or RPC (All 
> > interfaces) rules.
> > 
> >  
> > 
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Friday, August 11, 2006 5:13 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
> > 
> >  
> > 
> > Hi,
> > 
> > Bit of a shot in the dark, as this is a strange issue, but hoping 
> > someone can confirm what I am seeing.
> > 
> > Basically, I have a pretty secure Exchange environment whereby both 
> > Exchange FE's and BE's are on ISA protected perimeter networks with 
> > the external network connected to the 'traditional LAN' e.g., ISA is 
> > acting as a multinetwork internal firewall to specifically protect 
> > Exchange from the internal network (all routed relationships). In this 
> > scenario, ISA is controlling all communications to and from Exchange 
> > and all email client access is published using web publishing or 
> > secure RPC publishing.
> > 
> > Up until now everything has been working pretty well (apart from the 
> > other RPC filter issues in my other posts!) but we have come across a 
> > specific issue when using RPC/HTTP as follows:
> > 
> > The problem seems to lie with the fact that the back-end Exchange 
> > server is talking to the GCs and ISA is seeing these connections as 
> > newly initiated connections (e.g. non RPC) as opposed to detecting 
> > them as dynamic ports which have been defined as part of the RPC 
> > handshake process. Therefore, ISA is dropping these connections and 
> > prevents the back-end server from communicating with the GCs, 
> > specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other 
> > communications which relate to RPC and ISA's ability to detect dynamic 
> > RPC ports is being done successfully (e.g. MAPI communications from 
> > Outlook to Exchange). It looks to me as if the back-end Exchange 
> > server is initiating its own connections which ISA sees as 
> > communications independent of RPC. The issue only appears to arise 
> > when the back-end servers proxy the client AD communication (e.g. 
> > when using the NSPI proxy), as is the case with RPC/HTTP, because 
> > Outlook clients have no access to the GCs from the Internet. For 
> > standard MAPI clients, they are simply given a referral to the actual 
> > GCs which they communicate with directly, independent of Exchange 
> > (e.g. not using NSPI proxy).
> > 
> > Does this sound familiar? Is Exchange doing something weird here or 
> > is ISA missing the RPC dynamic port negotiations?
> > 
> > Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used 
> > by the NSPI proxy which I am pretty sure are going to be the kind of 
> > ports dynamic RPC would use. If I add the ephemeral ports (1024-65535) 
> > to the existing BE=>GC rule everything works just fine. If I limit 
> > ports to standard intradomain protocols including RPC then everything 
> > works apart from RPC/HTTP and I start seeing ports 1025, 1027 etc. 
> > being denied by ISA as unidentified traffic.
> > 
> > Answers on a postcard! ;-)
> > 
> > Cheers
> > 
> > JJ
> > 
> > All mail to and from this domain is GFI-scanned.
> 
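The symptom Jason describes above (the back-end server reaches the GC's endpoint mapper on TCP 135, and moments later its connections to 1025, 1027 and similar ports are denied by ISA as unidentified traffic) can be picked out of a firewall log by correlating those two events per source/destination pair. The script below is an added example written for this page; it is not code from the thread, from ISA Server or from isatools.org. It uses a simplified, constructed log format (timestamp, source, destination, destination port, action) rather than ISA's own log schema, and the hosts, times, ports and the 30-second correlation window are all made-up assumptions.

```python
"""Correlate RPC endpoint-mapper hits (TCP 135) with later denied
connections to ephemeral ports between the same two hosts.

Added example for this thread; not code from the list or from ISA Server.
The log format below is a simplified, constructed one (timestamp, source,
destination, destination port, action) and is NOT ISA's own log schema.
Hosts, times and ports are made up.
"""
from datetime import datetime, timedelta

EPM_PORT = 135                   # RPC endpoint mapper
EPHEMERAL = range(1024, 65536)   # the range that made the BE=>GC rule "work"
WINDOW_SECONDS = 30              # assumed: how soon after the EPM hit the dynamic port follows

# Constructed sample log: 10.0.2.10 and .11 play back-end servers, 10.0.1.5 a GC.
SAMPLE_LOG = """\
2006-08-12T15:00:01 10.0.2.10 10.0.1.5 135 allowed
2006-08-12T15:00:02 10.0.2.10 10.0.1.5 1025 denied
2006-08-12T15:00:02 10.0.2.10 10.0.1.5 1027 denied
2006-08-12T15:00:05 10.0.2.11 10.0.1.5 135 allowed
2006-08-12T15:00:06 10.0.2.11 10.0.1.5 1030 allowed
2006-08-12T15:00:09 10.0.2.12 10.0.1.5 3389 denied
2006-08-12T15:02:00 10.0.2.10 10.0.1.5 1026 denied
"""


def parse_log(text):
    """Parse the constructed format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "action": action,
        })
    return records


def find_missed_negotiations(records, window_seconds=WINDOW_SECONDS):
    """Return [(src, dst, dport)] for denied ephemeral-port connections that
    follow an allowed EPM connection between the same (src, dst) within
    window_seconds.  These match the symptom in the thread: the filter saw
    the port-135 exchange but did not learn the dynamic port, so the
    follow-up connection is logged as unidentified traffic and denied.

    Denied ephemeral ports with no recent EPM hit (plain unexpected traffic)
    and allowed follow-ups (filter tracked the port correctly) are not flagged.
    """
    window = timedelta(seconds=window_seconds)
    last_epm = {}   # (src, dst) -> timestamp of the most recent allowed EPM hit
    missed = []
    for rec in sorted(records, key=lambda r: r["ts"]):   # stable sort keeps log order for ties
        pair = (rec["src"], rec["dst"])
        if rec["dport"] == EPM_PORT and rec["action"] == "allowed":
            last_epm[pair] = rec["ts"]
            continue
        if rec["action"] != "denied" or rec["dport"] not in EPHEMERAL:
            continue
        epm_ts = last_epm.get(pair)
        if epm_ts is not None and rec["ts"] - epm_ts <= window:
            missed.append((rec["src"], rec["dst"], rec["dport"]))
    return missed


def summarize(missed):
    """Count flagged ports per (src, dst) pair, the view to compare against
    the access rule that was supposed to cover RPC between those hosts."""
    counts = {}
    for src, dst, _port in missed:
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_missed_negotiations(parse_log(SAMPLE_LOG))
    for src, dst, dport in hits:
        print(f"{src} -> {dst}:{dport} denied shortly after EPM contact")
    print(summarize(hits))
```

On the constructed sample, only the two 10.0.2.10 connections right after its port-135 hit are flagged; the 10.0.2.11 follow-up was allowed (the filter tracked that one), the 3389 denial had no preceding EPM contact, and the 1026 denial two minutes later falls outside the window. Pairs that show up in the summary are the ones whose RPC rule deserves a look at the filter rather than a blanket 1024-65535 opening; the window value is the knob to tune against real log timing.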
