Or, just a six year old. Trust me. I know.

t

On 8/15/06 5:48 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Yep, six year old UPSs will do that to you every time (or a three year old
> Belkin UPS)
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Tuesday, August 15, 2006 7:25 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>
>> Yep - somehow he managed to completely bork his storage.
>> We're almost to the point of a complete rebuild <sigh>.
>> I'm actually doing a registry compare to see if I can sort
>> out what he broke.
>>
>> -------------------------------------------------------
>> Jim Harrison
>> MCP(NT4, W2K), A+, Network+, PCG
>> http://isaserver.org/Jim_Harrison/
>> http://isatools.org
>> Read the help / books / articles!
>> -------------------------------------------------------
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Tuesday, August 15, 2006 17:20
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>
>> Is it a real problem, and dealing with jughead the enterprise admin?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Tuesday, August 15, 2006 6:58 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Not yet - been critsitting between postings.
>>> ..or the other way 'round...
>>>
>>> -------------------------------------------------------
>>> Jim Harrison
>>> MCP(NT4, W2K), A+, Network+, PCG
>>> http://isaserver.org/Jim_Harrison/
>>> http://isatools.org
>>> Read the help / books / articles!
>>> -------------------------------------------------------
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Tuesday, August 15, 2006 14:44
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Jim,
>>>
>>> Any luck with this?
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 14 August 2006 00:52
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Absotively.
>>> Send it on.
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Sunday, August 13, 2006 3:08 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Yeah I know, have the same issues when looking at closed betas with
>>> cool features which could really help out some of my customers. Shame
>>> the NDA doesn't extend to MS partners though...
>>>
>>> PSS dude said that all KB articles related to RPC problems were
>>> based upon using a large number of clients. He also said that as this
>>> issue was happening before the DR problems I couldn't include it
>>> within the DR call and I would have to log another call...great! :-(
>>>
>>> If I give you the SRQ number, is there any chance you could point him
>>> in the right direction? Pretty please :-)
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 13 August 2006 22:47
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> I wish I could say more, but I'm bound by NDA...
>>> The KB is on its way out the door and your PSS dewd need only do a bit
>>> of research.
>>>
>>> -------------------------------------------------------
>>> Jim Harrison
>>> MCP(NT4, W2K), A+, Network+, PCG
>>> http://isaserver.org/Jim_Harrison/
>>> http://isatools.org
>>> Read the help / books / articles!
>>> -------------------------------------------------------
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Sunday, August 13, 2006 14:41
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Whilst logging a PSS call to get some feedback on the DR issues I've
>>> had with ISA, I mentioned this "new KB article"
>>> and the chap I was dealing with was pretty clueless about it (amongst
>>> other things!).
>>>
>>> You are really starting to become a tease with this article, as it
>>> may solve two problems now! :-P
>>>
>>> ________________________________
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 13 August 2006 19:15
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Not insinuating anything of the sort...
>>>
>>> Keep your eyes open for that KB that deals in Outlook MAPI
>>> connections; I bet it'll help you out here, too.
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Sunday, August 13, 2006 2:22 AM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> All relationships are route = I know intradomain is only supported
>>> this way - I'm not a complete newb at this ;-)
>>>
>>> Complicated setup I know, but pretty much 99% working apart from this
>>> issue and the RPC filter failings (other post)
>>>
>>> Tried with and without strict RPC - no dice, same issues...
>>>
>>> Internet FW is hardware appliance (dumb packet filter)
>>>
>>> ________________________________
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 13 August 2006 01:43
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Ah, yes.
>>>
>>> While this is a desirable design, it's also a very difficult one.
>>>
>>> What are the network relationships between the networks?
>>>
>>> For instance:
>>>
>>> ExchFE <--> Exch BE == Route
>>>
>>> ...?
>>>
>>> Have you disabled Strict RPC on the relevant rules?
>>>
>>> NAT ain't happenin' FWIW...
>>>
>>> What's the "Internet FW"?
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Saturday, August 12, 2006 3:18 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> ________________________________
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 12 August 2006 22:41
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Maybe a napkin drawing, then?
>>>
>>> I don't understand how your BE needs specific rules unless it's
>>> separated from the DC by ISA?
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Saturday, August 12, 2006 2:19 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> No, not confused, and realise the difference between RPC/HTTP and
>>> MAPI. I guess I am obviously not explaining myself very well with a
>>> complex environment and the problem very specific.
>>>
>>> >> As such, any NSPI connections are strictly the problem of
>>> >> the BE server.
>>>
>>> Not in this scenario, as the BE is in an ISA protected network
>>> separated from the DCs and FEs. The rule that allows access from
>>> BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic
>>> from the NSPI proxy when using RPC/HTTP.
>>> All other RPC traffic from BE=>DCs is working as expected and ISA is
>>> detecting the RPC dynamic ports correctly.
>>>
>>> If I allow All outbound protocols from BE=>DCs the NSPI proxy works
>>> and I see ports 1025, 1026 etc. being used. It seems as if ISA is
>>> missing the initial RPC negotiations between the NSPI proxy and DCs and
>>> hence blocks all dynamic ports after 135 is contacted.
>>>
>>> Maybe I need to provide some diagrams and/or better descriptions...
>>>
>>> JJ
>>>
>>> ________________________________
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 12 August 2006 16:55
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP
>>> traffic.
>>>
>>> As such, any NSPI connections are strictly the problem of the BE
>>> server.
>>>
>>> The only way ISA handles RPC traffic is via Exchange RPC or RPC (All
>>> interfaces) rules.
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Friday, August 11, 2006 5:13 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
>>>
>>> Hi,
>>>
>>> Bit of a shot in the dark, as this is a strange issue, but hoping
>>> someone can confirm what I am seeing.
>>>
>>> Basically, I have a pretty secure Exchange environment whereby both
>>> Exchange FE's and BE's are on ISA protected perimeter networks with
>>> the external network connected to the 'traditional LAN' e.g., ISA is
>>> acting as a multinetwork internal firewall to specifically protect
>>> Exchange from the internal network (all routed relationships). In this
>>> scenario, ISA is controlling all communications to and from Exchange
>>> and all email client access is published using web publishing or
>>> secure RPC publishing.
>>>
>>> Up until now everything has been working pretty well (apart from the
>>> other RPC filter issues in my other posts!) but we have come across a
>>> specific issue when using RPC/HTTP as follows:
>>>
>>> The problem seems to lie with the fact that the back-end Exchange
>>> server is talking to the GCs and ISA is seeing these connections as
>>> newly initiated connections (e.g. non RPC) as opposed to detecting
>>> them as dynamic ports which have been defined as part of the RPC
>>> handshake process. Therefore, ISA is dropping these connections and
>>> prevents the back-end server from communicating with the GCs,
>>> specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other
>>> communications which relate to RPC and ISA's ability to detect dynamic
>>> RPC ports is being done successfully (e.g.
>>> MAPI communications from Outlook to Exchange). It looks to me as if
>>> the back-end Exchange server is initiating its own connections which
>>> ISA sees as communications independent of RPC. The issue only appears
>>> to arise when the back-end servers proxy the client AD communication
>>> (e.g. when using the NSPI proxy), as is the case with RPC/HTTP,
>>> because Outlook clients have no access to the GCs from the Internet.
>>> For standard MAPI clients, they are simply given a referral to the
>>> actual GCs which they communicate with directly, independent of
>>> Exchange (e.g. not using NSPI proxy).
>>>
>>> Does this sound familiar? Is Exchange doing something weird here or
>>> is ISA missing the RPC dynamic port negotiations?
>>>
>>> Looking at the ISA logs, I see ports 1025, 1027, 1030 etc.
>>> being used by the NSPI proxy which I am pretty sure are going to be
>>> the kind of ports dynamic RPC would use. If I add the ephemeral ports
>>> (1024-65535) to the existing BE=>GC rule everything works just fine. If
>>> I limit ports to standard intradomain protocols including RPC then
>>> everything works apart from RPC/HTTP and I start seeing ports 1025,
>>> 1027 etc.
>>> being denied by ISA as unidentified traffic.
>>>
>>> Answers on a postcard! ;-)
>>>
>>> Cheers
>>>
>>> JJ
>>>
>>> All mail to and from this domain is GFI-scanned.
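
A log-triage sketch for the symptom described in the original post at the bottom of this thread (high ports denied right after the back-end contacts TCP 135), added here as an example and not part of the thread. The record layout, addresses and 30-second correlation window are constructed assumptions, not ISA's native log format; records are assumed to be in time order.

```python
from datetime import datetime, timedelta

EPM_PORT = 135                   # RPC endpoint mapper
WINDOW = timedelta(seconds=30)   # assumed correlation window

# Constructed sample records: "timestamp src dst dst_port action"
SAMPLE_LOG = """\
2006-08-11T17:00:01 10.0.2.10 10.0.1.5 135 ALLOW
2006-08-11T17:00:02 10.0.2.10 10.0.1.5 1025 DENY
2006-08-11T17:00:03 10.0.2.10 10.0.1.5 1027 DENY
2006-08-11T17:00:04 10.0.2.10 10.0.1.5 389 ALLOW
2006-08-11T17:05:00 10.0.2.10 10.0.1.6 1030 DENY
2006-08-11T17:06:00 10.0.3.20 10.0.1.5 135 ALLOW
2006-08-11T17:09:00 10.0.3.20 10.0.1.5 1026 DENY
"""

def parse(line):
    """Split one constructed record into typed fields."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def untracked_rpc_denials(log_text, window=WINDOW):
    """Correlate denied high-port connections with a preceding allowed
    endpoint-mapper connection between the same source and destination.

    Returns (hits, unrelated):
      hits      -> {(src, dst): sorted denied ports seen within `window` of 135}
      unrelated -> [(src, dst, port)] denials with no recent 135 contact
    """
    last_epm = {}    # (src, dst) -> time of last allowed connection to 135
    hits, unrelated = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = parse(line)
        pair = (src, dst)
        if port == EPM_PORT and action == "ALLOW":
            last_epm[pair] = ts
        elif action == "DENY" and port >= 1024:
            seen = last_epm.get(pair)
            if seen is not None and ts - seen <= window:
                hits.setdefault(pair, set()).add(port)
            else:
                unrelated.append((src, dst, port))
    return {p: sorted(v) for p, v in hits.items()}, unrelated

if __name__ == "__main__":
    hits, unrelated = untracked_rpc_denials(SAMPLE_LOG)
    for (src, dst), ports in hits.items():
        print(f"{src} -> {dst}: denied after 135 contact: {ports}")
    print("denials without recent 135 contact:", unrelated)
```

Pairs that appear in `hits` match the pattern in the post, which helps confirm the filter is not associating those ports with the RPC exchange before the rule is widened to 1024-65535.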