[isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 17:56:02 -0700

Or, just a six year old.  Trust me.  I know.

t


On 8/15/06 5:48 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> Yep, six year old UPSs will do that to you every time (or a three year old
> Belkin UPS)
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Tuesday, August 15, 2006 7:25 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>> 
>> Yep - somehow he managed to completely bork his storage.
>> We're almost to the point of a complete rebuild <sigh>.
>> I'm actually doing a registry compare to see if I can sort
>> out what he broke.
>> 
>> -------------------------------------------------------
>>    Jim Harrison
>>    MCP(NT4, W2K), A+, Network+, PCG
>>    http://isaserver.org/Jim_Harrison/
>>    http://isatools.org
>>    Read the help / books / articles!
>> -------------------------------------------------------
>>  
>> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Tuesday, August 15, 2006 17:20
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>> 
>> Is it a real problem, and dealing with jughead the enterprise admin?
>> 
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> 
>>  
>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Tuesday, August 15, 2006 6:58 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Not yet - been critsitting between postings.
>>> ..or the other way 'round...
>>> 
>>> -------------------------------------------------------
>>>    Jim Harrison
>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>    http://isaserver.org/Jim_Harrison/
>>>    http://isatools.org
>>>    Read the help / books / articles!
>>> -------------------------------------------------------
>>>  
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Tuesday, August 15, 2006 14:44
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Jim,
>>> 
>>> Any luck with this?
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 14 August 2006 00:52
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Absotively.
>>> Send it on.
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Sunday, August 13, 2006 3:08 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Yeah I know, have the same issues when looking at closed betas with
>>> cool features which could really help out some of my customers. Shame
>>> the NDA doesn't extend to MS partners though...
>>> 
>>> PSS dude said that all KB articles related to RPC problems were
>>> based upon using a large number of clients. He also said that as this
>>> issue was happening before the DR problems I couldn't include it
>>> within the DR call and I would have to log another call...great! :-(
>>> 
>>> If I give you the SRQ number, is there any chance you could point him
>>> in the right direction? Pretty please :-)
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 13 August 2006 22:47
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> I wish I could say more, but I'm bound by NDA...
>>> The KB is on its way out the door and your PSS dewd need only do a bit
>>> of research.
>>> 
>>> -------------------------------------------------------
>>>    Jim Harrison
>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>    http://isaserver.org/Jim_Harrison/
>>>    http://isatools.org
>>>    Read the help / books / articles!
>>> -------------------------------------------------------
>>>  
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Sunday, August 13, 2006 14:41
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Whilst logging a call with PSS to get some feedback on the DR issues I've
>>> had with ISA, I mentioned this "new KB article"
>>> and the chap I was dealing with was pretty clueless about it (amongst
>>> other things!).
>>>  
>>> You are really starting to become a tease with this article, as it
>>> may solve two problems now! :-P
>>> 
>>> ________________________________
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 13 August 2006 19:15
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> 
>>> 
>>> Not insinuating anything of the sort...
>>> 
>>> Keep your eyes open for that KB that deals in Outlook MAPI
>>> connections; I bet it'll help you out here, too.
>>> 
>>>  
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Sunday, August 13, 2006 2:22 AM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>>  
>>> 
>>> All relationships are route = I know intradomain is only supported
>>> this way - I'm not a complete newb at this ;-)
>>> 
>>>  
>>> 
>>> Complicated setup I know, but pretty much 99% working apart from this
>>> issue and the RPC filter failings (other post)
>>> 
>>>  
>>> 
>>> Tried with and without strict RPC - no dice, same issues...
>>> 
>>>  
>>> 
>>> Internet FW is hardware appliance (dumb packet filter)
>>> 
>>>  
>>> 
>>>  
>>> 
>>> ________________________________
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 13 August 2006 01:43
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Ah, yes.
>>> 
>>> While this is a desirable design, it's also a very difficult one.
>>> 
>>> What are the network relationships between the networks?
>>> 
>>> For instance:
>>> 
>>> ExchFE <--> Exch BE == Route
>>> 
>>> ...?
>>> 
>>> Have you disabled Strict RPC on the relevant rules?
>>> 
>>>  
>>> 
>>> NAT ain't happenin' FWIW...
>>> 
>>> What's the "Internet FW"?
>>> 
>>>  
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Saturday, August 12, 2006 3:18 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>>  
>>> 
>>> 
>>> 
>>>  
>>> 
>>> ________________________________
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 12 August 2006 22:41
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Maybe a napkin drawing, then?
>>> 
>>> I don't understand how your BE needs specific rules unless it's
>>> separated from the DC by ISA?
>>> 
>>>  
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Saturday, August 12, 2006 2:19 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>>  
>>> 
>>> No, not confused, and realise the difference between RPC/HTTP and
>>> MAPI. I guess I am obviously not explaining myself very well with a
>>> complex environment and the problem very specific.
>>> 
>>>  
>>> 
>>>> As such, any NSPI connections are strictly the problem of the BE server.
>>> 
>>>  
>>> 
>>> Not in this scenario, as the BE is in an ISA protected network
>>> separated from the DCs and FEs. The rule that allows access from
>>> BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic
>>> from the NSPI proxy when using RPC/HTTP.
>>> All other RPC traffic from BE=>DCs is working as expected and ISA is
>>> detecting the RPC dynamic ports correctly.
>>> 
>>>  
>>> 
>>> If I allow All outbound protocols from BE=>DCs the NSPI proxy works
>>> and I see ports 1025, 1026 etc being used. It seems as if ISA is
>>> missing the initial RPC negotiations between the NSPI proxy and DCs and
>>> hence blocks all dynamic ports after 135 is contacted.
>>> 
>>>  
>>> 
>>> Maybe I need to provide some diagrams and/or better descriptions...
>>> 
>>>  
>>> 
>>> JJ
>>> 
>>>  
>>> 
>>> ________________________________
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: 12 August 2006 16:55
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP
>>> traffic.
>>> 
>>> As such, any NSPI connections are strictly the problem of the BE
>>> server.
>>> 
>>>  
>>> 
>>> The only way ISA handles RPC traffic is via Exchange RPC or RPC (All
>>> interfaces) rules.
>>> 
>>>  
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Friday, August 11, 2006 5:13 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>>  
>>> 
>>> Hi,
>>> 
>>> Bit of a shot in the dark, as this is a strange issue, but hoping
>>> someone can confirm what I am seeing.
>>> 
>>> Basically, I have a pretty secure Exchange environment whereby both
>>> Exchange FE's and BE's are on ISA protected perimeter networks with
>>> the external network connected to the 'traditional LAN' e.g., ISA is
>>> acting as a multinetwork internal firewall to specifically protect
>>> Exchange from the internal network (all routed relationships). In this
>>> scenario, ISA is controlling all communications to and from Exchange
>>> and all email client access is published using web publishing or
>>> secure RPC publishing.
>>> 
>>> Up until now everything has been working pretty well (apart from the
>>> other RPC filter issues in my other posts!) but we have come across a
>>> specific issue when using RPC/HTTP as follows:
>>> 
>>> The problem seems to lie with the fact that the back-end Exchange
>>> server is talking to the GCs and ISA is seeing these connections as
>>> newly initiated connections (e.g. non RPC) as opposed to detecting
>>> them as dynamic ports which have been defined as part of the RPC
>>> handshake process. Therefore, ISA is dropping these connections and
>>> prevents the back-end server from communicating with the GCs,
>>> specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other
>>> communications which relate to RPC and ISA's ability to detect dynamic
>>> RPC ports are being done successfully (e.g.
>>> MAPI communications from Outlook to Exchange). It looks to me as if
>>> the back-end Exchange server is initiating its own connections which
>>> ISA sees as communications independent of RPC. The issue only appears
>>> to arise when the back-end servers proxy the client AD communication
>>> (e.g. when using the NSPI proxy), as is the case with RPC/HTTP,
>>> because Outlook clients have no access to the GCs from the Internet.
>>> For standard MAPI clients, they are simply given a referral to the
>>> actual GCs which they communicate with directly, independent of
>>> Exchange (e.g. not using NSPI proxy).
>>> 
>>> Does this sound familiar? Is Exchange doing something weird here or
>>> is ISA missing the RPC dynamic port negotiations?
>>> 
>>> Looking at the ISA logs, I see ports 1025, 1027, 1030 etc.
>>> being used by the NSPI proxy which I am pretty sure are going to be
>>> the kind of ports dynamic RPC would use. If I add the ephemeral ports
>>> (1024-65535) to the existing BE=>GC rule everything works just fine. If
>>> I limit ports to standard intradomain protocols including RPC then
>>> everything works apart from RPC/HTTP and I start seeing ports 1025,
>>> 1027 etc. being denied by ISA as unidentified traffic.
>>> 
>>> Answers on a postcard! ;-)
>>> 
>>> Cheers
>>> 
>>> JJ
>>> 
>>> All mail to and from this domain is GFI-scanned.
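The symptom Jason describes above, as an added toy model (not code from this thread, from ISA Server or from Exchange): a stateful filter that admits a connection to a high port only when it previously saw the endpoint mapper on TCP/135 hand that port out to the same client/server pair, and otherwise reports it as unidentified traffic; beside it, the blanket "add 1024-65535 to the rule" workaround, which admits everything and so loses that check. The addresses, the event sequence and all class and function names are constructed for the illustration; the code models the behaviour reported in the thread, not ISA's actual RPC filter internals.

```python
"""Toy model of an endpoint-mapper-aware RPC filter (constructed illustration).

Not ISA Server code. A stateful filter admits a connection to a high port only
if it previously saw the endpoint mapper (TCP/135) hand that port out to the
same client/server pair. A connection to a high port that was never negotiated
through the mapper is reported as "unidentified traffic", the denial the
thread describes for the NSPI proxy's own connections to the GCs.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

EPM_PORT = 135                        # RPC endpoint mapper
EPHEMERAL_RANGE = range(1024, 65536)  # the "1024-65535" range from the thread


@dataclass
class Event:
    """One observed flow event.

    kind == "connect": a new TCP connection from src to dst:port.
    kind == "epm_map": the endpoint mapper on dst told src that the requested
    RPC interface listens on dst:port (learned from the TCP/135 exchange).
    """
    src: str
    dst: str
    port: int
    kind: str = "connect"


@dataclass
class Verdict:
    event: Event
    action: str  # "allow" or "deny"
    reason: str


@dataclass
class RpcAwareFilter:
    """Stateful filter that remembers (src, dst, port) tuples learned from EPM."""
    negotiated: Set[Tuple[str, str, int]] = field(default_factory=set)

    def evaluate(self, ev: Event) -> Verdict:
        if ev.kind == "epm_map":
            # Learned from the TCP/135 exchange: this port is now expected.
            self.negotiated.add((ev.src, ev.dst, ev.port))
            return Verdict(ev, "allow", "endpoint mapper reply recorded")
        if ev.port == EPM_PORT:
            return Verdict(ev, "allow", "RPC endpoint mapper")
        if (ev.src, ev.dst, ev.port) in self.negotiated:
            return Verdict(ev, "allow", "RPC dynamic port (negotiated)")
        if ev.port in EPHEMERAL_RANGE:
            return Verdict(ev, "deny", "unidentified traffic on high port")
        return Verdict(ev, "deny", "no matching rule")


class AllowAllHighPortsFilter:
    """The blanket workaround from the thread: add 1024-65535 to the rule."""

    def evaluate(self, ev: Event) -> Verdict:
        if ev.kind == "epm_map" or ev.port == EPM_PORT or ev.port in EPHEMERAL_RANGE:
            return Verdict(ev, "allow", "port allowed by rule")
        return Verdict(ev, "deny", "no matching rule")


# Constructed addresses: Exchange back-end server and a GC/DC.
BE, GC = "10.0.2.10", "10.0.1.5"

# Constructed event sequence: one lookup negotiated through the endpoint mapper
# (the case that works), then three NSPI-proxy connections to high ports for
# which the filter never saw an endpoint mapper reply.
SAMPLE_EVENTS: List[Event] = [
    Event(BE, GC, EPM_PORT),              # BE queries the mapper on the GC
    Event(BE, GC, 1026, kind="epm_map"),  # mapper: interface listens on 1026
    Event(BE, GC, 1026),                  # follow-on connection, negotiated
    Event(BE, GC, 1025),                  # NSPI proxy, no EPM reply seen
    Event(BE, GC, 1027),
    Event(BE, GC, 1030),
]


def run(flt, events: List[Event] = SAMPLE_EVENTS) -> List[Verdict]:
    """Evaluate every event in order against one filter instance."""
    return [flt.evaluate(ev) for ev in events]


def denied_ports(verdicts: List[Verdict]) -> List[int]:
    """Destination ports the filter denied, in order of appearance."""
    return [v.event.port for v in verdicts if v.action == "deny"]


if __name__ == "__main__":
    for name, flt in (("RPC (All interfaces)", RpcAwareFilter()),
                      ("RPC + 1024-65535", AllowAllHighPortsFilter())):
        print(f"== {name} ==")
        for v in run(flt):
            print(f"{v.action:5} {v.event.src} -> {v.event.dst}:{v.event.port:<5} {v.reason}")
```

Run stand-alone, the first filter denies 1025, 1027 and 1030 as unidentified while admitting 135 and the negotiated 1026; the second admits all six. That is the trade-off behind the workaround in the thread: opening the whole ephemeral range restores the NSPI proxy, but the rule no longer distinguishes a negotiated RPC endpoint from any other connection to a high port, so the denials worth investigating disappear from the log along with the false ones.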


