[isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 19:04:18 -0700

??
I don't see how they *can't* be related...
:-p 


..gotta re-engage with these guys...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Tuesday, August 15, 2006 18:53
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

I like how all of the borked references are either to computers or a would-be 
Supreme Court justice. Don't really see how the two can be related.

Amy 
 
   
 
 
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Tuesday, August 15, 2006 9:53 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

Aha, OK, borking is quite different from horking:

http://www.urbandictionary.com/define.php?term=borked

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, August 15, 2006 8:41 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> There is - this was a clear case of borking.
> That's a much more complex (and effective) form of f#$%$ing up your 
> system.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, August 15, 2006 18:45
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> I figured there was an "anti-hork" feature in the ISA CSS replication 
> engine ;)
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, August 15, 2006 8:34 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Replication is a wonderful thing... 
> > 
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, August 15, 2006 18:10
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > 
> > Hey, wait a minute. There should be multiple CSSs, so did the storage
> > get horked on all of them?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Tuesday, August 15, 2006 7:25 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Yep - somehow he managed to completely bork his storage. 
> > > We're almost to the point of a complete rebuild <sigh>.
> > > I'm actually doing a registry compare to see if I can sort out what he
> > > broke.
> > > 
> > > -------------------------------------------------------
> > >    Jim Harrison
> > >    MCP(NT4, W2K), A+, Network+, PCG
> > >    http://isaserver.org/Jim_Harrison/
> > >    http://isatools.org
> > >    Read the help / books / articles!
> > > -------------------------------------------------------
> > >  
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Tuesday, August 15, 2006 17:20
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > 
> > > Is it a real problem, and dealing with jughead the enterprise admin?
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > 
> > >  
> > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Tuesday, August 15, 2006 6:58 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > Not yet - been critsitting between postings. 
> > > > ..or the other way 'round...
> > > > 
> > > > -------------------------------------------------------
> > > >    Jim Harrison
> > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > >    http://isaserver.org/Jim_Harrison/
> > > >    http://isatools.org
> > > >    Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >  
> > > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Tuesday, August 15, 2006 14:44
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > Jim,
> > > > 
> > > > Any luck with this? 
> > > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 14 August 2006 00:52
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > Absotively.
> > > > Send it on.
> > > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Sunday, August 13, 2006 3:08 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > Yeah I know, have the same issues when looking at closed betas with
> > > > cool features which could really help out some of my customers. Shame
> > > > the NDA doesn't extend to MS partners though...
> > > > 
> > > > PSS dude said that all KB articles related to RPC problems were
> > > > based upon using a large number of clients. He also said that as this
> > > > issue was happening before the DR problems I couldn't include it
> > > > within the DR call and I would have to log another call...great! :-(
> > > > 
> > > > If I give you the SRQ number, is there any chance you could point him
> > > > in the right direction? Pretty please :-)
> > > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 13 August 2006 22:47
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > I wish I could say more, but I'm bound by NDA... 
> > > > The KB is on its way out the door and your PSS dewd need only do a bit
> > > > of research.
> > > > 
> > > > -------------------------------------------------------
> > > >    Jim Harrison
> > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > >    http://isaserver.org/Jim_Harrison/
> > > >    http://isatools.org
> > > >    Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >  
> > > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Sunday, August 13, 2006 14:41
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > Whilst logging a PSS call to get some feedback on the DR issues I've
> > > > had with ISA, I mentioned this "new KB article"
> > > > and the chap I was dealing with was pretty clueless about it (amongst
> > > > other things!).
> > > >  
> > > > You are really starting to become a tease with this article, as it
> > > > may solve two problems now! :-P
> > > > 
> > > > ________________________________
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 13 August 2006 19:15
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > 
> > > > 
> > > > Not insinuating anything of the sort...
> > > > 
> > > > Keep your eyes open for that KB that deals in Outlook MAPI 
> > > > connections; I bet it'll help you out here, too.
> > > > 
> > > >  
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Sunday, August 13, 2006 2:22 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > >  
> > > > 
> > > > All relationships are route = I know intradomain is only supported
> > > > this way - I'm not a complete newb at this ;-)
> > > > 
> > > >  
> > > > 
> > > > Complicated setup I know, but pretty much 99% working apart from this
> > > > issue and the RPC filter failings (other post)
> > > > 
> > > >  
> > > > 
> > > > Tried with and without strict RPC - no dice, same issues...
> > > > 
> > > >  
> > > > 
> > > > Internet FW is hardware appliance (dumb packet filter)
> > > > 
> > > >  
> > > > 
> > > >  
> > > > 
> > > > ________________________________
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 13 August 2006 01:43
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > Ah, yes.
> > > > 
> > > > While this is a desirable design, it's also a very difficult one.
> > > > 
> > > > What are the network relationships between the networks?
> > > > 
> > > > For instance:
> > > > 
> > > > ExchFE <--> Exch BE == Route
> > > > 
> > > > ...?
> > > > 
> > > > Have you disabled Strict RPC on the relevant rules?
> > > > 
> > > >  
> > > > 
> > > > NAT ain't happenin' FWIW...
> > > > 
> > > > What's the "Internet FW"?
> > > > 
> > > >  
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Saturday, August 12, 2006 3:18 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > >  
> > > > 
> > > > 
> > > > 
> > > >  
> > > > 
> > > > ________________________________
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 12 August 2006 22:41
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > Maybe a napkin drawing, then?
> > > > 
> > > > I don't understand how your BE needs specific rules unless it's
> > > > separated from the DC by ISA?
> > > > 
> > > >  
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Saturday, August 12, 2006 2:19 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > >  
> > > > 
> > > > No, not confused, and realise the difference between RPC/HTTP and
> > > > MAPI. I guess I am obviously not explaining myself very well with a
> > > > complex environment and the problem very specific.
> > > > 
> > > >  
> > > > 
> > > > >>As such, any NSPI connections are strictly the problem of the BE server.
> > > > 
> > > >  
> > > > 
> > > > Not in this scenario, as the BE is in an ISA protected network
> > > > separated from the DCs and FEs. The rule that allows access from
> > > > BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic
> > > > from the NSPI proxy when using RPC/HTTP.
> > > > All other RPC traffic from BE=>DCs is working as expected and ISA is
> > > > detecting the RPC dynamic ports correctly.
> > > > 
> > > >  
> > > > 
> > > > If I allow All outbound protocols from BE=>DCs the NSPI proxy works
> > > > and I see ports 1025, 1026 etc. being used. It seems as if ISA is
> > > > missing the initial RPC negotiations between the NSPI proxy and DCs and
> > > > hence blocks all dynamic ports after 135 is contacted.
> > > > 
> > > >  
> > > > 
> > > > Maybe I need to provide some diagrams and/or better descriptions...
> > > > 
> > > >  
> > > > 
> > > > JJ
> > > > 
> > > >  
> > > > 
> > > > ________________________________
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 12 August 2006 16:55
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > > I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP
> > > > traffic.
> > > > 
> > > > As such, any NSPI connections are strictly the problem of the BE
> > > > server.
> > > > 
> > > >  
> > > > 
> > > > The only way ISA handles RPC traffic is via Exchange RPC or RPC (All
> > > > interfaces) rules.
> > > > 
> > > >  
> > > > 
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Friday, August 11, 2006 5:13 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
> > > > 
> > > >  
> > > > 
> > > > Hi,
> > > > 
> > > > Bit of a shot in the dark, as this is a strange issue, but hoping
> > > > someone can confirm what I am seeing.
> > > > 
> > > > Basically, I have a pretty secure Exchange environment whereby both
> > > > Exchange FEs and BEs are on ISA protected perimeter networks with
> > > > the external network connected to the 'traditional LAN', e.g., ISA is
> > > > acting as a multinetwork internal firewall to specifically protect
> > > > Exchange from the internal network (all routed relationships). In this
> > > > scenario, ISA is controlling all communications to and from Exchange
> > > > and all email client access is published using web publishing or
> > > > secure RPC publishing.
> > > > 
> > > > Up until now everything has been working pretty well (apart from the
> > > > other RPC filter issues in my other posts!) but we have come across a
> > > > specific issue when using RPC/HTTP as follows:
> > > > 
> > > > The problem seems to lie with the fact that the back-end Exchange
> > > > server is talking to the GCs and ISA is seeing these connections as
> > > > newly initiated connections (e.g. non-RPC) as opposed to detecting
> > > > them as dynamic ports which have been defined as part of the RPC
> > > > handshake process. Therefore, ISA is dropping these connections and
> > > > prevents the back-end server from communicating with the GCs,
> > > > specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other
> > > > communications which relate to RPC and ISA's ability to detect dynamic
> > > > RPC ports are being done successfully (e.g. MAPI communications from
> > > > Outlook to Exchange). It looks to me as if the back-end Exchange server
> > > > is initiating its own connections which ISA sees as communications
> > > > independent of RPC. The issue only appears to arise when the back-end
> > > > servers proxy the client AD communication (e.g. when using the NSPI
> > > > proxy), as is the case with RPC/HTTP, because Outlook clients have no
> > > > access to the GCs from the Internet. For standard MAPI clients, they
> > > > are simply given a referral to the actual GCs which they communicate
> > > > with directly, independent of Exchange (e.g. not using NSPI proxy).
> > > > 
> > > > Does this sound familiar? Is Exchange doing something weird here or
> > > > is ISA missing the RPC dynamic port negotiations?
> > > > 
> > > > Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used
> > > > by the NSPI proxy which I am pretty sure are going to be the kind of
> > > > ports dynamic RPC would use. If I add the ephemeral ports (1024-65535)
> > > > to the existing BE=>GC rule everything works just fine. If I limit
> > > > ports to standard intradomain protocols including RPC then everything
> > > > works apart from RPC/HTTP and I start seeing ports 1025, 1027 etc.
> > > > being denied by ISA as unidentified traffic.
> > > > 
> > > > Answers on a postcard! ;-)
> > > > 
> > > > Cheers
> > > > 
> > > > JJ
> > > > 
> > > > All mail to and from this domain is GFI-scanned.

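An added example, not part of the thread above or of any ISA Server tooling: a small log-correlation script that finds the symptom Jason describes in the original post, where the back-end server's call to the RPC endpoint mapper (TCP 135) is allowed but the follow-up connection to the dynamic port the mapper handed out is denied as "unidentified" traffic because the firewall's RPC filter did not learn it. The log layout, host addresses and rule names below are constructed and simplified; they do not reproduce ISA Server's real log format, and the 30-second window is an assumed tuning value.

```python
"""
Correlate firewall log records to flag denied ephemeral-port connections that
closely follow an allowed RPC endpoint-mapper (TCP 135) connection between the
same two hosts. Constructed example; the log layout is hypothetical and is not
ISA Server's actual format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPM_PORT = 135                  # RPC endpoint mapper
EPHEMERAL_MIN = 1024            # lowest port a dynamic RPC endpoint would use here
WINDOW = timedelta(seconds=30)  # assumed: how soon after 135 the dynamic port follows

# Constructed sample records: date time src dst proto dst_port action rule
SAMPLE_LOG = """\
2006-08-11 17:00:01 10.1.2.10 10.1.1.5 TCP 135 Allowed BE=>DCs
2006-08-11 17:00:02 10.1.2.10 10.1.1.5 TCP 1025 Denied Unidentified IP Traffic
2006-08-11 17:00:02 10.1.2.10 10.1.1.5 TCP 1027 Denied Unidentified IP Traffic
2006-08-11 17:00:05 10.1.2.10 10.1.1.5 TCP 389 Allowed BE=>DCs
2006-08-11 17:05:40 10.1.2.10 10.1.1.5 TCP 1030 Denied Unidentified IP Traffic
2006-08-11 17:06:00 10.9.9.9 10.1.2.10 TCP 4444 Denied Default rule
"""


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, proto, port, rest = line.split(None, 6)
        action, _, rule = rest.partition(" ")
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "proto": proto,
            "port": int(port), "action": action, "rule": rule,
        })
    return records


def find_untracked_rpc(records, window=WINDOW):
    """Return denied connections to an ephemeral port that occur within
    `window` after an allowed endpoint-mapper (135) connection from the same
    source to the same destination: candidates for 'dynamic RPC port the
    firewall failed to track'. Records outside the window are ignored so a
    stale 135 connection does not turn every later denial into a hit."""
    last_epm = {}   # (src, dst) -> time of the last allowed 135 connection
    suspects = []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["src"], r["dst"])
        if r["proto"] == "TCP" and r["port"] == EPM_PORT and r["action"] == "Allowed":
            last_epm[key] = r["ts"]
        elif (r["action"] == "Denied" and r["port"] >= EPHEMERAL_MIN
              and key in last_epm and r["ts"] - last_epm[key] <= window):
            suspects.append(r)
    return suspects


def summarize(suspects):
    """Group suspect denials by (src, dst) -> sorted list of denied ports."""
    by_pair = defaultdict(set)
    for r in suspects:
        by_pair[(r["src"], r["dst"])].add(r["port"])
    return {pair: sorted(ports) for pair, ports in by_pair.items()}


if __name__ == "__main__":
    hits = find_untracked_rpc(parse_log(SAMPLE_LOG))
    for (src, dst), ports in summarize(hits).items():
        print(f"{src} -> {dst}: ephemeral ports {ports} denied right after an "
              f"allowed TCP/{EPM_PORT} connection; check the RPC filter/rule")
```

On the constructed input the script reports 10.1.2.10 -> 10.1.1.5 with ports 1025 and 1027; the 1030 denial at 17:05:40 is deliberately outside the window and the 10.9.9.9 record has no preceding endpoint-mapper connection, so neither is flagged. Against real firewall logs the field parsing and the "unidentified traffic" rule name would need to be matched to the product's own format, and a hit is a prompt to review the allowing rule and its RPC filter settings, not a verdict on its own.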