?? I don't see how they *can't* be related... :-p
..gotta re-engage with these guys...

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Tuesday, August 15, 2006 18:53
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

I like how all of the borked references are either to computers or a
would be supreme court justice. Don't really see how the two can be
related.

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, August 15, 2006 9:53 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

Aha, OK, borking is quite different from horking:

http://www.urbandictionary.com/define.php?term=borked

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, August 15, 2006 8:41 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>
> There is - this was a clear case of borking.
> That's a much more complex (and effective) form of f#$%$ing up your
> system.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, August 15, 2006 18:45
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>
> I figured there was an "anti-hork" feature in the ISA CSS replication
> engine ;)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, August 15, 2006 8:34 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >
> > Replication is a wonderful thing...
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, August 15, 2006 18:10
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> >
> > Hey, wait a minute. There should be multiple CSSs, so did the storage
> > get horked on all of them?
> >
> > Thomas W Shinder, M.D.
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Tuesday, August 15, 2006 7:25 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > >
> > > Yep - somehow he managed to completely bork his storage.
> > > We're almost to the point of a complete rebuild <sigh>.
> > > I'm actually doing a registry compare to see if I can sort out what
> > > he broke.
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Tuesday, August 15, 2006 17:20
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > >
> > > Is it a real problem, and dealing with jughead the enterprise admin?
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Tuesday, August 15, 2006 6:58 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Not yet - been critsitting between postings.
> > > > ..or the other way 'round...
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Tuesday, August 15, 2006 14:44
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Jim,
> > > >
> > > > Any luck with this?
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 14 August 2006 00:52
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Absotively.
> > > > Send it on.
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Sunday, August 13, 2006 3:08 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Yeah I know, have the same issues when looking at closed betas with
> > > > cool features which could really help out some of my customers.
> > > > Shame the NDA doesn't extend to MS partners though...
> > > >
> > > > PSS dude said that all KB articles related to RPC problems were
> > > > based upon using a large number of clients. He also said that as
> > > > this issue was happening before the DR problems I couldn't include
> > > > it within the DR call and I would have to log another call...great!
> > > > :-(
> > > >
> > > > If I give you the SRQ number, is there any chance you could point
> > > > him in the right direction? Pretty please :-)
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 13 August 2006 22:47
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > I wish I could say more, but I'm bound by NDA...
> > > > The KB is on its way out the door and your PSS dewd need only do a
> > > > bit of research.
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Sunday, August 13, 2006 14:41
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Whilst PSS logging a call to get some feedback on the DR issues
> > > > I've had with ISA, I mentioned this "new KB article" and the chap I
> > > > was dealing with was pretty clueless about it (amongst other
> > > > things!).
> > > >
> > > > You are really starting to become a tease with this article, as it
> > > > may solve two problems now!
> > > > :-P
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 13 August 2006 19:15
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Not insinuating anything of the sort...
> > > >
> > > > Keep your eyes open for that KB that deals in Outlook MAPI
> > > > connections; I bet it'll help you out here, too.
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Sunday, August 13, 2006 2:22 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > All relationships are route = I know intradomain is only supported
> > > > this way - I'm not a complete newb at this ;-)
> > > >
> > > > Complicated setup I know, but pretty much 99% working apart from
> > > > this issue and the RPC filter failings (other post)
> > > >
> > > > Tried with and without strict RPC - no dice, same issues...
> > > >
> > > > Internet FW is hardware appliance (dumb packet filter)
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 13 August 2006 01:43
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Ah, yes.
> > > >
> > > > While this is a desirable design, it's also a very difficult one.
> > > >
> > > > What are the network relationships between the networks?
> > > >
> > > > For instance:
> > > >
> > > > ExchFE <-> Exch BE == Route
> > > >
> > > > ...?
> > > >
> > > > Have you disabled Strict RPC on the relevant rules?
> > > >
> > > > NAT ain't happenin' FWIW...
> > > >
> > > > What's the "Internet FW"?
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Saturday, August 12, 2006 3:18 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 12 August 2006 22:41
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Maybe a napkin drawing, then?
> > > >
> > > > I don't understand how your BE needs specific rules unless it's
> > > > separated from the DC by ISA?
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Saturday, August 12, 2006 2:19 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > No, not confused, and realise the difference between RPC/HTTP and
> > > > MAPI. I guess I am obviously not explaining myself very well with a
> > > > complex environment and the problem very specific.
> > > >
> > > > >>AS such, any NSPI connections are strictly the problem of the BE
> > > > >>server.
> > > >
> > > > Not in this scenario, as the BE is in an ISA protected network
> > > > separated from the DCs and FEs. The rule that allows access from
> > > > BE=>DCs is using RPC (All interfaces) and yet ISA is blocking
> > > > traffic from the NSPI proxy when using RPC/HTTP.
> > > > All other RPC traffic from BE=>DCs is working as expected and ISA
> > > > is detecting the RPC dynamic ports correctly.
> > > >
> > > > If I allow All outbound protocols from BE=>DCs the NSPI proxy works
> > > > and I see ports 1025, 1026 etc being used. It seems as if ISA is
> > > > missing the initial RPC negotiations between the NSPI proxy and DCs
> > > > and hence blocks all dynamic ports after 135 is contacted.
> > > >
> > > > Maybe I need to provide some diagrams and/or better descriptions...
> > > >
> > > > JJ
> > > >
> > > > ________________________________
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: 12 August 2006 16:55
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > I think you're confused; RPC/HTTP doesn't use MAPI; it's "just"
> > > > HTTP traffic.
> > > >
> > > > AS such, any NSPI connections are strictly the problem of the BE
> > > > server.
> > > >
> > > > The only way ISA handles RPC traffic is via Exchange RPC or RPC
> > > > (All interfaces) rules.
> > > >
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Friday, August 11, 2006 5:13 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
> > > >
> > > > Hi,
> > > >
> > > > Bit of a shot in the dark, as this is a strange issue, but hoping
> > > > someone can confirm what I am seeing.
> > > >
> > > > Basically, I have a pretty secure Exchange environment whereby both
> > > > Exchange FE's and BE's are on ISA protected perimeter networks with
> > > > the external network connected to the 'traditional LAN' e.g., ISA
> > > > is acting as a multinetwork internal firewall to specifically
> > > > protect Exchange from the internal network (all routed
> > > > relationships). In this scenario, ISA is controlling all
> > > > communications to and from Exchange and all email client access is
> > > > published using web publishing or secure RPC publishing.
> > > >
> > > > Up until now everything has been working pretty well (apart from
> > > > the other RPC filter issues in my other posts!) but we have come
> > > > across a specific issue when using RPC/HTTP as follows:
> > > >
> > > > The problem seems to lie with the fact that the back-end Exchange
> > > > server is talking to the GCs and ISA is seeing these connections as
> > > > newly initiated connections (e.g. non RPC) as opposed to detecting
> > > > them as dynamic ports which have been defined as part of the RPC
> > > > handshake process. Therefore, ISA is dropping these connections and
> > > > prevents the back-end server from communicating with the GCs,
> > > > specifically for RPC/HTTP (e.g. when using the NSPI proxy). All
> > > > other communications which relate to RPC and ISA's ability to
> > > > detect dynamic RPC ports is being done successfully (e.g. MAPI
> > > > communications from Outlook to Exchange). It looks to me as if the
> > > > back-end Exchange server is initiating its own connections which
> > > > ISA sees as communications independent of RPC. The issue only
> > > > appears to arise when the back-end servers proxy the client AD
> > > > communication (e.g.
> > > > when using the NSPI proxy), as is the case with RPC/HTTP, because
> > > > Outlook clients have no access to the GCs from the Internet. For
> > > > standard MAPI clients, they are simply given a referral to the
> > > > actual GCs which they communicate with directly, independent of
> > > > Exchange (e.g. not using NSPI proxy).
> > > >
> > > > Does this sound familiar? Is Exchange doing something weird here or
> > > > is ISA missing the RPC dynamic port negotiations?
> > > >
> > > > Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being
> > > > used by the NSPI proxy which I am pretty sure are going to be the
> > > > kind of ports dynamic RPC would use. If I add the ephemeral ports
> > > > (1024-65535) to the existing BE=>GC rule everything works just
> > > > fine. If I limit ports to standard intradomain protocols including
> > > > RPC then everything works apart from RPC/HTTP and I start seeing
> > > > ports 1025, 1027 etc. being denied by ISA as unidentified traffic.
> > > >
> > > > Answers on a postcard! ;-)
> > > >
> > > > Cheers
> > > >
> > > > JJ
> > > >
> > > > All mail to and from this domain is GFI-scanned.
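
The symptom in the original post (an allowed connection to port 135 followed by denied connections to ports such as 1025 and 1027 between the same two hosts) can be pulled out of firewall logs with a short correlation script. This is an added example, not part of the thread; the log layout, addresses and 30-second window are constructed assumptions and do not reflect ISA Server's own log format.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample records (NOT ISA Server's real log format):
# date time source destination dest_port action
SAMPLE_LOG = """\
2006-08-11 17:01:02 10.0.2.10 10.0.1.5 135 ALLOW
2006-08-11 17:01:02 10.0.2.10 10.0.1.5 1025 DENY
2006-08-11 17:01:03 10.0.2.10 10.0.1.5 1027 DENY
2006-08-11 17:01:04 10.0.2.10 10.0.1.5 389 ALLOW
2006-08-11 17:05:30 10.0.2.10 10.0.1.6 1030 DENY
2006-08-11 17:09:00 10.0.3.7 10.0.1.5 4444 DENY
"""

EPM_PORT = 135                  # RPC endpoint mapper
DYNAMIC_MIN = 1024              # lower bound of the range quoted in the post
WINDOW = timedelta(seconds=30)  # assumed correlation window

Record = namedtuple("Record", "ts src dst port action")


def parse(text):
    """Parse the constructed log layout into Record tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, src, dst, port, action = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append(Record(ts, src, dst, int(port), action.upper()))
    return records


def orphaned_dynamic_rpc(records, window=WINDOW):
    """Denied high-port connections that follow an allowed endpoint-mapper
    connection between the same source and destination within `window`."""
    last_epm = {}   # (src, dst) -> time of last allowed port-135 contact
    hits = []
    for rec in sorted(records, key=lambda r: r.ts):
        pair = (rec.src, rec.dst)
        if rec.port == EPM_PORT and rec.action == "ALLOW":
            last_epm[pair] = rec.ts
        elif rec.action == "DENY" and rec.port >= DYNAMIC_MIN:
            seen = last_epm.get(pair)
            if seen is not None and rec.ts - seen <= window:
                hits.append(rec)
    return hits


def summarize(hits):
    """Group flagged ports by (source, destination) pair."""
    grouped = defaultdict(set)
    for rec in hits:
        grouped[(rec.src, rec.dst)].add(rec.port)
    return {pair: sorted(ports) for pair, ports in grouped.items()}


if __name__ == "__main__":
    for pair, ports in summarize(orphaned_dynamic_rpc(parse(SAMPLE_LOG))).items():
        print(pair, ports)
```

Denied high ports with no preceding port-135 contact (the 1030 and 4444 records in the sample) are left out, since nothing in the log ties them to an endpoint-mapper exchange.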