[isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 19:06:46 -0700

Unfortunately, they're getting closer and closer.  Look at what Kermit did
with the wiretap act.  Moron.  Deducing legal precedent from the absolute
*absence* of specific language in the law.  Let's hope he doesn't get too
much further.  We can thank Clinton for him...

t


On 8/15/06 6:52 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh
to all:

> I like how all of the borked references are either to computers or a would-be
> supreme court justice. Don't really see how the two can be related.
> 
> Amy 
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: Tuesday, August 15, 2006 9:53 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> Aha, OK, borking is quite different from horking:
> 
> http://www.urbandictionary.com/define.php?term=borked
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Tuesday, August 15, 2006 8:41 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>> 
>> There is - this was a clear case of borking.
>> That's a much more complex (and effective) form of f#$%$ing
>> up your system.
>> 
>> -------------------------------------------------------
>>    Jim Harrison
>>    MCP(NT4, W2K), A+, Network+, PCG
>>    http://isaserver.org/Jim_Harrison/
>>    http://isatools.org
>>    Read the help / books / articles!
>> -------------------------------------------------------
>>  
>> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Tuesday, August 15, 2006 18:45
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>> 
>> I figured there was an "anti-hork" feature in the ISA CSS
>> replication engine ;)
>> 
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> 
>>  
>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Tuesday, August 15, 2006 8:34 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Replication is a wonderful thing...
>>> 
>>> 
>>> -------------------------------------------------------
>>>    Jim Harrison
>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>    http://isaserver.org/Jim_Harrison/
>>>    http://isatools.org
>>>    Read the help / books / articles!
>>> -------------------------------------------------------
>>>  
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Tuesday, August 15, 2006 18:10
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>> 
>>> Hey, wait a minute. There should be multiple CSSs, so did the storage
>>> get horked on all of them?
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>> Sent: Tuesday, August 15, 2006 7:25 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>> 
>>>> Yep - somehow he managed to completely bork his storage.
>>>> We're almost to the point of a complete rebuild <sigh>.
>>>> I'm actually doing a registry compare to see if I can sort out what he
>>>> broke.
>>>> 
>>>> -------------------------------------------------------
>>>>    Jim Harrison
>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>    http://isaserver.org/Jim_Harrison/
>>>>    http://isatools.org
>>>>    Read the help / books / articles!
>>>> -------------------------------------------------------
>>>>  
>>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Tuesday, August 15, 2006 17:20
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>> 
>>>> Is it a real problem, and dealing with jughead the enterprise admin?
>>>> 
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7
>>>> MVP -- ISA Firewalls
>>>> 
>>>>  
>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: Tuesday, August 15, 2006 6:58 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> Not yet - been critsitting between postings.
>>>>> ..or the other way 'round...
>>>>> 
>>>>> -------------------------------------------------------
>>>>>    Jim Harrison
>>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>>    http://isaserver.org/Jim_Harrison/
>>>>>    http://isatools.org
>>>>>    Read the help / books / articles!
>>>>> -------------------------------------------------------
>>>>>  
>>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Tuesday, August 15, 2006 14:44
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> Jim,
>>>>> 
>>>>> Any luck with this?
>>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 14 August 2006 00:52
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> Absotively.
>>>>> Send it on.
>>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Sunday, August 13, 2006 3:08 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> Yeah I know, have the same issues when looking at closed betas with
>>>>> cool features which could really help out some of my customers. Shame
>>>>> the NDA doesn't extend to MS partners though...
>>>>> 
>>>>> PSS dude said that all KB articles related to RPC problems were
>>>>> based upon using a large number of clients. He also said that as this
>>>>> issue was happening before the DR problems I couldn't include it
>>>>> within the DR call and I would have to log another call...great! :-(
>>>>> 
>>>>> If I give you the SRQ number, is there any chance you could point him
>>>>> in the right direction? Pretty please :-)
>>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 13 August 2006 22:47
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> I wish I could say more, but I'm bound by NDA...
>>>>> The KB is on its way out the door and your PSS dewd need only do a bit
>>>>> of research.
>>>>> 
>>>>> -------------------------------------------------------
>>>>>    Jim Harrison
>>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>>    http://isaserver.org/Jim_Harrison/
>>>>>    http://isatools.org
>>>>>    Read the help / books / articles!
>>>>> -------------------------------------------------------
>>>>>  
>>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Sunday, August 13, 2006 14:41
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> Whilst logging a call with PSS to get some feedback on the DR issues
>>>>> I've had with ISA, I mentioned this "new KB article" and the chap I
>>>>> was dealing with was pretty clueless about it (amongst other things!).
>>>>>  
>>>>> You are really starting to become a tease with this article, as it
>>>>> may solve two problems now! :-P
>>>>> 
>>>>> ________________________________
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 13 August 2006 19:15
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> 
>>>>> 
>>>>> Not insinuating anything of the sort...
>>>>> 
>>>>> Keep your eyes open for that KB that deals in Outlook MAPI
>>>>> connections; I bet it'll help you out here, too.
>>>>> 
>>>>>  
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Sunday, August 13, 2006 2:22 AM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>>  
>>>>> 
>>>>> All relationships are route = I know intradomain is only supported
>>>>> this way - I'm not a complete newb at this ;-)
>>>>> 
>>>>>  
>>>>> 
>>>>> Complicated setup I know, but pretty much 99% working apart from this
>>>>> issue and the RPC filter failings (other post)
>>>>> 
>>>>>  
>>>>> 
>>>>> Tried with and without strict RPC - no dice, same issues...
>>>>> 
>>>>>  
>>>>> 
>>>>> Internet FW is hardware appliance (dumb packet filter)
>>>>> 
>>>>>  
>>>>> 
>>>>>  
>>>>> 
>>>>> ________________________________
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 13 August 2006 01:43
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> Ah, yes.
>>>>> 
>>>>> While this is a desirable design, it's also a very difficult one.
>>>>> 
>>>>> What are the network relationships between the networks?
>>>>> 
>>>>> For instance:
>>>>> 
>>>>> ExchFE <-> Exch BE == Route
>>>>> 
>>>>> ...?
>>>>> 
>>>>> Have you disabled Strict RPC on the relevant rules?
>>>>> 
>>>>>  
>>>>> 
>>>>> NAT ain't happenin' FWIW...
>>>>> 
>>>>> What's the "Internet FW"?
>>>>> 
>>>>>  
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Saturday, August 12, 2006 3:18 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>>  
>>>>> 
>>>>> 
>>>>> 
>>>>>  
>>>>> 
>>>>> ________________________________
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 12 August 2006 22:41
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> Maybe a napkin drawing, then?
>>>>> 
>>>>> I don't understand how your BE needs specific rules unless its
>>>>> separated from the DC by ISA?
>>>>> 
>>>>>  
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Saturday, August 12, 2006 2:19 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>>  
>>>>> 
>>>>> No, not confused, and realise the difference between RPC/HTTP and
>>>>> MAPI. I guess I am obviously not explaining myself very well with a
>>>>> complex environment and the problem very specific.
>>>>> 
>>>>>  
>>>>> 
>>>>>>> As such, any NSPI connections are strictly the problem of the BE server.
>>>>> 
>>>>>  
>>>>> 
>>>>> Not in this scenario, as the BE is in an ISA protected network
>>>>> separated from the DCs and FEs. The rule that allows access from
>>>>> BE=>DCs is using RPC (All interfaces) and yet ISA is blocking traffic
>>>>> from the NSPI proxy when using RPC/HTTP.
>>>>> All other RPC traffic from BE=>DCs is working as expected and ISA is
>>>>> detecting the RPC dynamic ports correctly.
>>>>> 
>>>>>  
>>>>> 
>>>>> If I allow All outbound protocols from BE=>DCs the NSPI proxy works
>>>>> and I see ports 1025, 1026, etc. being used. It seems as if ISA is
>>>>> missing the initial RPC negotiations between the NSPI proxy and DCs
>>>>> and hence blocks all dynamic ports after 135 is contacted.
>>>>> 
>>>>>  
>>>>> 
>>>>> Maybe I need to provide some diagrams and/or better descriptions...
>>>>> 
>>>>>  
>>>>> 
>>>>> JJ
>>>>> 
>>>>>  
>>>>> 
>>>>> ________________________________
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>> Sent: 12 August 2006 16:55
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>> I think you're confused; RPC/HTTP doesn't use MAPI; it's "just" HTTP
>>>>> traffic.
>>>>> 
>>>>> As such, any NSPI connections are strictly the problem of the BE
>>>>> server.
>>>>> 
>>>>>  
>>>>> 
>>>>> The only way ISA handles RPC traffic is via Exchange RPC or RPC (All
>>>>> interfaces) rules.
>>>>> 
>>>>>  
>>>>> 
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>>>> Sent: Friday, August 11, 2006 5:13 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Exchange NSPI Proxy RPC Communications and ISA
>>>>> 
>>>>>  
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> Bit of a shot in the dark, as this is a strange issue, but hoping
>>>>> someone can confirm what I am seeing.
>>>>> 
>>>>> Basically, I have a pretty secure Exchange environment whereby both
>>>>> Exchange FEs and BEs are on ISA protected perimeter networks with
>>>>> the external network connected to the 'traditional LAN', e.g., ISA is
>>>>> acting as a multinetwork internal firewall to specifically protect
>>>>> Exchange from the internal network (all routed relationships). In this
>>>>> scenario, ISA is controlling all communications to and from Exchange
>>>>> and all email client access is published using web publishing or
>>>>> secure RPC publishing.
>>>>> 
>>>>> Up until now everything has been working pretty well (apart from the
>>>>> other RPC filter issues in my other posts!) but we have come across a
>>>>> specific issue when using RPC/HTTP as follows:
>>>>> 
>>>>> The problem seems to lie with the fact that the back-end Exchange
>>>>> server is talking to the GCs and ISA is seeing these connections as
>>>>> newly initiated connections (e.g. non-RPC) as opposed to detecting
>>>>> them as dynamic ports which have been defined as part of the RPC
>>>>> handshake process. Therefore, ISA is dropping these connections and
>>>>> prevents the back-end server from communicating with the GCs,
>>>>> specifically for RPC/HTTP (e.g. when using the NSPI proxy). All other
>>>>> communications which relate to RPC and ISA's ability to detect dynamic
>>>>> RPC ports are being done successfully (e.g. MAPI communications from
>>>>> Outlook to Exchange). It looks to me as if the back-end Exchange server
>>>>> is initiating its own connections which ISA sees as communications
>>>>> independent of RPC. The issue only appears to arise when the back-end
>>>>> servers proxy the client AD communication (e.g. when using the NSPI
>>>>> proxy), as is the case with RPC/HTTP, because Outlook clients have no
>>>>> access to the GCs from the Internet. For standard MAPI clients, they
>>>>> are simply given a referral to the actual GCs which they communicate
>>>>> with directly, independent of Exchange (e.g. not using NSPI proxy).
>>>>> 
>>>>> Does this sound familiar? Is Exchange doing something weird here or
>>>>> is ISA missing the RPC dynamic port negotiations?
>>>>> 
>>>>> Looking at the ISA logs, I see ports 1025, 1027, 1030 etc. being used
>>>>> by the NSPI proxy which I am pretty sure are going to be the kind of
>>>>> ports dynamic RPC would use. If I add the ephemeral ports (1024-65535)
>>>>> to the existing BE=>GC rule everything works just fine. If I limit
>>>>> ports to standard intradomain protocols including RPC then everything
>>>>> works apart from RPC/HTTP and I start seeing ports 1025, 1027 etc.
>>>>> being denied by ISA as unidentified traffic.
>>>>> 
>>>>> Answers on a postcard! ;-)
>>>>> 
>>>>> Cheers
>>>>> 
>>>>> JJ
>>>>> 
>>>>> All mail to and from this domain is GFI-scanned.

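The symptom Jason describes in the original post (a connection to TCP/135 from the back-end server to a GC goes through, then connections to 1025, 1027, 1030 and so on from the same pair are denied as unidentified traffic) is easy to spot by hand in one log window and hard to spot across a day of logs. The script below is an added example, not code from the thread or from ISA Server: it correlates denied high-port connections with a recent endpoint-mapper connection from the same client to the same server, which is the pattern a firewall that lost track of the RPC port negotiation produces. The log lines are constructed and the field layout (date, time, client IP, destination IP, destination port, protocol, action, rule name) is an assumption loosely modelled on ISA's W3C firewall log, not ISA's exact format; the 60-second correlation window is also an assumption.

```python
"""Flag denied high-port connections that follow a TCP/135 (endpoint mapper)
connection from the same client to the same server: the signature of an RPC
dynamic port the firewall's RPC filter did not learn. Added example, not ISA code."""
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

EPM_PORT = 135                   # RPC endpoint mapper; the negotiation the filter should track
EPHEMERAL_FLOOR = 1024           # dynamic RPC endpoints are allocated above this
WINDOW = timedelta(seconds=60)   # assumption: EPM lookup and follow-up connect are seconds apart

# Constructed sample, NOT real ISA output. Assumed fields:
# date time client server dport proto action rule
SAMPLE_LOG = """\
2006-08-11 17:01:02 10.10.20.5 10.10.10.3 135 TCP Initiated "BE to DCs"
2006-08-11 17:01:02 10.10.20.5 10.10.10.3 1025 TCP Denied -
2006-08-11 17:01:03 10.10.20.5 10.10.10.3 1027 TCP Denied -
2006-08-11 17:01:05 10.10.20.5 10.10.10.3 389 TCP Initiated "BE to DCs"
2006-08-11 17:02:10 10.10.20.5 10.10.10.3 1030 TCP Denied -
2006-08-11 17:05:00 192.168.1.50 10.10.10.3 1025 TCP Denied -
"""


@dataclass
class Conn:
    when: datetime
    client: str
    server: str
    dport: int
    proto: str
    action: str
    rule: str


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format above, one connection per line.
    shlex handles the quoted rule name that contains spaces."""
    conns: List[Conn] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time_, client, server, dport, proto, action, rule = shlex.split(line)
        when = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        conns.append(Conn(when, client, server, int(dport), proto, action, rule))
    return conns


def find_untracked_rpc(conns: List[Conn],
                       window: timedelta = WINDOW) -> Tuple[List[Conn], List[Conn]]:
    """Split denied connections into (suspect, other).

    A deny is 'suspect' when it is TCP to a port >= 1024 and the same
    client->server pair had an allowed connection to TCP/135 within `window`
    beforehand. Everything else denied is returned in `other` so it can be
    reviewed separately rather than silently dropped."""
    last_epm: Dict[Tuple[str, str], datetime] = {}
    suspect: List[Conn] = []
    other: List[Conn] = []
    for c in sorted(conns, key=lambda x: x.when):   # stable sort keeps log order for ties
        pair = (c.client, c.server)
        if c.proto == "TCP" and c.dport == EPM_PORT and c.action != "Denied":
            last_epm[pair] = c.when                   # remember the negotiation
            continue
        if c.action != "Denied":
            continue
        seen = last_epm.get(pair)
        recent = seen is not None and c.when - seen <= window
        if c.proto == "TCP" and c.dport >= EPHEMERAL_FLOOR and recent:
            suspect.append(c)
        else:
            other.append(c)
    return suspect, other


def summarize(suspect: List[Conn]) -> Dict[Tuple[str, str], List[int]]:
    """Denied dynamic ports per (client, server) pair, the list you would
    compare against the endpoint mapper's registrations on that server."""
    out: Dict[Tuple[str, str], set] = {}
    for c in suspect:
        out.setdefault((c.client, c.server), set()).add(c.dport)
    return {pair: sorted(ports) for pair, ports in out.items()}


if __name__ == "__main__":
    found, rest = find_untracked_rpc(parse_log(SAMPLE_LOG))
    for pair, ports in summarize(found).items():
        print(f"{pair[0]} -> {pair[1]}: denied dynamic RPC ports {ports} after TCP/135")
    for c in rest:
        print(f"unrelated deny: {c.client} -> {c.server}:{c.dport} at {c.when:%H:%M:%S}")
```

In the sample, 1025 and 1027 are flagged because they trail the 135 connection by a second; 1030 arrives 68 seconds later and falls outside the window, and the deny from 192.168.1.50 has no endpoint-mapper connection at all, so both land in the "other" list for manual review. Flagged pairs point at the access rule that carried the TCP/135 connection, which is where the RPC filter setting should be checked. The workaround mentioned in the thread, adding 1024-65535 to the BE=>GC rule, makes the errors go away but also removes the per-interface control the RPC filter exists to provide.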


Other related posts: