[isapros] Re: Exchange NSPI Proxy RPC Communications and ISA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 21:27:38 -0500

One half point.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Tuesday, August 15, 2006 9:15 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Exchange NSPI Proxy RPC Communications and ISA
> 
> I don't think there is enough evidence to support "bork" and 
> "hork" being in
> a homonymistic relationship.  I think they're just 
> misunderstood friends.
> 
> t
> 
> 
> On 8/15/06 7:18 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> 
> spoketh to
> all:
> 
> > There are actually two separate and distinct etymologies here.
> > 
> > The "borked" in reference to Robert Bork's nomination is 
> related to how you
> > can get fsked by calumny and twisting of the facts
> > 
> > The computer "borked" is connected to "borked" being a 
> homonym to horked. The
> > homonymistic relationship to "horked" makes it a natural 
> term of contrast.
> > 
> > Horkage is a more or less natural phenomenon related to all 
> electronic devices
> > (computer related or not) while Borkage is a non-natural 
> phenomenon related to
> > willing acts of borkage by the likes of TSu and certain SBS MVPs ;))
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >> Sent: Tuesday, August 15, 2006 8:53 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Exchange NSPI Proxy RPC 
> Communications and ISA
> >> 
> >> I like how all of the borked references are either to
> >> computers or a would be supreme court justice. Don't really
> >> see how the two can be related.
> >> 
> >> Amy 
> >>  
> >>    
> >>  
> >>  
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >> Sent: Tuesday, August 15, 2006 9:53 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Exchange NSPI Proxy RPC 
> Communications and ISA
> >> 
> >> Aha, OK, borking is quite different from horking:
> >> 
> >> http://www.urbandictionary.com/define.php?term=borked
> >> 
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> 
> >>  
> >> 
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>> Sent: Tuesday, August 15, 2006 8:41 PM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >> Communications and ISA
> >>> 
> >>> There is - this was a clear case of borking.
> >>> That's a much more complex (and effective) form of f#$%$ing
> >>> up your system.
> >>> 
> >>> -------------------------------------------------------
> >>>    Jim Harrison
> >>>    MCP(NT4, W2K), A+, Network+, PCG
> >>>    http://isaserver.org/Jim_Harrison/
> >>>    http://isatools.org
> >>>    Read the help / books / articles!
> >>> -------------------------------------------------------
> >>>  
> >>> 
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas 
> W Shinder
> >>> Sent: Tuesday, August 15, 2006 18:45
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >> Communications and ISA
> >>> 
> >>> I figured there was an "anti-hork" feature in the ISA CSS
> >>> replication engine ;)
> >>> 
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>> 
> >>>  
> >>> 
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>> Sent: Tuesday, August 15, 2006 8:34 PM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>> Communications and ISA
> >>>> 
> >>>> Replication is a wonderful thing...
> >>>> 
> >>>> 
> >>>> -------------------------------------------------------
> >>>>    Jim Harrison
> >>>>    MCP(NT4, W2K), A+, Network+, PCG
> >>>>    http://isaserver.org/Jim_Harrison/
> >>>>    http://isatools.org
> >>>>    Read the help / books / articles!
> >>>> -------------------------------------------------------
> >>>>  
> >>>> 
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas
> >> W Shinder
> >>>> Sent: Tuesday, August 15, 2006 18:10
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>> Communications and ISA
> >>>> 
> >>>> Hey, wait a minute. There should be multiple CSSs, so did
> >>> the storage 
> >>>> get horked on all of them?
> >>>> 
> >>>> Thomas W Shinder, M.D.
> >>>> Site: www.isaserver.org
> >>>> Blog: http://blogs.isaserver.org/shinder/
> >>>> Book: http://tinyurl.com/3xqb7
> >>>> MVP -- ISA Firewalls
> >>>> 
> >>>>  
> >>>> 
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>>>> Sent: Tuesday, August 15, 2006 7:25 PM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>> Communications and ISA
> >>>>> 
> >>>>> Yep - somehow he managed to completely bork his storage.
> >>>>> We're almost to the point of a complete rebuild <sigh>.
> >>>>> I'm actually doing a registry compare to see if I can sort
> >>>> out what he
> >>>>> broke.
> >>>>> 
> >>>>> -------------------------------------------------------
> >>>>>    Jim Harrison
> >>>>>    MCP(NT4, W2K), A+, Network+, PCG
> >>>>>    http://isaserver.org/Jim_Harrison/
> >>>>>    http://isatools.org
> >>>>>    Read the help / books / articles!
> >>>>> -------------------------------------------------------
> >>>>>  
> >>>>> 
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas
> >>> W Shinder
> >>>>> Sent: Tuesday, August 15, 2006 17:20
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>> Communications and ISA
> >>>>> 
> >>>>> Is it a real problem, and dealing with jughead the
> >>> enterprise admin?
> >>>>> 
> >>>>> Thomas W Shinder, M.D.
> >>>>> Site: www.isaserver.org
> >>>>> Blog: http://blogs.isaserver.org/shinder/
> >>>>> Book: http://tinyurl.com/3xqb7
> >>>>> MVP -- ISA Firewalls
> >>>>> 
> >>>>>  
> >>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> >> Jim Harrison
> >>>>>> Sent: Tuesday, August 15, 2006 6:58 PM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> Not yet - been critsitting between postings.
> >>>>>> ..or the other way 'round...
> >>>>>> 
> >>>>>> -------------------------------------------------------
> >>>>>>    Jim Harrison
> >>>>>>    MCP(NT4, W2K), A+, Network+, PCG
> >>>>>>    http://isaserver.org/Jim_Harrison/
> >>>>>>    http://isatools.org
> >>>>>>    Read the help / books / articles!
> >>>>>> -------------------------------------------------------
> >>>>>>  
> >>>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>>> Sent: Tuesday, August 15, 2006 14:44
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> Jim,
> >>>>>> 
> >>>>>> Any luck with this?
> >>>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> >> Jim Harrison
> >>>>>> Sent: 14 August 2006 00:52
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> Absotively.
> >>>>>> Send it on.
> >>>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>>> Sent: Sunday, August 13, 2006 3:08 PM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> Yeah I know, have the same issues when looking at closed
> >>>> betas with
> >>>>>> cool features which could really help out some of my
> >>>>> customers. Shame
> >>>>>> the NDA doesn't extend to MS partners though...
> >>>>>> 
> >>>>>> PSS dude said that all KB articles related to RPC
> >>>> problems were
> >>>>>> based upon using a large number of clients. He also said
> >>>>> that as this
> >>>>>> issue was happening before the DR problems I couldn't
> >>> include it 
> >>>>>> within the DR call and I would have to log another
> >>>> call...great! :-(
> >>>>>> 
> >>>>>> If I give you the SRQ number, is there any chance you could
> >>>>> point him
> >>>>>> in the right direction? Pretty please :-)
> >>>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> >> Jim Harrison
> >>>>>> Sent: 13 August 2006 22:47
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> I wish I could say more, but I'm bound by NDA...
> >>>>>> The KB is on its way out the door and your PSS dewd need
> >>>>> only do a bit
> >>>>>> of research.
> >>>>>> 
> >>>>>> -------------------------------------------------------
> >>>>>>    Jim Harrison
> >>>>>>    MCP(NT4, W2K), A+, Network+, PCG
> >>>>>>    http://isaserver.org/Jim_Harrison/
> >>>>>>    http://isatools.org
> >>>>>>    Read the help / books / articles!
> >>>>>> -------------------------------------------------------
> >>>>>>  
> >>>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>>> Sent: Sunday, August 13, 2006 14:41
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> Whilst PSS logging a call to get some feedback on the DR
> >>>>> issues I've
> >>>>>> had with ISA, I mentioned this "new KB article"
> >>>>>> and the chap I was dealing with was pretty clueless about
> >>>>> it (amongst
> >>>>>> other things!).
> >>>>>>  
> >>>>>> You are really starting to become a tease with this
> >>>> article, as it
> >>>>>> may solve two problems now! :-P
> >>>>>> 
> >>>>>> ________________________________
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> >> Jim Harrison
> >>>>>> Sent: 13 August 2006 19:15
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> 
> >>>>>> 
> >>>>>> Not insinuating anything of the sort...
> >>>>>> 
> >>>>>> Keep your eyes open for that KB that deals in Outlook MAPI
> >>>>>> connections; I bet it'll help you out here, too.
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>>> Sent: Sunday, August 13, 2006 2:22 AM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> All relationships are route = I know intradomain is only
> >>>> supported
> >>>>>> this way - I'm not a complete newb at this ;-)
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> Complicated setup I know, but pretty much 99% working apart
> >>>>> from this
> >>>>>> issue and the RPC filter failings (other post)
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> Tried with and without strict RPC - no dice, same issues...
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> Internet FW is hardware appliance (dumb packet filter)
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> ________________________________
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> >> Jim Harrison
> >>>>>> Sent: 13 August 2006 01:43
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> Ah, yes.
> >>>>>> 
> >>>>>> While this is a desirable design, it's also a very
> >>> difficult one.
> >>>>>> 
> >>>>>> What are the network relationships between the networks?
> >>>>>> 
> >>>>>> For instance:
> >>>>>> 
> >>>>>> ExchFE <--> Exch BE == Route
> >>>>>> 
> >>>>>> ...?
> >>>>>> 
> >>>>>> Have you disabled Strict RPC on the relevant rules?
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> NAT ain't happenin' FWIW...
> >>>>>> 
> >>>>>> What's the "Internet FW"?
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>>> Sent: Saturday, August 12, 2006 3:18 PM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> 
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> ________________________________
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> >> Jim Harrison
> >>>>>> Sent: 12 August 2006 22:41
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> Maybe a napkin drawing, then?
> >>>>>> 
> >>>>>> I don't understand how your BE needs specific rules
> >> unless its 
> >>>>>> separated from the DC by ISA?
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>>> Sent: Saturday, August 12, 2006 2:19 PM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> No, not confused, and realise the difference between
> >>> RPC/HTTP and 
> >>>>>> MAPI. I guess I am obviously not explaining myself very
> >>>> well with a
> >>>>>> complex environment and the problem very specific.
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>>>> As such, any NSPI connections are strictly the problem of
> >>>>>> the BE server.
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> Not in this scenario, as the BE is in an ISA
> >> protected network
> >>>>>> separated from the DCs and FEs. The rule that allows
> >>> access from 
> >>>>>> BE=>DCs is using RPC (All interfaces) and yet ISA is
> >>>>> blocking traffic
> >>>>>> from the NSPI proxy when using RPC/HTTP.
> >>>>>> All other RPC traffic from BE=>DCs is working as expected
> >>>>> and ISA is
> >>>>>> detecting the RPC dynamic ports correctly.
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> If I allow All outbound protocols from BE=>DCs the NSPI
> >>>> proxy works
> >>>>>> and I see ports 1025, 1026 etc being used. It seems as
> >>> if ISA is 
> >>>>>> missing the initial RPC negotiations between the NSPI proxy
> >>>>> and DCs and
> >>>>>> hence blocks all dynamic ports after 135 is contacted.
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> Maybe I need to provide some diagrams and/or better
> >>>> descriptions...
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> JJ
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> ________________________________
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> >> Jim Harrison
> >>>>>> Sent: 12 August 2006 16:55
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: Exchange NSPI Proxy RPC
> >>>>> Communications and ISA
> >>>>>> 
> >>>>>> I think you're confused; RPC/HTTP doesn't use MAPI; it's
> >>>>> "just" HTTP
> >>>>>> traffic.
> >>>>>> 
> >>>>>> As such, any NSPI connections are strictly the problem
> >>> of the BE 
> >>>>>> server.
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> The only way ISA handles RPC traffic is via Exchange RPC or
> >>>>> RPC (All
> >>>>>> interfaces) rules.
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> >>>>>> Sent: Friday, August 11, 2006 5:13 PM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Exchange NSPI Proxy RPC
> >>> Communications and ISA
> >>>>>> 
> >>>>>>  
> >>>>>> 
> >>>>>> Hi,
> >>>>>> 
> >>>>>> Bit of a shot in the dark, as this is a strange issue,
> >>> but hoping 
> >>>>>> someone can confirm what I am seeing.
> >>>>>> 
> >>>>>> Basically, I have a pretty secure Exchange environment
> >>>> whereby both
> >>>>>> Exchange FE's and BE's are on ISA protected perimeter
> >>>> networks with
> >>>>>> the external network connected to the 'traditional LAN'
> >>>>> e.g., ISA is
> >>>>>> acting as a multinetwork internal firewall to
> >>>> specifically protect
> >>>>>> Exchange from the internal network (all routed
> >>>>> relationships). In this
> >>>>>> scenario, ISA is controlling all communications to and from
> >>>>> Exchange
> >>>>>> and all email client access is published using web
> >>> publishing or 
> >>>>>> secure RPC publishing.
> >>>>>> 
> >>>>>> Up until now everything has been working pretty well (apart
> >>>>> from the
> >>>>>> other RPC filter issues in my other posts!) but we have
> >>>>> come across a
> >>>>>> specific issue when using RPC/HTTP as follows:
> >>>>>> 
> >>>>>> The problem seems to lie with the fact that the
> >>> back-end Exchange
> >>>>>> server is talking to the GCs and ISA is seeing these
> >>>> connections as
> >>>>>> newly initiated connections (e.g. non RPC) as opposed to
> >>>> detecting
> >>>>>> them as dynamic ports which have been defined as part
> >>> of the RPC 
> >>>>>> handshake process. Therefore, ISA is dropping these
> >>>> connections and
> >>>>>> prevents the back-end server from communicating with the GCs,
> >>>>>> specifically for RPC/HTTP (e.g. when using the NSPI proxy).
> >>>>> All other
> >>>>>> communications which relate to RPC and ISA's ability to
> >>>>> detect dynamic
> >>>>>> RPC ports is being done successfully (e.g.
> >>>>>> MAPI communications from Outlook to Exchange). It looks
> >>>> to me as if
> >>>>>> the back-end Exchange server is initiating its own
> >>>> connections which
> >>>>>> ISA sees as communications independent of RPC. The issue
> >>>>> only appears
> >>>>>> to arise when the back-end servers proxy the client AD
> >>>>> communication
> >>>>>> (e.g. when using the NSPI proxy), as is the case with
> >> RPC/HTTP, 
> >>>>>> because Outlook clients have no access to the GCs from
> >>>> the Internet.
> >>>>>> For standard MAPI clients, they are simply given a
> >>>> referral to the
> >>>>>> actual GCs which they communicate with directly,
> >> independent of 
> >>>>>> Exchange (e.g. not using NSPI proxy).
> >>>>>> 
> >>>>>> Does this sound familiar? Is Exchange doing something
> >>>>> weird here or
> >>>>>> is ISA missing the RPC dynamic port negotiations?
> >>>>>> 
> >>>>>> Looking at the ISA logs, I see ports 1025, 1027, 1030 etc.
> >>>>>> being used by the NSPI proxy which I am pretty sure are
> >>>> going to be
> >>>>>> the kind of ports dynamic RPC would use. If I add the
> >>>>> ephemeral ports
> >>>>>> (1024-65535) to the existing BE=>GC rule everything works
> >>>>> just fine. If
> >>>>>> I limit ports to standard intradomain protocols including
> >>>> RPC then
> >>>>>> everything works apart from RPC/HTTP and I start seeing
> >>>> ports 1025,
> >>>>>> 1027 etc.
> >>>>>> being denied by ISA as unidentified traffic.
> >>>>>> 
> >>>>>> Answers on a postcard! ;-)
> >>>>>> 
> >>>>>> Cheers
> >>>>>> 
> >>>>>> JJ
> >>>>>> 
> >>>>>> All mail to and from this domain is GFI-scanned.
> 
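
The symptom described in the original post (an allowed contact to TCP 135 followed by denied connections to ports such as 1025 and 1027 between the same two hosts) can be picked out of firewall logs mechanically. The following is an added example, not part of the thread and not ISA's own tooling; the log column layout, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The layout (date time src dst dst_port action)
# is an assumption for this example, not the ISA Server log format.
SAMPLE_LOG = """\
2006-08-11 17:01:00 10.0.2.10 10.0.1.5 135 Allowed
2006-08-11 17:01:01 10.0.2.10 10.0.1.5 1025 Denied
2006-08-11 17:01:02 10.0.2.10 10.0.1.5 1027 Denied
2006-08-11 17:01:03 10.0.2.10 10.0.1.5 389 Allowed
2006-08-11 17:05:00 10.0.3.77 10.0.1.5 4444 Denied
2006-08-11 17:06:00 10.0.2.10 10.0.1.6 135 Allowed
2006-08-11 17:06:01 10.0.2.10 10.0.1.6 1030 Allowed
"""

EPMAP_PORT = 135     # RPC endpoint mapper
DYNAMIC_MIN = 1024   # lower bound of the range quoted in the thread (1024-65535)


def parse(text):
    """Turn log text into time-ordered (when, src, dst, port, action) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        when = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
        records.append((when, fields[2], fields[3], int(fields[4]), fields[5]))
    return sorted(records)


def orphaned_rpc_denials(records, window=timedelta(seconds=30)):
    """Denied high-port connections that closely follow an allowed 135 contact.

    A hit means the source asked the endpoint mapper for a dynamic port and the
    follow-up connection between the same two hosts was then dropped, i.e. the
    firewall did not associate the dynamic port with the RPC exchange.
    """
    last_epmap = {}   # (src, dst) -> time of the most recent allowed 135 contact
    hits = []
    for when, src, dst, port, action in records:
        pair = (src, dst)
        if port == EPMAP_PORT and action == "Allowed":
            last_epmap[pair] = when
        elif port >= DYNAMIC_MIN and action == "Denied":
            seen = last_epmap.get(pair)
            if seen is not None and when - seen <= window:
                hits.append((src, dst, port))
    return hits


def summarise(hits):
    """Group the denied dynamic ports by (source, destination) pair."""
    ports = defaultdict(set)
    for src, dst, port in hits:
        ports[(src, dst)].add(port)
    return {pair: sorted(p) for pair, p in ports.items()}


if __name__ == "__main__":
    found = summarise(orphaned_rpc_denials(parse(SAMPLE_LOG)))
    for (src, dst), ports in found.items():
        print(f"{src} -> {dst}: denied dynamic ports {ports} after contacting 135")
```

Denials with no preceding endpoint-mapper contact (the 4444 record in the sample) are left out, so the output separates the RPC association failure from unrelated blocked traffic.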
