
Welcome to ISAserver.org


Allow RPC over VPN

Allow RPC over VPN - 11.Apr.2007 6:33:53 AM   
philcollins99

 

Posts: 60
Joined: 27.Sep.2006
Status: offline
Hi there,

At the moment I have a VPN using L2TP and IPSec, a private key and user authentication. I have not allowed any protocols as yet because there hasn't been a requirement.

There is now a requirement to allow a user to connect his Outlook client so that he can retrieve his mail. I am hopefully correct in stating that in order to do this I need to allow RPC over the VPN connection. I know that I could allow RPC over HTTP but this would require a change to the Exchange server and I would need to go through a lot of bureaucracy to implement this change. I have therefore decided that I want to achieve this solution using RPC over the VPN.

My questions are these...

If I allow RPC over the VPN, are there other applications, interfaces or processes that I will be allowing and thus promoting a risk from?

Are there any articles that I can look at for this?
Any help at all would be very much appreciated.

I have also noticed that there is a facility to create a new RPC Protocol. Is this the answer? I'm not familiar with this and I stumbled upon it by accident. Again, are there any articles I can read in order to achieve my aim? My aim being to allow a single user (probably AD group) the ability to use their Outlook client across an established IPSec VPN.

Thanks in advance.

Phil.
Post #: 1
RE: Allow RPC over VPN - 11.Apr.2007 2:19:03 PM   
philcollins99

 

Posts: 60
Joined: 27.Sep.2006
Status: offline
Hi there,

Is anyone around to help me please?

Thank you.

Phil.

(in reply to philcollins99)
Post #: 2
RE: Allow RPC over VPN - 2.May2007 11:02:44 AM   
philcollins99

 

Posts: 60
Joined: 27.Sep.2006
Status: offline
Hello again,

I'm really struggling with this and I really need some help.

I have made further progress and created a new RPC Protocol. I have also used NETMON 3 to scan the traffic on my PC. From this output I have checked, many times, all the MSRPC entries and added those UUIDs to my new RPC protocol.

I have also attempted to ADD all of the UUIDs from the Exchange server that are automatically available when attempting to configure the new RPC protocol via adding a server.

Both of the above have failed and the log on ISA reports:

DENIED CONNECTION ------- RPC (All interfaces)

When I allow RPC (All Interfaces) the connections are fine but I need to restrict this to just Outlook.

As a reminder: I am attempting to configure Outlook 2003 so that each and every user on the VPN can access their mailbox.

SURELY I AM NOT THE FIRST PERSON TO ATTEMPT THIS?????

Is there an ISA log that will list the UUIDs that it is stopping????

PLEASE COULD SOMEONE OFFER ME SOME HELP?

Phil.


(in reply to philcollins99)
Post #: 3
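
An added example, not part of the original posts and not ISA Server's own logic: one way to list the interface UUIDs that a client requests in captured DCE/RPC bind and alter_context PDUs, and to see which of them are missing from the set entered in a custom RPC protocol definition. It assumes unfragmented connection-oriented PDUs exported from the capture as raw bytes; `IF_A`, `IF_B`, `make_bind` and the sample capture are constructed placeholders, not real Outlook or Exchange values.

```python
import struct
import uuid

BIND, ALTER_CONTEXT = 11, 14  # PDU types that carry a presentation context list
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
# Constructed placeholder UUIDs, not real Exchange or Outlook interfaces.
IF_A = "11111111-2222-3333-4444-555555555555"
IF_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def bind_interfaces(pdu: bytes):
    """Return [(interface_uuid, major, minor)] requested by one bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] not in (BIND, ALTER_CONTEXT):
        return []
    little = bool(pdu[4] & 0x10)  # data representation: 0x10 = little-endian
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    limit = min(frag_len, len(pdu))
    off, found = 28, []           # 16-byte header + 8 bytes + 4-byte list header
    for _ in range(pdu[24]):      # n_context_elem
        if off + 24 > limit:
            break                 # truncated capture: stop at the PDU boundary
        n_transfer = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        version = struct.unpack_from(end + "I", pdu, off + 20)[0]
        found.append((str(iface), version & 0xFFFF, version >> 16))
        off += 24 + 20 * n_transfer  # skip this element's transfer syntaxes
    return found

def not_allowed(pdus, allowed):
    """Interface UUIDs seen in the capture that are absent from the allow-list."""
    seen = {i for p in pdus for (i, _, _) in bind_interfaces(p)}
    return sorted(seen - {a.lower() for a in allowed})

def make_bind(ifaces):
    """Build a little-endian bind PDU (constructed sample, not a real capture)."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(ifaces), 0, 0)
    for ctx_id, (iface, major, minor) in enumerate(ifaces):
        body += struct.pack("<HBB", ctx_id, 1, 0) + uuid.UUID(iface).bytes_le
        body += struct.pack("<HH", major, minor)
        body += NDR.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return header + body

CAPTURE = [make_bind([(IF_A, 1, 0)]), make_bind([(IF_A, 1, 0), (IF_B, 3, 1)])]

if __name__ == "__main__":
    for pdu in CAPTURE:
        print(bind_interfaces(pdu))
    print("missing from allow-list:", not_allowed(CAPTURE, [IF_A]))
```
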
RE: Allow RPC over VPN - 2.May2007 11:04:07 AM   
philcollins99

 

Posts: 60
Joined: 27.Sep.2006
Status: offline
P.S. I have run RPCDump on the Exchange server which gives me over 60 UUIDs. I have not yet added these individually, but if I have to, I will (I would expect that all of these aren't required).

(in reply to philcollins99)
Post #: 4
RE: Allow RPC over VPN - 19.Jun.2007 11:02:01 AM   
philcollins99

 

Posts: 60
Joined: 27.Sep.2006
Status: offline
Hello,

Please could someone help me with this? I am still BANGING my head against the wall and I really cannot get anywhere with this.

I've tried NetMON looking for UUIDs.
I've added a server publishing rule using Outlook RPC.
I've created my own RPC protocol with specific UUIDs.

But to no avail.

There MUST be someone out there that can help me configure my VPN to allow Outlook 2003 and only Outlook 2003 so that my users can open their mailbox directly.

THE ONLY WAY I HAVE SUCCESSFULLY DONE THIS IS TO ALLOW RPC OVER THE VPN. THIS IS NOT SOMETHING WE WANT TO DO AS THIS WILL LEAVE US OPEN TO ALL RPC APPLICATIONS.

Please can someone point me in the direction of how to do this? Please. I am actually begging for help this time.

Please.

Phil.

(in reply to philcollins99)
Post #: 5
RE: Allow RPC over VPN - 10.Jul.2007 9:29:59 AM   
philcollins99

 

Posts: 60
Joined: 27.Sep.2006
Status: offline
Seeing as how I've received an abundance of replies for this post (NOT!), I thought it best to update people on my findings. As you can see above, I've spent quite a bit of time trying to get this to work (Outlook over the VPN by restricting RPC calls using UUID). I eventually resorted to speaking to Microsoft and they have told me it is not possible to restrict RPC calls for Outlook across the VPN in this manner. This is because Outlook needs RPC (All interfaces) available to function.

As I'm sure most people know, Microsoft have recommended the use of RPC over HTTP as the most secure way of achieving this solution. It has also been advised that this can be set up over a VPN. This means there is no need to allow this via the Internet (I think we knew this bit anyway).

I thought I would share this information as this is what it is all about, isn't it? ;)

Phil.

(in reply to philcollins99)
Post #: 6
