At the moment I have a VPN using L2TP and IPSec, a private key and user authentication. I have not allowed any protocols as yet because there hasn't been a requirement.
There is now a requirement to allow a user to connect his Outlook client so that he can retrieve his mail. I am hopefully correct in stating that in order to do this I need to allow RPC over the VPN connection. I know that I could allow RPC over HTTP but this would require a change to the Exchange server and I would need to go through a lot of bureaucracy to implement this change. I have therefore decided that I want to achieve this solution using RPC over the VPN.
My questions are these...
If I allow RPC over the VPN, are there other applications, interfaces or processes that I will be allowing and thus promoting a risk from?
Are there any articles that I can look at for this? Any help at all would be very much appreciated.
I have also noticed that there is a facility to create a new RPC Protocol. Is this the answer? I'm not familiar with this and I stumbled upon it by accident. Again, are there any articles I can read in order to achieve my aim? My aim is to allow a single user (probably an AD group) the ability to use their Outlook client across an established IPSec VPN.
I'm really struggling with this and I really need some help.
I have made further progress and created a new RPC Protocol. I have also used NETMON 3 to scan the traffic on my PC. From this output I have checked, many times, all the MSRPC entries and added those UUIDs to my new RPC protocol.
I have also attempted to ADD all of the UUIDs from the Exchange server that are automatically available when attempting to configure the new RPC protocol via adding a server.
Both of the above have failed and the log on ISA reports:
DENIED CONNECTION ------- RPC (All interfaces)
When I allow RPC (All Interfaces) the connections are fine but I need to restrict this to just Outlook.
As a reminder: I am attempting to configure Outlook 2003 so that each and every user on the VPN can access their mailbox.
SURELY I AM NOT THE FIRST PERSON TO ATTEMPT THIS?
Is there an ISA log that will list the UUIDs that it is stopping?
Seeing as how I've received an abundance of replies for this post (NOT!), I thought it best to update people on my findings. As you can see above, I've spent quite a bit of time trying to get this to work (Outlook over the VPN by restricting RPC calls using UUID). I eventually resorted to speaking to Microsoft and they have told me it is not possible to restrict RPC calls for Outlook across the VPN in this manner. This is because Outlook needs RPC (All interfaces) available to function.
As I'm sure most people know, Microsoft have recommended the use of RPC over HTTP as the most secure way of achieving this solution. It has also been advised that this can be set up over a VPN. This means there is no need to allow this via the Internet (I think we knew this bit anyway).
I thought I would share this information as this is what it is all about, isn't it? ;)