Cannot configure access to Exchange Server between two routed networks in ISA Server 2004 (838366)

The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

When you configure an access rule between two routed networks in Microsoft Internet Security and Acceleration (ISA) Server 2004 to provide access to Microsoft Exchange Server, users can communicate with the Exchange Server computer successfully. However, you cannot enforce encryption policies or limit client communication based on universally unique identifiers (UUIDs).

CAUSE

This issue occurs because ISA Server 2004 does not currently support the following features in an access rule:
  • The limitation of remote procedure call (RPC) communications based on UUIDs.
  • The enforcement of encryption.

WORKAROUND

To work around this issue, use one of the following methods:

Method 1: Limit the RPC interfaces that clients can use

Configure the RPC interfaces that can be used by clients. For example, you can limit the use of RPC to Exchange Server only. In this scenario, you have the option to allow all RPC traffic or to deny all RPC traffic.

Method 2: Use the Enforce Encryption option

Create a server publishing rule for the Exchange Server computer, right-click that new rule, click Configure Exchange RPC, and then click to select the Enforce Encryption check box.

To create a server publishing rule, follow these steps:
  1. Right-click Firewall Policy, and then click New Server Publishing Rule.
  2. Specify a server publishing rule name.
  3. Specify the internal IP address of the server you are publishing, and then click Next.
  4. In Select Protocol, select the protocol to be used by the new rule, and then click Next.
  5. Select the listener IP address that will listen for the request. Click External, click Next, and then click Finish.

MORE INFORMATION

In certain routing relationships, an access rule and a server publishing rule are interchangeable. In both scenarios, the permitted traffic passes from the client directly to the destination computer. A server publishing rule that you configure between two routed networks does not mean that the client connects to the IP address of the ISA Server computer. It means that the client connects directly to the destination server computer. Because RPC server publishing supports the UUID specification, you must use a server publishing rule to provide access to Exchange Server.

For additional information about network relationships in ISA Server 2004, search on "Multi-networking overview" in ISA Server Help.

Modification Type: Minor
Last Reviewed: 1/15/2005
Keywords:kbprb kbFirewall KB838366 kbAudITPRO