In fact, when secured through ISA, the endpoint mapper releases very little
information about what available services are running, and instead relies on the client
itself to issue requests to specific services. This has the effect of greatly reducing the risk
that RPC services pose because ISA allows only specially formatted requests, often very
benign in nature, as in the case of MAPI.
In addition, at the packet layer, ISA Server 2006's RPC filtering does not require the
dynamic ports to remain open. Instead, ISA dynamically negotiates the port between the
client and server and opens that port only after the negotiation. This eliminates the need
to blindly open multiple ports to get RPC to work properly.
FIGURE 15.1 Examining MAPI UUIDs used in an RPC server publishing rule.
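The filtering behavior described above, modeled in Python as an added example (not ISA Server code and not from the original text): endpoint mapper lookups are answered only for published interface UUIDs, and a dynamic port is opened only after that negotiation, for that client and server only. The UUIDs, port numbers and the RpcFilter name are constructed placeholders; the addresses used with it come from documentation ranges.

```python
"""Model of an RPC-aware filter: UUID allowlist plus negotiated pinholes."""
from dataclasses import dataclass, field

EPMAP_PORT = 135  # well-known RPC endpoint mapper port

# Constructed placeholder UUID; a real rule lists the published service's UUIDs.
ALLOWED_UUIDS = {"00000000-0000-0000-0000-00000000aaaa"}

# Constructed endpoint map on the internal server: interface UUID -> dynamic port.
SERVER_ENDPOINTS = {
    "00000000-0000-0000-0000-00000000aaaa": 49155,  # published service
    "00000000-0000-0000-0000-00000000bbbb": 49160,  # running, but not published
}


@dataclass
class RpcFilter:  # hypothetical name, for illustration only
    allowed: set
    pinholes: set = field(default_factory=set)  # (client, server, port) tuples

    def epm_lookup(self, client, server, uuid):
        """Forward an endpoint mapper lookup only for a published UUID."""
        uuid = uuid.lower()
        if uuid not in self.allowed:
            # Dropped at the filter: the client learns nothing about
            # other services registered with the endpoint mapper.
            return None
        port = SERVER_ENDPOINTS.get(uuid)
        if port is not None:
            # Open the negotiated port for this client/server pair only.
            self.pinholes.add((client, server, port))
        return port

    def permits(self, client, server, port):
        """Packet-layer decision for a new client-to-server connection."""
        if port == EPMAP_PORT:
            return True  # the mapper is reachable, but lookups are filtered
        return (client, server, port) in self.pinholes
```

Before any lookup, `permits()` rejects every dynamic port; after a successful lookup, only the negotiated port is reachable, and only from the client that negotiated it.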
Deploying ISA for RPC Filtering
Aside from reverse proxying of web-related (HTTP, HTTPS) traffic, ISA Server can
apply server publishing rules, including RPC rules, only if the traffic sent between client and
server flows through ISA Server. This requires ISA Server to have multiple network interfaces
and the client traffic to be routed through it, either because ISA is the default
gateway or because routing is configured to send the traffic through ISA.