Outlook clients connect to Exchange Server through RPC. ISA Server's RPC application filter protects the RPC communication, as described in this section. In this way, ISA Server protects not only POP3 and SMTP communication, but also uniquely secures RPC communication.
ISA Server's RPC application filter enables secure communication between Outlook clients and an Exchange Server over the Internet. The RPC application filter protects RPC communication over the Internet by identifying which specific RPC interface is requested and allowing calls only to those interfaces. Furthermore, the RPC application filter opens ports dynamically, meaning that the communication is allowed only when it is specifically requested.
In addition, Exchange Server communicates with Outlook clients using a lightweight UDP-based protocol. The RPC application filter also processes new mail notification, as follows: when an Outlook client logs on to an Exchange Server, it registers to receive new mail notifications, by passing through RPC a port number on which it will listen. When new mail arrives, the Exchange Server sends a single UDP packet to the port.
To allow this type of notification, standard firewalls must typically open a wide range of ports. With the RPC application filter enabled, ISA Server intercepts registration for new mail, and dynamically opens only the necessary ports.
Thus, Exchange Server publishing is more secure with the ISA Server firewall.
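The following is an added illustration, not ISA Server code: a small stateful model of the three decisions described above (allowing only requested RPC interfaces, opening TCP ports only on request, and passing the new-mail UDP packet only to the port the client registered). The interface labels, addresses and port numbers are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder labels standing in for the RPC interface identifiers the filter allows.
ALLOWED_INTERFACES = {"exchange-store", "exchange-referral"}


@dataclass
class RpcApplicationFilter:
    allowed: set = field(default_factory=lambda: set(ALLOWED_INTERFACES))
    open_tcp: set = field(default_factory=set)      # (client, server_port) opened on request
    notify_udp: dict = field(default_factory=dict)  # client -> UDP port it registered

    def rpc_bind(self, client, interface, server_port):
        """Client asks for an interface; open its port only if that interface is allowed."""
        if interface not in self.allowed:
            return False
        self.open_tcp.add((client, server_port))
        return True

    def tcp_allowed(self, client, server_port):
        """Only a port that was actually requested passes; nothing in the dynamic range is open by default."""
        return (client, server_port) in self.open_tcp

    def register_notification(self, client, udp_port):
        """Outlook registers its listening UDP port over RPC; only a client with an open session may."""
        if not any(c == client for c, _ in self.open_tcp):
            return False
        self.notify_udp[client] = udp_port
        return True

    def udp_allowed(self, client, udp_port):
        """The single new-mail UDP packet passes only to the exact (client, port) that was registered."""
        return self.notify_udp.get(client) == udp_port


def walkthrough():
    """Replay the logon / registration / notification sequence and return each filter decision."""
    f = RpcApplicationFilter()
    return {
        "bind_allowed": f.rpc_bind("203.0.113.10", "exchange-store", 6001),
        "bind_denied": f.rpc_bind("203.0.113.10", "other-service", 6002),
        "tcp_requested": f.tcp_allowed("203.0.113.10", 6001),
        "tcp_unrequested": f.tcp_allowed("203.0.113.10", 6002),
        "register_ok": f.register_notification("203.0.113.10", 41000),
        "register_no_session": f.register_notification("203.0.113.99", 41000),
        "udp_registered": f.udp_allowed("203.0.113.10", 41000),
        "udp_other_port": f.udp_allowed("203.0.113.10", 41001),
        "udp_other_client": f.udp_allowed("203.0.113.99", 41000),
    }
```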
In an Exchange Server/Outlook client scenario, the RPC application filter works as follows:
When the Outlook client connects to an Exchange Server, the Exchange Server instructs the Outlook client to communicate directly with an Active Directory domain controller for authentication. In the normal publishing scenarios, this direct communication will not function properly if the Outlook client is on the Internet, while the domain controller is on the corporate Intranet. Because ISA Server does not publish the server running Microsoft Active Directory directory service, the Outlook client cannot contact the domain controller for authentication.
To allow this type of communication between the Internet-based Outlook client and the Intranet-based Exchange Server, set the value of this registry key on the Exchange Server:
HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters
to: