Outlook 2003 RPC over HTTP extremely slow on Cisco PIX 501 VPN

Hello all
I've been reading several message threads on this subject but couldn't get to a solution that helped me.  So, here it goes:

laptop at home:
 Windows XP service pack 2, firewall turned off, Cisco VPN client 4.0.5(C), cable modem - client connects to PIX, logon is successful. Local router is configured as a separate subnet from the PIX as well as the office domain

 PIX is managed by an outside network service co, full T1 going into the office

 Exchange 2003 server, also a GC server/DC, single server option for RPC over HTTP, Verisign certificate loaded
   - internal name mail01.panda.local
   - external name mail.p-and-a.cc

 Windows 2003 Domain Controller

Outlook /rpcdiag option indicates that we are successfully connecting to Exchange Server via HTTPS after ~10 mins.  
Outlook slows down laptop or freezes it completely whenever it attempts a Send/Receive.

can successfully ping mail01 server with excellent ping times
can access OWA with excellent response

Recently upgraded laptop to XP service pack 2

When I am on vpn, pinging mail01.panda.local is going to the external IP address of the server.  Not sure why it isn't going to the server's internal address.

I used to be able to access server mail01 via remote desktop connection by simply typing in the name at the connect prompt.  Now I have to enter the IP address.

Any thoughts on how to further diagnose the slow performance problem or correct this issue?

Thanks, in advance, for any assistance.


Try creating a hosts entry for mail01 with the internal IP of the server, which will force traffic for it to run through the VPN tunnel. This is a quick and easy solution to try.
To do it, browse to c:\windows\system32\drivers\etc, open the "hosts" file in notepad, and add a line at the bottom that reads

mail01.panda.local (or whatever its LAN IP is)

Save the file, then try pinging mail01 and mail01.panda.local and it should resolve to the internal IP.

That should work.
Sounds like a name resolution issue. Your DNS is getting the public IP instead of the private IP.
A very simple fix would be to put your own entries into your local hosts file:

# hosts file in %SYSTEMROOT%/system32/drivers/etc
mail01    mail01.panda.local

jboggs326Author Commented:
Thanks for the feedback. Yes, the addition to the hosts file allows Outlook to quickly connect to the Exchange Server (over TCP/IP).  Unfortunately, this precludes me from using RPC over HTTP when I'm not connected via VPN.  

It seems this is now narrowed down to a firewall issue.  btw, we have a Cisco PIX501 firewall.

My T1 provider (and firewall manager) is telling me that they don't think there is a way for the firewall to make the laptop use the internal ip address of the mail server when connected via VPN.  Is this really the case?

I have a call into their technical assistance center.  I will get a printout of the configuration and post it up to here.


Thanks - jb


> they don't think there is a way for the firewall to make the laptop use the internal ip address of the mail server when connected via VPN.  Is this really the case?
No - if you are using the Cisco client to VPN to the PIX, there is a configuration to give your client the appropriate IP address of the local (inside) DNS server. As long as that DNS server resolves to the private IP address, then when connected via VPN you should resolve to the private IP, and when not connected via VPN you should resolve to the public IP.
The whole point of RPC/HTTPS is to connect to Exchange without the VPN. If you are going to always use VPN then you may as well just use Outlook offline folders - you aren't getting any of the benefits of RPC/HTTP.
You should also be using the same address both internally and externally - this makes moving between on network and off network very easy.

You shouldn't need hosts files. I have a large installation of users with the Cisco VPN and there isn't a host file to be seen on any of their machines. The usual reason with PIX VPN for the traffic going out instead of over the VPN is the split DNS hasn't been set correctly in the VPN configuration on the firewall. Therefore as long as the DNS settings in the VPN config have been set correctly then all DNS requests should go over the VPN, with your servers responding to the external requests as well.
Have you got split tunnelling enabled as well?
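The hosts-file workaround above and the split-DNS point in this reply are two sides of one resolution rule: on VPN the Exchange name must come back as a LAN address so traffic takes the tunnel, off VPN it must come back as the public address or RPC over HTTPS cannot be used. As an added example (not code from the thread), the Python below parses a hosts file in the format shown and flags both failure modes; the LAN address and the public address it uses are constructed, since the thread never gives them.

```python
import ipaddress

# RFC 1918 ranges: an address here is reachable only on the LAN or through the tunnel.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample hosts file in the format the answers describe (address, then
# names; '#' starts a comment). The LAN address is made up, the thread never gives it.
SAMPLE_HOSTS = """\
# hosts file in %SYSTEMROOT%\\system32\\drivers\\etc
127.0.0.1       localhost
192.168.0.10    mail01  mail01.panda.local   # constructed LAN address
"""

# Constructed stand-in for the DNS answer seen while the PIX alias rewrote replies:
# the public (outside) address, here a documentation-range value.
DOCTORED_DNS = {"mail01.panda.local": "203.0.113.25"}

def parse_hosts(text):
    """Map each name (lower-cased) to its address, ignoring comments and blank lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower()] = ipaddress.ip_address(addr)
    return table

def resolve(name, hosts, dns):
    """Windows consults the hosts file before DNS, so a hosts entry always wins."""
    name = name.lower()
    if name in hosts:
        return hosts[name], "hosts"
    return ipaddress.ip_address(dns[name]), "dns"

def check(name, hosts, dns, vpn_up):
    """The thread's rule: on VPN the name must resolve to a LAN address so traffic
    takes the tunnel; off VPN it must resolve to the public address for RPC/HTTPS."""
    addr, source = resolve(name, hosts, dns)
    on_lan = any(addr in net for net in RFC1918)
    if vpn_up and not on_lan:
        return "BAD", f"{name} -> {addr} via {source}: public address on VPN (split DNS / alias)"
    if not vpn_up and on_lan:
        return "BAD", f"{name} -> {addr} via {source}: LAN address off VPN blocks RPC over HTTPS"
    return "OK", f"{name} -> {addr} via {source}"
```

With the hosts entry present the check passes on VPN and fails off VPN, which is exactly the trade-off the author reports; without it the doctored DNS answer fails on VPN and passes off VPN.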


What sembee said is correct... the whole purpose of rpc over https is to allow internal exchange functionality from a remote location without a VPN having to be established (preventing possible security holes)... split dns does sound like the problem as well.. you should be able to configure the firewall client to assign the internal dns servers to the laptop when using the firewall...
jboggs326Author Commented:

I've had trouble getting a VPN connection in the past when we have been traveling.  That's why we had RPC/https on board, as well.

The configuration of the PIX is below.  

Is it really possible to have all of my sites on the same subnet?  If I have two sites with 192.168.0.x, don't overlap the ip addresses and I ping, for example, that's on the site I'm tunneling to, will it be able to handle that?  I read on other posts that this shouldn't be done.  (sorry, over my head on this topic!)

Are changes required to the PIX or the client?

pallc# sh run
: Saved
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pallc
domain-name pallc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list MS permit ip host
access-list NONAT permit ip
access-list CVPN permit ip
pager lines 24
logging on
logging trap informational
logging history informational
logging facility 23
logging host outside
logging host outside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit name attacking attack action alarm drop reset
ip audit interface outside attacking
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2001 disable
ip audit signature 2004 disable
ip local pool remotes
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list NONAT
nat (inside) 1 0 0
alias (inside)
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
conduit permit icmp any any
conduit permit tcp host eq smtp any
conduit permit tcp host eq www any
conduit permit tcp host eq imap4 any
conduit permit tcp host eq pop3 any
conduit permit tcp host eq nntp any
conduit permit tcp host eq https any
conduit permit tcp host eq 993 any
conduit permit tcp host eq 995 any
conduit permit tcp host eq 563 any
conduit permit tcp host eq ftp any
conduit permit tcp host eq www any
conduit permit tcp host eq 475 any
conduit permit tcp host eq www any
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http outside
http outside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community ATXNet
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
crypto dynamic-map 20 11 set transform-set NORMAL
crypto map MANAGED 10 ipsec-isakmp
crypto map MANAGED 10 match address MS
crypto map MANAGED 10 set peer
crypto map MANAGED 10 set transform-set NORMAL
crypto map MANAGED 20 ipsec-isakmp dynamic 20
crypto map MANAGED interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup jboggs address-pool remotes
vpngroup jboggs dns-server
vpngroup jboggs default-domain panda.local
vpngroup jboggs split-tunnel CVPN
vpngroup jboggs idle-time 1800
vpngroup jboggs password ********
vpngroup jboogs idle-time 1800
vpngroup panda address-pool remotes
vpngroup panda dns-server
vpngroup panda default-domain panda.local
vpngroup panda split-tunnel CVPN
vpngroup panda idle-time 1800
vpngroup panda password ********
telnet outside
telnet outside
telnet inside
telnet inside
telnet timeout 30
ssh outside
ssh outside
ssh outside
ssh timeout 30
console timeout 0
terminal width 80
: end
jboggs326Author Commented:

I've had the firewall provider remove the alias.  This has eliminated the need for the host entry and seems to have solved the performance issue in Outlook.

Thanks for your help!!!
jboggs326Author Commented:
How do I close the ticket?
vpn's are designed to provide connectivity between two different subnets... they don't support connecting the same subnet together as the local computer wouldn't know when to route through the vpn or just simply go across the LAN....
click accept next to the answer that helped you the most