Solved

Outlook 2003 RPC over HTTP extremely slow on Cisco PIX 501 VPN

Posted on 2004-11-13
Last Modified: 2008-01-09
Hello all
I've been reading several message threads on this subject but couldn't get to a solution that helped me.  So, here it goes:

laptop at home:
 Windows XP service pack 2, firewall turned off, Cisco VPN client 4.0.5(C), cable modem - client connects to PIX, logon is successful. Local router is configured as a separate subnet from the PIX as well as the office domain

 PIX is managed by an outside network service co, full T1 going into the office

 Exchange 2003 server, also a GC server/DC, single server option for RPC over HTTP, Verisign certificate loaded
   - internal name mail01.panda.local
   - external name mail.p-and-a.cc

 Windows 2003 Domain Controller

Outlook /rpcdiag option indicates that we are successfully connecting to Exchange Server via HTTPS after ~10 mins.  
Outlook slows down laptop or freezes it completely whenever it attempts a Send/Receive.

can successfully ping mail01 server with excellent ping times
can access OWA with excellent response

Recently upgraded laptop to XP service pack 2

When I am on vpn, pinging mail01.panda.local is going to the external IP address of the server.  Not sure why it isn't going to the server's internal address.

I used to be able to access server mail01 via remote desktop connection by simply typing in the name at the connect prompt.  Now I have to enter the IP address.

Any thoughts on how to further diagnose the slow performance problem or correct this issue?

Thanks, in advance, for any assistance.



Question by:jboggs326
11 Comments
 
LVL 2

Expert Comment

by:tabush
ID: 12579220
Try creating a hosts entry for mail01 with the internal IP of the server, which will force traffic for it to run through the VPN tunnel. This is a quick and easy solution to try.
To do it, browse to c:\windows\system32\drivers\etc, open the "hosts" file in notepad, and add a line at the bottom that reads

mail01.panda.local     192.168.1.15 (or whatever its LAN IP is)
mail01                      192.168.1.15

Save the file, then try pinging mail01 and mail01.panda.local and it should resolve to the internal IP.

That should work.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12579224
Sounds like a name resolution issue. Your DNS is getting the public IP instead of the private IP.
A very simple fix would be to put your own entries into your local hosts file:

# hosts file in %SYSTEMROOT%/system32/drivers/etc
172.19.29.29    mail01    mail01.panda.local


 

Author Comment

by:jboggs326
ID: 12579706
Thanks for the feedback. Yes, the addition to the hosts file allows Outlook to quickly connect to the Exchange Server (over TCP/IP).  Unfortunately, this precludes me from using RPC over HTTP when I'm not connected via VPN.  

It seems this is now narrowed down to a firewall issue.  btw, we have a Cisco PIX501 firewall.

My T1 provider (and firewall manager) is telling me that they don't think there is a way for the firewall to make the laptop use the internal ip address of the mail server when connected via VPN.  Is this really the case?

I have a call into their technical assistance center.  I will get a printout of the configuration and post it up to here.

Thoughts?

Thanks - jb


 
LVL 79

Expert Comment

by:lrmoore
ID: 12583340
> they don't think there is a way for the firewall to make the laptop use the internal ip address of the mail server when connected via VPN.  Is this really the case?
  No - if you are using the Cisco client to VPN to the PIX, there is a configuration to give your client the appropriate IP address of the local (inside) DNS server. As long as that DNS server resolves to the private IP address, then when connected via VPN you should resolve to the private IP, and when not connected via VPN you should resolve to the public IP.
 
LVL 104

Accepted Solution

by:
Sembee earned 1500 total points
ID: 12583575
The whole point of RPC/HTTPS is to connect to Exchange without the VPN. If you are going to always use VPN then you may as well just use Outlook offline folders - you aren't getting any of the benefits of RPC/HTTP.
You should also be using the same address both internally and externally - this makes moving between on network and off network very easy.

You shouldn't need hosts files. I have a large installation of users with the Cisco VPN and there isn't a host file to be seen on any of their machines. The usual reason with PIX VPN for the traffic going out instead of over the VPN is the split DNS hasn't been set correctly in the VPN configuration on the firewall. Therefore as long as the DNS settings in the VPN config have been set correctly then all DNS requests should go over the VPN, with your servers responding to the external requests as well.
Have you got split tunnelling enabled as well?

Simon.
 
LVL 8

Expert Comment

by:kain21
ID: 12583982
What Sembee said is correct... the whole purpose of RPC over HTTPS is to allow internal Exchange functionality from a remote location without a VPN having to be established (preventing possible security holes)... split DNS does sound like the problem as well.. you should be able to configure the firewall client to assign the internal DNS servers to the laptop when using the firewall...
 

Author Comment

by:jboggs326
ID: 12588294

I've had trouble getting a VPN connection in the past when we have been traveling.  That's why we had RPC/https on board, as well.

The configuration of the PIX is below.  

Is it really possible to have all of my sites on the same subnet?  If I have two sites with 192.168.0.x, don't overlap the ip addresses and I ping, for example,  192.168.0.5 that's on the site I'm tunneling to, will it be able to handle that?  I read on other posts that this shouldn't be done.  (sorry, over my head on this topic!)

Are changes required to the PIX or the client?

pallc# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pallc
domain-name pallc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list MS permit ip host 146.145.165.106 169.254.200.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CVPN permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging on
logging trap informational
logging history informational
logging facility 23
logging host outside 169.254.200.3
logging host outside 169.254.200.8
mtu outside 1500
mtu inside 1500
ip address outside 146.145.165.106 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit name attacking attack action alarm drop reset
ip audit interface outside attacking
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2001 disable
ip audit signature 2004 disable
ip local pool remotes 10.0.0.1-10.0.0.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 146.145.165.107
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
alias (inside) 192.168.0.16 146.145.165.108 255.255.255.255
static (inside,outside) 146.145.165.108 192.168.0.16 netmask 255.255.255.255 0 0
static (inside,outside) 146.145.165.109 192.168.0.19 netmask 255.255.255.255 0 0
static (inside,outside) 146.145.165.110 192.168.0.5 netmask 255.255.255.255 0 0
static (inside,outside) 146.145.101.65 192.168.0.7 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 146.145.165.108 eq smtp any
conduit permit tcp host 146.145.165.108 eq www any
conduit permit tcp host 146.145.165.108 eq imap4 any
conduit permit tcp host 146.145.165.108 eq pop3 any
conduit permit tcp host 146.145.165.108 eq nntp any
conduit permit tcp host 146.145.165.108 eq https any
conduit permit tcp host 146.145.165.108 eq 993 any
conduit permit tcp host 146.145.165.108 eq 995 any
conduit permit tcp host 146.145.165.108 eq 563 any
conduit permit tcp host 146.145.165.109 eq ftp any
conduit permit tcp host 146.145.165.109 eq www any
conduit permit tcp host 146.145.165.110 eq 475 any
conduit permit tcp host 146.145.101.65 eq www any
route outside 0.0.0.0 0.0.0.0 146.145.165.105 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 146.145.65.0 255.255.255.0 outside
http 146.145.36.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community ATXNet
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
crypto dynamic-map 20 11 set transform-set NORMAL
crypto map MANAGED 10 ipsec-isakmp
crypto map MANAGED 10 match address MS
crypto map MANAGED 10 set peer 146.145.8.75
crypto map MANAGED 10 set transform-set NORMAL
crypto map MANAGED 20 ipsec-isakmp dynamic 20
crypto map MANAGED interface outside
isakmp enable outside
isakmp key ******** address 146.145.8.75 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup jboggs address-pool remotes
vpngroup jboggs dns-server 192.168.0.3 192.168.0.16
vpngroup jboggs default-domain panda.local
vpngroup jboggs split-tunnel CVPN
vpngroup jboggs idle-time 1800
vpngroup jboggs password ********
vpngroup jboogs idle-time 1800
vpngroup panda address-pool remotes
vpngroup panda dns-server 192.168.0.3 192.168.0.16
vpngroup panda default-domain panda.local
vpngroup panda split-tunnel CVPN
vpngroup panda idle-time 1800
vpngroup panda password ********
telnet 169.254.200.0 255.255.255.0 outside
telnet 146.145.8.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 30
ssh 146.145.36.0 255.255.255.0 outside
ssh 146.145.64.0 255.255.255.0 outside
ssh 146.145.65.0 255.255.255.0 outside
ssh timeout 30
console timeout 0
terminal width 80
: end
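The split-DNS point lrmoore and Sembee raise, and the hosts-file trade-off the poster ran into, can be checked mechanically against the configuration above. The following is an added diagnostic written for this thread; it is not code from the thread, from Experts Exchange or from Cisco. It parses the posted PIX 6.3 lines that decide where a Cisco VPN client's traffic goes (the `vpngroup ... split-tunnel` ACL, the pushed `dns-server` list and the `static` NAT pairs), then reports where Outlook's traffic to the mail server will be sent for a given DNS answer, with and without the tunnel, and with and without a hosts-file entry. The configuration excerpt and the DNS answers in the block are constructed from the thread (no live lookups), and the `panda` vpngroup name comes from the posted config.

```python
# Added diagnostic for the split-DNS / split-tunnel question in this thread (not code
# from the thread or from Cisco). It reads the posted PIX 6.3 'sh run' lines that decide
# where a VPN client's traffic goes and reports where Outlook's traffic to the mail
# server will be sent for a given DNS answer. The config excerpt and the DNS answers
# are constructed from the thread; no live lookups are made.
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed excerpt of the configuration posted above (only the lines used here).
PIX_CONFIG = """\
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CVPN permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 146.145.165.108 192.168.0.16 netmask 255.255.255.255 0 0
vpngroup panda dns-server 192.168.0.3 192.168.0.16
vpngroup panda default-domain panda.local
vpngroup panda split-tunnel CVPN
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")
DNS_RE = re.compile(r"^vpngroup (\S+) dns-server (.+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")


def parse_pix(config: str) -> dict:
    """Extract split-tunnel ACLs, per-vpngroup DNS servers and static NAT pairs."""
    acls: Dict[str, List[ipaddress.IPv4Network]] = {}   # ACL name -> inside networks
    split: Dict[str, str] = {}                          # vpngroup -> ACL name
    dns: Dict[str, List[str]] = {}                      # vpngroup -> pushed DNS servers
    statics: Dict[str, str] = {}                        # public IP -> private IP
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, src_mask, _dst, _dst_mask = m.groups()
            # The source side of a split-tunnel ACL is the protected inside network.
            acls.setdefault(name, []).append(ipaddress.ip_network(f"{src}/{src_mask}"))
        elif m := SPLIT_RE.match(line):
            split[m.group(1)] = m.group(2)
        elif m := DNS_RE.match(line):
            dns[m.group(1)] = m.group(2).split()
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
    return {"acls": acls, "split": split, "dns": dns, "statics": statics}


def route_for(parsed: dict, group: str, resolved_ip: str) -> str:
    """'tunnel' if the address is in the group's split-tunnel networks, else 'internet'.
    A group with no split-tunnel ACL sends everything through the tunnel."""
    acl = parsed["split"].get(group)
    if acl is None:
        return "tunnel"
    ip = ipaddress.ip_address(resolved_ip)
    return "tunnel" if any(ip in net for net in parsed["acls"].get(acl, [])) else "internet"


def resolve(name: str, hosts: Dict[str, str], dns_answers: Dict[str, str]) -> Optional[str]:
    """Resolver order that matters here: the hosts file wins over DNS."""
    return hosts.get(name, dns_answers.get(name))


def diagnose(parsed: dict, group: str, name: str, vpn_up: bool,
             hosts: Dict[str, str], dns_answers: Dict[str, str]) -> dict:
    """Report where traffic to `name` goes and whether the server can be reached."""
    answer = resolve(name, hosts, dns_answers)
    if answer is None:
        return {"resolved": None, "via": None, "reachable": False, "note": "no answer"}
    private = ipaddress.ip_address(answer).is_private
    if vpn_up:
        via = route_for(parsed, group, answer)
        if via == "internet":
            expected = parsed["statics"].get(answer, "unknown")
            note = f"public NAT address returned over VPN; tunnel bypassed, expected {expected}"
        else:
            note = "private address routed through the tunnel"
        return {"resolved": answer, "via": via, "reachable": True, "note": note}
    # No tunnel: only a public address is routable; a hosts-file entry pinning the
    # private IP makes RPC over HTTP fail until the VPN comes back up.
    note = ("hosts/DNS gave a private IP with no VPN; unreachable" if private
            else "public address used directly for RPC over HTTPS")
    return {"resolved": answer, "via": "internet", "reachable": not private, "note": note}


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    # Constructed answers: what the inside DNS should return, and what the poster saw.
    good = {"mail01.panda.local": "192.168.0.16"}
    seen = {"mail01.panda.local": "146.145.165.108"}
    print(diagnose(cfg, "panda", "mail01.panda.local", True, {}, good))
    print(diagnose(cfg, "panda", "mail01.panda.local", True, {}, seen))
    print(diagnose(cfg, "panda", "mail01.panda.local", False, good, {}))
```

The second call reproduces the poster's symptom: with the tunnel up, an answer of 146.145.165.108 falls outside the CVPN network, so the client sends the RPC traffic out to the Internet and back in through the static NAT rather than through the tunnel, and the check names the private address the inside DNS should have returned. The third call shows why the hosts-file workaround precludes RPC over HTTP off-VPN: the pinned private address is not routable without the tunnel.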
 

Author Comment

by:jboggs326
ID: 12588447

I've had the firewall provider remove the alias.  This has eliminated the need for the host entry and seems to have solved the performance issue in Outlook.


Thanks for your help!!!
 

Author Comment

by:jboggs326
ID: 12588469
How do I close the ticket?
 
LVL 8

Expert Comment

by:kain21
ID: 12588471
VPNs are designed to provide connectivity between two different subnets... they don't support connecting the same subnet together, as the local computer wouldn't know when to route through the VPN or just simply go across the LAN....
 
LVL 8

Expert Comment

by:kain21
ID: 12588485
click accept next to the answer that helped you the most