georgecooldude
asked on
Windows 2003 AD + Exchange 2003 over Cisco VPN Concentrator - Email doesn't work
Hello,
We have recently migrated some remote users to our 2003 AD domain; however, we are now experiencing problems where the users cannot connect to Outlook 2003 via VPN.
We are using Cisco VPN client 3.6 and 4.05 - It's probably a 50-50 mixture.
Users used to be able to connect fine when we were using our Windows NT domain, Exchange 5.5 and Outlook 2003.
Users dial in via the Cisco VPN client and go into our Cisco VPN Concentrator, then they are authenticated against the concentrator and routed through our Cisco PIX depending on their user permissions. At this point they are inside our network. When they try and load up Outlook 2003 and do a send/receive, it tries for ages and just sits at 50%. Never goes further.
When we route the users via the German VPN they can connect to email fine. The only difference is the German network is not yet on AD and they are using BIND DNS servers, not Microsoft ones.
Any ideas? Has anyone experienced this before? Is there a change we need to make to the PIX or to the Exchange server?
I did some packet sniffing via Ethereal and it seems that our clients are trying to access our domain controller via Kerberos using port 88; however, the SYNs are sent but no ACKs are received. Could this be a problem?
Look forward to solutions ;-)
http://www.petri.co.il/ports_used_by_exchange.htm
Firewall wise, these are the ports that Exchange uses. Do the clients going through the German VPN filter through the PIX also?
JK
Sorry for the multiple posts... I keep thinking of things... Something else you can do is to turn on all the logging for dropped and received packets on the 2003 server, as this will give you a pretty good indication of the traffic being dropped, what port, etc.: Windows Firewall settings > Advanced > Security Logging
ASKER
Hi Janakel2,
We're using Exchange client on the machines with Outlook 2003. Have checked all the ports on the petri.co.il link and they all look good. Most are added.
The German VPN is the same Cisco VPN Concentrator (slightly older IOS); however, they are routed through a Checkpoint firewall. The servers don't have Windows Firewall turned on so we can't enable logging that way.
ASKER
Solved the problem using Ethereal. Looks like AD DNS is going to the wrong places. Changed some things on the firewall and all working OK.
JK
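The capture check described in the question (SYNs sent to the domain controller on port 88 with no replies), as an added example that is not part of the original thread: a Python function that lists the destination ports whose SYNs never received a SYN-ACK. The tab-separated column layout, the addresses and the sample rows are constructed assumptions, not data from the asker's capture.

```python
from collections import defaultdict

# Constructed sample rows (assumed export layout, tab-separated):
# src_ip, src_port, dst_ip, dst_port, syn_flag, ack_flag
# Addresses are documentation ranges, not values from the thread.
SAMPLE = (
    "198.51.100.21\t1045\t192.0.2.10\t88\t1\t0\n"   # SYN to port 88
    "198.51.100.21\t1045\t192.0.2.10\t88\t1\t0\n"   # retransmitted SYN
    "198.51.100.21\t1045\t192.0.2.10\t88\t1\t0\n"   # retransmitted SYN
    "198.51.100.21\t1046\t192.0.2.20\t135\t1\t0\n"  # SYN to port 135
    "192.0.2.20\t135\t198.51.100.21\t1046\t1\t1\n"  # SYN-ACK comes back
    "198.51.100.21\t1046\t192.0.2.20\t135\t0\t1\n"  # final ACK
    "198.51.100.21\t1047\t192.0.2.10\t53\t1\t0\n"   # SYN to port 53, no reply
)


def _flag(value):
    """Accept both 1/0 and True/False renderings of a TCP flag column."""
    return value.strip().lower() in ("1", "true")


def unanswered_syns(text):
    """Return {(dst_ip, dst_port): syn_count} for attempts with no SYN-ACK."""
    attempts = defaultdict(int)  # client 4-tuple -> SYNs seen (incl. retransmits)
    answered = set()             # client 4-tuples that received a SYN-ACK
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue  # skip malformed or header rows
        src, sport, dst, dport, syn, ack = parts
        if _flag(syn) and not _flag(ack):
            attempts[(src, sport, dst, dport)] += 1
        elif _flag(syn) and _flag(ack):
            # A SYN-ACK travels server -> client, so reverse it to the client tuple.
            answered.add((dst, dport, src, sport))
    blocked = defaultdict(int)
    for conn, count in attempts.items():
        if conn not in answered:
            blocked[(conn[2], int(conn[3]))] += count
    return dict(blocked)


if __name__ == "__main__":
    for (ip, port), count in sorted(unanswered_syns(SAMPLE).items()):
        print(f"{ip}:{port} - {count} SYN(s), no SYN-ACK")
```

Ports that show up here are the ones to compare against the firewall rules on the path between the VPN address pool and the servers.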