Disabling ICMP ping on PIX will disable the SMTP Virtual Connector?

For security reasons, I have disabled ICMP ping on my PIX. Afterwards, I found that the Exchange server couldn't route my domain users' e-mail to the other Exchange server (hosted in another country). I then reviewed the queue in Exchange and found that the connector to the other Exchange server was not available. As far as I remember, it normally uses this queue to route my internal e-mail. However, when I enable ICMP ping on the PIX, everything works fine after a few minutes.

The two sites are connected through a VPN through the PIX. In fact, only ICMP is blocked. Other than that, the two Exchange servers could ping each other, and POP3 and SMTP work fine through the PIX.

Why does this happen?
Asked by: AXISHK
TheCleaner commented:
Just disable the ICMP check in Exchange.

See here for a better explanation:

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TechRef/e0163427-dd90-4761-8f14-8cb41f15939c.mspx?mfr=true

Reachability: DSAccess uses Internet Control Message Protocol (ICMP) to ping each server to verify that the server is available. DSAccess also verifies that the directory server is reachable over port 389 (for domain controllers) and port 3268 (for global catalog servers).

If you use ICMP to determine if a server is available, you might create a problem if all connections in your network do not support ICMP. For example, an Exchange server might reside in a perimeter network, which has no ICMP connectivity between the Exchange server and the domain controllers. In this situation, you should disable the ICMP check and set the following registry parameter to zero.

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Value: LdapKeepAliveSecs
Type: REG_DWORD
Value Data: 0x0
Description: DSAccess uses the ping protocol if there is no registry key or it is not set to 0,

0
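
An added example, not part of the thread or of the quoted Microsoft text: a PowerShell script that reports whether the DSAccess ICMP check is active and confirms the directory servers answer on TCP 389 and 3268 before writing `LdapKeepAliveSecs = 0`. It assumes PowerShell 2.0 or later is available on the Exchange server; the server name and the `-DisableIcmpCheck` switch are placeholders introduced for this example.

```powershell
# Added example (not from the thread). Server names below are placeholders.
param(
    [string[]]$DirectoryServers = @('dc01.example.local'),  # assumption: your DC/GC names
    [switch]$DisableIcmpCheck                               # hypothetical switch: write the value
)
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess'
$valueName = 'LdapKeepAliveSecs'

# TCP connect with a timeout, so the test does not depend on ICMP at all.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Report the current state of the registry value.
if (-not (Test-Path $keyPath)) {
    Write-Warning "MSExchangeDSAccess key not found; run this on the Exchange server."
    return
}
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -ne $current -and $current -eq 0) { "ICMP check disabled ($valueName = 0)" }
else { "ICMP check active ($valueName = '$current')" }

# 2. Check the LDAP ports DSAccess also relies on.
#    3268 only answers on global catalog servers, so only 389 is treated as required.
$ldapOk = $true
foreach ($server in $DirectoryServers) {
    foreach ($port in 389, 3268) {
        $ok = Test-TcpPort -HostName $server -Port $port
        "{0}:{1} TCP reachable: {2}" -f $server, $port, $ok
        if ($port -eq 389 -and -not $ok) { $ldapOk = $false }
    }
}

# 3. Write the value only when asked, and only if LDAP itself works.
if ($DisableIcmpCheck) {
    if (-not $ldapOk) { Write-Warning "LDAP (389) unreachable; fix that before disabling the ICMP check."; return }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    "$valueName set to 0 under $keyPath"
}
```

Run without the switch, the script changes nothing and only reports the registry state and port reachability.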
 
ganongj commented:
A simple answer would be to just enable ping on that VPN. Disable ping for all other locations, but allow it for the VPN.

Jim
0
Question has a verified solution.
