Unable to synchronize Outlook 2007/2003 with Exchange 2003 over VPN, error 0x8004011D

I have big trouble with Outlook 2003 or 2007 when it needs to communicate with Exchange 2003 over VPN. I have read many pages about it on the internet and also on EE, but none of them has led me to a solution.
Maybe I found one difference from what is described in other "0x8004011D" problems: we use Fortinet products for the VPN connection. The problem is on the client side, which uses a FortiClient IPSec or SSL VPN tunnel. If the client gets its IP address from the VPN DHCP server, the connection between the client's Outlook and Exchange isn't established. But if I set the IP address manually to one outside the VPN DHCP range, the connection is established, but only once. If I close Outlook, disconnect the VPN connection and connect the client to the VPN again with the same manual IP address, Outlook doesn't connect to Exchange.

On the client side I can always ping the Exchange server by its IP or domain name. There is no firewall activated on the client side, the router or Exchange. Exchange works correctly on the local network. OWA works correctly.

I tried resetting the router or flashing it with the newest firmware, but without effect.

Thank you for your help.

Jian An Lim (Solutions Architect) commented:
I would personally go down the route of setting up HTTPS over RPC in order to solve this problem.

Rick Fee (Messaging Engineer - Disaster Recovery Engineer) commented:
How is the namespace set up? Is your AD namespace the same as the public DNS? For instance, domain.com for both? If so, I have the fix.

This is a common issue that I have seen... when the namespace is the same and you're doing split DNS, your workstations can query either the public DNS or the AD DNS... when it queries the public DNS it will fail.

You need to set up a script or process that places the \Device\NdisWanIp entry at the top of the registry value Bind (multi-string) that is found under the key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\.
If the entry is already at the top, no registry update is done.


' KB311218 - Cannot Change the Binding Order for Remote Access Connections
' ========================================================================
' VBScript that places the \Device\NdisWanIp entry on the top in the
' registry value Bind (multi-string) that is found under the key
' HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\.
' If the entry already is at the top, no registry update is done.

Const HKLM = &H80000002

sComputer = "."   ' use "." for local computer

' Connect to WMI's StdRegProv class
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
         & sComputer & "\root\default:StdRegProv")

' Define registry location
sKeyPath = "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"
sValueName = "Bind"

oReg.GetMultiStringValue HKLM, sKeyPath, sValueName, arValues

arValuesNew = Array()

For i = 0 To UBound(arValues)
   If i = 0 Then
      If LCase(arValues(i)) = "\device\ndiswanip" Then
         ' Entry is already first in the list, no point in continuing
         ' (arValuesNew stays empty, so the registry is not touched)
         Exit For
      Else
         ' Put NdisWanIp in the first element in the new array
         ReDim Preserve arValuesNew(0)
         arValuesNew(0) = "\Device\NdisWanIp"
      End If
   End If

   ' Continue adding the rest of the elements to the new array
   If LCase(arValues(i)) <> "\device\ndiswanip" Then
      iCountNew = UBound(arValuesNew) + 1
      ReDim Preserve arValuesNew(iCountNew)
      arValuesNew(iCountNew) = arValues(i)
   End If
Next

' If there are elements to be found in the array, update the
' registry value
If UBound(arValuesNew) > -1 Then
   oReg.SetMultiStringValue HKLM, sKeyPath, sValueName, arValuesNew
End If

csystemnet (Author) commented:
Hello EndureKona, thank you for your advice. We use a different namespace...

csystemnet (Author) commented:
Hello limjianan,
I know about RPC over HTTP/S, but I would like to know why the described problem appeared. Because this problem isn't only in one company; it is starting to appear in another. And the strange thing is that VPN clients have been using Outlook over VPN for more than 2 years and there was no problem.

Jian An Lim (Solutions Architect) commented:
What kind of VPN connection do you use?

I have tested my VPN (Microsoft) connection to Outlook and it seems to be working fine.

After the VPN is connected, do you see issues other than with Exchange 2003?
Like file browsing, etc.?

csystemnet (Author) commented:
limjianan: I use a software VPN client (FortiClient). When I am connected to the VPN I can see everything (ping by IP, by name, network sharing, ...) on Exchange or other PCs/servers in the local network. But using Outlook with Exchange over VPN doesn't work.

Jian An Lim (Solutions Architect) commented:
In your Outlook 2003/2007, can you paste the error logs about the sync issue?

csystemnet (Author) commented:
Hello, sorry for the late reply. The error message is in the attached files.

Jian An Lim (Solutions Architect) commented:
I have a thought about the issue.
The only thing I can think of is the name.

After you connect to the VPN, the DNS server IP address changes.

So when you query for the Exchange server, it can be <servername> or <servername>.domain.local or <servername>.<domain-netbiosname> or <externalwebmaildomain>.

I would try to ping all the possible names and see if all of them are able to resolve to an internal IP address.
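
The name check suggested in the comment above, as an added example that is not part of the original thread: it resolves every candidate form of the server name and reports whether each one lands inside the internal subnet. The host names, the 192.168.10.0/24 subnet and the sample answers are constructed placeholders; `sample_resolver` stands in for the live resolver so the block runs offline.

```python
import ipaddress
import socket


def resolve(name):
    """Return the sorted IPv4 addresses the OS resolver gives for name ([] if none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_names(names, internal_nets, resolver=resolve):
    """Map each name to (verdict, addresses); verdict is one of
    'internal', 'external', 'mixed' or 'unresolved'."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    report = {}
    for name in names:
        addrs = resolver(name)
        if not addrs:
            report[name] = ("unresolved", addrs)
            continue
        inside = [any(ipaddress.ip_address(a) in net for net in nets) for a in addrs]
        if all(inside):
            verdict = "internal"
        elif any(inside):
            verdict = "mixed"      # split DNS answering from both sides
        else:
            verdict = "external"   # public DNS answered instead of AD DNS
        report[name] = (verdict, addrs)
    return report


# Constructed sample answers (assumption): what a VPN client might see.
SAMPLE_ANSWERS = {
    "mail01": ["192.168.10.5"],
    "mail01.domain.local": ["192.168.10.5"],
    "webmail.example.com": ["203.0.113.20"],
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    candidates = ["mail01", "mail01.domain.local", "mail01.DOMAIN", "webmail.example.com"]
    # Drop the third argument to query the real resolver while the VPN is up.
    for name, (verdict, addrs) in check_names(candidates, ["192.168.10.0/24"], sample_resolver).items():
        print(f"{name:24} {verdict:10} {', '.join(addrs) or '-'}")
```

Run it once with the VPN connected and once on the local network; any name whose verdict differs between the two runs is the one to compare against the server name in the Outlook profile.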

csystemnet (Author) commented:
I also consulted Fortinet support about this problem, and they told me that it is a known bug: 0121039

"As per this scenario , We have a noticed a bug on this issue id is 0121039, .It's still not at fix our Engineers are working on it to get fix on the next release.i.e V4.2.0"

Thank you for your help.

csystemnet (Author) commented:
limjianan: I can ping the Exchange server with its full domain name (<servername>.domain.local). The same is set in the Outlook configuration.

Jian An Lim (Solutions Architect) commented:
Well, apparently it is a Fortinet issue, so we will leave the question as it is.

I would recommend that, instead of closing your question, you choose your answer as the accepted answer. At least that gives you a conclusion to this question.