Solved

Exchange 2007 topology issue

Posted on 2010-09-16
Last Modified: 2012-05-10
We have a main Microsoft forest with multiple sites around the world.
Each site is connected to the headquarters in Brussels by VPN tunnels. In Brussels, we decided a few months ago to install a first Exchange 2007 server with 4 roles (Mailbox server, CAS server, UM server, and Hub server) and a second one with the Edge Transport server (to filter all spam).
At each satellite office, the users are using the Microsoft Outlook client 2003 / 2007, but configured to use Outlook Anywhere (RPC connection through HTTP). We are experiencing latency for these clients when they reach the Exchange server in Brussels and, periodically during the day, the messages are blocked in the outbox for a long time (30 minutes). This is the case in all remote offices (with very good Internet connections too) and we suppose that the Outlook clients are configured perfectly.
My question is: how can I improve this Exchange topology? My first idea was to install Exchange servers in the remote offices too, but I would like to leave all mailboxes stored in Brussels (to back them up easily). Do you have better ideas?

I hope I was clear in my explanation with my bad English...

Thanks,
Javier
Question by:Javier Gonzalez
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 250 total points
ID: 33692654
You mentioned

SITEX -> brussels - connected through VPN
SiteX Outlook -> brussels exchange > connected using RPC/HTTPS

Can you go to sitex and try this

nslookup yourdomain.com

ping exchangeservername.local

--
Close outlook
then type
outlook /rpcdiag
Post a screenshot of connections monitor here
--

rpcping from outlook to your exchange server

RPCPing.exe -t ncacn_http -o RpcProxy=fqdn.yourdomain.com -P "testuser,yourdomain,testpassword" -I "testuser,yourdomain,testpassword" -H 1 -u 10 -a connect -F 3 -E -v 3 -R none -q
--

My guess > outlook is trying to use the VPN to connect to brussels, unless you specified separate routing in your Router @ these branch locations to use Internet route when Clients are trying to connect to exchange.

0
 

Author Comment

by:Javier Gonzalez
ID: 33694174
From our site in Amsterdam:


C:\>nslookup bvdep.net
Server:  dc-ams1.bvdep.net
Address:  172.29.139.1

Naam:    bvdep.net
Addresses:  172.29.139.1
          172.28.1.2
          172.29.138.17
          172.28.1.1
          172.29.250.179
          172.29.251.27
          172.29.142.13
          172.29.135.9
          172.28.1.21

-----


C:\>ping mail-bxl-a.be.bvdep.net

Pingen naar mail-bxl-a.be.bvdep.net [172.28.1.170] met 32 bytes aan gegevens:
Antwoord van 172.28.1.170: bytes=32 tijd=25 ms TTL=125
Antwoord van 172.28.1.170: bytes=32 tijd=23 ms TTL=125
Antwoord van 172.28.1.170: bytes=32 tijd=38 ms TTL=125
Antwoord van 172.28.1.170: bytes=32 tijd=23 ms TTL=125

Ping-statistieken voor 172.28.1.170:
    Pakketten: verzonden = 4, ontvangen = 4, verloren = 0
    (0% verlies).

De gemiddelde tijd voor het uitvoeren van één bewerking in milliseconden:
    Minimum = 23ms, Maximum = 38ms, Gemiddelde = 27ms

-----

 See attached files

 

"Tot stand gebracht" means "established"

-----

Without the -E and -R arguments:

C:\>RPCPing.exe -t ncacn_http -o RpcProxy=mail-bxl-a.be.bvdep.net -P "user,bvdep.net,password" -I "user,bvdep.net,password" -H 1 -u 10 -a connect -F 3 -v 3 -q

RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
 Activiteits-id RPC-pingset:  {0abe27c9-787e-41a2-b7a5-586751741995}
 Uitzondering 1722 (0x000006BA)
 Aantal records: 3
 Proces-id is 1372
 Systeemtijd is: 9/16/2010 17:0:19:692
 Genererend onderdeel is 13
 Status is 0x6BA, 1722
 Detectielocatie is 1352
 Vlaggen is 0
 Aantal parameters is 1
 Lange waarde: 0xc002100a
 Proces-id is 1372
 Systeemtijd is: 9/16/2010 17:0:19:692
 Genererend onderdeel is 14
 Status is 0xC002100A, -1073606646
 Detectielocatie is 1380
 Vlaggen is 0
 Aantal parameters is 2
 Lange waarde: 0x2f8f
 Unicode-tekenreeks: /rpc/rpcproxy.dll?HP5750SUPPORTPO.nl.bvdep.net:593
 Proces-id is 1372
 Systeemtijd is: 9/16/2010 17:0:19:692
 Genererend onderdeel is 14
 Status is 0x10000, 65536
 Detectielocatie is 1385
 Vlaggen is 0
 Aantal parameters is 2
 Lange waarde: 0x10
 Binaire waarde: lengte 1627 57068230 3F058230 10203A0 2100202

With the -E and -R arguments:

C:\>RPCPing.exe -t ncacn_http -o RpcProxy=mail-bxl-a.be.bvdep.net -P "user,bvdep.net,password" -I "user,bvdep.net,password" -H 1 -u 10 -a connect -F 3 -v 3 -E -R none -q

RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
 Activiteits-id RPC-pingset:  {0f12f853-58af-4cbd-8858-0d37fb120d4e}
 RPCPinging proxyserver mail-bxl-a.be.bvdep.net met Echo Request Packet
 Beleid Automatisch aanmelden instellen op hoog
 WinHttpSetCredentials voor doelserver aangeroepen
 Fout 87 : De parameter is onjuist.
 geretourneerd in WinHttpSetCredentials
 Ping is mislukt (ping failed)


I think you are right, it seems that the RPC connection is made inside the tunnel (I have to verify the routing config to be sure) and not directly to the internet...

Do you know why the second test failed (with the -E -R arguments)?

Thanks,
Javier

test.jpg
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33694797
Can you check with your networking guy to configure a different route for RPC requests?

What is the purpose of the VPN?
You can break the VPN and see if your mail flow is restored, for testing.
0

 

Author Comment

by:Javier Gonzalez
ID: 33694988
I cannot break it because the users are using it as their default gateway.
It's a Nortel Contivity 1050.
I know that the guy there had configured a route for HTTP, HTTPS, FTP, etc. for external requests, to avoid users crossing the tunnel to surf the Internet.
But here, in that case, I don't know... I'm going to sniff the packet transmission tomorrow just to be sure.

Thanks a lot for your suggestions,
I'll keep you informed,
Javier
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33695436
I cannot break it because the users are using it as their default gateway.
>> Why would users in the branch office use the VPN as a default gateway? Shouldn't they be getting it from the firewall/router over there, or a Windows server if they have one?

Maybe you can ask this person to include RPC requests to external too.

Please post back how this goes.
0
 

Author Comment

by:Javier Gonzalez
ID: 33695583
The VPN routers in the branch offices are acting like a firewall too, that's why. I have to verify the rules with my colleague there to be sure that RPC requests are routed to the net too.

Don't worry, I'll keep you informed.

Javier
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33695601
Thanks Javier
0
 

Author Comment

by:Javier Gonzalez
ID: 33717101
Hi Sunnyc7,

Just a little message to give you some feedback.
Indeed, all RPC traffic is passing through the tunnel. I asked to create a new route to force the redirection directly to the net. I'm now waiting for a report from the users in Amsterdam on whether that issue has disappeared.
I'll keep in touch,
0
 

Author Closing Comment

by:Javier Gonzalez
ID: 33743907
Hi Sunnyc7,

As promised, I'm back to give you my feedback.
We forced the RPC (HTTPS) connections to the outside (creating a new route in the router) and the latency simply disappeared!
Thanks a million, man, for your quick intervention and good solution!!

Javier
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33743961
Javier, you are welcome.
Glad to be of help.
0
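
The routing decision diagnosed in this thread, as an added example that is not part of the original posts: a simplified longest-prefix-match model of a branch router whose default gateway is the VPN tunnel, before and after a more specific route for the RPC proxy is added. The route tables, the interface names and the 203.0.113.10 public proxy address are constructed assumptions; only 172.28.1.170 comes from the ping output above.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed branch-router table (assumption, not from the thread): the VPN
# tunnel is the default gateway, as the author describes for the branch users.
ROUTES_BEFORE = [("0.0.0.0/0", "vpn-tunnel")]

# Hypothetical public address of the RPC proxy (RFC 5737 documentation range).
PROXY_PUBLIC = "203.0.113.10"

# Same table plus a host route that sends the proxy traffic straight out.
ROUTES_AFTER = ROUTES_BEFORE + [(PROXY_PUBLIC + "/32", "internet")]


def egress(dest, routes):
    """Return the interface picked by longest-prefix match for dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(resolved, routes):
    """For each resolved address: is it internal, and which way does it leave?"""
    rows = []
    for ip in resolved:
        addr = ipaddress.ip_address(ip)
        rows.append({
            "ip": ip,
            "internal": any(addr in net for net in RFC1918),
            "egress": egress(ip, routes),
        })
    return rows


if __name__ == "__main__":
    # 172.28.1.170 is what mail-bxl-a.be.bvdep.net resolved to in the ping above.
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for row in audit(["172.28.1.170", PROXY_PUBLIC], table):
            print(label, row)
```

An RPC proxy name that resolves to an RFC 1918 address from the branch, as in the ping output, can only be reached through the tunnel, so the direct route helps only when clients resolve the proxy to an address reachable over the Internet.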

Question has a verified solution.