

Outlook 2010 Cached Mode & Gateway-to-Gateway VPN Connection.

Posted on 2013-06-26
Medium Priority
Last Modified: 2013-06-26
I have a dilemma with a client that has multiple office locations connected via dedicated VPN connections (gateway-to-gateway).  When they (approx. 5 people) travel to the remote offices (once or twice a week), they complain of the latency connecting to the main office via Terminal Services.  At the main office there are no latency problems.  The Internet connections at the remote sites are high bandwidth connections 15/5mbps, and the main office has a 50/15mbps connection.  So the Internet connections are adequate to work efficiently regardless of office location.  

The problem arises when these users travel with their tablets and company-issued Android phones at remote office locations.  Each remote location has wireless access to accommodate their phones and tablets.  By doing so it cuts down on the company data plan usage.  So it's a cost savings on the plan, but also affecting network bandwidth.

The tablets are configured with Outlook 2010 Cached Mode, and as soon as Outlook is open it automatically starts syncing all items, and then afterwards as mail with attachments is sent and received the traffic seems to continue saturating the VPN connection.  I am basically saying, the users are noticing performance degradation issues while working in remote offices.  

I have set up ActiveSync to download headers to help reduce the syncing of attachments.  However, Outlook 2010 Cached Mode connected to an Exchange Server 2010 does not seem to have a throttle to download headers to cut down bandwidth consumption.

I was going to propose an additional Internet connection with a wireless router that the phones and tablets can connect to, so that ActiveSync and Outlook Cached Mode traffic have a separate dedicated Internet connection and do not interfere with the dedicated VPN connection used for Terminal Services, VOIP connections, and at times remote printing.

The client's laptops and phones work seamlessly when at home or other locations, and they will not like the idea of having to make changes on their phones and/or tablets when traveling to remote office locations.  I am hoping there is another way to skin this cat!  Any suggestions other than disabling wireless access at the remote locations so their tablets and phones can't connect?
Question by:cmp119

Expert Comment

ID: 39277902
You could restrict the port traffic at the remote sites so that ONLY the terminal services traffic is allowed to pass.  It depends on your routing/VPN equipment on how to do that.

Alternatively, if the equipment allows it, you could enable QoS and give the terminal services traffic higher priority than the other traffic.  This could in effect be the bandwidth throttle you are looking for.

Keep in mind that it depends on your equipment, and you have to make sure that you configure in such a way that you're filtering traffic before it enters the VPN tunnel, so that may prove to be challenging.

Author Comment

ID: 39277932
Right now they have Linksys RV series routers at all locations.  I can't remember the exact models, but they are not too robust.  They will be getting Cisco ISA 570 routers, but I do not know much about those models.

Right now all traffic is going through the VPN.  I don't think there is a way to force specific traffic to use the Internet directly and not via the VPN connection.  Regardless, the traffic will still consume bandwidth regardless of direction since it must flow through the single Internet connection.  That's why I was leaning toward another separate Internet connection with wireless access that these specific devices can connect to.

Expert Comment

ID: 39278448
I believe that the Cisco ISA 570 will allow you to configure QoS and/or ACL rules to control the traffic the way that you wish.  How long before the ASAs are in place, and are you configuring them or is that being handled by someone else?

If someone else, can you make requests regarding the configuration to shape or filter the traffic to meet your needs?

Accepted Solution

mlongoh earned 2000 total points
ID: 39278507
Minimally, the 570 will allow you to set up a Guest wireless internet VLAN which you could make the iOS/Android tablets/smart devices utilize, and then set QoS lower for that traffic versus the VPN traffic.

I'm assuming that right now nothing at a remote site bypasses the VPN, and so Internet-bound traffic is going through the VPN to your "main" site and then routed from there.

Until you get the new Cisco equipment, you might look into reconfiguring your site-to-site VPN to allow split tunneling... meaning that if the traffic is destined for one of your corporate internal addresses it goes through the VPN, otherwise it's routed out to the Internet (bypassing the VPN and reducing the saturation of the VPN pipe).  It doesn't give you the full traffic control that you are needing, but it might provide some level of relief while waiting for the new stuff to show up.
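
The split-tunneling decision described in the answer above, modelled as an added example that is not part of the original post or any vendor's configuration. The subnets, host addresses, flow list and the placement of the Exchange server at the main office are all constructed assumptions; the thread gives none of them.

```python
import ipaddress

# Constructed addressing: one /16 per office, main office is 10.0.0.0/16.
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16")]

# Constructed flows seen at a remote office: (description, destination IP).
# Assumption: Exchange, the terminal server and the PBX sit at the main office.
FLOWS = [
    ("RDP to terminal server",               "10.0.0.20"),
    ("Outlook cached-mode sync to Exchange", "10.0.0.25"),
    ("VoIP to main-office PBX",              "10.0.0.30"),
    ("Tablet OS/app updates",                "203.0.113.10"),
    ("General web browsing",                 "198.51.100.7"),
]

def build_routes(split_tunnel):
    """Remote-site route table: corporate prefixes always use the tunnel;
    the default route uses the tunnel only when split tunneling is off."""
    routes = [(net, "vpn") for net in CORPORATE_NETS]
    default_hop = "wan" if split_tunnel else "vpn"
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_hop))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match, as a router would do it."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def tunnel_load(split_tunnel):
    """Names of the flows that still traverse the site-to-site tunnel."""
    routes = build_routes(split_tunnel)
    return [name for name, dst in FLOWS if next_hop(routes, dst) == "vpn"]

if __name__ == "__main__":
    for mode in (False, True):
        print("split tunnel" if mode else "full tunnel", "->", tunnel_load(mode))
```

Under these assumptions only the Internet-bound flows leave the tunnel; the Exchange sync still shares it with Terminal Services, which is why QoS or a separate guest VLAN is still needed for that traffic. The flows that bypass the tunnel also no longer pass through whatever filtering the main office applies.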

Author Closing Comment

ID: 39278617
I figured the only solution was going to be new Cisco routers purchased with wireless access for guest networks.  That seems to be the cleanest approach.  Thank you for all your input!!!!


Question has a verified solution.
