
Exchange and Outlook through PIX

dcz

Sep 6, 2002, 9:25:59 PM
Does anybody know of any issues regarding Outlook clients accessing Exchange
Servers through a PIX firewall? We are having extremely slow responses since
moving behind the firewall, even with opening up traffic to selected
Exchange servers.

Thanks in advance.


Walter Roberson

Sep 6, 2002, 10:56:57 PM
In article <albkjb$nc6$1...@bob.news.rcn.net>, dcz <dczit...@yahoo.com> wrote:
:Does anybody know of any issues regarding Outlook clients access Exchange
:Servers through a PIX firewall. We are having extreme slow responses since
:moving behind the firewall. Even with opening up traffic to selected
:Exchange servers.

The combination of Outlook and remote Exchange servers is very messy.
I'm not sure there *is* a way to get it to work without problems,
short of turning off security between the two sites (via a 'sysopt connect'
command.)

Seriously. Every time I look in our logs, I find a new Exchange
related problem. Some of them are undoubtedly due to the fact that
we have local Exchange servers as well, but some of the problems
are clearly inherent in any remote Exchange server setup.

The major players in the equation are the Exchange Servers
and *all* the PDCs and BDCs in the entire organization. And all
the Windows 2000 machines across your entire distributed organization
will probably want to be able to talk freely to your local PDCs
and BDCs. And the remote Exchange servers are going to try to connect
back through to local machines using the RPC port negotiated *days*
ago -- the TCP connection was probably torn down 3 seconds later but the
Exchange servers assume that it is valid for at least 9 days :(

If you are using NAT, then you had better make sure that each remote
location NAT's to a different internal address range, and that the Exchange
servers can connect to those private addresses even if the local
machines are NAT'd to public IPs when they connect to the remote server.
That's because the PDCs and BDCs leak the private addresses to
each other, and the Exchange servers try to use that private
information instead of doing DNS lookups or going through the WINS
server. We see -lots- of attempts to talk via those private IPs... this
isn't just one of those theoretical problems.


I don't have any ideas on why you find the connection slow: mostly it
just subtly doesn't work properly unless you have the right incense
and know how to read the entrails. The one thing I can think of
that tends to lead to slowness is if you are using POP3 and SMTP to
make the remote connections instead of the Exchange protocols: if you
are using these much cleaner interfaces and you are using NAT or PAT,
watch out for IDENT problems, and make triple-sure that all your
public addresses have a well-defined reverse IP lookup -- you can
get into problems if the remote end can't convert the IP address to
a host name on POP3 or SMTP connections.
--
100% of all human deaths occur within 10 miles of Earth.
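
The NAT advice in the reply above, as an added example that is not part of the original thread: a check that each location's internal range is distinct, plus a pass over firewall deny lines that flags flows aimed at private addresses and says which site could own them. The site names, ranges and log lines are constructed, and the log lines are assumed to follow the shape of PIX syslog message 106023.

```python
import ipaddress
import re
from itertools import combinations

# Constructed site plan: the internal range each location uses (assumed names).
SITES = {"hq": "10.1.0.0/16", "branch1": "10.2.0.0/16",
         "branch2": "10.1.128.0/17"}  # branch2 deliberately overlaps hq

# Constructed deny lines in the shape of PIX syslog message 106023.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:10.2.0.15/1042 dst inside:10.1.4.20/135 by access-group "acl_out"
%PIX-4-106023: Deny tcp src outside:10.2.0.15/1043 dst inside:10.1.200.7/1026 by access-group "acl_out"
%PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:203.0.113.5/53 by access-group "acl_out"
"""

# Explicit RFC 1918 list: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DENY = re.compile(r"Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")

def overlapping_sites(sites):
    """Return pairs of site names whose internal ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def owners(addr, sites):
    """Return every site whose range contains addr (more than one means ambiguity)."""
    ip = ipaddress.ip_address(addr)
    return sorted(n for n, c in sites.items() if ip in ipaddress.ip_network(c))

def private_address_denies(log_text, sites):
    """Return denied flows whose destination is an RFC 1918 address."""
    hits = []
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m is None:
            continue
        proto, src, dst, dport = m.groups()
        if any(ipaddress.ip_address(dst) in net for net in RFC1918):
            hits.append((proto, src, dst, int(dport), owners(dst, sites)))
    return hits

if __name__ == "__main__":
    print("overlapping ranges:", overlapping_sites(SITES))
    for hit in private_address_denies(SAMPLE_LOG, SITES):
        print("denied flow to private address:", hit)
```

A destination with two owners is the case the reply warns about: a leaked private address that cannot be routed to one location unambiguously.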
