Outlook 2003 over VPN to Exchange 2003

Digitus

Hi
I've got some strange connectivity issues that I can't seem to work out and
that I'm desperate to resolve.

Background:
We are in the middle of migrating users from Exchange 5.5 (running on W2K) to
Exchange 2003 (running on W2K3). We have some clients that are on Outlook
2000 and some that are on Outlook 2003, but everything is mixed. I.e. we
have Outlook 2000 users on both Exchange 5.5 and 2003 as well as Outlook
2003 users on both Exchange 5.5 and 2003.
We have a mixture of Windows 2000 Professional and Windows XP.
We are NOT using RPC over HTTP.

Problem:
Outlook 2000 always works fine both on the local LAN and over VPN to both
Exchange 5.5 and Exchange 2003.

Outlook 2003 however is giving me some headache. For a user that resides on
Exchange 5.5, Outlook 2003 (cached mode) works brilliantly, but after I've
moved a user from Exchange 5.5 to Exchange 2003 that user has difficulties
connecting to the Exchange 2003 server over VPN. In the office on the local
LAN everything works fine, but when connected over VPN the Outlook 2003
client shows the status as "Trying to connect...". The Outlook 2003 will
stay in this status for a long time (normally about 8 minutes from my
observations) and during this period the Outlook 2003 client seems "frozen".
In the end it will finally connect (at least for me, but some of my users
say it never connects) and everything will seem OK.

Here is what I've tried so far:
Creating a new Outlook profile.
Changing the RPC binding order.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;325930)
Reinstalling TCP/IP on XP to make sure that everything binds correctly.
Reinstalling Office 2003
Changing the DNS settings according to the newsgroup posting "Outlook 2003
over VPN on XP client delay" on the 10th of March by JDTHREE [MVP].
Any combination of the above.

I'm not sure it is Outlook 2003 that is the problem, but rather a
combination of Outlook 2003 and Exchange 2003.

Does anyone have any idea how I can fix this as it has stopped the migration
to Exchange 2003?

Thanks

Best regards,

Jan.

PS. This is posted on:
microsoft.public.outlook.general
microsoft.public.exchange.clients
microsoft.public.exchange.connectivity
 
neo [mvp outlook]

Assuming that DNS and WINS resolution is working correctly over the VPN
connection, you might consider dropping the MTU on the VPN's virtual
adapter.

You also might want to start Outlook with the /rpcdiag command line switch
to see where Outlook is hanging. Would be interested in seeing if it is
hanging on the connection to the Global Catalog server(s) or Exchange
Information Store.
 
Digitus

Thanks Neo for your reply. Well the problem is narrowing down, but getting
stranger. On Sunday I managed to get the connection working after waiting
for over 8 minutes, whereas yesterday it wouldn't connect at all. I did the
/rpcdiag when on the VPN, and that was all just stuck on connecting. It
would however cycle through and use FQDN, fail and then try the NETBIOS
name.

However I've narrowed down the problem further still, and found that it is just
the combination Windows XP, Outlook 2003, Exchange 2003 that gives this
problem (i.e. all the latest MS technologies). Swap any of these for an
older version and it works fine over VPN. I've also tested it over dialup
and that works fine too (albeit slow).

The moment the VPN connection is introduced it fails. Now if you think that
is strange then listen to this. All our offices use a VPN box from Extended
Systems, except for one office which uses MS Windows VPN solution in their
domain. If I make a VPN connection to this office then it works fine (all
offices have IPSEC tunnels between them)!!!

Isn't a VPN connection very much the same no matter which vendor has made
it?
What has changed in the way Outlook 2003 and Windows XP communicates with
Exchange 2003 (sitting on Windows 2003 server), thus causing problems for a
VPN tunnel??

I'm also dealing with the vendor of the solution on this, but anything to
speed this up as it has halted our AD rollout...

Thanks for any insight anyone can shed on this...

Best regards,

Digitus.
 
neo [mvp outlook]

Is the cycling between FQDN/NetBIOS on the DC/GC or Exchange server name?
(Outlook 2003 needs to establish a connection to each. It goes to the DC/GC
first and then Exchange. Exchange 5.5 is a different breed because the
directory and information store is supplied by the Exchange 5.5 box.)

As for VPN connections all being the same.... heck no. The place I work at
uses Nortel as its vendor of choice and the client VPN software disables
Microsoft's IPSec services because it collides with their implementation.
If I ever needed to establish a connection that required Microsoft's IPSec
services, it would never happen.

This makes me wonder if there is some weirdness in authentication. On the
Exchange account property sheets, if you go to the security tab, is it set
to kerberos/ntlm or just ntlm? (I'm wondering if the VPN solution jacks
with kerberos authentication and it might be better to set it to NTLM.
AFAIK, earlier versions of Outlook don't know or can't do kerberos
authentication.)
 
Digitus

Well after a lot of investigating and packet sniffing we have finally found
the cause of this problem. It turned out that our VPN solution was the cause
of the problem and it was dropping Kerberos packets. Outlook 2003 obviously
utilises Kerberos as the preferred method, whereas Outlook 2000 used NTLM.
I've now built up a Windows 2000 VPN server and it works fine over that.
There also seems to be some discrepancy in the implementation of the
Kerberos RFC protocol causing different behaviour over different VPN
solutions. In general if you have problems with connecting to internal
resources over VPN, I would recommend that you try the same over W2K VPN,
and see if that works..

Best regards

Digitus
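
The kind of check a packet capture supports for the root cause reported in this thread, as an added example that is not part of the original posts: it flags Kerberos flows (port 88) that were sent from the VPN client but never answered, while other traffic to the same servers gets replies. The tuple layout, IP addresses and function names are assumptions, and the capture rows are constructed sample data.

```python
from collections import defaultdict

KERBEROS_PORT = 88  # the KDC listens on 88/udp and 88/tcp

# Constructed sample rows: (time_s, proto, src_ip, src_port, dst_ip, dst_port)
# Assumed roles: 10.8.0.5 = VPN client, 10.1.0.10 = DC/GC, 10.1.0.20 = Exchange
CAPTURE = [
    (0.00, "udp", "10.8.0.5", 1050, "10.1.0.10", 53),
    (0.02, "udp", "10.1.0.10", 53, "10.8.0.5", 1050),
    (0.10, "udp", "10.8.0.5", 1061, "10.1.0.10", 88),   # Kerberos request
    (1.10, "udp", "10.8.0.5", 1061, "10.1.0.10", 88),   # retry, no reply
    (3.10, "udp", "10.8.0.5", 1061, "10.1.0.10", 88),   # retry, no reply
    (7.20, "tcp", "10.8.0.5", 1070, "10.1.0.10", 389),
    (7.25, "tcp", "10.1.0.10", 389, "10.8.0.5", 1070),
    (8.00, "udp", "10.8.0.5", 1062, "10.1.0.10", 88),   # Kerberos request
    (9.00, "tcp", "10.8.0.5", 1075, "10.1.0.20", 135),
    (9.04, "tcp", "10.1.0.20", 135, "10.8.0.5", 1075),
]


def flow_stats(packets):
    """Count packets sent and received per flow, keyed from the initiator's side."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    for _t, proto, src, sport, dst, dport in packets:
        reverse = (proto, dst, dport, src, sport)
        if reverse in stats:            # reply to a flow already seen
            stats[reverse]["received"] += 1
        else:                           # first packet defines the initiator
            stats[(proto, src, sport, dst, dport)]["sent"] += 1
    return stats


def unanswered_kerberos(packets):
    """Return Kerberos flows that had requests but no reply at all."""
    return [
        {"proto": k[0], "client": k[1], "client_port": k[2],
         "kdc": k[3], "attempts": s["sent"]}
        for k, s in flow_stats(packets).items()
        if k[4] == KERBEROS_PORT and s["received"] == 0
    ]


def only_kerberos_blackholed(packets):
    """True when every Kerberos flow is unanswered and every other flow got a reply."""
    stats = flow_stats(packets)
    kerb = [s for k, s in stats.items() if k[4] == KERBEROS_PORT]
    other = [s for k, s in stats.items() if k[4] != KERBEROS_PORT]
    return (bool(kerb) and all(s["received"] == 0 for s in kerb)
            and all(s["received"] > 0 for s in other))
```

Running the same check on a capture taken at the server side of the tunnel shows whether the requests are lost on the way in or the replies on the way back.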
 
