RE: VPN and XP $5 Question - a little off topic?

  • From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 24 Feb 2003 10:01:31 -0500

Maybe I am just being dense... but why would my personal firewall allow me to 
map a drive to my machine at home (from work when my machine is still vpn'd) 
but exchange gets unsolicited inbound requests denied?



 -----Original Message-----
From:   Friese, Casey [mailto:cfriese@xxxxxxxxxxxxx] 
Sent:   Sunday, February 23, 2003 7:04 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: VPN and XP $5 Question - a little off topic?

http://www.ISAserver.org


Tom, you're right on.  The UDP packets are "seen" by the firewall but dropped.  
The starvation occurs at the client end though, not the firewall.  UDP 
starvation is most prominent in misconfigured switches and the loss or block 
often happens there.

The exchange server sends scheduled notifications to its clients.  Those 
messages are UDP packets.  This isn't the same type of traffic that is caused 
by the client clicking the "send/receive" button - that is RPC.  The problem 
that I had was that local WinXP clients all plugged into the same switch as my 
servers were not getting new notifications.  I could send a message to myself, 
from myself and neither the message nor the notification would appear until I 
clicked on another folder in my mailbox.  

Clicking on another folder in your mailbox is the reverse and equivalent to 
the exchange sending the UDP update - this time the client sends the UDP packet 
to the exchange server...the starvation doesn't occur in this direction because 
the packet originated from the client. (At least, that's my take on it) 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, February 23, 2003 12:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN and XP $5 Question - a little off topic?




Hi Casey,

That's an interesting concept, "UDP starvation". I've never run into
that term before. Is that different from the issue that the new mail
notification packets are seen by the firewall as unsolicited inbound
connections? That is to say, that these connections are not in response
to a sent UDP packet?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder


-----Original Message-----
From: Friese, Casey [mailto:cfriese@xxxxxxxxxxxxx] 
Sent: Friday, February 21, 2003 7:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN and XP $5 Question - a little off topic?




Simply put Bryan, new mail notifications are udp packets.  Not getting
the notification indicated udp starvation which is caused by your XP
client's firewall.  Yes, it is true that the ISA doesn't inspect tunnel
traffic but the reverse isn't true for the client machine.  The XP
Firewall is still going to inspect traffic coming to it.

Make sure that your clients are including your domain name when they
are connecting via vpn.  Properties -> Options -> 
Include Windows Logon Domain.  

Then, check your LDT to make sure that your domainname.com (or .org,
.net) is listed in there.  

I had this same issue in house but even if the ICF was disabled on the
XP machines.

Alternatively you could stop E2K from sending udp packets for
notifications and switch it to use RPC but that gets messy.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, February 20, 2003 11:19 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN and XP $5 Question - a little off topic?




Hi Bryan,

It's because the new mail notifications are unsolicited inbound requests.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 
 


-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, February 20, 2003 7:37 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN and XP $5 Question - a little off topic?




Well I need to keep a firewall in place (and this issue does go away
when disabling it).

At the end of the day here - I am just trying to figure out why I can
map a drive from my office to my home (that is connected via vpn), yet
Exchange cannot alert the same client that a new email has come in. 

Seems to me RPC is allowed since I can ping and map drives to it. 

My Config:

VPN adapter - no firewall
Network adapter - Firewall enabled.

Thanks All!

 -----Original Message-----
From:   Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent:   Wednesday, February 19, 2003 8:09 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: VPN and XP $5 Question - a little off topic?



Hi Bryan,

Disable ICF and see if that helps.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, February 19, 2003 7:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN and XP $5 Question - a little off topic?




Sorry to drag this on... what about the XP firewall... shouldn't the
tunnel bypass that as well?

Again I can map a drive to my home pc (from work) when the vpn is still
in place (I leave my vpn on pretty much all the time - even when I leave
and go to work).

This would indicate to me that exchange should be able to get to it...
unless it's a matter of exchange not knowing where it is. Do VPN clients
register dynamically in the dns? Does this perhaps have something to do
with this?


 -----Original Message-----
From:   Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent:   Tuesday, February 18, 2003 9:46 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: VPN and XP $5 Question - a little off topic?



Hi Bryan,

That is correct. Anything going through the tunnel is not inspected by
ISA Server.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, February 18, 2003 7:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN and XP $5 Question - a little off topic?




Alas outlook 2002 is imo a pig that takes twice as long to communicate
with E2K giving those horrible messages about delays, etc.

So, maybe this is a stupid question, but is my firewall blocking any
traffic between my client and ISA? I was under the impression that a
tunnel precluded any firewall rules...

Thanks for the response!


 -----Original Message-----
From:   Tom Mendelboim [mailto:tomerm1@xxxxxxx] 
Sent:   Tuesday, February 18, 2003 1:49 AM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: VPN and XP $5 Question - a little off topic?



It's not your ISA VPN connection. Outlook 2K requires a few ports to be
open. You will need to research which port controls the mail
notification. You can run a sniffer to see which ports Exchange is
trying to communicate with at the client interface. This problem was
resolved with Outlook 2002.

Tom

-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] 
Sent: Monday, February 17, 2003 8:25 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN and XP $5 Question - a little off topic?



We have users that connect via XP Pro at their home with the built in
firewall running. They use their Outlook 2000 client to connect to
exchange over vpn. Their outlook will not see a new message unless they
click around... If we turn off the xp firewall, they see messages
immediately as they come in as Exchange and mapi normally do.

Is there something we can do here? It's not that big of a deal but still
a nuisance...

I know that this may not be directly related - but I thought perhaps
someone has run into this with their ISA VPN trials of life...

Thanks for any thoughts!





------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
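
The behaviour discussed in this thread (a new-mail notification that is not a reply to any packet the client sent is dropped, while an exchange the client starts succeeds), as an added Python sketch that is not from any poster. It models a generic stateful UDP filter, not ICF's actual implementation; the timeout, address and port numbers are constructed.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 60  # seconds a UDP flow stays open; assumed value, not ICF's timer


@dataclass
class StatefulUdpFilter:
    """Toy host firewall that admits inbound UDP only as a reply."""
    open_inbound_ports: set = field(default_factory=set)  # static exceptions
    flows: dict = field(default_factory=dict)  # (lport, raddr, rport) -> last seen

    def outbound(self, now, lport, raddr, rport):
        # Traffic the client originates is allowed and creates flow state.
        self.flows[(lport, raddr, rport)] = now
        return "allow"

    def inbound(self, now, raddr, rport, lport):
        if lport in self.open_inbound_ports:
            return "allow"  # port was opened explicitly by the administrator
        key = (lport, raddr, rport)
        last = self.flows.get(key)
        if last is not None and now - last <= IDLE_TIMEOUT:
            self.flows[key] = now
            return "allow"  # reply on a flow the client started
        self.flows.pop(key, None)
        return "drop"  # unsolicited: no matching outbound packet


def replay(events, fw):
    """Run (time, direction, remote, rport, lport) events through the filter."""
    verdicts = []
    for now, direction, raddr, rport, lport in events:
        if direction == "out":
            verdicts.append(fw.outbound(now, lport, raddr, rport))
        else:
            verdicts.append(fw.inbound(now, raddr, rport, lport))
    return verdicts


EXCHANGE = "192.0.2.10"  # constructed server address
NOTIFY_PORT = 4000       # constructed client-side notification port
EVENTS = [  # constructed sample traffic
    (0,   "in",  EXCHANGE, 3000, NOTIFY_PORT),  # new-mail notification, unsolicited
    (5,   "out", EXCHANGE, 3000, NOTIFY_PORT),  # user clicks another folder
    (6,   "in",  EXCHANGE, 3000, NOTIFY_PORT),  # server answers that packet
    (300, "in",  EXCHANGE, 3000, NOTIFY_PORT),  # later notification, state expired
]

if __name__ == "__main__":
    print(replay(EVENTS, StatefulUdpFilter()))
    print(replay(EVENTS, StatefulUdpFilter(open_inbound_ports={NOTIFY_PORT})))
```

The second run shows the effect of opening the notification port on the client, the approach suggested earlier in the thread.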
