RE: SSL & win2k3 & E2k3 & comcast

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 20 Oct 2003 15:00:29 -0400

Doesn't have to be but is certainly recommended.  TCP port 443 blocking
would block requests TO tcp 443 so everything SSL would break including the
E2K requests.  That's not it.  But it could be different at the lower layers
of the stack and it may be that the routers don't like it/deal with it well.

As I recall from the description, the problem is not that it doesn't work,
but that it's 20-30 seconds slower via comcast.  If it were blocked, it
wouldn't work at all, right?  If it's another problem, such as packet
fragmentation, then it would manifest as a slowness while the packets are
reassembled etc. and would be especially noticeable with retries.  Would be
expected on some ATM networks.  That's a theory anyway ;-) 

Al

-----Original Message-----
From: Tony Anderson [mailto:tandersn@xxxxxxxxxxxxxxxxx] 
Sent: Monday, October 20, 2003 2:52 PM
To: [ExchangeList]
Subject: [exchangelist] RE: SSL & win2k3 & E2k3 & comcast

http://www.MSExchange.org/

It would be used if IIS is set to use windows authentication though, would
it not?

Tony
----- Original Message -----
From: "Gabrie van Zanten" <gabrie@xxxxxxxxxxxxxxxx>
To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
Sent: Monday, October 20, 2003 11:51 AM
Subject: [exchangelist] RE: SSL & win2k3 & E2k3 & comcast


> http://www.MSExchange.org/
>
> Hi
>
> About the part where you talk about that comcast is blokking port 443.
> To my knowledge, when you connect to port 80 to visit a website, your
> own port nr is NOT 80, but something above 1024. When doing OWA, traffic
> would look like this:
>
> Home port 1099 -----------> request to OWA ------> port 80
> OWA  port 80   -----------> reply to Home -------> port 1099
>
> I don't think SSL is different in this. For each new SSL connection it
> will use a new portnr. Otherwise it would be impossible to visit more
> then one SSL site at the same time.
>
> So COMCAST blocking 443, is not the issue I think. Maybe for incomming
> to COMCAST they block 443, but that is not used in your connection. And
> if they were blocking 443, there was no connection at all, also not
> after 1minute wait.
>
> Gabrie
>
>
> -----Original Message-----
> From: Tony Anderson [mailto:tandersn@xxxxxxxxxxxxxxxxx]
> Sent: Monday, October 20, 2003 8:41 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: SSL & win2k3 & E2k3 & comcast
>
>
> http://www.MSExchange.org/
>
> It's not a dns issue because simply removing SSL from the picture works
> fine. Http://exchsrv2.cs.washington.edu = instant
> https://exchsrv2.cs.washington.edu/exchange = delay. If it was a DNS
> issue, it would be slow for both. Even after you connect, and get a DNS
> cache, it is still slow. Plus, I added an entry directly to my HOST
> file. 3rd, I have done a netmon capture, and you can see where the
> delays occur, and it's not the initial portion of the conversation
>
> I take ISP out of the picture by doing it at work, asking co workers
> with DSL to try. I have comcast cable at home, and so do about 20% of
> the other users on our network. All comcast users report problems,
> everyone else works fine.
>
> I did do a network monitor capture, I just took a deeper look and it
> appears there is some connection trying to happen to destination port
> 443, which I know COMCAST is blocking, so the problem is related to that
> I imagine.
>
> I have 2 exchange servers, one is win2k & echc2k the other is win2k3 &
> ech2k3. Some users on each (planning to move all users to new one, once
> I solve this problem). Connecting to the older exchsrv works fine, even
> with the SSL. Connecting to the new one has delays.
>
> Is it safe to assume I have something misconfigured, that is telling OWA
> to authenticate via port 443, where as the older one is not? I will look
> into it.
>
> Tony
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com No.1 ISA
> Server Resource Site: http://www.isaserver.org Windows Security Resource
> Site: http://www.windowsecurity.com/ Network Security Library:
> http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
>
>


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------


Other related posts: