Tom, You're right on. The UDP packest are "seen" by the firewall but dropped. THe starvation occurs at the client end though, not the firewall. UDP Starvation is most prominate in misconfigured switches and the loss or block often happens there. The exchange server send scheduled notifications to it's clients. Those messages are UDP packets. This isn't the same type of traffic that is caused by the client clicking the "send/receive" button - That is RPC. The problem that I had was that local winXP clients all plugged into the same switch as my servers were not getting new notifications. I could send a message to myself, from myself and the message nor the notification would appear until I clicked on another folder in my mailbox. Clicking on another folder in your mailbox is the reverse and equilivealnt to the exchange sending the UDP update - This time the client sends the UDP packet to the exchange server...the starvation doesn't occur in this direction because the packet originated from the client. (At least, that my take on it) -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Sunday, February 23, 2003 12:32 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Hi Casey, That's an interesting concept, "UDP starvation". I've never run into that term before. Is that different from the issue that the new mail notification packets are seen by the firewall as unsolicited inbound connections? That is to say, that these connections are not in response to a sent UDP packet? Thanks! Tom Thomas W Shinder www.isaserver.org/shinder -----Original Message----- From: Friese, Casey [mailto:cfriese@xxxxxxxxxxxxx] Sent: Friday, February 21, 2003 7:25 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Simply put Bryan, new mail notifications are udp packets. Not getting the notification indicated udp starvation which is caused by your XP client's firewall. Yes, it is true that the ISA doesn't inspect tunnel traffic but the revers isn't true for the client machine. The XP Firewall is still going to inspect traffic coming to it. Make sure that your client's are including your domain name when they are connecting via vpn. Properties -> Options -> Include Windows Logon Domain. Then, check your LDT to make sure that your domainname.com (or .org, .net) is listed in there. I had this same issue in house but even if the ICF was disabled on the XP machines. Alternatively you could stop E2K from sending udp packets for notifications and switch it to use RPC but that gets messy. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, February 20, 2003 11:19 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Hi Bryan, Its because the new mail notfiications are unsolicited inbound requests. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] Sent: Thursday, February 20, 2003 7:37 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Well I need to keep a firewall in place (and this issue does go away when disabling it). At the end of the day here - I am just trying to figure out why I can map a drive from my office to my home (that is connected via vpn), yet Exchange cannot alert the same client that a new email has come in. Seems to me RPC is allowed since I can ping and map drives to it. My Config: VPN adapter - no firewall Network adapter - Firewall enabled. Thanks All! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Wednesday, February 19, 2003 8:09 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Hi Bryan, Disable ICF and see if that helps. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] Sent: Wednesday, February 19, 2003 7:40 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Sorry to drag this on... what about the XP firewall... shouldn't the tunnel bypass that as well? Again I can map a drive to my home pc (from work) when the vpn is still in place (I leave my vpn on pretty much all the time - even when I leave and go to work). This would indicate to me that exchange should be able to get to it... unless it's a matter of exchange not knowing where it is. Do VPN clients register dynamically in the dns? Does this perhaps have something to do with this? -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, February 18, 2003 9:46 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Hi Bryan, That is correct. Anything going through the tunnel is not inspected by ISA Server. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, February 18, 2003 7:08 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org Alas outlook 2002 is imo a pig that takes twice as long to communicate with E2K giving those horrible messages about delays, etc. So, maybe this is a stupid question, but is my firewall blocking any traffic between my client and ISA? I was under the impression that a tunnel precluded any firewall rules... Thanks for the response! -----Original Message----- From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] Sent: Tuesday, February 18, 2003 1:49 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN and XP $5 Question - a little off topic? http://www.ISAserver.org It's not your ISA VPN connection. Outlook 2K requires a few ports to be open. You will need to research which port controls the mail notification. You can run a sniffer to see which ports Exchange is trying to communicate with at the client interface. This problem was resolved with Outlook 2002. Tom -----Original Message----- From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] Sent: Monday, February 17, 2003 8:25 PM To: [ISAserver.org Discussion List] Subject: [isalist] VPN and XP $5 Question - a little off topic? http://www.ISAserver.org We have users that connect via XP Pro at their home with the built in firewall running. They use their Outlook 2000 client to connect to exchange over vpn. Their outlook will not see a new message unless they click around... If we turn off the xp firewall, they see messages immediately as they come in as Exchange and mapi normally do. Is there something we can do here? Its not that big of a deal but still a nuisance... I know that this may not be directly related - but I thought perhaps someone has ran into this with their ISA VPN trials of life... Thanks for any thoughts! ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cfriese@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cfriese@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')