VPN client having Exchange Connectivity Issues

  • Question

    I am working at a client site today. The client has tasked me with resolving an issue with a remote user who uses the Cisco VPN client to connect to the network.

    The issue at hand based on information that the client has discussed with me is as follows:

    1.  The remote user will launch his Cisco VPN client and it will connect successfully.  Once he is through this, he is logged into the Single Domain at the client site, and has his drive mappings.

    2.  The client will launch Outlook.  For some reason, he gets error messages and his email does not flow.  I had placed a sniffer on the client computer and captured the traffic.  What I saw in the traffic was an ephemeral port 1127 that was trying to connect in to the Exchange server.

    NOTE:  In this customer's topology, there is a Front End Exchange Server in our DMZ, and then the Back End Server is inside.  So the client in this case WOULD NOT connect to the Front End Server 1st, but rather straight thru the tunnel to the Back End server.

     

    I ended up opening port 1127 on our inside Firewall so that it could make it in to our Back End server, and this attempt was successful.  What I do not understand is why that port was being used, and why it was not changing (it is supposed to be ephemeral).

    One thing I cannot have happening is me having to be reactive for this client, and constantly have to change ports on the FW to allow him in.

    Please help.

    KMNRUser


    Kevin Melton
    Monday, April 11, 2011 7:41 PM

Answers

  • Hi KMNR_user,

    Which version of Exchange do you use?
    I would not suggest that you use VPN to connect to the Exchange server.
    Because when we connect to the domain through VPN, the client would act as an internal client to connect to the Exchange server, that means the RPC and MAPI protocols would be used, and they do not use a static port.
    Some information for you:
    http://support.microsoft.com/kb/270836
    http://technet.microsoft.com/en-us/library/bb331973.aspx

    Regards!
    Gavin

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com 
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by KMNR_user Thursday, April 14, 2011 4:59 AM
    Wednesday, April 13, 2011 2:27 AM
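
    An added example, not part of the thread: the answer's point that RPC/MAPI does not use a static port can be checked in firewall logs by looking for a client that reaches the RPC endpoint mapper (TCP 135) and is then denied on a high port of the same server. The log format, addresses and sample lines are constructed; the port ranges are the Windows defaults for dynamic RPC endpoints (1025-5000 on Windows Server 2003 and earlier, 49152-65535 on later versions).

```python
import re
from collections import defaultdict

# Constructed firewall log (not from the thread); addresses are placeholders.
# Assumed format: <time> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2011-04-11T19:02:11 ALLOW 192.0.2.50:3051 -> 10.0.0.20:135
2011-04-11T19:02:11 DENY 192.0.2.50:3052 -> 10.0.0.20:1127
2011-04-11T19:02:14 DENY 192.0.2.50:3053 -> 10.0.0.20:1127
2011-04-11T19:02:15 ALLOW 192.0.2.50:3054 -> 10.0.0.20:445
2011-04-11T19:03:40 DENY 192.0.2.77:4100 -> 10.0.0.20:25
2011-04-11T19:05:02 DENY 192.0.2.50:3060 -> 10.0.0.20:1163
2011-04-11T19:06:30 DENY 192.0.2.77:4101 -> 10.0.0.20:1127
"""

LINE = re.compile(r"^(\S+) (ALLOW|DENY) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
EPMAP_PORT = 135  # RPC endpoint mapper: tells the client which port to use next
DYNAMIC_RANGES = [(1025, 5000), (49152, 65535)]  # Windows default RPC ranges


def is_dynamic(port):
    """True if the port falls in a default dynamic RPC range."""
    return any(lo <= port <= hi for lo, hi in DYNAMIC_RANGES)


def find_blocked_rpc_endpoints(log_text):
    """Return {(client, server): [ports]} for high ports denied after the
    same client was allowed to reach the endpoint mapper on that server."""
    asked_epmap = set()
    blocked = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _, action, src, _sport, dst, dport = m.groups()
        pair, dport = (src, dst), int(dport)
        if action == "ALLOW" and dport == EPMAP_PORT:
            asked_epmap.add(pair)
        elif action == "DENY" and is_dynamic(dport) and pair in asked_epmap:
            blocked[pair].add(dport)
    return {pair: sorted(ports) for pair, ports in blocked.items()}


if __name__ == "__main__":
    for (client, server), ports in find_blocked_rpc_endpoints(SAMPLE_LOG).items():
        print(f"{client} -> {server}: RPC endpoints blocked on {ports}")
```

    The ports reported are ones the server's RPC services registered when they started, so the same port is seen until a service restarts. A firewall exception for one observed port, such as 1127, only holds until the service registers a different one.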

All replies

  • You don't mention the version of Exchange... excluding Exchange 2010 for a second, MAPI clients connect directly to the Exchange server for mailbox... unless they're connected using RPC/HTTPS in which case they'd connect to a FE potentially over 443.. but 443 <> 1127 so it's likely that he's not using RPC/HTTPS, so connection directly to the mailbox server would be expected.
    Monday, April 11, 2011 7:48 PM
  • Once you are inside the domain & access the resources (successful drive mapping etc.) then there shouldn't be any need to open any additional port(s).

    Is this an issue with just one user or more..?

    Are you able to ping exchange server in question?

    What is the typical error message you get when Outlook doesn't work?

    I would suggest reproducing the problem by telnetting on port 25 from the VPN client and checking the mailflow using telnet to see if that is successful.


    Regards, Pushkal MishrA
    Monday, April 11, 2011 8:15 PM
  • I agree with your first statement entirely.  That is what makes this issue unorthodox.

    It is an issue with just one user.

    We can ping the exchange server from the client once he is connected.

    I am not certain whether the user does get any error message, or whether he just doesn't get mail.  I think it is that he cannot connect to Exchange.... (disconnected message).  I need to verify this.

    I will try telnetting to 25.

    thanks Pushkal


    Kevin Melton
    Monday, April 11, 2011 8:39 PM
  • Hi KMNR_User,

    Any update for your issue?

    Regards!
    Gavin

    Tuesday, April 12, 2011 9:58 AM
  • No Update yet, Gavin.  I will be back onsite at that client tomorrow and will be able to test the recommended solutions then.
    Kevin Melton
    Tuesday, April 12, 2011 1:09 PM
  • To test connection using telnet please use this link

    http://support.microsoft.com/kb/153119

     

    Also, if you see you can successfully submit emails using telnet & OWA (Outlook Web Access) works fine, then I recommend recreating the Outlook profile and seeing if that makes a difference, Kevin.

    Regards, Pushkal MishrA
    Tuesday, April 12, 2011 3:39 PM
  • thanks for the response. 
    Kevin Melton
    Thursday, April 14, 2011 5:00 AM