Screen OS

File server: Windows Server 2003 (Public IP)
Mail server: Exchange Server 2003 (Public IP)
Client side: Outlook 2003

Juniper SSG-140.6.1.0r3.0 (Transparent Mode)
Firewall policy: untrust to trust MyDomain to Server AnyService permit

When the two servers are behind the firewall, the Outlook 2003 always disconnects with the servers for a while (then the Outlook is hanged up) and resume again later, especially after clicking the "Send" or "Address List" button.

Thank you for your kindly solutions.

Hi ENTJames,

 There are some know issies with timeout values in the netscreen which can cause this.. even if you have an allow any rule...

The problem is that the server and client still have an active session, but the netscreen drops the session because of an idle timeout.

Therefore outlook has to timeout before it tries a new connection.

Also see this thread:

http://forums.juniper.net/jnet/board/message?board.id=Firewalls&message.id=4157&query.id=1023158#M4157

I hope this resolves your issue!

Kind regards,

Dennis

Name:       MS-EXCHANGE-DATABASE
Category:   other          ID:  0   Flag:  Pre-defined

Transport      UUID                                                              Timeout(min)            Application
MS-RPC       1a190310-bb9c-11cd-90f8-00aa00466520                  30

I had checked the details of these services. The default timeout of these services is 30 minutes. I think the 30-min timeout does not cause the unstable connection. Am I right?

Anyway, I am going to change the services timeout.

Can you try these 2 settings and see how it works for you?

set ser MS-NETLOGON time 2

set service MS-AD-DRSUAPI time 2

Both of these services are usually set to a default of 1 min on the FW. I have had many instances where 1 min is not long enough. 2mins is a good timer but you can extend it if required depending on your network infrastructure.

Let me know if this helps.

I had changed the timeout setting to 30 minutes. It seems OK!!! Thanks.

May I ask some more foundamental questions?

Which ports/services are involved between the clients and Exchange 2003 server?

Which ports/services are involved when the clients using "net use" command to map their remote storage drive to Windows Server 2003?  And how about the ports/services with DHCP server?

The firewall is ssg140.6.1.0r3.0

Thanks in advance !!

Hi ENTJames,

Good to hear that your issue has been resolved!

DHCP/BOOTP goes over UDP 69. Net use/exchange i don't know, but i tend to see a lot of traffic on tcp ports 445/1024/1025 and the netbios ports (135-139) when it comes to microsoft traffic.

Dennis

You might want to consider addressing this from the Microsoft side of this and implement Outlook "RPC over HTTPS", a.k.a. "Outlook Anywhere".  This requires only TCP 443 between the clients and the Exchange server, and works very well.  It's a lot more tolerant of network hiccoughs is also a great solution for mobile workers.

Dennis 

Just a thought but Outlook tends to need a range of ephemeral ports which you can lock down. It might be that you have either got these ports open (Bad thigs will happen) or you have not locked them down correctly. The following link explains how to lock them down:

http://support.microsoft.com/kb/270836

There may also be some other Micro$oft articles on this so have a look on their site.

Hope this helps.

Gavrilo

SSG140-> get service dhcp-relay
Name:       DHCP-Relay
Category:   info seeking   ID:  0   Flag:  Pre-defined

Transport    Src port     Dst port   ICMPtype,code  Timeout(min|10sec*) Application
udp           0/65535        67/67                         5         None
udp           0/65535        68/68                         5         None

I changed the timeout of DHCP service to 5 minutes, but the computers still cannot get IP assigned by DHCP service. What wrong with me?

Thank you and thank you in advance.

So my guess is the SSG is the DHCP Relay agent? You need to make sure you have configured it correctly:

PC --> (eth1) FW (eth3)--> DHCP Server