Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Working With Outlook 2003 through firewall SSG320M

    Posted 11-05-2008 05:55

    Hi

     

    My workstations are on one subnet and the servers on another subnet.

    Everything works fine, except Outlook.

     

    When I try to send mail (when pressing the Send button), sometimes it hangs for about 10-40 sec.

    I ran outlook /rpcdiag and I noticed that when this problem occurs there is one error in the connection to the DC server.

     

    I configured Exchange 2003 to use static ports.

    I opened Any-Any in the firewall.

    I tried to change the timeout of some services on the firewall.

     

    All of this didn't solve the problem.

     

    Need your help.

     


    #Outlook
    #exchange


  • 2.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 11-05-2008 13:20

    I know there have been issues in some ScreenOS releases with service timeouts. Maybe this is related to your issue.

     

    Check this KB article:

     http://kb-beta.juniper.net/index?page=content&id=KB9230&actp=search&searchid=1225919749739



  • 3.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 11-06-2008 01:31

    1. Modify the service timeouts as shown below:

      set service MS-EXCHANGE-DATABASE timeout 60
      set service MS-EXCHANGE-DIRECTORY timeout 60
      set service MS-EXCHANGE-INFO-STORE timeout 60
      set service MS-EXCHANGE-MTA timeout 60
      set service MS-EXCHANGE-STORE timeout 60
      set service MS-EXCHANGE-SYSATD timeout 60
      set service MS-RPC-EPM timeout 60

     

    2. Create a new 'trust to untrust' policy at top and include service group ms-exchange and ms-rpc-epm as shown below (this assumes you do not already have a policy id 100):

      set policy id 100 top from trust to untrust any any ms-exchange permit
      set policy id 100
      set service MS-RPC-EPM
      exit
      save

     

     

    I don't understand what section 2 means.

     

    On my firewall there are 2 networks: Lan-Users, Lan-Servers

     

    So do I need to put a policy on top of the Lan-Users policies with this configuration: Lan-Users to Exchange server, MS-Exchange services group, MS-RPC-EPM?

     

     

     



  • 4.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 11-06-2008 01:37

    The meaning of the policy entry is to make sure the traffic hits on the customized services. So a policy on top of the list from user zone to server zone with these services is indeed what you need.

     

    Dennis



  • 5.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 11-10-2008 09:15

    I put the Lan-Users to Exchange rule on top,

    and I also upgraded the firmware to the latest version.

     

    Outlook still hangs when pressing Send or list for users.

     

     

     



  • 6.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 11-10-2008 19:48
    We saw a similar case, where timeouts were occurring on TCP port 1025 and 1026.  That was matching the msnetlogon service, and after increasing the timeout on that, it seemed to resolve the problem.  See if modifying the timeout on ms-netlogon helps.


  • 7.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 11-11-2008 07:57

    I changed the timeout for MsNetlogon and also for all Exchange and AD services.

    I set the timeout to 120 minutes.

     

    After some time working with Outlook we get the yellow message that Outlook lost connection to the DC.

     

    Is there anyone out there who has an SSG firewall between the servers and the clients

    and isn't having problems with Outlook?

     



  • 8.  RE: Working With Outlook 2003 through firewall SSG320M
    Best Answer

    Posted 11-12-2008 05:46

    Solved :)

     

    We disabled the MS RPC ALG on the firewall

    and created a custom service for MS RPC port 1025 TCP and used it instead of the predefined RPC service.

     

    To disable the MS RPC ALG you need to uncheck "Microsoft RPC" in the Security > ALG menu.

     

     



  • 9.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 11-12-2008 05:47

    Hmm, that explains why it's not bothering me... We're not using that ALG.

     

    Thanks for the solution!



  • 10.  RE: Working With Outlook 2003 through firewall SSG320M

    Posted 02-04-2009 08:28
    What version of code are you guys using that is experiencing this issue?