Outlook 2003 over VPN on XP client delay

JDTHREE [MVP]

Here's the scoop - hopefully someone has suggestions. This is
reproducible on about any hardware platform I've tried it with.

XP client connecting to an exchange server running outlook 2003.
Exchange servers tested have been 5.5SP4 and 2003 - I haven't tried
this with 2000 since I have no 2000 exchange server running anywhere.

The VPN is initiated, and connectivity established prior to opening
any programs.

I've tried this with Sonicwall firewalls using the secure remote
client, as well as Watchguard firewalls using their secure remote
client. The VPNs are configured to give the user full access - using
the "any" rule. That's been tested and verified that indeed no ports
tested are blocked.

So connectivity is established to the internal corporate network -
single subnet, single segment. Nothing fancy. All internal machines
are on a 172.16.x.x network.

Prior to bringing up Outlook, I can map drives to the exchange server,
I can remotely manage it by right clicking the "My Computer" icon on
my XP desktop, select manage, then connect to the exchange server.
Full access. The Exchange server can be pinged by IP, netbios name,
or FQDN. Diagnostics for AD and network all run without errors
between the servers. I've even installed WINS servers and put in
hosts and lmhosts files to ensure name resolution.

As I said, from the time the VPN is established there is immediate and
fast connectivity to the exchange server. Mapping drives, remotely
admining, RDP, PC Anywhere, everything works just great.

However, on the initial connection of Outlook 2003, there's a two
minute or up delay. It takes sometimes up to three or four minutes to
establish the connection to the exchange server and start transferring
mail. If I hit the "send / receive", it'll sit there at zero, no
errors, just waiting for two or three minutes before it can actually
exchange data with the exchange server.

The current client I'm testing is a tablet PC. I have an image of the
tablet in a "pre-office" state. I can install office 2000 or 2002,
and this problem doesn't happen. I can revert back to the pre-office
image, then install 2003, and the problem is there. Back to another
version of office, the problem goes away.

I've had this happen on desktops as well as tablets and notebooks.
But all the searching I've done so far in the exchange and outlook
groups has turned up nothing. Figured I'd try one of the technet
managed groups to see if I can find anything this way.

Thanks for any help.

John
 
Well described. Could you tell me whether this is with Outlook 2003 in
cached mode or not in cached mode?

--
Roady [MVP]
www.sparnaaij.net
Microsoft Office and Microsoft Office related News
Also Outlook FAQ, How To's, Downloads and more...

Tips of the month:
-Create your own fully customized Toolbar
-Creating a Classic View in Outlook 2003
Subscribe to the newsletter to receive news and tips & tricks in your
mailbox!
www.sparnaaij.net

(I changed my reply address; remove all CAPS and _underscores_ from the
address when mailing)
 
> Well described. Could you tell me whether this is with Outlook 2003 in
> cached mode or not in cached mode?

Wow, that is about the fastest reply I've ever gotten on a post!

;) I try to save all the inevitable questions that I would ask if
someone else had posted the question. <G> In the tablet group,
there's always that "this doesn't work" with no fleshing out of the
details of the topology. I didn't want to get an initial reply of
"Can you give more information?" like I ask so often over there.

Happens in both cached and uncached mode. (forgot to mention that in
the first post, sorry). Also happens whether or not I am using an OST
file. (should've mentioned that too). I'm sick, so I will fall back
on that as my excuse, rather than the probably more correct reason of
an onset of early senility or something. :)

But when I do it not in cached mode, it takes the full two to three
minutes to just come back with what seems to be just a timeout error -
"Your exchange server is unavailable", with an option to give up or
retry. When I retry, it just goes into a not-responding state. Even
while it's doing this, I can map the drives, telnet to port 25, hit
imap with my PPC. Whereas in cached mode, at least I can see the
contents while waiting for the connection.

It also seems to take longer to make the connection when cached mode
is turned off. More like 4 to 5 minutes, but that could be because of
the error it pops up the first time, and when you try to reconnect, it
does the same thing again. I'm half tempted to install sniffer
software on the tablet here to watch what's actually going in and out,
but I don't know enough about the lower level communication between
the client and the server to know what would be normal and not. :)

Thanks

John
 
> As I said, from the time the VPN is established there is immediate and
> fast connectivity to the exchange server. Mapping drives, remotely
> admining, RDP, PC Anywhere, everything works just great.
>
> However, on the initial connection of Outlook 2003, there's a two
> minute or up delay. It takes sometimes up to three or four minutes to
> establish the connection to the exchange server and start transferring
> mail. If I hit the "send / receive", it'll sit there at zero, no
> errors, just waiting for two or three minutes before it can actually
> exchange data with the exchange server.

Redo the Outlook profile and enter the FQDN for the exchange server, not
the NB Name. Also, even though you've pointed out that everything
resolves properly by name, are you sure that you put the DNS server on
the remote side as the first DNS server in the VPN Network setting?
 
Well the ports you mentioned are not being used when you are using an
Exchange account type. Have you looked at the response Leythos gave?

--
Roady [MVP]
 
I understand those ports are not in use by the client - I simply used
it as an example of the name resolution and connectivity working
instantly for everything else. :)

Yes, saw Leythos' reply, but still no difference.

Thanks

John
 
> Redo the Outlook profile and enter the FQDN for the exchange server, not
> the NB Name. Also, even though you've pointed out that everything
> resolves properly by name, are you sure that you put the DNS server on
> the remote side as the first DNS server in the VPN Network setting?

Already did the FQDN for a profile, made no difference.

The first DNS server entry, though, is one I hadn't tried yet. I
hadn't thought about that since I had added entries for not only the
lmhosts file but also the hosts file. I had assumed (very likely
incorrectly) that it would look at the hosts file before doing a DNS
query to the named servers.

I'll try the DNS server change, and see what happens.

Thanks for the idea. :)

John
 
> Already did the FQDN for a profile, made no difference.
>
> The first DNS server entry, though, is one I hadn't tried yet. I
> hadn't thought about that since I had added entries for not only the
> lmhosts file but also the hosts file. I had assumed (very likely
> incorrectly) that it would look at the hosts file before doing a DNS
> query to the named servers.
>
> I'll try the DNS server change, and see what happens.
>
> Thanks for the idea. :)
>
> John

OK, tried that, still no change. I like that idea though - thinking
it through, the nice thing is that if the VPN is open, the DNS queries
will go through the internal server, so if it's an internal machine,
they'll get the internal address, and if it's external, it'll just
forward it as any DNS server would. And if they're not VPN'd in, then
that DNS server isn't reachable, so won't give any internal address
info if they're trying to connect to something with our domain name
that's an external resource. Funny how some things make sense but you
never think of them till someone rubs your nose in it. :)

Only question I'd have is how much of a delay is there when a DNS
query happens and it has to wait to not get a response from that
server it can't reach? I'll have to do some testing when I'm home
tonight.

I've only seen a couple posts about my particular problem, but I've
seen similar posts with similar issues for people trying to set up a
profile from a remote location when connecting to the corporate
network via a VPN. Seems the core issue might be the same - the delay
in the initial connection to the server. I wonder if those people,
when they finally get the profile created, either eventually over the
VPN or by bringing the notebook into the network locally to set it up,
exhibit any of the symptoms I see when they get it back to a remote
location over a VPN?

Oh well, still trying things, so maybe I'll get a resolution yet. :)

John
 
> Only question I'd have is how much of a delay is there when a DNS
> query happens and it has to wait to not get a response from that
> server it can't reach? I'll have to do some testing when I'm home
> tonight.
>
> I've only seen a couple posts about my particular problem, but I've
> seen similar posts with similar issues for people trying to set up a
> profile from a remote location when connecting to the corporate
> network via a VPN. Seems the core issue might be the same - the delay
> in the initial connection to the server. I wonder if those people,
> when they finally get the profile created, either eventually over the
> VPN or by bringing the notebook into the network locally to set it up,
> exhibit any of the symptoms I see when they get it back to a remote
> location over a VPN?

All indications point to a DNS problem. I've seen it a zillion times. I
set up remote connections every week for new businesses and when I come
into an existing location with problems like you describe it's always
DNS.

If you have the VPN set up with the local company's DNS server, and use
Forwarders on the DNS server, they don't need LMHosts or Hosts anywhere.
In fact, you don't want to use that combination with DNS.

My own company network is set up where I VPN into the Firewall, use an
assigned IP, and then all DNS is pointed from my laptop to my internal
DNS server - no public DNS server is used.

If you do this using tunnels between locations you can even join
computers to the domain (nice to have fixed tunnels between offices).
I've even joined domains remotely through a PPTP VPN tunnel - you have
to have good DNS.

How about doing a scavenge on the DNS zones, clearing the DNS cache,
then do an IPCONFIG /FLUSHDNS on each of the testing remote
workstations. Also, restart the DNS service before you run the test.
 
According to this article you should be lucky you have a connection at all
<http://support.microsoft.com/?id=824123>

I'll post more when I know more :-D

--
Roady [MVP]
 
> According to this article you should be lucky you have a connection at all
> <http://support.microsoft.com/?id=824123>
>
> I'll post more when I know more :-D

Actually, the VPN should be transparent to Outlook. If the VPN is
properly configured then Outlook would not even know there was a VPN.

It's related to DNS, I'm sure of it, I've seen it many times. What we
don't know is how DNS is resolving on his network through the VPN.

I use Outlook in more than 100 locations where the clients VPN into
their networks from Home or Hotel and use Outlook (2000, 2003) without
any problems - it's all about DNS through the VPN.

One quick way to determine the issue would be to enter a HOST entry in
the user's system (their local computer) that contains the NB name of the
exchange server, another for the FQDN name of the server, and make sure
they point to the right locations.
 
> Actually, the VPN should be transparent to Outlook. If the VPN is
> properly configured then Outlook would not even know there was a VPN.
>
> It's related to DNS, I'm sure of it, I've seen it many times. What we
> don't know is how DNS is resolving on his network through the VPN.
>
> I use Outlook in more than 100 locations where the clients VPN into
> their networks from Home or Hotel and use Outlook (2000, 2003) without
> any problems - it's all about DNS through the VPN.
>
> One quick way to determine the issue would be to enter a HOST entry in
> the user's system (their local computer) that contains the NB name of the
> exchange server, another for the FQDN name of the server, and make sure
> they point to the right locations.

Again, I would agree, except if it were this, then why would the exact
same configuration not have any problems with office 2000 or 2002?

Remember, this tablet has a ghost image of its "pre-office"
existence. If I go to that pre-office state, I can install any
version of office *except* 2003 and it works just fine. Since the
networking is *identical* between them, I would expect to have similar
problems with any other version of office. Unless office 2003's
install is changing networking components behind my back, the network
side of things is all based on the ghost image, and doesn't get
changed at all after installing office. All I do is put the image
back on the tablet, install my office version to try this all out, and
configure a profile.

I also have a couple hundred users over VPNs to various locations and
companies, either branch tunnels or end users at home running the
secure client on their home computers. Nobody has any problems - nor
do I, unless I try it with 2003. I've gone through just about every
combination of host files, lmhost files, DNS settings, etc, that I can
think of. I can't find anything that makes any difference. And
everything, and I mean *everything* I could possibly ever need to do
over the connection works fine - including DNS only things like IE to
all the internal machines, including this 2003 exchange server. I can
open IE and using my internal DNS servers, get at it via its name
(http://mailsrv/exchange).

I'm thinking I'm just going to have to live with it - and make sure my
users know about the issue before anyone migrates to 2003. Though I
haven't tried it over a MS VPN yet - maybe for the hell of it I'll
drop a test server in the mix, that I can use to access using the
native microsoft VPN rather than using the secure client via the
firebox. Would really irritate me if it turns out to have something
to do with the client software. :) But at this point I'd settle for
any solution.

Thanks for the ideas guys.

john
 
OK, update. Thanks Leythos, because you helped me finally get past
the fact that outlook 2000 or 2002 didn't exhibit this problem. Once
I stopped worrying about that fact, and simply dealt with the fact
that outlook 2003 didn't work, I stopped worrying about what was
different between them, and focused only on why resolution seemed to
hang so much.

It was your comment on DNS that finally pushed me to that point -
because you were right. And I knew you were right - I just kept
getting hung on the fact that "it doesn't do it for any other outlook
version." :)

When I got rid of everything else, and had nothing but the FQDN in a
host file, it worked immediately. So I lost the host file (nothing
but a band-aid anyway), flushed DNS, then I went back to a clean slate
and did your suggestion of having the internal DNS server as my
primary, and an external one as my secondary.

And even though I had done this before and it failed, this time it
worked. But I might have only removed an entry from the host file,
rather than deleting it completely that time.

Evidently I've spent too much time this week migrating my company to
the new exchange 2003 server, and just couldn't get past my hangup
about the other versions. :) Thanks for the shove!

John
 
Sorry to hassle you John but as you've seemed to resolve the problem, I'm wondering if you could explain the "fix" in semi-IT literate terms. ie. I am a lot more literate than the average but certainly don't understand a lot of the techo speak you guys used to resolve this.

I have been getting so mad at MS and wasting so much time. I installed Office 2003 on my new home laptop for no other reason than that's what I was sold. Of course, the last thing I expected (perhaps rather naively) was that it wouldn't work the same as 2000!! So I set up my VPN connection which I've done a million times for everyone at work, to connect to Exchange 2000 at work and of course, it doesn't work!! I've been posting here and no-one had solutions but knew of the problem. MS have been so unhelpful it's even surprising for them!! They refuse to send me lic to be able to downgrade to 2000 and of course, it's been opened so their suggestion of returning to the seller is ridiculous. They offered I could spend a few hundred more dollars to speak with a technical expert there or spend yet more money and purchase 2000 from somewhere!

Very frustrating as you understand!! If you were able to explain what you've done in simpler terms, I'd be so grateful!

jan
(e-mail address removed) (temporary until VPN works!!)
 
> One quick way to determine the issue would be to enter a HOST entry in

I have added the server name & IP address to the host file. What is FQDN? And what do you mean by pointing to the right locations?

Any help would be greatly received

Jane
 
> OK, update. Thanks Leythos, because you helped me finally get past
> the fact that outlook 2000 or 2002 didn't exhibit this problem. Once
> I stopped worrying about that fact, and simply dealt with the fact
> that outlook 2003 didn't work, I stopped worrying about what was
> different between them, and focused only on why resolution seemed to
> hang so much.
>
> It was your comment on DNS that finally pushed me to that point -
> because you were right. And I knew you were right - I just kept
> getting hung on the fact that "it doesn't do it for any other outlook
> version." :)
>
> When I got rid of everything else, and had nothing but the FQDN in a
> host file, it worked immediately. So I lost the host file (nothing
> but a band-aid anyway), flushed DNS, then I went back to a clean slate
> and did your suggestion of having the internal DNS server as my
> primary, and an external one as my secondary.
>
> And even though I had done this before and it failed, this time it
> worked. But I might have only removed an entry from the host file,
> rather than deleting it completely that time.
>
> Evidently I've spent too much time this week migrating my company to
> the new exchange 2003 server, and just couldn't get past my hangup
> about the other versions. :) Thanks for the shove!

John, glad I could "Push" you in the right direction. I've been kicked
so many times by DNS not properly replicating (or not waiting for it to
replicate) or by having bad records cached....

Now, one last thing - remember to set the Scavenge bit to true for ALL
DNS ZONES so that it cleans it up every 3 days (default is OFF and 7
days).

If you need anything else, post and we'll help.
 
> Sorry to hassle you John but as you've seemed to resolve the problem, I'm wondering if you could explain the "fix" in semi-IT literate terms. ie. I am a lot more literate than the average but certainly don't understand a lot of the techo speak you guys used to resolve this.
>
> I have been getting so mad at MS and wasting so much time. I installed Office 2003 on my new home laptop for no other reason than that's what I was sold. Of course, the last thing I expected (perhaps rather naively) was that it wouldn't work the same as 2000!! So I set up my VPN connection which I've done a million times for everyone at work, to connect to Exchange 2000 at work and of course, it doesn't work!! I've been posting here and no-one had solutions but knew of the problem. MS have been so unhelpful it's even surprising for them!! They refuse to send me lic to be able to downgrade to 2000 and of course, it's been opened so their suggestion of returning to the seller is ridiculous. They offered I could spend a few hundred more dollars to speak with a technical expert there or spend yet more money and purchase 2000 from somewhere!!
>
> Very frustrating as you understand!! If you were able to explain what you've done in simpler terms, I'd be so grateful!!
>
> jane
> (e-mail address removed) (temporary until VPN works!!)

You need to have your Network settings on the VPN client point to the
INTERNAL LAN DNS SERVER in the COMPANY NETWORK.

If that fails, enter the server name and the server's FQDN in a host file
and enter the INTERNAL IP address on the company network. Make sure that
you resolve using the HOST file first if you use it.

This is a DNS issue, I promise.
 
> I have added the server name & IP address to the host file. What is FQDN? And what do you mean by pointing to the right locations?
>
> Any help would be greatly received!
>
> Jane

Hi Jane. FQDN is Fully Qualified Domain Name. So if you have a mail
server named "mail1" and your active directory domain is, say,
"domain1.com" then the FQDN of your mail server would be
mail1.domain1.com

I had tried this a few times before, but it didn't work. One thing I
did was the ipconfig /flushdns before trying to connect to the mail
server via the VPN after changing my DNS to point to my internal
server. I didn't really do anything new this time that I hadn't done
before, I think it was just the order that I did it this time after
getting irritated. :) Might also be that I hadn't deleted my lmhosts
file the prior times testing. Beat at a computer long enough,
eventually it becomes submissive again.

So for the hosts file - depending on operating system, it's located at
either
c:\windows\system32\drivers\etc (XP client, for example)
or
c:\winnt\system32\drivers\etc (2000 client for example)
or
c:\windows (9x/ME client for example)

The hosts file is a plain text file that has the IP of a machine, and
the name of the machine after it. I use tabs between IP's and names,
to keep the lineup consistent. For example:

216.109.127.60 mail.yahoo.com
131.107.8.43 mail.microsoft.com

You get the idea. As far as "pointing it to the right locations" he
meant to ensure that the entries were correct - that they contained
the correct IP address.

Hope this helps.

John
 
> John, glad I could "Push" you in the right direction. I've been kicked
> so many times by DNS not properly replicating (or not waiting for it to
> replicate) or by having bad records cached....
>
> Now, one last thing - remember to set the Scavenge bit to true for ALL
> DNS ZONES so that it cleans it up every 3 days (default is OFF and 7
> days).
>
> If you need anything else, post and we'll help.

Did that. Thanks. One final question then, more a "best practice"
question than troubleshooting.

My AD domain name is the same as our real life domain name, so I have
split DNS. My DCs take care of the internal clients, and resolve the
computers to internal names. I then have my primary and backup DNS
servers in the DMZ that host our external addresses. If I set people
up like this, they will end up having a hard-coded internal address
for a machine they might have to access externally (for example, to
get at outlook web access without being VPN'd in).

I'm guessing the easiest and probably most sensible way to deal with
conflicts like that is to just give my external DNS a different host
name - for example, rather than mailsrv, call it OWA or something
instead. Since even giving it an alias, the final step would still be
to resolve it to the hostname, and if that happened, their hosts file
will still point them to the non-routable 172.16.x.x address.

So is the best practice to simply change host names externally to
alleviate any problems resolving names for machines that have both
internal and external functions?

Thanks! I'll have to dig into outlook 2003 a bit deeper, and its
communications. I'm guessing that it's relying on DNS in AD rather
than just netbios name resolution, which explains perfectly why I kept
getting hung up that the other versions worked, but 2003 failed, even
though everything else was using DNS just fine to this particular mail
server.

Thanks again! It's amazing how much nicer it is to VPN using 2003 now
that there's no delay. :D

John
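
Two hosts-file problems come up in this thread: a leftover entry that was edited rather than deleted, and a name pinned to a 172.16.x.x address that also has to resolve from outside the VPN. Both can be checked mechanically. The following is an added example, not code posted by anyone in the thread; the sample file, the `example.com` names and the `public_names` parameter are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges; the thread's internal network is 172.16.x.x.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample hosts file; names and addresses are placeholders.
SAMPLE_HOSTS = (
    "# constructed sample\n"
    "127.0.0.1\tlocalhost\n"
    "172.16.0.10\tmailsrv\tmailsrv.example.com\n"
    "172.16.0.11\tMAILSRV   # stale leftover, different address\n"
    "198.51.100.7\twww.example.com\n"
    "172.16.300.1\tbadhost\n"
)


def parse_hosts(text):
    """Parse hosts-file text into (entries, errors).

    entries: (line_number, ip_address, lower-cased name), one per name.
    errors:  (line_number, kind, detail) for lines that cannot be used.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments, then split on any run of tabs or spaces.
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append((lineno, "invalid", fields[0]))
            continue
        if len(fields) == 1:
            errors.append((lineno, "no-name", fields[0]))
            continue
        for name in fields[1:]:
            # Host names are case-insensitive, so compare in lower case.
            entries.append((lineno, ip, name.lower()))
    return entries, errors


def audit_hosts(text, public_names=()):
    """Return sorted findings as (line_number, kind, detail).

    public_names (an assumption of this example): names users must also
    reach without the VPN, such as an OWA host, so pinning them to an
    internal address breaks access from outside.
    """
    entries, findings = parse_hosts(text)
    public = {n.lower() for n in public_names}
    by_name = defaultdict(list)
    for lineno, ip, name in entries:
        by_name[name].append((lineno, ip))
    for name, hits in by_name.items():
        # Same name mapped to different addresses: at least one is stale.
        if len({ip for _, ip in hits}) > 1:
            findings += [(lineno, "conflict", name) for lineno, _ in hits]
        for lineno, ip in hits:
            if name in public and any(ip in net for net in RFC1918):
                findings.append((lineno, "pinned-internal", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, ["mailsrv.example.com"]):
        print(finding)
```

To check a real client, pass the text of the hosts file from one of the locations listed above instead of `SAMPLE_HOSTS`.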
 