Dragon Wood
2002-May-14 03:24 UTC
[Shorewall-users] Slow Exchange Server connection via PPTP
We've just installed Shorewall 1.2.12 (LEAF version). Everything is working great except that when I connect to the company's network via PPTP (our PPTP server is on the loc side of the firewall), the initial connection to our exchange server using Outlook is very slow - often times out. I already have reject net fw auth in the rules just in case. What else might be causing this slowness?

Thanks,
Tom Eastep
2002-May-14 03:30 UTC
[Shorewall-users] Slow Exchange Server connection via PPTP
On Mon, 13 May 2002, Dragon Wood wrote:

> We've just installed Shorewall 1.2.12 (LEAF version). Everything is working great except that when I connect to the company's network via PPTP (our PPTP server is on the loc side of the firewall), the initial connection to our exchange server using Outlook is very slow - often times out. I already have reject net fw auth in the rules just in case. What else might be causing this slowness?

From your post, I'm very unclear about the network topology. Can you clarify?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Dragon Wood
2002-May-14 04:04 UTC
[Shorewall-users] Slow Exchange Server connection via PPTP
Sure Tom. I believe our topology is fairly standard (similar to your own actually). The LEAF firewall has 3 interfaces. eth0 is connected to our ISP via a DSL router. eth1 is connected to a switch to which all of our local LAN computers are connected to. eth2 is the dmz and is connected to a server serving www etc.

The exchange server is one of the machines in the LAN connected to eth1 via the switch. The firewall static NATs one of the external IPs to the exchange server, and we have POP and IMAP open to the exchange server in rules. The Windows machine that runs the exchange server is also running MS PPTP, and we have rules that allow PPTP clients to connect to that box from the internet (i.e., working remotely). The slowness I observe is when I VPN (PPTP) to the office, and then use Outlook to connect to the Exchange server via the PPTP VPN. It takes at least 2-3 minutes to make the initial connection (I am using a broadband internet connection at home) and Outlook often times out before the connection is made.

Hope that's clearer.

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Mon, 13 May 2002, Dragon Wood wrote:
>
> > We've just installed Shorewall 1.2.12 (LEAF version). Everything is working great except that when I connect to the company's network via PPTP (our PPTP server is on the loc side of the firewall), the initial connection to our exchange server using Outlook is very slow - often times out. I already have reject net fw auth in the rules just in case. What else might be causing this slowness?
>
> From your post, I'm very unclear about the network topology. Can you clarify?
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-May-14 13:49 UTC
[Shorewall-users] Slow Exchange Server connection via PPTP
On Mon, 13 May 2002, Dragon Wood wrote:

> Sure Tom. I believe our topology is fairly standard (similar to your own actually). The LEAF firewall has 3 interfaces. eth0 is connected to our ISP via a DSL router. eth1 is connected to a switch to which all of our local LAN computers are connected to. eth2 is the dmz and is connected to a server serving www etc.
>
> The exchange server is one of the machines in the LAN connected to eth1 via the switch. The firewall static NATs one of the external IPs to the exchange server, and we have POP and IMAP open to the exchange server in rules. The Windows machine that runs the exchange server is also running MS PPTP, and we have rules that allow PPTP clients to connect to that box from the internet (i.e., working remotely). The slowness I observe is when I VPN (PPTP) to the office, and then use Outlook to connect to the Exchange server via the PPTP VPN. It takes at least 2-3 minutes to make the initial connection (I am using a broadband internet connection at home) and Outlook often times out before the connection is made.
>
> Hope that's clearer.

Yes, thanks -- first check that the problem isn't DNS resolution by connecting to the PPTP server then trying to ping the Exchange server by DNS name.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Cowles, Steve
2002-May-14 15:51 UTC
[Shorewall-users] Slow Exchange Server connection via PPTP
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Tuesday, May 14, 2002 8:49 AM
> To: Dragon Wood
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Slow Exchange Server connection via PPTP
>
> Yes, thanks -- first check that the problem isn't DNS resolution by connecting to the PPTP server then trying to ping the Exchange server by DNS name.

Just a thought here...

I run a very similar setup here. Exchange, PDC, WINS, etc... Plus I forward inbound PPTP requests to an NT4.0 system running RAS/PPTP.

Initially when I connected to my Exchange server using Outlook (over the VPN), I had some delay problems as you described. Surprisingly, I fixed this delay problem by creating a CNAME on my DNS server for my MS domain name. Example:

My PDC's FQDN is defiant.mydomain.com and it's a PDC for the MS domain of COWLES.

In my DNS zone for mydomain.com, I added a CNAME of

    cowles IN CNAME defiant.mydomain.com.

To be honest, this so-called fix makes no sense to me. I run a WINS server which should return the PDC record to the VPN client trying to authenticate. Especially since all my MS clients (including the PPTP clients) netbios node types are configured as hybrid (0x8). i.e. First query a WINS server, then broadcast. But after running ethereal, I discovered the PPTP client was issuing a DNS request for the MS domain name. Which wasn't being answered.

Good Luck
Steve Cowles
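The diagnosis in the message above (a DNS query from the PPTP client that never received a reply) can be reproduced from a packet capture by pairing DNS queries with their responses. The following is an added example, not part of the original thread: it assumes the UDP port 53 payloads have already been extracted from the capture, and the sample packets, transaction IDs and the queried name cowles.mydomain.com are constructed for illustration.

```python
import struct

def build_message(txid, name, is_response):
    """Build a minimal one-question DNS message (A/IN); used only for sample data."""
    flags = 0x8180 if is_response else 0x0100   # QR bit set marks a response
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def parse_question(msg):
    """Return (txid, is_response, qname) from a DNS message header and first question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(msg):
            raise ValueError("bad label length")  # also rejects compression pointers
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return txid, bool(flags & 0x8000), ".".join(labels)

def unanswered_queries(packets):
    """Map each name queried but never answered to (attempts, seconds spent retrying)."""
    pending = {}
    for ts, payload in packets:
        txid, is_response, qname = parse_question(payload)
        if is_response:
            pending.pop((txid, qname), None)      # answer arrived: no longer pending
        else:
            pending.setdefault((txid, qname), []).append(ts)
    report = {}
    for (_, qname), stamps in pending.items():
        attempts, first, last = report.get(qname, (0, stamps[0], stamps[-1]))
        report[qname] = (attempts + len(stamps), min(first, stamps[0]), max(last, stamps[-1]))
    return {name: (n, last - first) for name, (n, first, last) in report.items()}

# Constructed sample capture: (seconds, DNS payload). Not data from the thread.
SAMPLE = [
    (0.0, build_message(0x1A01, "defiant.mydomain.com", False)),
    (0.02, build_message(0x1A01, "defiant.mydomain.com", True)),
    (1.0, build_message(0x1A02, "cowles.mydomain.com", False)),
    (2.0, build_message(0x1A02, "cowles.mydomain.com", False)),
    (4.0, build_message(0x1A02, "cowles.mydomain.com", False)),
]
```

Names that show up in the result with several attempts and no reply are the ones the client is waiting on before it proceeds.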
Dragon Wood
2002-May-14 21:02 UTC
[Shorewall-users] Slow Exchange Server connection via PPTP
Thanks Steve. I will try this and see if it makes a difference when I get home tonight...

--- "Cowles, Steve" <Steve@SteveCowles.com> wrote:
> > -----Original Message-----
> > From: Tom Eastep [mailto:teastep@shorewall.net]
> > Sent: Tuesday, May 14, 2002 8:49 AM
> > To: Dragon Wood
> > Cc: shorewall-users@shorewall.net
> > Subject: Re: [Shorewall-users] Slow Exchange Server connection via PPTP
> >
> > Yes, thanks -- first check that the problem isn't DNS resolution by connecting to the PPTP server then trying to ping the Exchange server by DNS name.
>
> Just a thought here...
>
> I run a very similar setup here. Exchange, PDC, WINS, etc... Plus I forward inbound PPTP requests to an NT4.0 system running RAS/PPTP.
>
> Initially when I connected to my Exchange server using Outlook (over the VPN), I had some delay problems as you described. Surprisingly, I fixed this delay problem by creating a CNAME on my DNS server for my MS domain name. Example:
>
> My PDC's FQDN is defiant.mydomain.com and it's a PDC for the MS domain of COWLES.
>
> In my DNS zone for mydomain.com, I added a CNAME of
>
>     cowles IN CNAME defiant.mydomain.com.
>
> To be honest, this so-called fix makes no sense to me. I run a WINS server which should return the PDC record to the VPN client trying to authenticate. Especially since all my MS clients (including the PPTP clients) netbios node types are configured as hybrid (0x8). i.e. First query a WINS server, then broadcast. But after running ethereal, I discovered the PPTP client was issuing a DNS request for the MS domain name. Which wasn't being answered.
>
> Good Luck
> Steve Cowles