Outlook 2003 NOT connecting over VPN

[RAM]

I have been getting reports from various users that their Outlook 2003
suddenly (as of around January 6) cannot connect to our Exchange 2003
system over our VPN. These users were previously able to connect to
Exchange with no problems.

Additionally, some of these reports indicate that they can connect one
day, but not the next. Connectivity is not consistent.

(And before anyone says "Use RPC over HTTP," that's all well and good
if they user doesn't need the VPN access for other applications - but
if they're on the VPN, RPC over HTTP doesn't connect and Outlook is
still useless.)

I'm currently tallying these users and their configurations, but I'm
baffled since this DID work at one time. The VPN is a "tunnel," so it's
not like an ISP could suddenly block RPC traffic over the VPN - they'd
have to block VPN altogether. I've scanned the newsgroups and MS
Knowledgebase for a couple of days now, and can't find any help. I've
asked if there have been any changes made to the VPN system lately, but
have been told there have been none. I also asked about how to change
MTU settings on the VPN client, but was told that wasn't applicable.

Has anyone else run into this same issue, or better yet, found the
cause and a resolution?

- RAM

 

[neo [mvp outlook]]

Have you tried changing Outlook 2003's authentication method from
Kerberos/NTLM to just good ol' NTLM? (Right click on "mailbox - <username>"
and select properties > advanced > security tab) The reason that I ask is
that some VPN solutions drop Kerberos (UDP) packets.

If the above works, it is possible to force Kerberos over TCP but requires
pushing a registry key out to all of your workstations.

 

[RAM]

Thanks, Neo. I will check that with users who are still experiencing
the problem. We did have one situation with a site-to-site VPN where
this was the case.

Incidentally, the majority of my users with this problem have been
fixed since we move the Cluster IP resource back to the node where it
normally resides. The only ones that appear to still be having the
problem are those whos mailbox is one Node 2 - I will check the
Kerberos authentication with those users.

Thanks again!

- RAM
@'>

 

[RAM]

I think I have figured out the whole issue with this - it's related to
DNS. Outlook with Exchange looks for the Exchange Virtual Server that
houses the user's mailbox - only one of the nodes in the cluster have
an outside address (NAT'd by the firewall), and that is actually the
CLUSTER IP. The Cluster IP normally resides on Node 1 of the cluster,
so anyone whose mailbox resides on Node 1 shouldn't have a problem
connecting. When the Cluster IP was left on Node 2 back on Jan. 6,
that's when those user's had a problem. Moved it back and they were
fine.

Now, it's the users whose mailboxes reside on Node 2 that can't get
their Outlook 2003 to connect to Exchange - makes sense to me now,
since the IP in DNS resolves to an IP that is pointing at Node 1,
because their mailboxes aren't ON that node.

I think what I need to do is get EACH Exchange Virtual Server its own
external IP address and get them into DNS. That should resolve the
whole issue.

- RAM
@'>