ISA 2004 VPN user can not access Exchange server once connected.

alan.atkins
I really hope someone has seen the problem I am about to describe before because I am at my wits' end. A couple of weeks ago I had to upgrade a box that ran AD, Exchange 2000, ISA 2000, and Server 2000 that was left over by the previous admin. I know it's a horrible practice, which is why I was upgrading and migrating. Long story short, I had to move ISA to a new server so I just put ISA 2004 on it. I upgraded the Exchange 2000 and Server 2000 to Exchange 2003 and Server 2003 on the original "all in one" box. I have one external NIC facing the internet, and one internal NIC to connect to internal servers. I have all web publishing, FTP, and Exchange publishing rules working inside the network. My problem is that all of a sudden, once laptop users connect to the VPN from outside the network, they cannot connect to Exchange through Outlook anymore. As I said, I have created all the necessary rules and they are working properly. I even have a domain controller that runs an antivirus database and pushes updates out to clients, and when a VPN user gets connected it finds the DC virus updater and connects with no problems. It uses some crazy proprietary port. Mapped drives and all other resources are available, but Outlook just stays disconnected from Exchange. I can create a new mail profile on my home machine, and the name resolves when setting up my domain email account, so I know it connects to some extent to Exchange. It will even start updating my newly created mail profile from Exchange. However, current laptop VPN users who use it to connect to mail stores cannot get connected. I have gotten some outside consulting help, and I am still stuck. I could go ahead and set up OWA, but I just feel that will only compound the problem because something that should already be working is not. I believe that an OWA setup may be futile until I can get this problem resolved.
Please, anybody that has run into this problem before, can you give me some things to look at, as I am stuck without my Sales VPN users being able to connect to their Exchange.
    retro77

    Did the IP address of the Exchange server or the name change? If the name changed, then the profiles have to be recreated. There are software solutions out there, but it seems you have to buy them.

    alan.atkins

    The IP and the name of the server for Exchange did not change. The biggest change was that I set up ISA 2004 from scratch on a new server, and then disabled the ISA 2000 server manager on the old box (I wanted to keep it intact just in case). However, I cannot go back to the ISA 2000 configuration because while Microsoft has a patch for ISA 2000 to run on a 2003 server, it will not work for what the support staff of our software need. RDP connections kept dropping constantly when running ISA 2000 on the 2003 server even with the MS patch. So I had to scramble to set up ISA 2004 quickly so the support staff could remote in and support our software on client machines. It does, however, no longer have the external IP or NIC enabled from when ISA 2000 was running on it. What's stranger is that nslookups resolve from anywhere on the network, but ISA cannot ping the Exchange box. I am not sure if it could before, as I said everything was on one box and there was no need to ping from ISA to Exchange because the services all resided on one connection... There has to be something I am missing, but I have no idea what. Like I said, everything else internally, and through the VPN for that matter, works with no issues. I am stumped and have no answers.

    retro77

    Even if the name and IP didn't change on the Exchange server, I think you still have to recreate the Outlook profiles. Also, did the AD accounts have to be created from scratch on the new DC? You may have a permissions issue. I would call those laptops into the office to have them rejoin the domain again and recreate the Outlook profiles.

    alan.atkins

    Actually, I meant the mail profiles created on the XP machines. I am creating a new mail profile to test VPN connections to Exchange from my home PC. It does connect when I set up the initial mailbox to Exchange while connected to the VPN, but it is very flaky. I am creating my own profile with the email store of my email at work. I am using cached Exchange mode from the PC, and when it tries to retrieve the inbox settings it at least connects. But again, it is very flaky. I don't have a new DC; the Exchange server was just upgraded to 2003 with AD on it. I actually have two 2003 DCs that run the 5 FSMO roles already. So no, I did not have to re-create any users in Active Directory. Also, as long as the users are on the physical network there are no connection issues to Exchange.

    alan.atkins

    So you think creating the mail profile over again on the laptops could resolve it. Anything is worth a shot, but it may be risky in the situation I am in now at home. If I re-create the mail profile from my laptop while connected to the VPN, I could risk losing my mail store until I get back in the office if it cannot connect to Exchange. I am using my own laptop to simulate the situation with my Sales VPN users. I am basically doing everything they were accustomed to. I log on to the laptop under a cached domain logon, connect to the work VPN, and then open Exchange. It just does not connect at all. It may be worth a shot though, as I have tried everything.

    CG IT

    VPN is remote access where you connect to the network and obtain a LAN address [or you should get a LAN address]. Once the connection is made and you have a LAN address through RRAS, your computer is like any other computer on the LAN network. The only difference is that traffic traverses the VPN tunnel between your computer and the LAN network.

    Exchange in an Active Directory environment will only work with domain accounts, so how Outlook is set up on the mobile laptops is probably where the problem is.

    You might try having users be members of the mobile user security group [mobile user template].

    ISA Server isn't the problem if you can make a VPN connection.

    alan.atkins

    Good point. Do you think it could possibly be a DHCP issue when giving VPN users an addy? I only ask because that is the only thing I could think of between the VPN users and Exchange. All the other services work for VPN users, just not Exchange and Outlook. I created a new mail profile (when I say "I created a new profile" I mean ANOTHER mail profile with my email account, and then try to connect to Exchange to retrieve the cached info) and when pointing to the Exchange server the FQDN resolves, and my user name resolves to the full name. (Ex. aatkins => Alan Atkins) I know there has to be some sort of initial connection for that to happen. However, when I open that new mail profile it will not connect to Exchange to retrieve the cached info. Even if I put in the internal IP of the Exchange server, the server name resolves itself. So I guess you are right in that ISA may not be the issue. I just have no idea what is.

    CG IT

    Cache mode of course caches until requested, and sometimes mail clients, even on computers on the LAN, will not prompt Exchange to do a Send/Receive. It will show "Off Line" in the lower right corner of Outlook. If you click on the Send/Receive button in the menu bar, you're forcing Outlook to make a connection to Exchange.

    Try that and see what happens. If you can't force a Send/Receive from the mail client to Exchange, then there's more going on.

    alan.atkins

    Yes, I have used "Send/Receive" several times trying to connect. It never does. Yes, there is more going on, and apparently a lot more than I can figure out. I am clueless and stuck. If anyone knows of any outsourced network troubleshooting companies, please let me know. The one I have found and have been using has not been able to resolve this issue yet. Thank you all for your suggestions.

    retro77

    If you delete an Outlook profile, does this delete the offline mail? Even if it does, when you recreate the profile you'll be in cached mode and it will download your mailbox again. Or: set it up not to be in cached mode, and once the salesperson gets back to the office, set them up as cached.

    But definitely, you're going to have to recreate the Outlook profiles if the server is new, even with the same name and IP.

    DHCP: it wouldn't be a DHCP issue since you can connect to resources.

    steve.schwindt

    I have the same exact issue on my network. My VPN users can access all resources except Exchange. Someone had stated in a reply that if you can connect to the VPN then the problem is not with ISA. Actually, what I did was install Outlook on the ISA server and tried to connect to Exchange from it, and got the same exact symptom; when I stopped the firewall service on ISA it worked fine. Plus the fact that I connected to an RRAS (non-ISA) server on the same LAN as ISA from the same remote laptop and I could access Exchange just fine, so the problem is in fact with ISA, I just can't find where.
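    The isolation test in the post above (same client, Exchange reachable with ISA's firewall service stopped, unreachable with it running) can be made repeatable with a small reachability probe. The script below is an added example, not code from any poster in this thread. It resolves the Exchange server name the way the VPN client does, then attempts a TCP handshake to the RPC endpoint mapper (TCP 135, the first hop of every Outlook MAPI session to Exchange 2003) and to SMB (TCP 445, a control port, since mapped drives already work for these VPN users), and classifies the result. The hostname `exchange.example.local`, the port list and the verdict labels are assumptions constructed for the example; the resolver and prober are injectable only so the classification can be unit-tested offline.

```python
import socket
import sys
from typing import Callable, Dict, Optional

# Constructed for this example: the fixed TCP ports worth probing for the symptoms
# in the thread. Outlook's MAPI session starts at the RPC endpoint mapper (135) and
# then moves to a port the mapper hands back, so 135 is the only fixed MAPI port;
# 445 (SMB) is the control, because mapped drives already work over the VPN.
PROBE_PORTS = {135: "RPC endpoint mapper", 445: "SMB (control: mapped drives)"}


def resolve_name(host: str) -> Optional[str]:
    """IPv4 address the client resolves for host, or None if resolution fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host: str,
             resolver: Callable[[str], Optional[str]] = resolve_name,
             prober: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, object]:
    """Resolve host, probe PROBE_PORTS and classify the outcome.

    Verdict labels (constructed for this example):
      dns          - name does not resolve: fix DNS over the VPN before anything else
      unreachable  - resolves, but no probed port answers: routing or VPN addressing
      rpc_filtered - SMB answers but TCP 135 does not: something between the VPN
                     client and Exchange filters RPC (the ISA test from the thread)
      rpc_ok       - 135 answers: basic reachability is fine, so the next thing to
                     check is the dynamic RPC ports the endpoint mapper hands back
                     and any RPC filtering on the firewall path
    """
    ip = resolver(host)
    if ip is None:
        return {"ip": None, "ports": {}, "verdict": "dns"}
    ports = {port: prober(ip, port) for port in PROBE_PORTS}
    if ports[135]:
        verdict = "rpc_ok"
    elif any(ports.values()):
        verdict = "rpc_filtered"
    else:
        verdict = "unreachable"
    return {"ip": ip, "ports": ports, "verdict": verdict}


if __name__ == "__main__":
    # Placeholder hostname; pass the real Exchange server name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "exchange.example.local"
    result = diagnose(target)
    print(f"{target} -> {result['ip']}")
    for port, reachable in result["ports"].items():
        state = "open" if reachable else "BLOCKED"
        print(f"  tcp/{port:<4} {PROBE_PORTS[port]:<30} {state}")
    print(f"verdict: {result['verdict']}")
```

    Run it from a VPN-connected laptop, then from a LAN client, and compare: the LAN run shows what the Exchange box offers, the VPN run shows what survives the firewall path. A `rpc_ok` verdict on the VPN side matches the symptom reported in this thread (the name check succeeds, so the endpoint mapper is reachable, yet the mailbox never connects), which points at the dynamically assigned RPC ports rather than at name resolution or routing.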

    alan.atkins

    Well, I would say that it is reassuring knowing that someone else has this issue also, but it's not. I'm sure you feel the same. I have no clue where to fix this either. I did just run across an article that states that after 2K3 SP2 there could be several networking errors. I have downloaded the requested hotfix, but have not installed it yet as I just downloaded it minutes ago. I will post the results here. You can find the article, and download the hotfix, here: http://support.microsoft.com/kb/936594