In regards to the RPC and Exchange problem that I was having:

I got an answer from Checkpoint and here is the explanation:

With SP2, Checkpoint fixed the issue where the firewall would allow NON-SYN
packets through after the connection timed out of the table.  In other
words, whereas before if it saw a NON-SYN packet, it would place it in the
connection table and continue as long as it matched the rules, now it just
drops it.  So, when Exchange and Outlook negotiate a port to use for RPC,
Checkpoint sees that and keeps it open for TCP_TIMEOUT seconds.  However,
Outlook keeps that port in cache for the remainder of the session.  If there
is no activity, the port times out of the connection tables, but Outlook
still keeps that in cache.  That's why 10 minutes later the FW blocks it.

There are a couple of suggestions: one, disable the blocking of NON-SYN
packets (see SP2 release notes), or, increase the TCP_TIMEOUT for RPC
communications.  I tried that by editing init.def before, but that didn't
work, but the Checkpoint guy suggested editing the table.def rpc service entries
and changing the TCP_TIMEOUT value to the actual timeout in seconds, up to
24h:

./table.def:dcerpc_binds = dynamic sync refresh expires TCP_TIMEOUT;
./table.def:dcerpc_sessions = dynamic sync refresh expires TCP_TIMEOUT;
./table.def:rpc_sessions = dynamic refresh sync expires UDP_TIMEOUT;

So, I'll try that at one point and let you know.  

If anyone has had the same issue and is going to attempt this fix, I'd
appreciate an email letting me know how it went...

Thanks
-Gary-

> -----Original Message-----
> From: Elden Breckenridge [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 16, 2000 11:37 AM
> To: '[EMAIL PROTECTED]'
> Subject: RPC and Exchange
> 
> 
> Hello
> 
> Just read your note and realized we're experiencing the same problem.
> Intermittent but noticeable to our users.  Have you received any
> recommendations to help you resolve this issue?
> 
> Elden
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> **************************
> 
> Date: Tue, 15 Aug 2000 11:43:45 -0400
> From: "Portnoy, Gary" <[EMAIL PROTECTED]>
> Subject: [FW1] RPC and MS Exchange
> 
> Hi there,
> 
> I upgraded to 4.1 SP2 from just straight 4.1 over the weekend and started
> having this little problem:
> A firewall is located between my Exchange server and the internal network.
> I am forcing Exchange IS and DS services to use port 1200 per instructions
> on phoneboy's site.  I understand that is not necessary with FW-1 4.0 and
> above, but I am doing it anyway.
> 
> When Outlook is started on the internal network, it connects to the RPC
> portmapper on port 135 on the Exchange box and negotiates a port to use for
> the future (1200), then it switches to that port.  Initially everything
> works fine, however, if I let Outlook sit inactive for about 10 minutes
> there is about a 20-50 second pause the next time I try to do some action for
> which it has to contact the Exchange server (address book lookup).  This
> looks like some sort of timeout...  I ran a sniffer and indeed, I see RPC
> Request packets destined to the Exchange server port 1200, which keep
> getting retransmitted because there is no response.  Eventually the request
> times out, and Outlook recovers by trying to connect to the portmapper again
> and negotiate a port again.  This goes through immediately and then the
> original RPC Request goes through.  If I continuously use Outlook, I am
> fine, but if I pause for another 10 minutes, again I get the same situation.
> 
> In my rule base I am allowing "internal any any allow", so this shouldn't be
> a problem.  I also read that RPC isn't included within ANY, so what do I do?
> I tried a rule "internal exchange_server MS_Exchange allow" hoping to use
> the 4.1 functionality when it comes to Exchange and still nothing...
> I defined RPC_OVER_TCP in base.def and even tried to set the timeout of port
> 1200 to 3600 sec in init.def.
> 
> Still nothing...
> 
> Now I am out of ideas, but really, really don't want to roll back to 4.1
> SP0...
> Help???
> 
> -Gary-
> 
> Gary Portnoy
> Network Administrator
> [EMAIL PROTECTED]
> 
> 
> Elden
> [EMAIL PROTECTED]
> http://www.fcwa.org/ 
> 703.289.6222 ...Tel
> 703.289.6212....Fax
> 703.606.2700....Cell
> 877.712.3364....Pager
> [EMAIL PROTECTED]
> 
> 
> 
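The connection-table behaviour Gary's Checkpoint contact describes above (idle entries expiring after TCP_TIMEOUT, SP2 dropping NON-SYN packets that have no entry, Outlook reusing its cached RPC port), as an added Python model. This is not Check Point code; the hosts, ports, timeout values and the `ConnTable`/`outlook_session` names are constructed for illustration.

```python
"""Toy stateful-inspection connection table for the Outlook/Exchange RPC case.
Added example, not Check Point code; all values below are constructed."""
from dataclasses import dataclass, field


@dataclass
class ConnTable:
    tcp_timeout: int        # seconds an idle entry survives (the TCP_TIMEOUT role)
    drop_non_syn: bool      # SP2 behaviour: never create an entry from a non-SYN
    entries: dict = field(default_factory=dict)   # 4-tuple -> last-seen time

    def _expire(self, now):
        stale = [k for k, seen in self.entries.items()
                 if now - seen > self.tcp_timeout]
        for k in stale:
            del self.entries[k]

    def packet(self, now, src, sport, dst, dport, syn=False):
        """Return 'ACCEPT' or 'DROP' for one TCP segment.

        The rule base is assumed to be 'internal any any accept', so only the
        state table decides; updating last-seen models the 'refresh' keyword.
        """
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.entries or syn:
            self.entries[key] = now     # create on SYN, refresh on any match
            return "ACCEPT"
        if self.drop_non_syn:
            return "DROP"               # SP2: no entry and not a SYN -> drop
        self.entries[key] = now         # pre-SP2: admit the stray and track it
        return "ACCEPT"


def outlook_session(tcp_timeout, drop_non_syn, idle=600):
    """Portmapper lookup, negotiated RPC port, then idle for `idle` seconds
    before Outlook reuses the cached port without a new handshake."""
    fw = ConnTable(tcp_timeout, drop_non_syn)
    client, exch = "10.0.0.5", "10.0.0.10"        # constructed addresses
    fw.packet(0, client, 40001, exch, 135, syn=True)    # RPC portmapper
    fw.packet(1, client, 40002, exch, 1200, syn=True)   # negotiated port
    fw.packet(5, client, 40002, exch, 1200)             # address-book traffic
    return fw.packet(5 + idle, client, 40002, exch, 1200)  # cached-port reuse
```

With a timeout shorter than the idle gap and NON-SYN blocking on, the late RPC Request is dropped; either of the two suggested fixes (disabling the NON-SYN drop, or raising the timeout past the idle period) makes it pass.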

