Outlook 2003 RPC/HTTP slow and asking for log on?

[neilpotter]

We are having problems trying to use our Outlook 2003 clients out of the building using the RPC over HTTP setup. When you try to open outlook, it sits for a whil ethen asks for a user log on. If I put in my full username i.e. user@domain.com with teh password, it will work but takes a while to kick in. If however I kick the VPN in first, it works without asking to authenticate, as you would expect. I would like to get it working without the VPN in case my clients are in areas where the VPN is not allowed.
We have a single Exchange 2007 server sat behind a Nat firewall. Ports 135 and 6001-6004 are being forwarded to the exchange server. On the server, in IIS under RPC, the authentication is set to Integrated Windows and also Basic. SSL is set to 128bit. We have our own SSL cert setup rather than the built in one. The client (Outlook 2003) is setup for connecting over HTTP by using Basic Authentication and using SSL. If I don't use these settings, it doesn't connect at all.
Any ideas what I'm doing wrong? Can it be setup to work without having to authenticate and also load up much faster?
Thanks

 

[MarkArnold]

I'm worried what you say about the ports. With Outlook Anywhere you shouldn't have anything open on the firewall other that 443 only.
Can you close everything off on the firewall other than HTTPS and test again?
What you will see is the client try to connect using RPCs because, basically, it isn't telepathic. If it can "kinda" get to the site but not completely you're going to get a delay. You know how badly Microsoft applications have historically coped with going on and off a network.

Let us know.

M.

 

[neilpotter]

I'll try later. I thought Outlook Anywhere was only for Outlook 2007. I'm using 2003. And I only opened the ports to see if it helped. I can't remember if they are being used or nor. Outlook /RPCDIAG shows everything as HTTPS. Thanks

 

[MarkArnold]

Outlook Anywhere" is what Exchange 2007 calls it. It's the same technology and same settings. Sorry if I confused you there.
And the diags will show as HTTPS, the point is that they might be taking too long to get there because 135 etc. is open (which you have to close on security grounds anyway) and it's trying RPC before RPC over HTTPS.

 

[neilpotter]

Fair doos. I'll can the open ports tonight and try from outside. The main issue really is the log on though rather than the speed. Would you expect the client to ask for a log on using outlook 2003 when outside the building. And if so, why does it not ask when going via the VPN. (VPN is setup via the AD server with PPTP if that helps).

 

[MarkArnold]

Remember that you can also tick the "use https on fast" tickboxes and try this inside the LAN. You can do this now and it will give you some indication.

 

[neilpotter]

Right, tried the "Fast" option, which works fine if I set to HTTP (no SSL) and NTLM. If I try to use SSL it asks for a log on, which works fine if I key it in but is annoying. Is this correct or have I set something up wrong?

 

[MarkArnold]

It will ask for a logon. You wouldn't expect an automatic logon to your Internet banking site would you? And it's the same thing. You can sometimes use NTLM but some of the routers on the Internet will block you so it's best to stick with SSL and Basic.

So it's nice and quick on the LAN and when you have the "Use HTTP on fast" then? That's about what I expected.

Time for you to nip nome and give it a test.

 

[neilpotter]

Right then. I've killed the ports for RPC so I only have 443 open (along with the obvious 25, 80 etc). Still works slowly from out of the building though. Essentially, it takes about a minute before it requests a log on, then a further 30 seconds or so to come to ready and be fully useable. Whilst not a major delay, I know that people will moan so I'm just checking out whether this is correct or not before I go live with the server.

 

[MarkArnold]

The minute is a bit long. I use my lab server from the office on the end of an ADSL link (300 or so up). It's on VMware so it takes a little while to pop up a logon prompt, not quite the minute, and then another 30 before it all kicks into shape and I'm up and running.

If you've now locked all the ports out and such like I'd take a view of the connection. If you're in OWA how long does the FBA screen take to come up from the moment you hit Go?

 

[neilpotter]

OWA is pretty much instant. I assume you mean how long to see the mailbox info etc after i've logged in?

 

[MarkArnold]

Just down to your network then. Remember that RPC over HTTPS will always try to use TCP to get to the server so if it's on a fast home network it'll try and then fall back. So if your users are at home you should make sure the "use HTTPS on fast" is always ticket. Also remember it's got a greater overhead so it will be slower - although sadly you seem to be seeing too slow a performance.
OWA is a good test. If it's quick to bring up the logon and then quick to bring up the email you can exclude the server.