- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-16-2013 02:04 AM
Description
We are experiencing a timeout problem when using outlook/exchange across the PA firewall.
When the RPC connection between Outlook and Exchange is idle, the PA apparently terminates the connection.
This causes the Outlook client to hang/stall until restarted - and thereby establishing a new RPC connection.
When the timeout occours, a Baloon-message appears from the taskbar telling that Outlook is trying to fetch data from the Exchange-server running the CAS role.
Problem exist on various combinations of client and server
We have seen this with Outlook 2007/2010 and 2013, and Exchange 2007 and 2010.
Current workaround
Using Exchange cached mode in the Outlook client causes the client to communicate with Exchange in another way. The timeout error does not appear in this configuration.
What have we already tried?
We have read that Exchange sents a keep-alive beacon every 2 hour through the RPC connection. We have tried adjusting this to a lower value - without succes. So instead we tried raising the Session Timeout for TCP to 7200 seconds. But this didn't help either.
It worked before changing to PA
We didn't experience this problem earlier when using the Microsoft TMG "firewall". But i guess they detected the trafic and didn't let it timeout.
My question is - Is any one else experiencing the same problem? If yes - have you found a solution? I guess it is a general problem when using RPC through the PA.
08-16-2013 06:01 AM
You can try increasing the session time out and TCP timeout for msrpc and ms-exchange applications to14400 seconds, to see if it makes a difference.
You can also try app overriding the traffic for msrpc and exchange, by creating custom apps for these traffic, and apply them under an app override policy.
The below document explains about overriding apps
https://live.paloaltonetworks.com/docs/DOC-1071
BR,
Karthik RP
08-16-2013 06:01 AM
You can try increasing the session time out and TCP timeout for msrpc and ms-exchange applications to14400 seconds, to see if it makes a difference.
You can also try app overriding the traffic for msrpc and exchange, by creating custom apps for these traffic, and apply them under an app override policy.
The below document explains about overriding apps
https://live.paloaltonetworks.com/docs/DOC-1071
BR,
Karthik RP
08-19-2013 12:22 AM
Thanks Karthik - I will try it and get back if it worked. I will try changing the timeout settings first - and if i doesn't work, then the application override method.
10-05-2015 02:36 AM
The suggested solution almost solved the problem. The users still - but rarely - see the timeout issue.
The solution changed the problem from being unacceptable and annoying, to an acceptable occurence.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!