VPN client having Exchange Connectivity Issues
I am working at a client site today. The client has tasked me with resolving an issue with a remote user who uses the Cisco VPN client to connect to the network. The issue at hand, based on information that the client has discussed with me, is as follows:

1. The remote user will launch his Cisco VPN client and it will connect successfully. Once he is through this, he is logged into the Single Domain at the client site, and has his drive mappings.
2. The client will launch Outlook. For some reason, he gets error messages and his email does not flow.

I had placed a sniffer on the client computer and captured the traffic. What I saw in the traffic was an ephemeral port 1127 that was trying to connect in to the Exchange server.

NOTE: In this customer's topology, there is a Front End Exchange Server in our DMZ, and then the Back End Server is inside. So the client in this case WOULD NOT connect to the Front End Server first, but rather straight through the tunnel to the Back End server.

I ended up opening port 1127 on our inside firewall so that it could make it in to our Back End server, and this attempt was successful. What I do not understand is why that port was being used, and why it was not changing (it is supposed to be ephemeral). One thing I cannot have happening is me having to be reactive for this client, and constantly having to change ports on the FW to allow him in. Please help.

KMNRUser Kevin Melton
April 11th, 2011 3:45pm

You don't mention the version of Exchange... excluding Exchange 2010 for a second, MAPI clients connect directly to the Exchange server for mailbox... unless they're connected using RPC/HTTPS in which case they'd connect to a FE potentially over 443.. but 443 <> 1127 so it's likely that he's not using RPC/HTTPS, so connection directly to the mailbox server would be expected.
April 11th, 2011 3:53pm

Once you are inside the domain and can access the resources (successful drive mapping etc.) then there shouldn't be any need to open any additional port(s). Is this an issue with just one user or more? Are you able to ping the Exchange server in question? What is the typical error message you get when Outlook doesn't work? I would suggest reproducing the problem by telnetting on port 25 from the VPN client, checking the mail flow using telnet, and seeing if that is successful.

Regards, Pushkal MishrA
April 11th, 2011 4:19pm

I agree with your first statement entirely. That is what makes this issue unorthodox. It is an issue with just one user. We can ping the Exchange server from the client once he is connected. I am not certain whether the user does get any error message, or whether he just doesn't get mail. I think it is that he cannot connect to Exchange.... (disconnected message). I need to verify this. I will try telnetting to 25. Thanks, Pushkal.

Kevin Melton
April 11th, 2011 4:43pm

Hi KMNR_User, Any update for your issue? Regards! Gavin

TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 12th, 2011 6:03am

No update yet, Gavin. I will be back onsite at that client tomorrow and will be able to test the recommended solutions then.

Kevin Melton
April 12th, 2011 9:14am

To test the connection using telnet, please use this link: http://support.microsoft.com/kb/153119. Also, if you see you can successfully submit emails using telnet and OWA (Outlook Web Access) works fine, then I recommend recreating the Outlook profile and seeing if that makes a difference, Kevin.

Regards, Pushkal MishrA
April 12th, 2011 11:47am

Hi KMNR_user, Which version of Exchange do you use? I would not suggest that you use VPN to connect to the Exchange server. Because when we connect to the domain through VPN, the client would act as an internal client to connect to the Exchange server, which means the RPC and MAPI protocols would be used, and they do not use a static port. Some information for you:

http://support.microsoft.com/kb/270836
http://technet.microsoft.com/en-us/library/bb331973.aspx

Regards! Gavin

TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 12th, 2011 10:32pm
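
An added example, not part of the thread: one way to check from the inside firewall's logs whether the high port a VPN client is denied on stays the same across sessions, which decides whether a single-port rule can hold. The log format, the addresses and every function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (hypothetical format and addresses).
SAMPLE_LOG = """\
2011-04-11T15:01:02 ALLOW tcp 10.8.0.15:3312 -> 192.168.10.20:135
2011-04-11T15:01:03 DENY tcp 10.8.0.15:3313 -> 192.168.10.20:1127
2011-04-11T15:01:09 DENY tcp 10.8.0.15:3314 -> 192.168.10.20:1127
2011-04-12T09:12:40 ALLOW tcp 10.8.0.15:4051 -> 192.168.10.20:135
2011-04-12T09:12:41 DENY tcp 10.8.0.15:4052 -> 192.168.10.20:1189
2011-04-12T09:13:00 ALLOW tcp 10.8.0.15:4060 -> 192.168.10.20:25
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ (?P<action>ALLOW|DENY) tcp "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def classify(port):
    """Label a destination port on the mail server."""
    if port == 135:
        return "rpc-endpoint-mapper"    # fixed port that hands out the dynamic one
    if port >= 1024:
        return "dynamic-rpc-candidate"  # assigned at service start, not static
    return "well-known"                 # e.g. 25 for SMTP

def denied_dynamic_ports(log_text, server_ip):
    """Return {date: sorted denied high destination ports on server_ip}."""
    by_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != server_ip or m["action"] != "DENY":
            continue
        port = int(m["dport"])
        if classify(port) == "dynamic-rpc-candidate":
            by_day[m["date"]].add(port)
    return {day: sorted(ports) for day, ports in by_day.items()}

def port_changes_between_days(log_text, server_ip):
    """True when the denied high port set differs from one day to another."""
    per_day = denied_dynamic_ports(log_text, server_ip)
    return len({tuple(ports) for ports in per_day.values()}) > 1

if __name__ == "__main__":
    print(denied_dynamic_ports(SAMPLE_LOG, "192.168.10.20"))
    print(port_changes_between_days(SAMPLE_LOG, "192.168.10.20"))
```
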

thanks for the response. Kevin Melton
April 14th, 2011 1:05am

This topic is archived. No further replies will be accepted.
