Endpoint Protection

We have SEP 11 installed on approx 500 clients and some of them have issues using Outlook and HTTPS sites. Outlook is running in RPC over HTTPS mode so its likely that the problem is more related to HTTPS and Outlook is suffering because of it.

Outlook - send/receive basically doesnt work (though no errors) - no emails come in and if you send any they just sit in the outbox forever. Right clicking and disabling SEP (only the firewall parts) makes everything spring to life and work fine, but turning it back on blocks again.

HTTPS - many secure websites just stop - no error or failure, they just sit there doing nothing. It doesnt affect all HTTPS sites, just some.

I'm wondering if anyone else has seen this issue or has any suggestions. I have a call open with support but unfortunately nothing is really getting done and hasn't for some time now (months).

Thanks in advance.,
David

What to do:

Check if SEP or only part of it is not working. Go to Clients > Antivirus and Antisypware policy > Microsoft Outlook Auto-Protect
Disable this option first

If it works, then try editing the settings there.
If it still doesn't, check the firewall settings.

Have u deployed any inboun to outbond or putbond to inbound trafic rule in Firewal policies, if yes i guess the ction there is Block, Please check the firewall policy of http and Try to dissable the Autoprotect of Outloo Scanner as well.
Check if this works.

Ajit

Hi Both, thanks a lot for your replies.

RE Outlook Auto-Protect, the policies prevent the AV components from being disabled, so right clicking on the shield and choosing to disable SEP only disables the Network Threat Protection module, which fixes the issue. This suggests the AV side is fine so its a firewall setting issue.

RE Rules - We do have inbound and outbound rules configured but very few and nothign to do with HTTP or HTTPS. Turning on logging for outlook.exe doesnt provide any logs either! I'm pretty sure whichever rule is causing the problem is HTTPS related but none directly relate to this...

Any further suggestions?

Thanks again.
David

Hi,

you have to deeply test the firewall rules, three ways:

1) check the Firewall logs

The rules are applied in the order they are listed, therefore:
2) add an "allow all" rule between your rules to get if the problematic rule is above or below the "allow all" rule
3) disable the firewall rules one by one to isolate the problematic one

Cheers,

My office runs Outlook 2003 with SEP 11 and I have similar problems.  Couple of times a day the Outbox locks and nothing goes out.  If I disable SEP at the taskbar, AND exit Outlook, then restart Outlook, usually the mail will then go out.  So long as I leave SEP disabled there is no problem.  If I enable SEP, the problem sporadically reappears.  Sometimes exiting Outlook doesn't do the trick and I have to log off Windows and log back in.

I have considered up'ing to Outlook 2007 but I am concerned I'll just have some other issue to deal with.

 What version of SEP 11 are using 11.0.xxxx.xxxx
There were issues with previous version but all of them have been fixed in the latest 11.0.4202.xx

What exactly are you doing when outlook crashes. For instance are you opening an attachment? Or maybe it happens with an update to an exchange server? It would also help to know exactly which version of SEP you are running. Also for future reference it would be helpful, to avoid confusion, if you would post a new topic instead of tagging it on to a pre-existing one. I only say this because your issues do differ in significant ways, although they are both about outlook. Thanks.

Grant

For me its not a case of outlook crashing but just not send/receiving - the application is still working otherwise. Office 2007 by the way.

Hi Vikram,

First noticed the problem when MR3 was the latest but we still have the problem despite upgrading to MR4, then MR4MP1 and now MR4MP2.

Hi Giuseppe,

Thanks, I'll give this a try and get back to you - it takes a few days due to having to be in a different location to recreate the issue.

David

Grant_Hall:

Outlook does not crash.  The outbox locks up.  It does not appear to be related to anything that I am doing.  However, frequently the problem begins when I am trying to send an eMail with an attachment of some kind.  This is not exclusively the case though.

OK so I disabled every 'Block' rule (so that only a handful of Allow rules remained enabled) and the problem still occurs...

Hi Guys,

 What happnes if you remove the firewall part & outlook plugin part from add/remove program ?

If it is working fine after that then we will come to know what is blocking & we can work only on that part..
I am telling this just to isolate the problem.....

 Is your Microsoft Exchange Server that on a different subnet ?

Verify the Exchange port configuration.

http://technet.microsoft.com/en-us/library/aa997836(EXCHG.65).aspx

More helpful MS KB's
http://support.microsoft.com/kb/555261
http://support.microsoft.com/Default.aspx?kbid=827330

Thomas

Hi all,

Thanks a lot for the suggestions, I'll check out the exchange bits BUT i'm pretty convinced that its not an exchange issue - it only happens when not directly connected to the same network, e.g. when its using RPC over HTTPS instead of TCP/IP.

I think the key thing here is HTTPS - my thinking is that this is the common problem to both parts of the issue. I also checked the exchange event logs and didnt see any issue. Also, some clients are fine!

All our clients have the App/Device control component removed due to previous issues with running the driver and we didnt need it anyway..

Thanks again..
David

@ David:

Try to remove the Application / Device Control Feature and see if that helps. As far as I can see, the issue has already been isolated to lie with the Firewall Component, and no further woozling around in isolaing is gonna help.

@ above: Furthermore, the issue does not lie with the Exchange Server. I hate to say this, but son, get back to the drawing board and draw some drawings. :P

As far as my LIMITED knowledge :P of exchange goes, (I'm an Exchange Architect.....ssssshhhhh), in all simple logic, the server being on a different subnet is not an issue, and any Exchange Admin would know that's the case since you'd have IP Routes setup at all ends, and Name resolution configured properly(If you have different sites).

One thing you may want to check is if the Event Viewer is throwing up any errors when you try to send an email. Check that, as well as it the removal Application / Device Control helps. If not, do post your findings here and we'll chip in.

I have  some what the same problem i am sure this is not a problem with applications device control & dont expect an Exchange Architect to suggest this.. Anyway i have disable the outlook plugin & remove the NTP as it was creating  other problem & as of now it is working...

@ ukDavidC, Can you update us with the status of your issue?

Hi All,

No update yet unfortunately - I'm just in the process of narrowing down exactly which clients have the problem but otherwise no clues. I'll be sure to update this thread as soon as I have more..

David

Hi David I am an old Sygate (then SEP) Administrator.

Back in 2005 we had similar issues and one day, I don't remember where, I found this

"Mail clients for POP3/SMTP/Lotus NRPC fail and certain web pages fail to load; mostly noticed with but not limited to secure web logon web pages. If setting SPA to Allow All the web pages begin to load and mail is being sent, then this Advanced Rule should correct your problem.
You probably have a DSL broadband connection that is using a DSL/NAT device or home router. DSL uses a lower MTU value than the default value of 1500 assigned by Microsoft for your network card. The best value can vary per user but for most people the MTU value of 1492 is the highest value that can be set and works for most users. When your MTU value is set higher than what is being allowed by the DSL/NAT modem an ICMP packet Type 3 is sent back to your PC telling your PC the packet that was just sent is too big, make it smaller and send it again. SPA will block this request so you must create the Advanced Rule. Now once Type 3 is allowed the Type 4 should be accepted back but just in case we set the rule to accept both ICMP type 3 and 4."

--

As soon as I enabled ICMP type 3 and 4 the problem went away.

Funny enough today I had a few people reporting the same problem, when we migrate to SEP I have refreshed the policies and forgotten about it ;)
So I looked on the forum and I found your post, and remembered the FIX (at least for us)

Hope it helps

Alex

Hi Alex,

You're exactly right - we were filtering some ICMP including 3 and 4 in some policies. Allowing those has fixed the clients that were having trouble, lets HTTPS work properly and therefore lets Outlook RPC over HTTPS work properly too. Your post describes the problem exactly (home DSL etc) so I gave it a try and it worked.

Thanks very very much!
David