Endpoint Protection

I just installed SEPM and I am using the default Firewall policy. Everything works fine, but Outlook hangs when it starts. The network activity monitor shows that outlook.exe has blocked outgoing traffic.

I tried to explicitly add Outlook.exe to an allowed rule, but no luck. I disabled the firewall, logged into Outlook fine, then re-enabled the firewall. Outlook runs fine. It appears to be just the logging into Exchange that is blocked.

Please advise.

For testing create an "Allow All" rule and place it at the top of the FW policy. Test your Outlook login, then move "Allow All" the rule down one row at a time while testing. Once things stop working, you know the rule just above your "Allow All" rule is the issue. Make sure logging is enabled on the rule that is blocking and troubleshoot from there.

Moving thread to Endpoint Protection forum.

Interesting. I placed an "allow all" at the top of the rules list, pushed out the new policy, confirmed that the new policy was received by the client, restarted Outlook, and the same problem occured (no log in).

Nothing in the log shows as 'blocked' all logged traffic is 'allowed', and yet Network Activity shows that Outlook.exe has blocked traffic outgoing.

In the logs I can see my pings to Exchange 'allowed' and then then traffic outgoing to Exchange from Outlook.exe, but I can't connect to Exchange, and the blocked traffic in the activity monitor.

Please advise. How can I see what is causing the blocked traffic in the network activity monitor?

can you post the screen shot plz?

Aattached are screenshots of the currently applied policy and the network activity monitor showing the blocked outbound traffic.

Is it the connection to Exchange, or the connection to the DC for authentication? How would I know?

in the network activity tab, is there a column which says about rule?

try creating an exception for outlook.exe under centralized exception. I guess is that its not the rule which is blocking..

how are u checking the logs on the client or on the sepm?

What version of SEP are you running? What other features are installed? Are you using any Stealth settings?

I see no column about rule in Network Activity monitor.

What central exception should I create? TruScan exception? I tried that and it had no effect.

I check logs on client.

no stealth

version 11.0.6005.562 on both client and SEPM

I ran a packet trace on my workstation with the firewall on and off, and the firewall is preventing any communication to the DC for authentication (protocol SMB) when I launch Outlook, which is causing Outlook to fail to connect to Exchange.

BUT! The Exchange Server is on a separate subnet. I can ping it ok, but if I try to connect to a network share on that server, SEP blocks it, and the blocked outgoing counts increase in network activity monitor. 

So, what we have here is a "SMB across subnets" issue. 

Please advise on the firewall rules to craft to allow this kind of inter-subnet SMB authentication.

I hope that was clear.

Thank you for your help. I found my solution.

Cool, was that the setting listed on the Traffic and Stealth setting page?

Nice...I learned something today, thank u :)