Re: IPSEC question
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Thu, 28 Jun 2007 10:38:39 GMT
Hello Jim,
Thank you for kind update.
If the issue persists after you perform all steps in my previous reply,
please try to following the KB to reset TCP/IP on SBS and XP clients:
How to reset "Internet Protocol (TCP/IP)" in Windows Server 2003
http://support.microsoft.com/?id=317518
How to reset Internet Protocol (TCP/IP) in Windows XP
http://support.microsoft.com/?id=299357
If the issue persists, please kindly help me collect some information for
further investigation:
1. Does the slow issue happen when every client access SBS?
2. How about transfer large files between client and client, is it slow too?
3. How many NIC are installed on the SBS server?
4. Use the Networking MPS report to capture the SBS for further analysis:
a. Download MPSrepot_network from
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
15706/MPSRPT_NETWORK.EXE
b. Run MPSRPT_NETWORK.exe on the server box.
c. The tool will automatically collect the information. This procedure will
take 10~15 minutes.
d. Open Windows Explorer, navigate to the folder:
%SystemRoot%\MPSReports\Network\Reports\Cab\
e. Send the .cab file directly to me at v-terliu@xxxxxxxxxxxxxx
Hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "jim smith" <james.smith32@xxxxxxxxxxx>
| References: <ukAf$9$tHHA.1052@xxxxxxxxxxxxxxxxxxxx>
<GpWsabHuHHA.360@xxxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: IPSEC question
| Date: Wed, 27 Jun 2007 08:01:46 -0500
| Lines: 240
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| Message-ID: <#qIaHtLuHHA.1204@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: cpe-76-185-127-107.tx.res.rr.com 76.185.127.107
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:46616
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Terrance:
|
| Thank you for your response. I have been totally frustrated over this
issue
| since Service Pack 2 was installed bak in May. ISA is not installed. I
am
| convinced it is something to do with policy and/or registry settings as
| things changed immediately after SP2 was installed. SP2 had issues so I
had
| help from MS support and we spent 32 hours over 1 week, 12 of which it
took
| just to get SP2 installed after the initial failure. The rest was spent
| investigating the slow network. A new NIC was installed (per their
| suggestion), all offloading was disabled, RSS, TCPA, etc. SMB sounds
like a
| real possibility.
|
| Dare I even mention the fact that one of their main programs, ACT 6.0 now
| fails completely after the SP2 update? We have 2 machines that can still
| run the program connecting to the database on the server. They were
| upgraded from W2K to XP Pro. All other machines were initially loaded
with
| XP Pro and now they fail to run the program after SP2.
|
| The important issue is to get the server working properly first without
| rebuilding it if at all possible.
|
| I will try the suggestion you made this evening and let you know how they
| work.
|
| I hit the SBS weblog and tried their stuff. Your response has been the
most
| reasoned so far and you seem to grasp the idea that this is not suddenly
a
| hardware issue.
|
| Jim
| "Terence Liu [MSFT]" <v-terliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:GpWsabHuHHA.360@xxxxxxxxxxxxxxxxxxxxxxxxx
| > Hello James,
| >
| > Thank you for posting here.
| >
| > From your description, I understand the issue is that the network is
very
| > slow when you transfer large files to/from SBS thru shard folder. If I
am
| > off base, please let me know.
| >
| > Based on my research, I think this issue is no relationship with IPSec,
if
| > you only enable IPSec on SBS, the client computers will completely
cannot
| > access SBS. I suggest we try the following steps to see if we can
resolve
| > this issue:
| >
| > 1. Disable SMB signing in the whole clients and SBS:
| >
| > 1) Make sure the following policies are all ''Disable'' (instead of
''Not
| > defined'') in BOTH ''Default Domain Policy'' and ''Default Domain
| > Controller Policy'':
| >
| > A. Microsoft network client: Digitally sign communications (always):
| > Disabled
| > B. Microsoft network client: Digitally sign communications (if server
| > agrees): Disabled
| > C. Microsoft network server: Digitally sign communications (always):
| > Disabled
| > D. Microsoft network server: Digitally sign communications (if client
| > agrees): Disabled
| > E. LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2
| > session security if negotiated
| >
| > You can find the policy as following:
| >
| > A. Open Server Management, and then expand Advanced Management | Group
| > Policy Management | Forest | Domains | Server name.
| > B. Right click Default Domain Policy and select Edit.
| > C. In Group Policy Object Editor, expand Computer Configuration |
Windows
| > Settings | Security Settings | Local Policies.
| > D. Click Security Options.
| > E. Open Server Management, and then expand Advanced Management | Group
| > Policy Management | Forest | Domains | Server name | Domain Controllers.
| > F. Right click Default Domain Controllers Policy and select Edit.
| > G. In Group Policy Object Editor, expand Computer Configuration |
Windows
| > Settings | Security Settings | Local Policies.
| > H. Click Security Options.
| >
| > 2) Still on the DC, issue ''gpupdate /force'' in a command console.
| > 3) Restart the DC and client computer to take effect.
| >
| > More information:
| >
| > 298804 Internet firewalls can prevent browsing and file sharing
| > http://support.microsoft.com/?id=298804
| >
| > 2. You can try to install the update to see if it helps.
| >
| > 898060 Installing security update MS05-019 or Windows Server 2003
Service
| > Pack 1 may cause network connectivity between clients and servers to
fail
| > http://support.microsoft.com/default.aspx?scid=kb;EN-US;898060
| >
| > 899148 Some firewalls may reject network traffic that originates from
| > Windows Server 2003 Service Pack 1-based computers
| > http://support.microsoft.com/?kbid=899148
| >
| > Server Message Block communication between a client-side SMB component
and
| > a server-side SMB component is not completed if the SMB signing settings
| > are mismatched in Group Policy or in the registry
| > http://support.microsoft.com/?kbid=916846
| >
| > After applying above the hotfixes, please reboot the server box and
client
| > computer and then test the issue to see if the issue fixed.
| >
| > 3. Make sure that you have selected Enable NetBIOS over TCP/IP on all
| > local
| > and remote computers and SBS server internal NIC as following:
| >
| > 1) Right click My Network Places and select Properties.
| > 2) Right click Local Area Connection (client computer)/Network
Connection
| > (server) and select Properties.
| > 3) Click Internet Protocol (TCP/IP) and high light it. Click Properties.
| > 4) On the General tab, click Advanced. Go to WINS tab.
| > 5) Make sure that you select Enable NetBIOS over TCP/IP.
| > 6) Click OK twice and close all the windows.
| >
| > For detailed information, please refer to the following KB article:
| >
| > 318030 You cannot access shared files and folders or browse computers
in
| > the
| > http://support.microsoft.com/?id=318030
| >
| > 4. Make sure the TCP/IP NetBIOS Helper service and the Server service
and
| > Workstation service are running on SBS and client computers. You may
check
| > them through running Services.msc.
| >
| > 5. Check WINS:
| >
| > 1) Open WINS console in the SBS Administrative Tools.
| > 2) Make sure that the service is started.
| >
| > 6. Check Computer Browser on SBS and client computers:
| >
| > 1) Open Services console in the SBS Administrative Tools.
| > 2) In the right pane, make sure that the "Computer Browser" service is
| > started and the startup type is "Automatic".
| > 3) Check the same settings on all client computers and make sure that
the
| > "Computer Browser" service is stopped and the startup type is
"Disabled".
| >
| > If the issue persists, please kindly help me collect some information
for
| > further investigation:
| >
| > 1. How about transfer large files between client and client, is it slow
| > too?
| >
| > 2. Is ISA installed on the SBS server? What is the ISA edition? How many
| > NIC are installed on the SBS server?
| >
| > 3. Use the Networking MPS report to capture the SBS for further
analysis:
| > a. Download MPSrepot_network from
| >
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
| > 15706/MPSRPT_NETWORK.EXE
| >
| > b. Run MPSRPT_NETWORK.exe on the server box.
| >
| > c. The tool will automatically collect the information. This procedure
| > will
| > take 10~15 minutes.
| >
| > d. Open Windows Explorer, navigate to the folder:
| > %SystemRoot%\MPSReports\Network\Reports\Cab\
| >
| > e. Send the .cab file directly to me at v-terliu@xxxxxxxxxxxxxx
| >
| > Hope this information helps. If you have further questions or concerns
on
| > this issue, please let me know. I am looking forward to hearing from
you.
| >
| > Have a nice day!
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
| > the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
| > doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| > --------------------
| > | From: "jim smith" <james.smith32@xxxxxxxxxxx>
| > | Subject: IPSEC question
| > | Date: Tue, 26 Jun 2007 09:37:31 -0500
| > | Lines: 11
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| > | X-RFC2646: Format=Flowed; Original
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| > | Message-ID: <ukAf$9$tHHA.1052@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | NNTP-Posting-Host: cpe-76-185-127-107.tx.res.rr.com 76.185.127.107
| > | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| > | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:46360
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | Can IPSEC, if set up incorrectly, cause connection problems with
| > | workstations and servers? For example, transferring large files
| > peer-peer
| > | works fine and the network, but transferring them to/from the server
and
| > a
| > | workstation is SSLLOOWW! Other issues such as NIC drivers are all
| > updated,
| > | no errors showing in any log, quality hardware throughout the network.
| > This
| > | just recently started happening after installing SP2 which installs
some
| > | IPSEC functionality.
| > |
| > | What real danger is there in turning off IPSEC services?
| > |
| > |
| > |
| >
|
|
|
.
- References:
- IPSEC question
- From: jim smith
- RE: IPSEC question
- From: Terence Liu [MSFT]
- Re: IPSEC question
- From: jim smith
- IPSEC question
- Prev by Date: Problem communicating with Netgear router
- Next by Date: Re: Blackberry and SBS 2003
- Previous by thread: Re: IPSEC question
- Next by thread: Re: GPO causing client security logs to fill?
- Index(es):
Relevant Pages
|
