IPSEC question

Discussion in 'Windows Small Business Server' started by jim smith, Jun 26, 2007.

  1. jim smith

    jim smith Guest

    Can IPSEC, if set up incorrectly, cause connection problems with
    workstations and servers? For example, transferring large files peer-peer
    works fine and the network, but transferring them to/from the server and a
    workstation is SSLLOOWW! Other issues such as NIC drivers are all updated,
    no errors showing in any log, quality hardware throughout the network. This
    just recently started happening after installing SP2 which installs some
    IPSEC functionality.

    What real danger is there in turning off IPSEC services?
     
    jim smith, Jun 26, 2007
    #1

  2. Hello James,

    Thank you for posting here.

    From your description, I understand the issue is that the network is very
    slow when you transfer large files to/from SBS through a shared folder. If
    I am off base, please let me know.

    Based on my research, I think this issue has no relationship with IPSec; if
    you only enable IPSec on SBS, the client computers will be completely
    unable to access SBS. I suggest we try the following steps to see if we can
    resolve this issue:

    1. Disable SMB signing on all clients and SBS:

    1) Make sure the following policies are all ''Disable'' (instead of ''Not
    defined'') in BOTH ''Default Domain Policy'' and ''Default Domain
    Controller Policy'':

    A. Microsoft network client: Digitally sign communications (always):
    Disabled
    B. Microsoft network client: Digitally sign communications (if server
    agrees): Disabled
    C. Microsoft network server: Digitally sign communications (always):
    Disabled
    D. Microsoft network server: Digitally sign communications (if client
    agrees): Disabled
    E. LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2
    session security if negotiated

    You can find the policy as follows:

    A. Open Server Management, and then expand Advanced Management | Group
    Policy Management | Forest | Domains | Server name.
    B. Right click Default Domain Policy and select Edit.
    C. In Group Policy Object Editor, expand Computer Configuration | Windows
    Settings | Security Settings | Local Policies.
    D. Click Security Options.
    E. Open Server Management, and then expand Advanced Management | Group
    Policy Management | Forest | Domains | Server name | Domain Controllers.
    F. Right click Default Domain Controllers Policy and select Edit.
    G. In Group Policy Object Editor, expand Computer Configuration | Windows
    Settings | Security Settings | Local Policies.
    H. Click Security Options.

    2) Still on the DC, issue ''gpupdate /force'' in a command console.
    3) Restart the DC and client computer to take effect.

    More information:

    298804 Internet firewalls can prevent browsing and file sharing
    http://support.microsoft.com/?id=298804

    2. You can try to install the update to see if it helps.

    898060 Installing security update MS05-019 or Windows Server 2003 Service
    Pack 1 may cause network connectivity between clients and servers to fail
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;898060

    899148 Some firewalls may reject network traffic that originates from
    Windows Server 2003 Service Pack 1-based computers
    http://support.microsoft.com/?kbid=899148

    Server Message Block communication between a client-side SMB component and
    a server-side SMB component is not completed if the SMB signing settings
    are mismatched in Group Policy or in the registry
    http://support.microsoft.com/?kbid=916846

    After applying the above hotfixes, please reboot the server box and client
    computer and then test to see if the issue is fixed.

    3. Make sure that you have selected Enable NetBIOS over TCP/IP on all local
    and remote computers and the SBS server internal NIC as follows:

    1) Right click My Network Places and select Properties.
    2) Right click Local Area Connection (client computer)/Network Connection
    (server) and select Properties.
    3) Click Internet Protocol (TCP/IP) to highlight it. Click Properties.
    4) On the General tab, click Advanced. Go to WINS tab.
    5) Make sure that you select Enable NetBIOS over TCP/IP.
    6) Click OK twice and close all the windows.

    For detailed information, please refer to the following KB article:

    318030 You cannot access shared files and folders or browse computers in the
    http://support.microsoft.com/?id=318030

    4. Make sure the TCP/IP NetBIOS Helper service and the Server service and
    Workstation service are running on SBS and client computers. You may check
    them through running Services.msc.

    5. Check WINS:

    1) Open WINS console in the SBS Administrative Tools.
    2) Make sure that the service is started.

    6. Check Computer Browser on SBS and client computers:

    1) Open Services console in the SBS Administrative Tools.
    2) In the right pane, make sure that the "Computer Browser" service is
    started and the startup type is "Automatic".
    3) Check the same settings on all client computers and make sure that the
    "Computer Browser" service is stopped and the startup type is "Disabled".

    If the issue persists, please kindly help me collect some information for
    further investigation:

    1. How about transferring large files between client and client, is it slow
    too?

    2. Is ISA installed on the SBS server? What is the ISA edition? How many
    NICs are installed on the SBS server?

    3. Use the Networking MPS report to capture the SBS for further analysis:
    a. Download MPSreport_network from
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

    b. Run MPSRPT_NETWORK.exe on the server box.

    c. The tool will automatically collect the information. This procedure will
    take 10~15 minutes.

    d. Open Windows Explorer, navigate to the folder:
    %SystemRoot%\MPSReports\Network\Reports\Cab\

    e. Send the .cab file directly to me at .

    Hope this information helps. If you have further questions or concerns on
    this issue, please let me know. I am looking forward to hearing from you.

    Have a nice day!

    Best regards,

    Terence Liu(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Terence Liu [MSFT], Jun 27, 2007
    #2
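
Added example (not part of the original thread, and not Microsoft's code): the signing policies listed in the reply above are stored as the `EnableSecuritySignature` and `RequireSecuritySignature` registry values under `LanmanServer\Parameters` and `LanmanWorkstation\Parameters`, and KB 916846 cited there concerns sessions that do not complete when those settings are mismatched. The sketch below parses `reg query` output saved from each machine and reports the expected outcome for each client against the server; the host names and registry dumps are constructed, and the outcome table is the commonly documented SMB1 behaviour, taken here as an assumption.

```python
import re

# Registry keys (under HKLM) holding the "Digitally sign communications" policies.
SERVER_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
CLIENT_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

_VALUE_RE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {key_path_lower: {value_name_lower: int}} from `reg query` output."""
    result, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            current = line.strip().split("\\", 1)[1].lower()
            result[current] = {}
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            result[current][match.group(1).lower()] = int(match.group(2), 16)
    return result


def signing_mode(values):
    """Collapse the two DWORDs into required / enabled / disabled / unknown."""
    if "requiresecuritysignature" not in values and "enablesecuritysignature" not in values:
        return "unknown"  # defaults differ by OS and role, so do not guess
    if values.get("requiresecuritysignature", 0):
        return "required"  # simplification: "always" implies the capability
    if values.get("enablesecuritysignature", 0):
        return "enabled"
    return "disabled"


def negotiate(client, server):
    """Expected SMB1 session outcome for one client/server pair (assumed table)."""
    modes = {client, server}
    if "unknown" in modes:
        return "unknown"
    if "required" in modes and "disabled" in modes:
        return "fails"  # the mismatch case: one side insists, the other cannot sign
    if "required" in modes or modes == {"enabled"}:
        return "signed"
    return "unsigned"


def audit(server_dump, client_dumps):
    """Map each client host to the outcome of connecting to the server."""
    server = signing_mode(parse_reg_query(server_dump).get(SERVER_KEY.lower(), {}))
    report = {}
    for host, dump in client_dumps.items():
        client = signing_mode(parse_reg_query(dump).get(CLIENT_KEY.lower(), {}))
        report[host] = negotiate(client, server)
    return report


# Constructed sample: the server still has signing required, XP-02 has already
# received the "Disabled" policy, XP-01 has not.
SBS_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x1
"""

CLIENT_DUMPS = {
    "XP-01": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0
""",
    "XP-02": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x0
    RequireSecuritySignature    REG_DWORD    0x0
""",
}

if __name__ == "__main__":
    for host, outcome in audit(SBS_DUMP, CLIENT_DUMPS).items():
        print(f"{host} -> SBS: {outcome}")
```

Running the same check before and after `gpupdate /force` and the restart shows whether every machine picked up the same policy, which is the state the mismatch article is about.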

  3. jim smith

    jim smith Guest

    Terence:

    Thank you for your response. I have been totally frustrated over this issue
    since Service Pack 2 was installed back in May. ISA is not installed. I am
    convinced it is something to do with policy and/or registry settings as
    things changed immediately after SP2 was installed. SP2 had issues so I had
    help from MS support and we spent 32 hours over 1 week, 12 of which it took
    just to get SP2 installed after the initial failure. The rest was spent
    investigating the slow network. A new NIC was installed (per their
    suggestion), all offloading was disabled, RSS, TCPA, etc. SMB sounds like a
    real possibility.

    Dare I even mention the fact that one of their main programs, ACT 6.0 now
    fails completely after the SP2 update? We have 2 machines that can still
    run the program connecting to the database on the server. They were
    upgraded from W2K to XP Pro. All other machines were initially loaded with
    XP Pro and now they fail to run the program after SP2.

    The important issue is to get the server working properly first without
    rebuilding it if at all possible.

    I will try the suggestions you made this evening and let you know how they
    work.

    I hit the SBS weblog and tried their stuff. Your response has been the most
    reasoned so far and you seem to grasp the idea that this is not suddenly a
    hardware issue.

    Jim
     
    jim smith, Jun 27, 2007
    #3
  4. Hello Jim,

    Thank you for your kind update.

    If the issue persists after you perform all steps in my previous reply,
    please try following the KB articles below to reset TCP/IP on SBS and XP
    clients:

    How to reset "Internet Protocol (TCP/IP)" in Windows Server 2003
    http://support.microsoft.com/?id=317518

    How to reset Internet Protocol (TCP/IP) in Windows XP
    http://support.microsoft.com/?id=299357

    If the issue persists, please kindly help me collect some information for
    further investigation:

    1. Does the slow issue happen when every client accesses SBS?

    2. How about transferring large files between client and client, is it slow
    too?

    3. How many NICs are installed on the SBS server?

    4. Use the Networking MPS report to capture the SBS for further analysis:
    a. Download MPSreport_network from
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

    b. Run MPSRPT_NETWORK.exe on the server box.

    c. The tool will automatically collect the information. This procedure will
    take 10~15 minutes.

    d. Open Windows Explorer, navigate to the folder:
    %SystemRoot%\MPSReports\Network\Reports\Cab\

    e. Send the .cab file directly to me at .

    Hope these steps will give you some help.

    Thanks and have a nice day!

    Best regards,

    Terence Liu(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Terence Liu [MSFT], Jun 28, 2007
    #4
  5. jim smith

    jim Guest

    I will be attempting all these tasks this afternoon. Thanks for continuing
    to dialog with me.

    Jim
     
    jim, Jul 3, 2007
    #5
  6. Hello Jim,

    Thank you for your kind update.

    I was just writing to say that I hope everything is going well.

    If there's anything else I can do for you, please do not hesitate to let me
    know.

    Thank you and have a nice day,

    Best regards,

    Terence Liu(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    | Thread-Topic: IPSEC question
    | thread-index: Ace9go2I6Kjnp6+zSLmKl+lJ3i5OYA==
    | X-WBNR-Posting-Host: 207.46.19.168
    | From: =?Utf-8?B?amlt?= <>
    | References: <ukAf$9$>
    <>
    <#>
    <A#cK$>
    | Subject: Re: IPSEC question
    | Date: Tue, 3 Jul 2007 07:58:02 -0700
    | Lines: 307
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
    | Newsgroups: microsoft.public.windows.server.sbs
    | Path: TK2MSFTNGHUB02.phx.gbl
    | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:47925
    | NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
    | X-Tomcat-NG: microsoft.public.windows.server.sbs
    |
    | I will be attempting all these tasks this afternoon. Thanks for
    continuing
    | to dialog with me.
    |
    | Jim
    |
    | "Terence Liu [MSFT]" wrote:
    |
    | > Hello Jim,
    | >
    | > Thank you for kind update.
    | >
    | > If the issue persists after you perform all steps in my previous reply,
    | > please try to following the KB to reset TCP/IP on SBS and XP clients:
    | >
    | > How to reset "Internet Protocol (TCP/IP)" in Windows Server 2003
    | > http://support.microsoft.com/?id=317518
    | >
    | > How to reset Internet Protocol (TCP/IP) in Windows XP
    | > http://support.microsoft.com/?id=299357
    | >
    | > If the issue persists, please kindly help me collect some information
    for
    | > further investigation:
    | >
    | > 1. Does the slow issue happen when every client access SBS?
    | >
    | > 2. How about transfer large files between client and client, is it slow
    too?
    | >
    | > 3. How many NIC are installed on the SBS server?
    | >
    | > 4. Use the Networking MPS report to capture the SBS for further
    analysis:
    | > a. Download MPSrepot_network from
    | >
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
    | > 15706/MPSRPT_NETWORK.EXE
    | >
    | > b. Run MPSRPT_NETWORK.exe on the server box.
    | >
    | > c. The tool will automatically collect the information. This procedure
    will
    | > take 10~15 minutes.
    | >
    | > d. Open Windows Explorer, navigate to the folder:
    | > %SystemRoot%\MPSReports\Network\Reports\Cab\
    | >
    | > e. Send the .cab file directly to me at .
    | >
    | > Hope these steps will give you some help.
    | >
    | > Thanks and have a nice day!
    | >
    | > Best regards,
    | >
    | > Terence Liu(MSFT)
    | >
    | > Microsoft CSS Online Newsgroup Support
    | >
    | > Get Secure! - www.microsoft.com/security
    | >
    | > =====================================================
    | > This newsgroup only focuses on SBS technical issues. If you have issues
    | > regarding other Microsoft products, you'd better post in the
    corresponding
    | > newsgroups so that they can be resolved in an efficient and timely
    manner.
    | > You can locate the newsgroup here:
    | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
    | >
    | > When opening a new thread via the web interface, we recommend you check
    the
    | > "Notify me of replies" box to receive e-mail notifications when there
    are
    | > any updates in your thread. When responding to posts via your
    newsreader,
    | > please "Reply to Group" so that others may learn and benefit from your
    | > issue.
    | >
    | > Microsoft engineers can only focus on one issue per thread. Although we
    | > provide other information for your reference, we recommend you post
    | > different incidents in different threads to keep the thread clean. In
    doing
    | > so, it will ensure your issues are resolved in a timely manner.
    | >
    | > For urgent issues, you may want to contact Microsoft CSS directly.
    Please
    | > check http://support.microsoft.com for regional support phone numbers.
    | >
    | > Any input or comments in this thread are highly appreciated.
    | > =====================================================
    | >
    | > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    | >
    | > --------------------
    | > | From: "jim smith" <>
    | > | Subject: Re: IPSEC question
    | > | Date: Wed, 27 Jun 2007 08:01:46 -0500
    | > |
    | > | Terrance:
    | > |
    | > | Thank you for your response. I have been totally frustrated over this
    | > | issue since Service Pack 2 was installed back in May. ISA is not
    | > | installed. I am convinced it is something to do with policy and/or
    | > | registry settings as things changed immediately after SP2 was
    | > | installed. SP2 had issues so I had help from MS support and we spent
    | > | 32 hours over 1 week, 12 of which it took just to get SP2 installed
    | > | after the initial failure. The rest was spent investigating the slow
    | > | network. A new NIC was installed (per their suggestion), all
    | > | offloading was disabled, RSS, TCPA, etc. SMB sounds like a real
    | > | possibility.
    | > |
    | > | Dare I even mention the fact that one of their main programs, ACT 6.0,
    | > | now fails completely after the SP2 update? We have 2 machines that can
    | > | still run the program connecting to the database on the server. They
    | > | were upgraded from W2K to XP Pro. All other machines were initially
    | > | loaded with XP Pro and now they fail to run the program after SP2.
    | > |
    | > | The important issue is to get the server working properly first
    | > | without rebuilding it if at all possible.
    | > |
    | > | I will try the suggestion you made this evening and let you know how
    | > | they work.
    | > |
    | > | I hit the SBS weblog and tried their stuff. Your response has been the
    | > | most reasoned so far and you seem to grasp the idea that this is not
    | > | suddenly a hardware issue.
    | > |
    | > | Jim
    |
     
    Terence Liu [MSFT], Jul 4, 2007
    #6
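
The four "Digitally sign communications" policies and the LAN Manager authentication level listed in the first reply are stored as registry values, so their effective state can be read on each machine after `gpupdate /force`. The script below is an added example, not part of the thread: the function names are hypothetical, and the outcome rule for mismatched settings is an assumption about SMB1 negotiation, in line with the KB 916846 title cited in that reply.

```powershell
# Added example, not part of the thread. Reads the registry values behind the
# SMB signing and LAN Manager policies on the local computer.
$cs = 'HKLM:\SYSTEM\CurrentControlSet'
$wk = "$cs\Services\LanmanWorkstation\Parameters"   # "Microsoft network client" policies
$sv = "$cs\Services\LanmanServer\Parameters"        # "Microsoft network server" policies

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the value is absent, so the OS default applies.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Get-SigningState([string]$Path) {
    # "(always)" maps to RequireSecuritySignature, "(if ... agrees)" to EnableSecuritySignature.
    $enable = Get-RegValue $Path 'EnableSecuritySignature'
    if ((Get-RegValue $Path 'RequireSecuritySignature') -eq 1) { return 'Required' }
    if ($enable -eq 1) { return 'Enabled' }
    if ($enable -eq 0) { return 'Disabled' }
    return 'NotSet'
}

function Get-SmbSigningOutcome([string]$Client, [string]$Server) {
    # Assumed SMB1 behaviour: Required on one side against Disabled on the other
    # cannot negotiate; otherwise traffic is signed only if neither side is Disabled.
    $pair = @($Client, $Server)
    if (($pair -contains 'Required') -and ($pair -contains 'Disabled')) { return 'Connection fails' }
    if ($pair -contains 'Disabled') { return 'Not signed' }
    return 'Signed'
}

$lmNames = @('Send LM & NTLM responses',
             'Send LM & NTLM - use NTLMv2 session security if negotiated',
             'Send NTLM response only', 'Send NTLMv2 response only',
             'Send NTLMv2 response only. Refuse LM',
             'Send NTLMv2 response only. Refuse LM & NTLM')
$client = Get-SigningState $wk
$server = Get-SigningState $sv
$lm     = Get-RegValue "$cs\Control\Lsa" 'LmCompatibilityLevel'

"SMB client signing   : $client"
"SMB server signing   : $server"
if ($null -eq $lm) { 'LmCompatibilityLevel : not set (OS default)' } else {
    "LmCompatibilityLevel : $lm ($($lmNames[$lm]))" }

# Outcome for every client/server combination, for comparing two machines' reports.
foreach ($c in 'Required', 'Enabled', 'Disabled') {
    foreach ($s in 'Required', 'Enabled', 'Disabled') {
        "client=$c server=$s -> $(Get-SmbSigningOutcome $c $s)"
    }
}
```

Run it on the server and on one workstation, then look up the workstation's client state against the server's server state in the printed table.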
