Work though the following steps to troubleshoot the MAPI Proxy:
Step 1. Work through the troubleshooting steps as explained in the "Troubleshooting Steps for Single Channel TCP Application" section.
Step 2. You must have already successfully connected to the exchange server through LAN access. The Application Access Applet on the client PC will read Registry Keys populated during the LAN connection to the Exchange Server. Both Global Catalog Server and Exchange server can be detected through the registry entries.
Step 3. The Application Access Applet is populated with the server names determined from the following registry entries:
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\
- HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\
- Exchange server Key: 13dbb0c8aa05101a9bb000aa002fc45a\001e6602
- Global catalog server Key: dca740c8c042101ab4b908002b2fe182\001e6602
If either the Exchange Server or Global Catalog server is not found, MAPI Proxy will fail. Example 8-16 shows JAVA console output (refer to the section entitled "Java Applet Debugging" for details on how to turn on debug for Java Applet) when Exchange server is found but the Global Catalog server is not found.
Example 8-16. Java Console Debug Output when Exchange Server Is Found But Global Catalog Server Is Not Found
[View full width]
user diretory = C:\Documents and Settings\mygroup\
Looking for DLL: "C:\Documents and Settings\mygroup\WebVpnRegKey4-63-67-72-190.dll"
DLL exits? YES
System dir: C:\WINDOWS\System32
Windows dir: C:\WINDOWS
System dir: C:\WINDOWS\System32
Windows dir: C:\WINDOWS
WebVPN Service: debug level: 3
Default Exchange Profile: Mygroup Exchange
Looking for exchange server in: Software\Microsoft\Windows NT\CurrentVersion\Windows
Messaging Subsystem\Profiles\Mygroup Exchange\13dbb0c8aa05101a9bb000aa002fc45a
Exchange server: My-local-exchange Server
Looking for global catalog server in: Software\Microsoft\Windows NT\
CurrentVersion\Windows Messaging Subsystem\Profiles\Mygroup Exchange\
dca740c8c042101ab4b908002b2fe182
Registry error: Query value key failed
updateRegistry: orig value: ncalrpc,ncacn_ip_tcp,ncacn_spx,ncacn_np,netbios,ncacn_vns_spp
updateRegistry: new value: ncalrpc,ncacn_http,ncacn_ip_tcp,ncacn_spx,ncacn_np,netbios
,ncacn_vns_spp
Found hosts file: C:\WINDOWS\System32\drivers\etc\hosts
Exchange = true
Step 4. Ensure that you have Enable Outlook/Exchange Proxy checked under the group setup.
Step 5. Ensure the DNS is working from the Concentrator.
Configuration Steps for E-mail Proxy
With the E-mail Proxy configuration (this is different than MAPI Proxy as discussed earlier), the Concentrator acts as a relay for secure e-mail protocols. Work through the following steps to configure E-mail Proxy:
Step 1. Go to Configuration > Interfaces > Ethernet 2 to modify public interface settings. Under the WebVPN tab, check Allow POP3S sessions, Allow ICAP4S sessions, and Allow SMTPS sessions.
Step 2. Browse to Configuration > Tunneling and Security > WebVPN > E-mil Proxy page to define Authentication, mail server IP, and so on.
Step 3. Refer to the following link for additional details on VPN Concentrator and e-mail client configuration: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/enduser2.htm#wp1589079
Troubleshooting Steps for E-mail Proxy
Work through the following steps if the e-mail client is unable to send and receive e-mail:
Step 1. Be sure SMPTS, POP3s, or IMAP4S are open on the public interface.
Step 2. Be sure SSL is enabled for incoming and outgoing mail in the e-mail client.
Step 3. If the client is trying to use an incorrect port number or if SSL is not enabled on the client, there is no notification from the concentrator.
Step 4. Be sure that SSL is working between the VPN Client and the Concentrator.
Step 5. If the SSL connection is failing, you will see SSL events on the VPN Concentrator as follows:
71 06/02/2005 14:38:04.410 SEV=6 SSL/20 RPT=1 172.16.172.119 Received
an SSL alert fatal/SSL_ALERT_UNKNOWN_CA.
72 06/02/2005 14:38:04.410 SEV=6 SSL/15 RPT=617 172.16.172.119 Socket
is closing (context=0x6A0004): received alert. 73 06/02/2005
14:38:04.410 SEV=5 EMAILPROXY/47 RPT=172.16.172.119
Step 6. Verify that the concentrator configuration is for Required Authentication.
Step 7. Verify the username and password that is set on the client with respect to the configuration on the concentrator.
Step 8. If piggyback authentication is configured, verify that the username/password format is correct as follows:
vpnusername:mailusername
vpnpassword:mailpassword
With Piggyback authentication, be sure the WebVPN session is up; otherwise, piggyback will not work.
It is important to note that Concentrator log messages generally will display what happens in the process but will not display failures in client-server authentication.
Step 9. Test the account locally, and then through the concentrator. Generally if SSL can come up and the account works, the E-mail Proxy should work fine.
Thick Client (SSL VPN Client)
Thick Client, or the SSL VPN Client, provides the full tunneling ability for the Remote Access VPN Connection on VPN Concentrator. Thick client, or the SSL VPN Client software (generally 500K max), is delivered via automatic download (Active X, Java, or EXE) to the user PC. This client is delivered via a web page (the device that the user is connecting to) and never needs to be manually distributed or installed. No reboot is required after the SSL VPN client is downloaded and installed. It provides similar access to traditional IPsec VPN client, but provides better accessibility over firewalls and NAT than the traditional IPsec VPN Client. SSL VPN Client usually requires administrative privileges for initial install, but in the absence of admin privileges, a stub-installer is used. The sections that follow discuss both the configuration and troubleshooting of SSL VPN Client implementation. The discussion is organized as follows:
Configuration steps for SSL VPN client
Troubleshooting steps for SSL VPN client