This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Slow Outlook start when using proxy

Hi, there,

on a customer's site I have a SG 210 running 9.605 (current). I used to use the webfilter proxy (running in standard mode) to control outgoing web traffic, worked fine for over a year. The customer also uses an internaly hosted Exchange server, there's a split DNS set up, so autodiscover.domain.tld and all the other domains resolve to internal IP addresses.

A few weeks ago I had to add another network for a sister company that moved in, they now also use the same UTM. This also worked fine ...but... since then, starting Outlook takes ages. On some PCs, it also takes 5 minutes to start Outlook. After that, everything is fine, and web surfing generally is not affected.

The problem disappears as soon as I open the relevant ports in Network Protection and switch off the proxy (via removing the WPAD hostname in the internal DNS).

I added several exceptions to Microsoft sites in the Web Protection exceptions, to no avail. As soon as I use the proxy Outlook slows down.

Has anyone here met the same problems? Any advice would be welcome

 

Thanks in advance

 

Dirk



This thread was automatically locked due to age.
  • Hi,

     

    you have to skip these URLS in the Internetsettings on the clients!

  • Thorsten,

    I did that - even twice, once as exception on the UTM itself, and then also within the wpad.dat, to no avail.

    I'll add the wpad.dat to this post. According to https://app.thorsen.pm/proxyforurl it's syntactically correct.

    If I use the wpad.dat, Outlook requires about 1:30 to start Outlook. Without proxy, it's less than 5 seconds

  • Hi Dirk

    does the delay occur if you specify the proxy on the client machine manually (with exception for your exchange server) too?

    Maybe you could tell us what url your exclusion was? Autodiscover.xyz.com should be one I guess.

    Best regards

    Alex

    -

  • Hi Alexander,

    ist does occur then as well. Below I added my wpad.dat. autodiscover.domain.tld does locally resolve to a 192.168.100.x/24 address. I don't see any requests for that (or for the Exchange server generally) on the proxy log.

     

    function FindProxyForURL(url, host)
    {
        myip = myIpAddress();
        // Convert everything to lower case.
        var lhost = host.toLowerCase();
        host = lhost;
        // Erstmal entscheiden, wann ich _nicht_ über den Proxy gehe
        // Allgemeine Ausnahmen
        //hier werden alle Hosts ohne DNS Suffix ohne Proxy angesprochen: z.B. http://Nagios/
        if (isPlainHostName(host))
            return "DIRECT";

        //lokale Domäne. Beispiel: nagios.domain.local
        else if (shExpMatch(host, "*.local"))
            return "DIRECT";

        // lokale IPs / private Netzwerke
        else if (isInNet(host, "10.0.0.0", "255.0.0.0") ||    
            isInNet(host, "172.16.0.0", "255.240.0.0") ||
            isInNet(host, "192.168.0.0", "255.255.0.0"))
            return "DIRECT";    

        //localhost
        else if (localHostOrDomainIs(host, "127.0.0.1"))
            return "DIRECT";
        
        // If IP of the requested host falls within any of the ranges specified, send direct.
     
        if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";


    if (shExpMatch(url, "*.office365.com"))
            return "DIRECT";
    if (shExpMatch(url, "*.outlook.com"))
            return "DIRECT";
    if (shExpMatch(url, "*.microsoft.com"))
            return "DIRECT";
    if (dnsDomainIs(url, "*.live.com"))
            return "DIRECT";
    if (shExpMatch(url, "*.microsoftonline.com"))
            return "DIRECT";
    if (shExpMatch(url, "*.bing.com"))
            return "DIRECT";
    if (shExpMatch(url, "*.office.net"))
            return "DIRECT";




        return "PROXY 192.168.100.254:8080";
    //        return "DIRECT";
    }

  • Okay, other way around. Does the UTM resolve autodiscover.domain.tld to the internal or external IP?

    You can test this on the UTM, in the support menu.

    Best regards

    Alex

    -

  • Alex,

    all DNS requests to domain.tld resolve to the internal IP address. Just checked.

    Also, the client should contact the internal DC (DNS) first, that one also has the internal IP set up

  • If a proxy is set, the name resolution is done at the proxy not at the client. That was my concern.

    Sorry if you checked that already, I am out of ideas.

    Best regards

    Alex  

    -

  • Whats about the URL of the Clientaccesserver?

     

    Get-ClientAccessServer | fl autodiscover*

     

    Is this URL in the exceptions configured?

  • Thorsten, Axel,

     

    what strike me that although I have configured exceptions / rules in my wpad.dat, I still see requests going through the proxy server:

    2019:09:19-15:06:46 hi-fw01-2 httpproxy[21737]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.100.146" dstip="52.109.28.22" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Customer)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="0" request="0xdc8f0e00" url="odc.officeapps.live.com/.../federationProvider referer="" error="" authtime="0" dnstime="483" aptptime="0" cattime="235" avscantime="0" fullreqtime="60092283" device="0" auth="0" ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.11929; Pro)" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension"

    I assume this has to do with a federated sharing we have set up with another company. Still according to the wpad.dat dat those request should never hit the proxy.

     

    Same goes for login.microsoftonline.com/.../

     

    I have now placed a call with Microsoft