20 Replies. Latest reply: May 13, 2018 9:17 PM by indra nainggolan

Exchange 2010 (WinXP or Win7) won't optimise - cannot decrypt

Ian Triggs

Hi,

In my environment we were running Exchange 2007 fine and had optimisation working well. We have recently migrated to Exchange 2010 and no longer get any optimisation. We would see all sessions to the Exchange server as TCP sessions with 1 EPM session.

We then upgraded from 6.1.1a to 6.5.1 to resolve this. Now we can see MAPI on both Steelheads but 'cannot decrypt traffic' on these sessions.

We have mostly Windows XP with some Windows 7. We have tried with both transparent mode and delegation mode and followed the guides exactly, but we can't get the traffic decrypted. If I turn off Outlook encryption the sessions work fine, but the bosses would prefer this wasn't the solution.

Right now I have it set up in delegation mode. For the Windows 7 hosts we are seeing MAPI-ENCRYPT (cannot decrypt traffic) and for the Windows XP hosts we are seeing MAPI (cannot decrypt traffic).

Meanwhile the device still works just fine to the old Exchange 2007 environment.

When I launch a Windows XP Outlook 2010 (Exchange 2010) client, I see this in the logs:

Jul 19 22:49:26 AU-DC2-SHA-5050 sport[410]: [mapi/rpcserver.NOTICE] - {- -} Unable to instantiate after checking capabilities

That's the only related log I can see.

When I launch a Windows 7 Outlook 2010 (Exchange 2010) client, I see this in the logs:

Jul 19 22:52:11 AU-DC2-SHA-5050 sport[410]: [rpcserver.NOTICE] 93292 {172.16.37.71:61295 172.16.53.11:22267} Can't delegate for server AUDC2PEXCSHT01, error: LDAP Access Error
Jul 19 22:52:11 AU-DC2-SHA-5050 sport[410]: [mapiserver/client.NOTICE] 93292 {172.16.37.71:61295 172.16.53.11:22267} Authentication level changed after connection setup
Jul 19 22:52:12 AU-DC2-SHA-5050 sport[410]: [rpcserver.NOTICE] 93294 {172.16.37.71:61300 172.16.53.11:22267} Can't delegate for server AUDC2PEXCSHT01, error: LDAP Access Error
Jul 19 22:52:12 AU-DC2-SHA-5050 sport[410]: [mapiserver/client.NOTICE] 93294 {172.16.37.71:61300 172.16.53.11:22267} Authentication level changed after connection setup

What would be causing these 2 errors? 'Unable to instantiate after checking capabilities', or 'LDAP Access Error'?

I've checked the delegation account in AD and it has the settings as outlined in the delegation guide, and for all the Exchange servers in our environment (including AUDC2PEXCSHT01 listed in the logs above).

Any ideas?

Thanks in advance,

Ian