Exchange - need to increase "firewall time-out" to 15 mins or more
Getting an error on our Exchange server behind pfSense 2.3.3:
The average of the most recent heartbeat intervals for request [Ping] used by clients is less than or equal to .
Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.
A bit of research has shown this isn't so much an Exchange thing as a tweak that MS want made to the firewall: their HeartBeatAlertThreshold is set to 540 seconds, so they suggest increasing the firewall HTTP(S) timeout to 15 minutes or more.
Is this something I can do a) just for this particular port forward/firewall rules to the server or b) in general for the firewall?
Did you mess with firewall optimization settings?
You can check your timers. An established connection would be 24 hours unless closed. Are you saying that I could send a request and it might not get answered for 540 seconds? So I send a SYN and have to wait for up to 540 seconds for the SYN,ACK, or are you talking about after the TCP handshake has occurred?
[2.4.0-BETA][firstname.lastname@example.org]/var/dhcpd/etc: pfctl -st
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            58200 states
adaptive.end             116400 states
src.track                     0s
Hello John, thanks for the reply. I haven't played with my settings. Here are mine, which seem to differ only at the end, which I imagine isn't that relevant to this:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           854400 states
adaptive.end            1708800 states
src.track                  2000s
I am not entirely clear on the Microsoft documentation, so I will try to get my head around it a bit better as to whether it's the TCP handshake or the ACK it's waiting for.
You can change the Firewall Optimization Options to "Conservative":
System -> Advanced -> Firewall & NAT
There are several tuning options here also -> https://blogs.technet.microsoft.com/david231/2015/03/30/for-exchange-2010-and-2013-do-this-before-calling-microsoft/
Thanks Marvosa that thread looks very helpful - will take a look through it
pfSense itself does not have an HTTP(S) timeout, only a TCP timeout, which defaults to 24 hours. If you're running a proxy, your proxy may need to have the HTTP(S) timeout configured.
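The thread boils down to one check: does the pf state timer that governs an idle, already-established HTTPS session hold for at least the 15 minutes Microsoft asks for, given a direct push Ping that may sit unanswered for up to 540 seconds? The script below is an added example, not something posted in the thread or shipped with pfSense. It parses `pfctl -st` output and compares `tcp.established` against 900 seconds. Both timer dumps inside it are constructed for offline use: SAMPLE_NORMAL copies the default values quoted above, and SAMPLE_SHORT is an assumed set of shortened TCP timers (modelled on pf's "aggressive" optimization hints, used here only to show the failing case). On a live box you would pass the real output in with `sh check_timers.sh "$(pfctl -st)"`.

```shell
#!/bin/sh
# Added example (not from the thread): check pf state timers against the
# 15-minute idle-session figure given for Exchange ActiveSync direct push.
# Live use on pfSense:  sh check_timers.sh "$(pfctl -st)"

# Constructed sample 1: the default pfSense timers quoted in the thread.
SAMPLE_NORMAL='tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            58200 states
adaptive.end             116400 states
src.track                     0s'

# Constructed sample 2 (assumption): a box whose TCP timers were shortened,
# with values modelled on pf's "aggressive" optimization hints. Illustrative only.
SAMPLE_SHORT='tcp.first                    30s
tcp.opening                   5s
tcp.established             300s
tcp.closing                  60s
tcp.finwait                  30s
tcp.closed                   30s'

# Exchange's default HeartBeatAlertThreshold is 540 s; the advice quoted in the
# thread is a firewall idle timeout of 15 minutes (900 s) or more.
HEARTBEAT_MAX=540
MIN_IDLE=900

# timer_seconds OUTPUT NAME: print one pf timer as a whole number of seconds
# (trailing "s" stripped); prints nothing if the timer is not in the output.
timer_seconds() {
  printf '%s\n' "$1" | awk -v name="$2" '$1 == name { sub(/s$/, "", $2); print $2; exit }'
}

# check_direct_push OUTPUT: return 0 if an idle, established HTTPS session
# (the state a direct push Ping sits in while the server holds it open)
# survives at least MIN_IDLE seconds, 1 otherwise. tcp.established is the
# relevant timer because the TCP handshake is over before the Ping is sent;
# tcp.first and tcp.opening only cover the handshake itself.
check_direct_push() {
  est=$(timer_seconds "$1" tcp.established)
  if [ -z "$est" ]; then
    echo "tcp.established not found in pfctl output"
    return 1
  fi
  if [ "$est" -ge "$MIN_IDLE" ]; then
    echo "OK: tcp.established=${est}s >= ${MIN_IDLE}s (a heartbeat of up to ${HEARTBEAT_MAX}s fits)"
    return 0
  fi
  echo "WARN: tcp.established=${est}s < ${MIN_IDLE}s; idle direct push sessions may be dropped"
  return 1
}

# Stand-alone run: check live output if given, otherwise the two samples.
demo() {
  if [ "$#" -ge 1 ]; then
    check_direct_push "$1"
  else
    check_direct_push "$SAMPLE_NORMAL"
    check_direct_push "$SAMPLE_SHORT" || echo "(expected for the shortened sample)"
  fi
}
demo "$@"
```

With the default timers the check passes by a wide margin (86400 s against 900 s), which is the point made in the last reply: the state table is not where a 540-second Ping gets cut off. If it fails on a real box, the timers have been shortened, either through the Firewall Optimization setting or by hand, and setting the optimization back to Normal or Conservative restores a long enough `tcp.established`.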