• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Can't Access Websites By IP

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> General >> Can't Access Websites By IP Page: [1] 2 3   next >   >>
Login
Message << Older Topic   Newer Topic >>
Can't Access Websites By IP - 4.May2009 4:20:20 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Using ISA 2006.

Trying to browse to websites by IP address and get IE timeout error.
I do live monitoring of the session in ISA and never even see any connection trying to be initiated.

I can ping the site from local pc and ISA server itself. Can also do nslookup.

If I use the DNS name, it browses fine and I see the traffic in ISA.
If I use IP, I get http timeout. No log in ISA, no ISA error page.

Any suggestions?
Post #: 1
RE: Can't Access Websites By IP - 4.May2009 4:23:48 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Stop trying to browse by IP?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to dvizzle)
Post #: 2
RE: Can't Access Websites By IP - 4.May2009 7:31:16 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
How are your clients configured to access ISA? Are you sure using the right IP for that website?

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 3
RE: Can't Access Websites By IP - 5.May2009 9:17:07 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Some of the geniuses we work with see DNS as this fancy fad that will be over soon enough. Still, I know how stupid it sounds, but there are a few sites that need to be browsed by IP.

The IP is correct. I can browse to the website direct via IP using a direct connection to the internet that does not go through ISA, as well as going through the old proxy which we are setting ISA up to replace.

It is confusing since I can ping and tracert it from the ISA server and the desktop, but I am getting no traffic in the ISA log nor an ISA error message, just the IE timeout message.

(in reply to inderjeet)
Post #: 4
RE: Can't Access Websites By IP - 5.May2009 9:49:50 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Are these external websites? DMZ websites? Do you publish them?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to dvizzle)
Post #: 5
RE: Can't Access Websites By IP - 5.May2009 9:50:24 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
It should work with IP as well. I have tried that on my ISA Server and it works with IP....

Can you collect some network traces on ISA and the test client machine at the same time? Save both the traces as .CAP file and send me at isaissues@yahoo.com also, Let me know the time you did the test, Client IP from where you did the test, and the Internal IP of ISA.

I can only tell after looking into the logs

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 6
RE: Can't Access Websites By IP - 5.May2009 9:53:12 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Sounds to me like it's their own websites they can't access. Haven't added the IP into the public name feild of the pub rule. Bad practice that.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to inderjeet)
Post #: 7
RE: Can't Access Websites By IP - 5.May2009 9:54:50 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Can you get  to http://69.147.76.15/

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to SteveMoffat)
Post #: 8
RE: Can't Access Websites By IP - 5.May2009 11:37:43 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
These are public IP's as well as internal IP's.

I cannot access http://69.147.76.15/ using ISA as the proxy. I see no logging either.

(in reply to SteveMoffat)
Post #: 9
RE: Can't Access Websites By IP - 5.May2009 11:53:09 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Internal IPs should go directly not through your proxy. This is configured in Local Address Table (LAT) in ISA under Network > Internal > Properties > Web Browser Tab and also you may check the box "Directly access computers specified in the address tab" under the same Tab

Whereas, for external i would need the logs as mentioned in my above post.

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 10
RE: Can't Access Websites By IP - 5.May2009 12:29:36 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
quote:

ORIGINAL: inderjeet

Internal IPs should go directly not through your proxy. This is configured in Local Address Table (LAT) in ISA under Network > Internal > Properties > Web Browser Tab and also you may check the box "Directly access computers specified in the address tab" under the same Tab

Whereas, for external i would need the logs as mentioned in my above post.


That solved the internal issue but it does not resolve public IP's.

I'm not sure what logs you need since ISA isn't generating anything when I'm doing a live monitor while trying to establish the connection.

Thank you for the help so far.

(in reply to inderjeet)
Post #: 11
RE: Can't Access Websites By IP - 5.May2009 12:44:51 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Install Network Monitor 3.2 on ISA and the client. Then enable tracing on both. Then test opening a website. Stop traces on both and save them as .CAP files. Send those to me at the email mentioned above. Send me below information as well

1. ISA's Internal IP
2. Client IP (do Ipconfig /all >c:\ipconfig.txt)
3. Time you did the test

Send me the .CAP files and the TXT file mentioend above in point number 2

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 12
RE: Can't Access Websites By IP - 5.May2009 2:25:24 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
It is a production enviornment being used by 20k users. Please let me know what you need me to use in the filters in order to only collect and capture the most necessary info since I don't want to wait 2 hours for it to finish parsing.

(in reply to inderjeet)
Post #: 13
RE: Can't Access Websites By IP - 5.May2009 2:46:02 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Filter it for HTTP and from client machine

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 14
RE: Can't Access Websites By IP - 5.May2009 3:37:29 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
ISA server got back nothing.

Client received a few frames. What should I be looking for specifically?

(in reply to inderjeet)
Post #: 15
RE: Can't Access Websites By IP - 5.May2009 4:03:34 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Can you give me an example of one of the web IP's that will not work?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to dvizzle)
Post #: 16
RE: Can't Access Websites By IP - 5.May2009 4:12:27 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Anything in a public IP range.

Another user asked me to try http://69.147.76.15/ which did not work when ISA is being used. If the proxy is changed, it works fine and takes me to the Yahoo home page.

(in reply to SteveMoffat)
Post #: 17
RE: Can't Access Websites By IP - 5.May2009 4:55:48 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Sorry guys,..but everyone is running off in every direction but where you need to go. Although inderjeet came real close.

1. This only happens when the Site is on the LAN, and should be direclty accessed in the first place.

2. The root of the problem is IE, not ISA.  IE does not handle IP#s in the URL properly when it has proxy settings at the same time.

3. IE has had this problem since the days of cavemen.

There are three official solutions. Number 3 is the best one and the most flexible, it just takes a little more work to setup initially, however it solves a lot of other issues that you do not even know that you have yet or will have later.

1.  Add the IP# to the Intranet Zone on every single involved PC within every single user profile on that PC.  Obviously that is not very "pretty".  This is somewhat along the same lines as what interjeet said although his method is probably less work since it is done centrally at the ISA.  But option #3 avoids ever having to do any of that because IE will not ever send it to the proxy to begin with.

2. Never ever ever ever ever use IP#s in a URL.  It horribly complicates things,...it does not make things "simpler" as the common wizdom of the industry thinks.

3. Configure the LAN to use Proxy Autodection via WPAD and have the firewall client installed on the workstation.  The WPAD Script when received by IE will allow IE to make the proper decision and not send the request to the proxy.

_____________________________

Phillip Windell

(in reply to dvizzle)
Post #: 18
RE: Can't Access Websites By IP - 5.May2009 4:57:21 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Hi,

Do the tracing again on both machines. From client first test with website name and then with IP. Can you send me the logs? It's difficult to tell what to see in logs...



_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 19
RE: Can't Access Websites By IP - 5.May2009 5:06:45 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
quote:

3. Configure the LAN to use Proxy Autodection via WPAD and have the firewall client installed on the workstation.  The WPAD Script when received by IE will allow IE to make the proper decision and not send the request to the proxy.


Hey Phillip,

That is the whole issue. The requests are anyhow not going to the proxy with http://PUBLICIP 

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to pwindell)
Post #: 20

Page:   [1] 2 3   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> General >> Can't Access Websites By IP Page: [1] 2 3   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts