Can't get to Internal Websites via IP

Can't get to Internal Websites via IP - 31.May.2006 3:11:00 PM   
davidtheilman

 

Posts: 20
Joined: 2.Apr.2004
From: Maryland
Status: offline
Hello:

I have multiple websites set up on our internal network. I can get to all of them using http://website but not by using http://ipaddress

The log on the ISA 2004 server says "Anonymous" as user if the firewall client is turned on. If I turn it off, it shows no user and it works via IP. Using the name of the website works no matter what.

Within ISA I have bypass proxy for servers in this network checked and Directly access computers specified in the Domain tab checked.

The server is Windoz 2003 SP1 and ISA 2004 SP2. This started happening after I installed SP2 last week.

Thanks
Post #: 1
RE: Can't get to Internal Websites via IP - 3.Jun.2006 7:17:24 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi David,

Remember to configure internal sites for Direct Access when internal users connect to them.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to davidtheilman)
Post #: 2
RE: Can't get to Internal Websites via IP - 7.Jun.2006 3:40:18 PM   
davidtheilman

 

Posts: 20
Joined: 2.Apr.2004
From: Maryland
Status: offline
I already have that set, that is how they can get to the site by name.
My question is does anyone know why the name will work but entering the IP address does not?

http://servername works
http://172.16.6.60 does not work

Thanks in Advance!

(in reply to tshinder)
Post #: 3
RE: Can't get to Internal Websites via IP - 7.Jun.2006 5:51:11 PM   
gary1218

 

Posts: 37
Joined: 16.Dec.2003
From: Upstate NY
Status: offline
Hi, David -
I have asked the same question, received no answer. I'm not sure anyone knows why. There was an explanation that almost made sense in another thread. I'll see if I can find it and put a link. It had to do with the way the ISA servers resolve the name to the IP address. It was only explained in the most vague terms, so I'm not sure I fully understand why. I do know if you remove the proxy connection settings from your browser, thus bypassing the proxy, you can get to the Internal sites.

I have a related problem myself- in that, regardless of the Internal networks being correctly set up and the setting for direct access, some internal sites still get a proxy denied error, even though they are located on the Internal network. I would think the proxy won't even be involved, but that's not the case. It is apparent that the proxy server handles all web traffic, even if the Internal networks are supposed to be bypassed. I've had to put in specific rules for accessing internal websites, which every piece of documentation says you don't have to do. I've also checked using the ISA BPA and it doesn't indicate there is any problem with my setup.

(in reply to davidtheilman)
Post #: 4
RE: Can't get to Internal Websites via IP - 7.Jun.2006 6:27:24 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

I'm not sure anyone knows why

I'm not sure I understand what has been tried and what does not work for you. I use WPAD and centrally manage all my *direct* and proxy exceptions and have no problem accessing anything internal by IP.

That said, there are some issues with IP exceptions with SP2 and something about EE and CARP but I have not encountered them.  I run ISA SE.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to gary1218)
Post #: 5
RE: Can't get to Internal Websites via IP - 7.Jun.2006 6:32:53 PM   
davidtheilman

 

Posts: 20
Joined: 2.Apr.2004
From: Maryland
Status: offline
I use WPAD also and I guess the bottom line is that pre SP2 for ISA all worked, after I installed SP2, connecting to the site via IP and not by name broke and I can't seem to figure out what SP2 did to it.

I know SP2 broke it because when I uninstalled it to test, everything worked (IP and name). However, I have an ISA 2004 to ISA 2004 tunnel issue that SP2 did fix. So I can't uninstall it.

Thanks

(in reply to LLigetfa)
Post #: 6
RE: Can't get to Internal Websites via IP - 7.Jun.2006 7:27:56 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
SE or EE?
Care to compare WPAD entries?
//Copyright (c) 1997-2004 Microsoft Corporation
BackupRoute="DIRECT";
UseDirectForLocal=true;
// DirectIPs holds (network address, subnet mask) pairs
function MakeIPs(){
    this[0]="127.0.0.0";
    this[1]="255.0.0.0";
    this[2]="10.0.0.0";
    this[3]="255.0.0.0";
    this[4]="127.0.0.1";
    this[5]="255.255.255.255";
    this[6]="192.168.0.0";
    this[7]="255.255.0.0";
}
DirectIPs=new MakeIPs();
// number of array entries (4 pairs)
cDirectIPs=8;



(in reply to davidtheilman)
Post #: 7
RE: Can't get to Internal Websites via IP - 7.Jun.2006 8:25:36 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Have you already seen Tom's Blog about this?

ISA Firewall SP2 Breaks Direct Access and How to Fix It
http://blogs.isaserver.org/shinder/2006/02/17/isa-firewall-sp2-breaks-direct-access-and-how-to-fix-it/

Not sure if it'll help your scenario since the 'fix' is to remove the IPs from the Direct Access field - the MSFT KB article goes into a little more detail though.

From the article...
quote:

Note If at least one IP address is present in the Directly access these servers or domains list, you must include all the IP address ranges that you want the client computer to access directly. If you do not include all the IP addresses that you want the client computer to access directly, the client routes requests to sites other than those that appear in the Directly access these servers or domains list. Additionally, to prevent requests from IP address 127.0.0.1 from being routed when no IP address ranges exist in this list, add the 127.0.0.1 IP address as a domain name to the Directly access these servers or domains list. If other IP address ranges are present in this list, the address range of 127/8 is automatically added.






(in reply to LLigetfa)
Post #: 8
RE: Can't get to Internal Websites via IP - 9.Jun.2006 3:02:02 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I know that they're working on a fix for this, but right now, just enter domain names, since all the hosts on your internal domain should be registered in your DNS.

HTH,
Tom


(in reply to ClintD)
Post #: 9
RE: Can't get to Internal Websites via IP - 19.Jun.2006 4:26:17 PM   
Gabonescu

 

Posts: 8
Joined: 19.Jun.2006
From: London, ON
Status: offline
Hello Everybody,


I'm trying to do the same with my new ISA 2004 but I have different issues:

- I can't see any of my internet web sites if a client is configured to use ISA as a proxy;

To be more exact, we've installed ISA Server 2004 Standard (+SP2) on a Windows 2003 (+SP1) in a Single Network Adapter config (we want to use this ISA just for cache). No special settings, just the standard ones: a default Web rule. When I tried to access my http://intranet.xx.com the error is

Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)

I've tried to publish this web server with standard options in the rule but no luck.

Is there anybody who can tell me a basic way to publish a classic internal web site for my users?

Any help is really appreciated!

Thanx,

gabon

(in reply to davidtheilman)
Post #: 10
RE: Can't get to Internal Websites via IP - 19.Jun.2006 4:42:56 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Gabonescu,
If you have different issues why are you hijacking this topic?  Start your own.


(in reply to Gabonescu)
Post #: 11
RE: Can't get to Internal Websites via IP - 19.Jun.2006 4:49:05 PM   
Gabonescu

 

Posts: 8
Joined: 19.Jun.2006
From: London, ON
Status: offline
Sorry, but it was not my intention.

It looks to me like something related to this posting....that's all.

Gabon

(in reply to LLigetfa)
Post #: 12
RE: Can't get to Internal Websites via IP - 19.Jun.2006 5:42:08 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Gabon,

Can you repost your question in the Web Proxy Caching section? I like to keep the single NIC deployment issues outside of the rest of the ISA firewall discussions.

Thanks!
Tom


(in reply to Gabonescu)
Post #: 13
RE: Can't get to Internal Websites via IP - 19.Jun.2006 5:53:24 PM   
Gabonescu

 

Posts: 8
Joined: 19.Jun.2006
From: London, ON
Status: offline
Sure I can...but I don't know in which section is this ...web caching.

Maybe you can guide me...


Thanks,
Gabon

(in reply to tshinder)
Post #: 14
RE: Can't get to Internal Websites via IP - 19.Jun.2006 5:56:22 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Gabon,

ISA Server 2004 Cache --> General

Thanks!
Tom


(in reply to Gabonescu)
Post #: 15
RE: Can't get to Internal Websites via IP - 19.Jun.2006 6:03:39 PM   
Gabonescu

 

Posts: 8
Joined: 19.Jun.2006
From: London, ON
Status: offline
Done!

(in reply to tshinder)
Post #: 16
RE: Can't get to Internal Websites via IP - 19.Jun.2006 8:59:14 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Thanks!
Tom


(in reply to Gabonescu)
Post #: 17
RE: Can't get to Internal Websites via IP - 31.Jul.2006 5:32:06 PM   
gary1218

 

Posts: 37
Joined: 16.Dec.2003
From: Upstate NY
Status: offline
As a follow-up to Tom's note "ISA-firewall-SP2-breaks-direct-access-and-how-to-fix-it", I recently attended the "Microsoft ISA Server" session at SANSFIRE 2006 in Boston MA, presented by Jason Fossen.
Here is a quote from his guide on the issue.
"But with SP2, a requested name in the list is accessed directly only if no IP addresses are included in the list whatsoever. If IP addresses are in the list, ISA Server tries to resolve the FQDN to an IP address and access is direct only if the resolved IP address is found in the list. Hence, either specify both the IP address and FQDN of the destination, or specify the FQDN only. If there are only FQDN's on the list, the behavior remains as it was prior to SP2. If you add any IP addresses to the list, then you should add ALL the IP address ranges that you want the client computer to access directly; otherwise, destinations that are not in the list will be routed through the ISA server."

Clear as mud... Simply, you apparently can use IP's but it's all or nothing - don't mix and match.
Just wanted to share that.
Thanks.

(in reply to tshinder)
Post #: 18
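
Added example (not part of any post in this thread, and not ISA Server or Microsoft code): a small JavaScript model of the Direct Access rule as quoted in post 18, using the network/mask pair layout of the WPAD excerpt in post 7. The names route, inRanges and CONSTRUCTED_DNS, the 172.16.0.0/255.240.0.0 range and the handling of requests made by IP literal are assumptions for illustration; servername and 172.16.6.60 are the values from post 3.

```javascript
// Model of the Direct Access decision as quoted in the thread (illustrative only).
// CONSTRUCTED_DNS stands in for name resolution; its contents are sample data.
const CONSTRUCTED_DNS = { "servername": "172.16.6.60" };

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

const isIp = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);

// ranges: [network, mask] pairs, the same layout as DirectIPs in the WPAD excerpt.
function inRanges(ip, ranges) {
  const n = ipToInt(ip);
  return ranges.some(([net, mask]) => {
    const m = ipToInt(mask);
    return ((n & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  });
}

// Returns "DIRECT" or "PROXY" for a requested host.
// names and ranges are the two kinds of entry in the Direct Access list.
function route(host, names, ranges, sp2) {
  // Assumption: a request by IP literal is direct only if a listed range covers it.
  if (isIp(host)) return inRanges(host, ranges) ? "DIRECT" : "PROXY";
  if (!names.includes(host.toLowerCase())) return "PROXY";
  // Pre-SP2, or SP2 with a names-only list: a listed name is enough.
  if (!sp2 || ranges.length === 0) return "DIRECT";
  // SP2 with any IP entry: the name must also resolve into a listed range.
  const resolved = CONSTRUCTED_DNS[host.toLowerCase()];
  return resolved !== undefined && inRanges(resolved, ranges) ? "DIRECT" : "PROXY";
}

// Ranges taken from the WPAD excerpt in post 7 (loopback entries omitted).
const POSTED_RANGES = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];
// Assumed extra range that would cover 172.16.6.60.
const FULL_RANGES = POSTED_RANGES.concat([["172.16.0.0", "255.240.0.0"]]);

function demo() {
  return {
    namesOnly: route("servername", ["servername"], [], true),
    mixedPreSp2: route("servername", ["servername"], POSTED_RANGES, false),
    mixedSp2: route("servername", ["servername"], POSTED_RANGES, true),
    allRangesSp2: route("servername", ["servername"], FULL_RANGES, true),
    byIpSp2: route("172.16.6.60", ["servername"], POSTED_RANGES, true),
  };
}
console.log(demo());
```

The mixedSp2 case is the "don't mix and match" situation from post 18: a listed name falls back to the proxy because its resolved address is outside every listed range.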
