Welcome to ISAserver.org


Confused and Major Problems

Confused and Major Problems - 15.Mar.2007 11:49:56 PM   
Javlin351

 

Posts: 12
Joined: 24.Feb.2007
Status: offline
Hey Everyone.

I have been having a hell of a time with ISA 2004 lately. I seem to not be able to get it working correctly.

1. I turned on Web Proxy under networks, I have WPAD in DNS, I have our domain in the direct access, auto discovery of firewall on, etc. We have firewall clients installed on all workstations along with auto discovery of proxy in IE. The problem is that people get prompted for credentials when accessing IE, streaming audio and video. Why does this happen when I turn on Authenticated Only for my HTTP, HTTPS, FTP rules? I thought the Firewall Client would pass along the credentials?

I also noticed in the logging that port 8080 was being sent to the ISA as web proxy requests and port 8080 was being logged as Firewall, and being denied. Am I supposed to create an access rule for port 8080 when I turned on the web proxy? Any ideas? I am really confused.

2. My MSDE Database is not working. The services are started but when I go and click on the MSDE icon, and type in the name of ISA, it can't find anything. Would it be best just to log to SQL Server instead?

3. We were having problems with www.bremer.com where the web proxy would deny the connection. It seemed like a DNS issue because the website would time out. Looking at the logs (query), it would hit the web proxy but fail.

Any idea guys? I would be willing to send my log files from ISA. I am confused about proxy. It uses port 8080 but translates it to port 80 for HTTP, 443 for SSL? I am confused because in the log I see web proxy using port 80 and also using port 8080, along with the FWC using port 8080. I just don't get why I am seeing this.

Does anyone know of any good consultants in Minnesota, Twin Cities area?

I just want to get this all working.

Thanks
Post #: 1
RE: Confused and Major Problems - 16.Mar.2007 7:09:37 PM   
Javlin351

 

Posts: 12
Joined: 24.Feb.2007
Status: offline
Guys, I am getting a resource application error.

Description: The Web Proxy filter failed to bind its socket to 10.10.20.249 port 8080. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: 0x80072740

(in reply to Javlin351)
Post #: 2
RE: Confused and Major Problems - 17.Mar.2007 11:28:51 AM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
Javlin,

Let's work on solving the resource error first. There is a server service running on the ISA that is utilizing port 8080. You did not mention what server hardware you are running but a few OEMs utilize port 8080 with their server management software. IBM is one of them that has a management agent that uses port 8080. Check out your server services running for the conflict. You can also change the Web Proxy client port to use something other than port 8080. That would be a good test to get it working.

I will follow this thread,

Regards,

RB


(in reply to Javlin351)
Post #: 3
RE: Confused and Major Problems - 17.Mar.2007 11:11:10 PM   
Javlin351

 

Posts: 12
Joined: 24.Feb.2007
Status: offline
I uninstalled the Dell OpenManage. I do not see anything else installed, but I will look closer.

How do I see what processes or services are using port 8080?


(in reply to Rotorblade)
Post #: 4
RE: Confused and Major Problems - 18.Mar.2007 9:35:26 AM   
Javlin351

 

Posts: 12
Joined: 24.Feb.2007
Status: offline
I am going to go into work today and look at it.

Does anyone have any basic firewall rules that should be in place? There are so many denied connections going on in my log. I also noticed that I get an alert that says there is a found route that is not in the ISA network, it is 10.255.255.255 and sometimes 10.10.255.255. What should I do? I have our internal routes in ISA, 10.10.0.0 - 10.10.255.255, 10.20.0.0 - 10.20.255.255 and 10.30.0.0 - 10.30.255.255

Any ideas on this?

(in reply to Javlin351)
Post #: 5
RE: Confused and Major Problems - 18.Mar.2007 4:06:58 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
Javlin,

You can use NetSTAT or do a NIC capture using Netmon or Sysinternals' PortMon to find out what ports are in use and by what.
To back up a bit here, from your last post it looks like you also have some issues with the LAT not being configured properly. The ISA LAT should contain the IP subnet ranges that are present on the Internal network and nothing else. It looks like you configured your LAT with the ISA default IP ranges. This may also be the reason you are having the port binding errors on the WebProxy service. You need to resolve these issues before you can move on to configuring firewall rules because of their dependency on the WebProxy service.
I would suggest walking through your setup, verify that the internal and external interfaces are properly configured and that the ISA LAT matches and contains only the IP ranges of the internal network. There are several good how-to articles available on this site that cover the installation basics. If you have not already done so, I would also recommend purchasing Tom's book on configuring ISA 2004, it's a great resource to have.
In summary, check your ISA LAT IP ranges and that the internal and external NICs are properly configured for ISA installation (see how-tos), and the WebProxy service will bind properly on port 8080. (Change the port if necessary to check operation)
Keep us updated,

RB

(in reply to Javlin351)
Post #: 6
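The netstat check RB describes, written out as an added example (this is not code from the thread or from ISA Server): it parses `netstat -ano`, which is present on Windows 2000/2003 hosts of the ISA 2004 era, and maps the listener on a given TCP port back to its process name. It assumes PowerShell is installed on the ISA host; the function name `Get-ListeningProcess` is my own.

```powershell
# Added example, not code from the thread. Shows which process is listening on a
# local TCP port by parsing "netstat -ano" (Get-NetTCPConnection does not exist on
# Windows 2003). Assumes PowerShell is available on the ISA host.
function Get-ListeningProcess {
    param(
        [Parameter(Mandatory = $true)]
        [int]$Port
    )

    # netstat -ano TCP rows: Proto  LocalAddress  ForeignAddress  State  PID
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }

    foreach ($row in $rows) {
        $fields = $row.Trim() -split '\s+'
        if ($fields.Count -lt 5) { continue }

        $localAddress = $fields[1]
        $state        = $fields[3]
        $processId    = [int]$fields[4]

        # Local address looks like "10.10.20.249:8080" or "0.0.0.0:8080";
        # the port is whatever follows the last colon.
        if ($localAddress -match ':(\d+)$' -and [int]$Matches[1] -eq $Port -and $state -eq 'LISTENING') {
            $process     = Get-Process -Id $processId -ErrorAction SilentlyContinue
            $processName = '<exited or access denied>'
            if ($process) { $processName = $process.ProcessName }

            New-Object PSObject -Property @{
                LocalAddress = $localAddress
                ProcessId    = $processId
                ProcessName  = $processName
            }
        }
    }
}

# Port 8080 is the one the Web Proxy filter failed to bind in the thread.
Get-ListeningProcess -Port 8080 | Format-Table LocalAddress, ProcessId, ProcessName -AutoSize

# If the owner turns out to be svchost.exe, list the services hosted in that PID:
#   tasklist /svc /FI "PID eq <pid>"
```

Run it while the Web Proxy filter is failing to bind, before restarting the Microsoft Firewall service: once the firewall service restarts and wins the port, the conflicting service may be the one that fails to start, and the evidence of who held 8080 first is gone.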
RE: Confused and Major Problems - 18.Mar.2007 4:38:21 PM   
Javlin351

 

Posts: 12
Joined: 24.Feb.2007
Status: offline
I am no longer getting the error with the web proxy not binding to 8080 after I uninstalled the Dell OpenManage.

For the Routing, I did not use the ISA firewalls add private IPs from the NIC button. Our IPs are the ones that are listed above. I am not sure why the 10.255.255.255 would come up, we only use the 10.10.x.x, 10.20.x.x, 10.30.x.x

I am not seeing it come up though in any alerts.

So what about problem number 1 and 2? Still having problems with Windows Media Player prompting for Credentials when the Internet Rule is set to Authenticated Only. Any ideas?

I also read on the forums about someone having problems with proxy and noticing that the Firewall Client was sending info to ISA at port 8080 and ISA blocking it. They said they had to create a firewall rule to allow port 8080 from internal to local host.

I did this and it seems to have sped the internet up.

(in reply to Javlin351)
Post #: 7
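An added example (not code from the thread) for the "found route not in ISA network" question raised in posts 5 and 7: it takes the three Internal ranges Javlin lists and tests which observed addresses fall outside them. The function names and the list of observed addresses are my own; the first two observed addresses are the ones the alert reported. Of those, 10.10.255.255 is covered by the 10.10.0.0-10.10.255.255 range (it is that range's broadcast address), while 10.255.255.255 is the broadcast address of 10.0.0.0/8 and is not covered by any of the three ranges, which is consistent with a host on the segment configured with a 255.0.0.0 mask.

```powershell
# Added example, not code from the thread. Checks whether addresses seen in ISA
# alerts or logs fall inside the ranges defined for the Internal network. The
# three ranges are the ones given in the thread; the observed addresses are a
# constructed sample that includes the two the alert reported.
function ConvertTo-IPv4Number {
    param([string]$Address)
    # Big-endian byte order, so range checks become plain integer comparisons.
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-InRanges {
    param(
        [string]$Address,
        [object[]]$Ranges   # each entry: @{ Start = 'a.b.c.d'; End = 'a.b.c.d' }
    )
    $n = ConvertTo-IPv4Number $Address
    foreach ($r in $Ranges) {
        if ($n -ge (ConvertTo-IPv4Number $r.Start) -and $n -le (ConvertTo-IPv4Number $r.End)) {
            return $true
        }
    }
    return $false
}

# Internal network ranges as configured in the thread
$internalRanges = @(
    @{ Start = '10.10.0.0'; End = '10.10.255.255' },
    @{ Start = '10.20.0.0'; End = '10.20.255.255' },
    @{ Start = '10.30.0.0'; End = '10.30.255.255' }
)

# Constructed sample of observed addresses (first two taken from the alert text in the thread)
$observed = '10.10.255.255', '10.255.255.255', '10.10.20.249', '10.40.1.7'

foreach ($ip in $observed) {
    if (Test-InRanges -Address $ip -Ranges $internalRanges) {
        '{0,-16} covered by an Internal range' -f $ip
    } else {
        '{0,-16} NOT covered by any Internal range' -f $ip
    }
}
```

Any address the script reports as not covered is one ISA will treat as not belonging to the Internal network, so the next step is to find the host behind it (its mask or a rogue device) rather than to widen the Internal range to make the alert go away.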
RE: Confused and Major Problems - 20.Mar.2007 1:47:06 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
Interesting issue with having to create an access rule for port 8080. I read somewhere about having to do it for Windows update to work but I can't say that I have run across that one and maybe someone else can make comment on having to do so and why. Based on some of the posts that you have made you certainly have had your share of troubles.
As for problem question 1, with the rule set to "authenticated only" it's telling me that the trouble is between the client and the ISA. Could be an NTLM or Kerberos negotiation problem between the client and server. You may want to check the ISA system policies. I know that there are some issues with IE 7 and Kerberos and so far the fix is to turn off Integrated Authentication in IE. Have you tried using the FW client check tool? Also check your FW client policy settings to make sure that you have not disabled them on the client. Streaming audio and video also require additional firewall rules. That's probably the first thing that I would check before you go to all the trouble of tracing authentication issues.

Question 2, what you are describing is normal. The ISA monitoring service uses the SQL MSDE engine for logging. You should be able to access all the data from the logging tab under Monitoring on the ISA MMC. If you can’t, configure logging. You can also use a different SQL server if you wish.

RB

(in reply to Javlin351)
Post #: 8
RE: Confused and Major Problems - 21.Mar.2007 12:07:18 AM   
Javlin351

 

Posts: 12
Joined: 24.Feb.2007
Status: offline
Yeah. I am not sure what the problem is lately but it seems like it is just not working right.

When I look at the log, I see Web Proxy, port 80 for web requests and then I will see some Firewall, port 8080 being denied after the Web Proxy request. I am assuming it is the Firewall trying to use port 8080 which is the proxy on ISA, but ISA blocks it. Is this correct? Should I not have created that rule?

Here is the post http://forums.isaserver.org/m_2002031191/mpage_1/key_proxy%2c8080/tm.htm#2002038705

I also created a rule to allow http from internal to internal as we could not access internal IPs. We would get a proxy error. We needed to access internal IPs to manage network devices and printers. I added the IPs into direct access, but it did not work. Any idea on this?

Should Windows MP 10 or 11 prompt for credentials for Streaming audio and video?

I will use the FWCTool to check the Firewall Clients. What about checking the current policy settings? How do you do that? What am I looking for?

< Message edited by Javlin351 -- 21.Mar.2007 12:28:27 AM >

(in reply to Javlin351)
Post #: 9
RE: Confused and Major Problems - 21.Mar.2007 11:07:55 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
 
When I look at the log, I see Web Proxy, port 80 for web requests and then I will see some Firewall, port 8080 being denied after the Web Proxy request. I am assuming it is the Firewall trying to use port 8080 which is the proxy on ISA, but ISA blocks it. Is this correct? Should I not have created that rule?

Here is the post http://forums.isaserver.org/m_2002031191/mpage_1/key_proxy%2c8080/tm.htm#2002038705

>Well, you should not have to create the rule for 8080. I never have had to do so and I have done several ISA installations. The above link was referring to a post that the user wanted to use only the firewall client and not the proxy client.
What firewall rules do you have in place? Are your rules properly ordered? Logging should help you determine and identify the denied traffic. Windows update requests may be what you are seeing and they are being denied because you do not have a rule in place to allow them because of authentication.


I also created a rule to allow http from internal to internal as we could not access internal IPs. We would get a proxy error. We needed to access internal IPs to manage network devices and printers. I added the IPs into direct access, but it did not work. Any idea on this?
> Should not have to do this either. What you can do here is add an LDT entry for your domain and or also create a group policy in AD to push out Internet settings to bypass the proxy for IP subnets within your Domain. You don't want to be proxying internal requests.


Should Windows MP 10 or 11 prompt for credentials for Streaming audio and video?
>Do you have rules to allow? There are protocols that you need to configure rules for streaming audio and video. I guess the test here is, can you as Administrator make access. To test, create a rule to allow everything, applies to you only and place it at the top. Apply to save the changes. If it works then I guess you found the problem.

I will use the FWCTool to check the Firewall Clients. What about checking the current policy settings? How do you do that? What am I looking for?

> Well the default rule is no access out of the box. You will need rules in place for DNS at minimum for DNS server request forwarding (if you use it) or DNS resolution to an outside server. Anything else is up to you. You want allow rules before deny rules. I put explicit deny rules before my Web access allow rule to block URLs and protocols I don't want my end-users to have access to. Server rules go closer to the top with Server publishing rules at the top. System rules apply to the ISA local host and you may need to modify depending on your needs. Most of the time no modification is needed.

Please keep me updated,

RB



(in reply to Javlin351)
Post #: 10
RE: Confused and Major Problems - 22.Mar.2007 12:33:45 AM   
Javlin351

 

Posts: 12
Joined: 24.Feb.2007
Status: offline
"What firewall rules do you have in place? Are your rules properly ordered? Logging should help you determine and identify the denied traffic. Windows update requests maybe what you are seeing and they are being denied because you do not have a rule in place to allow because authentication. "

- We have OWA Outside and OWA Inside. I then have Internal to Internal for HTTP, the FWC port 8080 from Internal to Local Host, then Internet (HTTP, HTTPS, FTP from Internal to External), BES Server, Application Specific rule, DNS, and SMTP. The thing is that it is not windows update because I am logging it from my computer when just using the internet. Without the rule it is being blocked by the default rule. We do not have any authentication turned on due to these issues.

"Should not have to do this either. What you can do here is add an LDT entry for your domain and or also create a group policy in AD to push out Internet settings to bypass the proxy for IP subnets within your Domain. You don't want to be proxying internal requests."

- How and where to create the LDT? Want me to turn off automatic configuration in AD and set the proxy manually? Set the internal domain and IPs in the bypass box? Shouldn't ISA just use what is configured in the direct access box? Why wouldn't it do that? If I don't do the internal to internal, it will deny going to the IP. It does not proxy if you use the domain name as we were having problems before. When going to internal websites it would not work and get a proxy error but we needed to get a Hotfix and once that was installed the websites started working as we added our domain to the direct access. When going to the IPs without that rule, you get a uniform resource locator error.

"Do you have rules to allow? There are protocols that you need to configure rules for streaming audio and video. I guess the test here is, can you as Administrator make access. To test, create a rule to allow everything, applies to you only and place it at the top. Apply to save the changes. If it works then I guess you found the problem."

- Streaming audio and video works. It is that when I enable authenticated users on the rule, it prompts for credentials. My understanding was that the FWC was supposed to pass the credentials on to the program. I can create a rule to allow audio and video to be unauthenticated.

We have DNS rules like I said above along with other rules. It is just that certain things are not working correctly with ISA. It seems to be Proxy specific.


(in reply to Rotorblade)
Post #: 11
RE: Confused and Major Problems - 22.Mar.2007 4:10:46 PM   
Rotorblade

 

Posts: 963
Joined: 27.Feb.2007
Status: offline
"The thing is that it is not windows update because I am logging it from my computer when just using the internet. Without the rule it is being blocked by the default rule."

Where is the Default DENY rule? It should be the last rule. Is your Internet allow rule set to all users?
Could you share your NIC configurations? (Internal/External DNS and GW)
Did you unbind and disable WINS, NetBIOS and File and Print sharing on the External NIC?
The LDT is known as the Local Domain Table. (Domains) Adding a domain name to the LDT instructs the Firewall clients not to use the ISA for internal requests. The LDT (Domains) is configured by selecting the Internal Network and clicking properties. You mentioned that you also set the direct access options to bypass internal IPs and Domains on the Web Browser option page. Doing so modifies the Routing script for Automatic configuration. It sounds like it's not working. Setting it manually might be a better option to troubleshoot your issues.

My configuration will be different than yours. I don't use Automatic discovery configurations but instead push settings out through AD group policy because I have multiple domains and ISA servers. Works better for me this way.

I'm familiar with the hot fix and when you added your Domain for direct access that was for web browsing, not the firewall client. Your firewall client is still directing winsock requests through the proxy for internal requests. Did you add your internal IPs for direct access? You can do wildcards. If so, you should not need the Internal to Internal rule. Set them manually if need be.

"Streaming audio and video works. It is that when I enable authenticated users on the rule, it prompts for credentials. My understanding was that the FWC was supposed to pass the credentials on to the program. I can create a rule to allow audio and video to be unauthenticated."

You are correct that it should be authenticated. The Firewall client communicates to the ISA through TCP/UDP port 1745. I should have asked this earlier, but do you have Windows Firewall or third-party FW software installed and enabled on the client PC? Did you run the FW client tool?

Sorry for all the questions, just trying to narrow it down.

RB



(in reply to Javlin351)
Post #: 12