Welcome to ISAserver.org
Filters stop working and error 10060

All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Filters stop working and error 10060 Page: [1]
Filters stop working and error 10060 - 2.Feb.2007 5:19:59 PM   
edfirst
Posts: 12
Joined: 2.Jun.2005
From: UK
Status: offline
Ok Guys…

Can anyone assist me with this weird problem? First, the configuration:
1. ISA Server 2004 on a 2003 Standard Server, loads of memory and a dual Xeon server.
2. Intel SX fibre NIC card with multiple VLANs configured and connected, all OK so far.
3. Public 10.*.*.* address on the external interface, private 172.16.*.* IP addresses configured on the internal networks.
4. DNS and domain comms are all good internally.

All works great internally: all policies work great internally and the network traffic does what it is supposed to do. "Now the problem": when this was in the development lab this ISA server was great; now it is in production the issue is this: when I try to use the web proxy filter to deny sites, methods, strings, well basically anything, I just get "error 10060 connection timeouts".
The major difference is that we now have to push traffic to an external perimeter proxy server, as this is a college network protected by a corporate system.

So here is the original development design configuration:

1. Web proxy enabled and set to port 8080 (standard config).
2. Firewall client enabled and auto detect ticked, and the correct ISA server name is in the box with the correct domain suffix.
3. Auto discovery is ticked, and firewall clients auto detect the ISA server fine using the DNS "WPAD" entry.
4. All clients are pointing to this ISA as default gateway, and all client proxy settings point to this ISA on port 8080.

Under this configuration the proxy filter works great, and the list of URLs in a denied access policy works great along with the redirection to the error pages we have designed. Connection to sites that are supposed to be allowed is great.

Now the production configuration:

1. Web proxy enabled and set to port 8080 (standard config).
2. Firewall client enabled and auto detect ticked, and the correct ISA server name is in the box with the correct domain suffix. Now, in the lower box, I have ticked "use a proxy server" with the address of the corporate proxy in the box; I notice that the greyed-out custom URL also appends the corporate proxy address with port 8080 (from the box above), which is the correct port number we have to use.
3. Auto discovery is ticked, and firewall clients auto detect the ISA server fine using the DNS "WPAD" entry.
4. All clients are pointing to this ISA as default gateway, and all client proxy settings point to this ISA on port 8080.

Under this configuration we have the same result: the filters work, the banned sites work, the redirectors work, but when we try to access any other sites we get error 10060 connection timeout.

Next we tried the proxy settings on the clients pointing instead to the corporate proxy on port 8080. Now we have connectivity, but now no filters work, no banned sites, so I am assuming this is now bypassing the proxy filter. So here is the next setup tried (in the monitoring logs I noticed there were a lot of port 8080 entries failing to connect):

1. Web proxy enabled and set to port 8080 (standard config).
2. Firewall client enabled and auto detect ticked, and the correct ISA server name is in the box with the correct domain suffix. Now, in the lower box, I have ticked "use a proxy server" with the address of the corporate proxy in the box; I notice that the greyed-out custom URL also appends the corporate proxy address with port 8080 (from the box above), which is the correct port number we have to use.
3. Auto discovery is ticked, and firewall clients auto detect the ISA server fine using the DNS "WPAD" entry.
4. All clients are pointing to this ISA as default gateway, and all client proxy settings point to this ISA on port 8080.
5. Now created a protocol "Proxy", outbound port 8080, and applied the proxy filter to this.
6. Had to remove the HTTP protocol and replace it with the Proxy one above, or no filters work.

Now traffic is denied point blank; the proxy filter works again, redirects to all the correct places and all the HTTP filters work great, all the correct error messages are displayed, but this time I get denied messages for all other pages that should be allowed.

Next I put the proxy settings on the clients back to pointing at the corporate proxy, with ISA as the gateway as before, but this time I tried it with the Proxy protocol only instead of HTTP. I now have similar symptoms to the HTTP protocol, except this time I get the connection timeout errors for all the non-filtered or banned pages.

The Fwengmon tool reports everything working: the proxy is listening, the firewall client is listening, and it shows connections to redirected pages on the internal intranet site. There are no reported resource errors or config errors in the events or alerts panel.

So if anyone could point me to info on using an upstream proxy server through ISA Server, or some help walking through the config, as I am now almost bald and about to get the knives out of the drawer to end my misery...... lol....

Seriously, I would greatly appreciate any help, and if you need any further info on this nightmare then please let me know.

_____________________________

He who asks a question now is a fool for five minutes; he who doesn't is a fool forever..........
Post #: 1
RE: Filters stop working and error 10060 - 4.Feb.2007 5:30:21 PM   
ianfermo
Posts: 234
Joined: 7.Nov.2004
From: Zamboanga, Philippines
Status: offline
Hi,

Try using web chaining. This will point your front end ISA to the Upstream server.

Cheers...

(in reply to edfirst)
Post #: 2
RE: Filters stop working and error 10060 - 5.Feb.2007 3:43:27 AM   
lchuzel
Posts: 10
Joined: 2.Mar.2004
From: velizy france
Status: offline
Hi, I use an upstream ISA 2004 in my company, but first I have to disable the DNS requests.
Don't worry, even with this configuration the local requests work fine.
My topology is this one:

1- ISA 2004 SP2 on port 80, which authenticates my users with NTLM.

This ISA 2004 resolves some URLs locally and redirects Internet traffic to another ISA 2004 SP2 in a DMZ in anonymous mode.
It also forwards some extranet traffic to another ISA 2004 behind a few LS.

My users just use Internet Explorer in web proxy mode even if they have the firewall client on their computer (for that I set Disable to 1 for iexplore in the firewall client settings).

The script to disable DNS is this one (VBS file). Apply it to your inside ISA 2004:

Option Explicit

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray    ' An FPCArray object
Dim webProxy    ' An FPCWebProxy object
Dim restartMask ' A 32-bit bitmask of type FpcServices

' Get references to the array object and the Web proxy object.
Set isaArray = root.GetContainingArray()
Set webProxy = isaArray.ArrayPolicy.WebProxy

' Configure the Web proxy to skip name resolution while checking
' access and routing (Web chaining) rules. The downstream ISA then
' does not have to resolve Internet names itself before handing the
' request to the upstream proxy. Then save the new configuration.
webProxy.SkipNameResolutionForAccessAndRoutingRules = True
restartMask = webProxy.GetServiceRestartMask
webProxy.Save

' Restart the Firewall service so that the change will take effect.
isaArray.RestartServices restartMask
WScript.Echo "Done!"

If you need other info you can ask.

L chuzel

Paris

(in reply to edfirst)
Post #: 3
RE: Filters stop working and error 10060 - 5.Feb.2007 6:52:58 PM   
edfirst
Posts: 12
Joined: 2.Jun.2005
From: UK
Status: offline
Cheers for all help so far...

Let me explain in a little further detail. This college's network is connected in kind of a big metropolitan topology design; each local college has its own IT guys and they are all connected together inside this type of topology. Unfortunately each college is separate when it comes to admin. The guys who have control over the perimeter firewall and proxy servers (both Unix boxes) are "Unix gurus", and find communicating with us Windows guys a lesser mortal? So the basic idea is we are on our own; there is no authentication or possibility of being allowed to upstream a link with their superior (yeah, whatever) kit, especially with authentication. They purely allow unauthenticated, filtered (to a degree) pass-through traffic only.

Hence the reason we need our own firewall (to stop them remoting all over us) and proxy, to have instant control over the traffic allowed (instead of the days or weeks they take to sort stuff).

Now I have the hurdles out of the way, a better explanation of what is happening. Originally we deployed ISA 2004 Standard on a Windows 2000 Advanced Server, with the same hardware spec used for this new configuration.
It was configured identically to this new one: networks, network rules, policies, network objects, basically the exact same, even down to using the ISA to pass traffic to the upstream county proxy server; the only difference is we are using Win2k3 R2 Standard Server. Which initially worked great when passing traffic direct to the Internet using an NTL DSL link we also have.
But due to county policy and the connection to all the other college MIS systems we have to use the internal metro network, which is, I have to say, far faster than the NTL one.
The Win2k Advanced setup worked outstandingly: HTTP filters worked in respect of banned URL lists, which were redirected to pages based on the action we designed. HTTP proxy filters also worked, banning strings we could not do with URL addresses, methods etc.; all these responded with the ISA brown error pages. Now they only return the plain IE ones, not the ISA ones, and these only surface if I directly point clients to the ISA instead of the county proxy.
Instead of it behaving correctly using just the HTTP protocol included in the rule for protocol, I have to create an HTTP proxy protocol, as is included in ISA 2006, to filter the traffic; but using this only the proxy filters work, the banned URLs don't, they are simply ignored.
If I revert to the HTTP protocol as in the original configuration, all are bypassed, connections time out to allowed addresses, and sometimes the proxy filter works, a bit hit and miss.

Phewwwww..........

OK, now that's out of the way. What I have noticed is that college staff machines' firewall clients cannot find the ISA server unless I use the IP address, which I know to be DNS, as this has a WPAD entry which is addressed on the other (students') network. This was by design really, as staff have access rules to allow them to the students' network, but not the opposite, so we addressed the WPAD entry this way.

So in a roundabout way I guess it is DNS related, but more internally. Without using Group Policy (which is more user related, and will fail when staff log onto a student machine) to provide the correct proxy pointers, is there a way to get each network to accept its endpoint connection to the ISA instead of this kind of shared (routed) address, though this configuration worked in the previous setup? Also, is there a way to access the wpad.dat and see what info is in there? I'm sure I read on this site somewhere that it can be edited. And also any links to help set up external proxies through ISA and configuration of the firewall client software?

Strange, as DNS resolution works and traffic is routed to other resources on the other networks without problems; it seems to be the proxy configurations that are messing things up now.

I will say that I have just got hold of ISA 2006 to try, but again it will not rear its head till out of the lab into production; will have to work a solution to that?

But if anyone has any pointers to configure WPAD to resolve on each subnet instead of across, then I think we can crack this discovery problem first. Has anyone else had similar issues with 2k3 server and HTTP filters?

Oh yeah, the logs show that nothing is being denied, just lots of failed connection attempts using port 8080 using the HTTP protocol, and filters are ignored. Using the new Proxy protocol with clients pointed direct to ISA, all connections are denied point blank, though the filters show the correct error pages. Pointed to the external proxy, filters work but valid connections just die and time out, even with the firewall client?

Again I think I need some major help, and thanks for all the suggestions so far, and thanks for the script; I will check that out for a future project we have on the go, it could also help with that.

Cheers.............. Ed

_____________________________

He who asks a question now is a fool for five minutes; he who doesn't is a fool forever..........

(in reply to lchuzel)
Post #: 4
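The failed connections mentioned in both of Ed's posts (lots of port 8080 attempts failing, 10060 on sites that should be allowed) are easiest to pin down from the ISA web proxy log itself rather than from the client's error page. The following is an added example for this thread, not code posted by anyone in it: a small Python script that reads an ISA Server 2004 W3C-format web proxy log (the "#Fields:" directive names the columns, so the column order does not matter), separates real HTTP status codes from the Windows/WinSock result codes ISA writes into sc-status (10060 is WSAETIMEDOUT, the TCP handshake to the next hop never completed), and groups the failures by destination and by the access rule that matched. The log lines embedded in the script are constructed for the example; the hostnames, addresses and rule names are invented.

```python
"""Triage failed outbound connections in an ISA Server 2004 web proxy log.

Added example for this thread, not code from the original posts.
Assumes the W3C log format ISA writes: a '#Fields:' directive naming the
columns, then one tab-separated record per line, with sc-status holding
either an HTTP status or a Windows/WinSock result code such as 10060.
"""
from collections import Counter

# Non-HTTP result codes ISA writes to sc-status. 100xx are WinSock errors,
# 120xx are WinINet errors, 12202 is ISA's own "denied the URL" code.
RESULT_CODES = {
    "10060": "WSAETIMEDOUT - next hop never completed the TCP handshake",
    "10061": "WSAECONNREFUSED - next hop answered with RST (port closed)",
    "10065": "WSAEHOSTUNREACH - no route to the next hop",
    "12002": "ERROR_INTERNET_TIMEOUT",
    "12007": "ERROR_INTERNET_NAME_NOT_RESOLVED",
    "12029": "ERROR_INTERNET_CANNOT_CONNECT",
    "12202": "ISA Server denied the specified URL (a deny rule matched)",
}

# Constructed sample log (not captured from a real server). Hostnames,
# addresses and rule names are invented for the example.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2004",
    "#Version: 2.0",
    "#Fields: c-ip cs-username date time r-host r-ip r-port cs-method cs-uri sc-status rule",
    "\t".join(["172.16.10.21", "anonymous", "2007-02-05", "09:12:01", "www.example.com",
               "192.0.2.10", "80", "GET", "http://www.example.com/", "10060", "Allow Web"]),
    "\t".join(["172.16.10.22", "anonymous", "2007-02-05", "09:12:07", "www.example.org",
               "192.0.2.11", "80", "GET", "http://www.example.org/", "10060", "Allow Web"]),
    "\t".join(["172.16.10.21", "anonymous", "2007-02-05", "09:12:40", "www.example.com",
               "192.0.2.10", "80", "GET", "http://www.example.com/news", "10060", "Allow Web"]),
    "\t".join(["172.16.20.5", "anonymous", "2007-02-05", "09:13:02", "intranet.college.example",
               "172.16.20.10", "80", "GET", "http://intranet.college.example/", "200", "Allow Web"]),
    "\t".join(["172.16.10.23", "anonymous", "2007-02-05", "09:13:15", "banned.example.net",
               "192.0.2.12", "80", "GET", "http://banned.example.net/", "12202", "Deny Banned Sites"]),
    "\t".join(["172.16.10.24", "anonymous", "2007-02-05", "09:13:30", "proxy.county.example",
               "198.51.100.8", "8080", "GET", "http://proxy.county.example:8080/", "10061", "Allow Web"]),
])


def parse_w3c(text):
    """Parse W3C extended log text into a list of {field: value} dicts."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line:
            continue
        if line.startswith("#"):
            # Directives: only '#Fields:' carries information we need.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields directive")
        # ISA writes tab-separated records; fall back to whitespace for hand-edited files.
        values = line.split("\t") if "\t" in line else line.split()
        if len(values) != len(fields):
            raise ValueError(f"record has {len(values)} values, #Fields lists {len(fields)}")
        records.append(dict(zip(fields, values)))
    return records


def is_http_status(code):
    """True for a real HTTP status (100-599); False for Windows/ISA result codes."""
    return code.isdigit() and 100 <= int(code) <= 599


def failed_connections(records):
    """Count non-HTTP results keyed by (sc-status, 'r-host:r-port')."""
    counts = Counter()
    for rec in records:
        code = rec.get("sc-status", "")
        if is_http_status(code):
            continue
        dest = f"{rec.get('r-host', '-')}:{rec.get('r-port', '-')}"
        counts[(code, dest)] += 1
    return counts


def failures_by_rule(records, code="10060"):
    """Count which access rule matched the requests that ended with `code`.

    A timeout logged against an Allow rule means the rule matched and the
    proxy then failed to reach the next hop (direct or chained); the rule
    or a filter is not what stopped the request.
    """
    return Counter(rec.get("rule", "-") for rec in records
                   if rec.get("sc-status") == code)


def report(records):
    """Human-readable summary of the failed connections."""
    lines = []
    for (code, dest), n in failed_connections(records).most_common():
        meaning = RESULT_CODES.get(code, "Windows/ISA result code (not an HTTP status)")
        lines.append(f"{n:5d}  {code:>6}  {dest:32}  {meaning}")
    for rule, n in failures_by_rule(records).most_common():
        lines.append(f"10060 x{n} matched rule: {rule}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_w3c(SAMPLE_LOG)))
```

Run it against an exported ISA web proxy log instead of SAMPLE_LOG to see which destinations collect the 10060s and which rule they fall under. A pile of 10060s against an Allow rule, with the denied sites still coming back as 12202, points at the path from the ISA server to the upstream proxy (or the direct route when no chaining rule applies), not at the HTTP filter.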
