Welcome to ISAserver.org
Need some help - 19.Aug.2008 10:24:36 AM
auengineer
Posts: 7
Joined: 19.Aug.2008
Status: offline
Hi, I consider myself somewhat of an ISA novice. I do have many years of experience working with ISA (2000, 2004 and now 2006) but I'm definitely not a GURU. I understand the basics but I've never had the opportunity to really study a lot of material. With that being said, my organization has two networks protected with ISA 2006 Standard, network A and network B. Network A has all of our published servers and a DMZ zone outside of the LAN. Network B is a branch office that is connected back to network A via a site-to-site VPN.

The problem: both of our networks have some similar rules set up to block/allow certain content. Network A has been suffering from some repetitive problems that I cannot get a handle on. The first is that periodically, rules that publish some servers seem to stop accepting external requests. When this happens, it doesn't affect internal access rules. There are no obvious logs or alerts on ISA but all requests are denied.

The second issue is for internal users trying to access certain allowed websites. By default, we have all requests outbound on port 80 blocked. We have a rule where we have allowed access to certain domain name sets. Most of the time, these work great. Periodically, a user will receive a message from ISA that the website is blocked. There are actually two messages that we have seen; here is one of them:

Network Access Manager: The page cannot be displayed
Technical Information (for Support Personel)
- Error Code: 502 Proxy Error. The host server is unreachable. (10065)
- IP Address: external site ip
- Date: date
- Server: ISA Server name
- Source: Proxy

Any help would be most appreciated. I can be contacted at canderson@medcoservices.com. Thanks, Cory
RE: Need some help - 21.Aug.2008 8:45:35 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
What I would do is try to repro the situation and then take a look at the ISA firewall's log files when this is happening. Make sure that your OS is fully service packed and that you're running ISA 2006 SP1. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Need some help - 27.Aug.2008 5:39:10 PM
auengineer
Posts: 7
Joined: 19.Aug.2008
Status: offline
Ok, I was able to get a log of one of the issues. I had a user complaining about a 403 error when going to Google. I have certain IP blocks in my network that are allowed to have full outbound access; his workstation is in that range (static address). Here is the log from ISA monitoring that shows him receiving the 403 error, but I don't understand why because the rule used doesn't restrict any web content.

Allowed Connection GATEWAY1 8/27/2008 4:29:58 PM
Log type: Web Proxy (Forward)
Status: 403 Forbidden
Rule: Full Outbound Access - Based on IP
Source: Internal (192.168.1.99)
Destination: External (eo-in-f103.google.com 209.85.165.103:80)
Request: GET http://www.google.com/search?hl=en&q=perfect&aq=f&oq=
Filter information: Req ID: 02eaac2a; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.1)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x48040000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the VIA header. Response should not be cached.)
Processing time: 1 ms
MIME type: text/html

Any idea? Also, the ISA server is completely up to date on all service packs and Windows updates.
RE: Need some help - 28.Aug.2008 10:59:32 AM
auengineer
Posts: 7
Joined: 19.Aug.2008
Status: offline
I'm hoping that it is a simple user error; however, I've been unable to identify it. The rule is about as simple as it could be. It allows all private addresses in the range 192.168.1.1-99 to have full outbound access on port 80 (HTTP). The user that generated this error can work fine 80% of the time. When this situation occurs, it doesn't always affect the same user. We have a couple of users that have full outbound access and 95% are restricted. The restricted users have certain websites they can visit, such as Google. The users that are affected are completely random and a restart of the firewall service temporarily fixes the issue.
RE: Need some help - 2.Sep.2008 9:45:53 AM
auengineer
Posts: 7
Joined: 19.Aug.2008
Status: offline
Yes and yes. Actually, most of our problems when we moved to all proxy.
RE: Need some help - 2.Sep.2008 11:05:09 AM
auengineer
Posts: 7
Joined: 19.Aug.2008
Status: offline
Yes, we are using the auto configuration script (as well as Group Policy).
RE: Need some help - 4.Sep.2008 1:56:57 PM
auengineer
Posts: 7
Joined: 19.Aug.2008
Status: offline
Yes, and the error is happening on all browsers attempted (IE, Firefox, Chrome).
RE: Need some help - 5.Sep.2008 8:29:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
OK, good. At this point I would identify the log entries on the firewall to see what rules are triggering the denied messages. The 502 indicates that the Web site is offline or the route to the site is down. HTH, Tom
RE: Need some help - 5.Sep.2008 10:38:24 AM
auengineer
Posts: 7
Joined: 19.Aug.2008
Status: offline
The problem is that the logs are only showing allowed rules with results of 502 or 403 (which are returned in an HTML page from ISA, not the browser or the serving host). The sites are sites such as Google and other major commercial services. DNS and ping to these sites still go through successfully, and the sites can be accessed from our DMZ. If we restart the firewall service, the sites work immediately. I have another proxy/firewall now installed on the edge of our internal network and it is not experiencing the same problem (not ISA).
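The pattern described in this thread (a request matched by an allow rule, yet logged with a 403 or 502 that ISA itself serves) is easy to miss in a busy Web Proxy log. The following is an added example, not code from the thread or from ISA Server: it parses the flattened "Label: value" record layout quoted above, keeps only allowed connections that ended in one of those status codes, and counts them per rule so an intermittently failing rule stands out. The sample records are constructed; only the first mirrors the record quoted earlier, the others use documentation addresses (203.0.113.0/24).

```python
import re
from collections import Counter

# Constructed sample records in the flattened "Label: value" layout of the ISA
# monitoring export quoted in this thread. The first mirrors the quoted record;
# the rest are made up to exercise the check (one healthy, one 502, one denied).
SAMPLE_RECORDS = [
    "Allowed Connection GATEWAY1 8/27/2008 4:29:58 PM Log type: Web Proxy (Forward) Status: 403 Forbidden "
    "Rule: Full Outbound Access - Based on IP Source: Internal (192.168.1.99) Destination: External "
    "(eo-in-f103.google.com 209.85.165.103:80) Request: GET http://www.google.com/search?hl=en&q=perfect Protocol: http User: anonymous",
    "Allowed Connection GATEWAY1 8/27/2008 4:31:10 PM Log type: Web Proxy (Forward) Status: 200 OK "
    "Rule: Full Outbound Access - Based on IP Source: Internal (192.168.1.50) Destination: External "
    "(www.example.com 203.0.113.10:80) Request: GET http://www.example.com/ Protocol: http User: anonymous",
    "Allowed Connection GATEWAY1 8/27/2008 4:33:02 PM Log type: Web Proxy (Forward) Status: 502 Proxy Error "
    "Rule: Allowed Domain Sets Source: Internal (192.168.1.120) Destination: External "
    "(www.google.com 203.0.113.20:80) Request: GET http://www.google.com/ Protocol: http User: anonymous",
    "Denied Connection GATEWAY1 8/27/2008 4:34:40 PM Log type: Web Proxy (Forward) Status: 403 Forbidden "
    "Rule: Default rule Source: Internal (192.168.1.130) Destination: External "
    "(www.example.org 203.0.113.30:80) Request: GET http://www.example.org/ Protocol: http User: anonymous",
]

LABELS = ["Log type", "Status", "Rule", "Source", "Destination", "Request", "Protocol", "User"]
_ALT = "|".join(re.escape(label) for label in LABELS)
# Each value runs lazily until the next known label (or the end of the record).
_FIELD_RE = re.compile(rf"(?P<label>{_ALT}): (?P<value>.*?)(?= (?:{_ALT}):|$)")


def parse_record(record):
    """Split one flattened record into its labelled fields plus the leading action word."""
    fields = {m.group("label"): m.group("value").strip() for m in _FIELD_RE.finditer(record)}
    fields["Action"] = record.split(" ", 1)[0]  # "Allowed" / "Denied" / ...
    status = fields.get("Status", "")
    fields["StatusCode"] = int(status.split()[0]) if status[:3].isdigit() else None
    return fields


def find_allowed_with_error(records, codes=(403, 502)):
    """Return records matched by an allow rule that still ended in one of `codes`,
    the symptom the thread describes (ISA answering with its own error page)."""
    parsed = (parse_record(r) for r in records)
    return [f for f in parsed if f["Action"] == "Allowed" and f["StatusCode"] in codes]


def summarize_by_rule(hits):
    """Count hits per (rule, status code) so a rule that intermittently fails stands out."""
    return Counter((h.get("Rule"), h["StatusCode"]) for h in hits)
```

Run `summarize_by_rule(find_allowed_with_error(SAMPLE_RECORDS))` on an export of the real log to get a per-rule tally of allowed-but-errored requests, and compare it against a window after restarting the Firewall service.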