Welcome to ISAserver.org

SNAT client won't access HTTP

SNAT client won't access HTTP - 26.May2007 10:46:39 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi,
 
I've got this funny trivial issue that's not making much sense to me. I have an Exchange server sitting behind an ISA with OWA/ActiveSync published to the internet. OWA/ActiveSync is working. Emails are coming in and going out. Clearly there are no DNS problems as emails are going out and nslookup comes up ok.
 
What doesn't work is that it won't open any websites or anything using http. I've even gone to creating an allow all IP traffic rule coming from the server's ip and going to the external network applicable at all time for all users. It just won't work. I see no denied entries in the monitoring logs. In the monitoring, I do see an *Initiated connection* entry processed by my allow all rule. However the thing just doesn't get any http internet access.
 
If I set the browser to be a webproxy client, it works. That's not how I wanna do it. I have to be ignoring something very basic here. Question is, what?
 
Can anybody help please?
 
Thanks.
Post #: 1
RE: SNAT client won't access HTTP - 28.May2007 10:39:26 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Moh,

If you can't get out using the SecureNAT configuration, it implies that the machine can't resolve Internet host names. The reason why the Web proxy client config works is that the ISA Firewall can resolve Internet host names.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to mohsindabomb)
Post #: 2
RE: SNAT client won't access HTTP - 4.Jun.2007 9:49:15 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Thanks for your reply Tom. Sorry I couldn't come back earlier on this.
 
The SNAT client in question is a live working Exchange box that's sending out emails using DNS. Nslookup comes up fine. I can resolve internet names and can even connect to smtp/pop servers on the internet using their FQDNs.
 
It appears to me it's not a DNS issue as only HTTP/HTTPS access seems to be not working at the moment.
 
What do you think? Any help will be very much appreciated.
 
Many thanks,
 
Mohsin.

(in reply to tshinder)
Post #: 3
RE: SNAT client won't access HTTP - 4.Jun.2007 9:57:25 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mohsin,

Is there a rule that allows anonymous outbound access to HTTP/HTTPS from the Exchange Server to the default External Network?

Thanks!
Tom

(in reply to mohsindabomb)
Post #: 4
RE: SNAT client won't access HTTP - 7.Jun.2007 4:13:59 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Tom,
 
Thanks again for your reply and sorry for the length of time it has taken me to respond.
 
Yes, there is a rule in place that allows access to POP3, SMTP, HTTP, HTTPS protocols from the Exchange Server to the default External network at all times to All Users (unauthenticated).
 
The above same rule allows the Exchange box to send out email using smtp and pull down email using POP3 but it won't make any HTTP/HTTPS access work. I even changed the allowed protocols to "All IP Traffic" temporarily (which clearly is silly) and that didn't help.
 
It appears to me like it's something else on the ISA box. I must be overlooking something. Any ideas?
 
Thanks for all help.
 
Mohsin.

(in reply to tshinder)
Post #: 5
RE: SNAT client won't access HTTP - 7.Jun.2007 10:20:34 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mohsin,

This suggests that the DNS settings on the ISA Firewall might be incorrect.

What is the DNS server configuration on the ISA Firewall's NICs?

Thanks!
Tom

(in reply to mohsindabomb)
Post #: 6
RE: SNAT client won't access HTTP - 11.Jun.2007 11:23:31 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Tom,
 
Following is the ipconfig on the ISA box.
 
Ethernet adapter Internet Connection:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration #2
  Physical Address. . . . . . . . . : 00-30-48-79-BD-15
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 192.168.0.201
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.101
  NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration
  Physical Address. . . . . . . . . : 00-30-48-79-BD-14
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 192.168.16.242
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 192.168.16.242

 
Notes: ISA box itself is the DNS server and is configured to use forwarders to resolve internet names. 192.168.0.101 is the ip of an adsl router that connects the ISA box to the Internet.
 
Firewall & Web proxy clients work fine and do access http and all other protocols using FQDNs. Even NAT clients can connect to POP3 & SMTP servers on the internet using FQDNs; it's only HTTP that doesn't work for NAT clients.
 
Considering the above, I'm a little lost as to why you think it's a DNS issue. Clearly you know the ISA beast ten times better than I do, I'm just curious. Please help.
 
And sorry for coming back to the topic so late again. I'm in and out of town all the time. Hope to hear from you soon.
 
Thanks,
 
Mohsin.

(in reply to tshinder)
Post #: 7
RE: SNAT client won't access HTTP - 12.Jun.2007 10:05:33 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
What error code do you see when the SecureNAT clients try to connect?

Sometimes the SecureNAT clients will have problems connecting if the browser isn't configured to use HTTP 1.1 through proxy connections.

HTH,
Tom

(in reply to mohsindabomb)
Post #: 8
RE: SNAT client won't access HTTP - 12.Jun.2007 11:01:28 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Tom,
 
Thanks for your untiring help.
 
Somehow it has started working. I made no change unless at some time I came to work during my sleep and don't know about it.
 
Verrry annoying, though!! What makes it work now, I wonder. And I wonder. And I wonder.
 
The error I previously got was the default page cannot be displayed that you get when there's no connection to the Internet.
 
I never thought making plain old NAT work would take this much of legwork. It did, and now we don't know what caused it. Any ideas?
 
Thanks for all help anyway. Didn't feel alone in it at any point.
 
Mohsin.

(in reply to tshinder)
Post #: 9
RE: SNAT client won't access HTTP - 13.Jun.2007 9:54:22 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mohsin,

I suspect that the DNS server that the SecureNAT clients use wasn't working properly at the time and someone fixed it.

Tom

(in reply to mohsindabomb)
Post #: 10
RE: SNAT client won't access HTTP - 13.Jun.2007 11:38:33 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Tom,
 
No one changes anything on the servers unless I tell them. This is really queer, one of those things people moan about speaking of MS products and I don't believe 'em. I don't know what this is, some self correcting mechanism in ISA?
 
Mohsin.

(in reply to tshinder)
Post #: 11
RE: SNAT client won't access HTTP - 15.Jun.2007 10:08:38 AM   
seanmon

 

Posts: 2
Joined: 15.Jun.2007
Status: offline
I seem to be having the same problem too. I'm setting up a completely new network from scratch and started with ISA 2006 on a new windows 2003 server.

Set up my private NIC, then public, then installed ISA, used the ISA network wizard to set up the network and private addresses and selected allow full internet access.

Set up my laptop on the private network with fixed IPs (SNAT) and pointed my DNS to my ISP's DNS servers. Proceeded to ping my ISP nameserver then some websites, all names resolved fine. Then used FTP to a public site no problem. I'm thinking that was easy... Then I fired up my browser and nothing, no access at all.

Checked the ISA log and I could see the DNS request from the browser, and even could see that it thinks it allowed the http requests but no data comes back to the browser. I have not had a chance to sniff the traffic yet, but ISA seems to be blocking HTTP traffic from SNAT clients.

As with the other posts I've seen, enabling the http proxy in the browser works but that's not acceptable.

Any more ideas?

---
Sean

(in reply to mohsindabomb)
Post #: 12
RE: SNAT client won't access HTTP - 15.Jun.2007 5:45:19 PM   
seanmon

 

Posts: 2
Joined: 15.Jun.2007
Status: offline
Ok, figured this one out on my own. I got a chance to hook up a sniffer and found that the http tcp packets were being reset. Did some more research and found this article on Microsoft...

http://support.microsoft.com/kb/927695

That was the key. I made the registry change as described and now SNAT HTTP works as it should.

Hope this helps somebody else...

---
Sean

(in reply to seanmon)
Post #: 13
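
The symptom described in post 13 (the ISA log shows the connection as allowed, yet a sniffer shows the TCP session being reset) can be confirmed from a capture by looking for flows the client opened that were reset before any payload came back. The sketch below is an added example, not part of the original thread; the packet summaries, addresses and function names are constructed for illustration.

```python
"""Flag TCP flows that were opened but reset before the server returned data."""
from collections import defaultdict

# Constructed packet summaries as seen on the SecureNAT client's segment:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_bytes)
# All addresses are made-up documentation values, not taken from the thread.
CLIENT = "192.0.2.10"
SAMPLE = [
    # FTP control connection: handshake completes and the server sends a banner
    (CLIENT, 40001, "198.51.100.5", 21, "S", 0),
    ("198.51.100.5", 21, CLIENT, 40001, "SA", 0),
    (CLIENT, 40001, "198.51.100.5", 21, "A", 0),
    ("198.51.100.5", 21, CLIENT, 40001, "PA", 27),
    # HTTP: handshake completes, request is sent, then a reset arrives
    (CLIENT, 40002, "203.0.113.80", 80, "S", 0),
    ("203.0.113.80", 80, CLIENT, 40002, "SA", 0),
    (CLIENT, 40002, "203.0.113.80", 80, "A", 0),
    (CLIENT, 40002, "203.0.113.80", 80, "PA", 312),
    ("203.0.113.80", 80, CLIENT, 40002, "R", 0),
    # HTTPS: reset straight after the SYN
    (CLIENT, 40003, "203.0.113.80", 443, "S", 0),
    ("203.0.113.80", 443, CLIENT, 40003, "RA", 0),
]

def summarize_flows(packets, client):
    """Group packets by (client_port, server_ip, server_port) and record what each flow saw."""
    flows = defaultdict(lambda: {"syn": False, "reset_to_client": False, "bytes_to_client": 0})
    for src, sport, dst, dport, flags, length in packets:
        from_client = src == client
        key = (sport, dst, dport) if from_client else (dport, src, sport)
        flow = flows[key]
        if from_client and "S" in flags and "A" not in flags:
            flow["syn"] = True  # client-initiated connection attempt
        if not from_client:
            flow["bytes_to_client"] += length
            if "R" in flags:
                flow["reset_to_client"] = True
    return flows

def reset_without_data(packets, client):
    """Return {server_port: count} for client-opened flows that were reset
    before any payload reached the client."""
    counts = defaultdict(int)
    for (_, _, dport), flow in summarize_flows(packets, client).items():
        if flow["syn"] and flow["reset_to_client"] and flow["bytes_to_client"] == 0:
            counts[dport] += 1
    return dict(counts)

if __name__ == "__main__":
    print(reset_without_data(SAMPLE, CLIENT))
```

A result that lists only ports 80 and 443 while other protocols complete normally matches the pattern in this thread: name resolution and the firewall rule are fine, and the connection is being torn down below the policy layer.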
RE: SNAT client won't access HTTP - 16.Jun.2007 12:38:31 PM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sean,

Ha! Good find. I didn't even consider Windows 2003 SP2. Yep, the RSS bug will cause that problem.

Thanks!
Tom

(in reply to seanmon)
Post #: 14
RE: SNAT client won't access HTTP - 28.Jun.2007 2:07:13 AM   
phantom

 

Posts: 1
Joined: 26.Jun.2007
Status: offline
Great find! I have recently been attempting to troubleshoot this same issue on a new ISA 2004 deployment, this was the answer!

(in reply to tshinder)
Post #: 15
RE: SNAT client won't access HTTP - 1.Aug.2007 1:54:52 PM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Here I am, again with the same issue.
 
Last time I was wrong, sorry for the wrong information, it didn't fix itself. Apparently I had the proxy settings set up in the browser and was too tired to notice. It hadn't fixed itself and I quit trying as HTTP access for SNAT clients didn't matter to me anymore.
 
It did matter earlier on as my web publishing rules weren't working but I found an alternate way to make those work so I stopped bothering about the problem.
 
Now I need to fix it again as I've found my ISA box won't accept PPTP VPN connections because of this RSS bug.
 
http://forums.isaserver.org/m_2002041357/mpage_1/key_/tm.htm#2002050316
 
I've changed the registry entry to disable RSS and restarted the ISA machine. Nothing seems to have changed as PPTP VPN or HTTP access for SNAT clients still doesn't work. There's no apparent effect of the registry change.
 
I have a clear feeling this is because of this RSS bug even though I have changed the registry key. Anybody, any clue why it is still behaving like that even after the registry change?
 
I've also applied ISA SP3. No luck.
 
Any help will be much appreciated. Thanks.

(in reply to phantom)
Post #: 16
RE: SNAT client won't access HTTP - 2.Aug.2007 10:26:13 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi All,
 
I've been hunting around and found this.
 
http://blogs.technet.com/sbs/archive/2007/03/19/vpn-securenat-nat-and-outlook-clients-not-working-after-installing-windows-service-pack-2-in-sbs-2003-premium.aspx
 
This suggests updating the NIC drivers may help. I've downloaded the latest drivers for my NICs and will install them tonight and see what happens. Good luck to me.
 
Any ideas anyone? It's hard to believe I'm the only one having this problem.
 
Regards,
 
Mo.

(in reply to mohsindabomb)
Post #: 17
RE: SNAT client won't access HTTP - 6.Aug.2007 10:04:31 AM   
tshinder

 

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Did the new NIC drivers fix the problem?

Tom

(in reply to mohsindabomb)
Post #: 18
RE: SNAT client won't access HTTP - 6.Aug.2007 10:14:17 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Thanks for the follow up Tom.
 
I didn't have to update the NIC drivers as changing the RSS setting to disabled in the NIC properties (in device manager) fixed the problem.
 
I wonder why changing the registry entry in the tcp/ip parameters did not have the same effect. That's the feeling I got, RSS was not disabled by the registry entry and changing the NIC setting disabled it.
 
Hope it helps someone. I have three fewer hairs on my head now because of this.
 
Mo.

(in reply to tshinder)
Post #: 19
RE: SNAT client won't access HTTP - 24.Aug.2007 1:58:27 AM   
mzakir

 

Posts: 151
Joined: 2.Apr.2007
Status: offline
Hi Friends,

I am facing the same problem in my setup... I can access the internet through the proxy setting but am not able to do so by SecureNAT...

Please suggest...

_____________________________

Malek Zakir
MCP,MCSA:Security,MCSA:Messaging,MCTS,CCNA,DCH

(in reply to mohsindabomb)
Post #: 20
