Welcome to ISAserver.org
Some ISA 2004 clients not resolving internal server correctly
Some ISA 2004 clients not resolving internal server cor... - 8.Dec.2006 2:23:06 PM
Arch Willingham
Posts: 58
Joined: 15.Oct.2001
From: Chattanooga, TN 37404
Status: offline
I recently re-built our ISA Server (2004 with SP2). It was an old system that was an upgrade from ISA 2000 which was an upgrade from Proxy Server 2.0. I completely re-built it (reformat and reinstall the OS and then a new install of ISA) - I did not restore the old config. All works ok except for one thing.

One of our applications is an internal web server. The application hits the web server by going to http://intwebsrvv.internal.com:84/exponline/mainframe.jsp . Once you hit the web server, it attempts to load some java apps and then the web page appears. Now, on about a third of our machines, you go to that link and it never lets the java apps finish loading. The kicker is that it works just fine on 2/3 of our machines. All are running the ISA 2004 firewall client.

Here is where it gets even more confusing. If I attempt to go to the site from a machine that works, you never see any trace on the ISA Server's logs. If, on the other hand, I attempt to go to the site from a machine that does not work, you see where the ISA server logs the following hits:

#Software: Microsoft Internet Security and Acceleration Server 2004
#Version: 2.0
#Date: 2006-12-08 00:02:41
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri s-object-source sc-status rule FilterInfo cs-Network sc-Network error-info action
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:02 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 388 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/TreeApplet.jar - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:02 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 409 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/tree/TreeApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:02 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 409 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/tree/TreeApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:03 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 393 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/UtilitiesApplet.jar - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:03 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 419 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/utilities/UtilitiesApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:03 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 419 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/utilities/UtilitiesApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:12 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 402 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/detectplugin/DetectPluginApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:12 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 402 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/detectplugin/DetectPluginApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:18 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 409 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/tree/TreeApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:18 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 419 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/utilities/UtilitiesApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:18 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 409 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/tree/TreeApplet.class - 12202 Default rule - Internal Internal 0x800 Denied
10.1.0.120 anonymous Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07 N 2006-12-07 20:16:18 w3proxy ISAMAIN - intwebsrvv.internal.com 10.1.0.27 8080 1 419 4299 http TCP GET http://intwebsrvv.internal.com:84/exponline/com/primavera/utilities/UtilitiesApplet.class - 12202 Default rule - Internal Internal 0x800 Denied

The next weird thing: on the machines that don't work, if I change http://intwebsrvv.internal.com:84/exponline/mainframe.jsp to be http://intwebsrvv:84/exponline/mainframe.jsp, they work fine.

I have verified that these are all true:

- Internal network properties > tab Domains: make sure your internal domain is listed there.
- Internal network properties > tab Web Browser: make sure your internal Network ID is listed there (same content as in the Internal network properties > tab Addresses).
- Internal network properties > tab Auto Discovery: make sure that Publish automatic discovery information for this network is enabled.
- Make sure IE is configured for Automatic Configuration, either Automatically detect settings or Use automatic configuration script.

Does anyone have any idea what is wrong?

Thanks!

Arch Willingham
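An added example, not part of the original post: one way to find which clients are sending internal web traffic through the ISA web proxy, by parsing a log in the field layout shown above. The sample rows are constructed, tab-delimited rows are an assumption about the raw log file, and the function names are hypothetical.

```javascript
// Added example, not from the thread. SAMPLE_LOG is constructed from the field
// layout shown above; tab-delimited rows are an assumption about the raw file.
const FIELD_LINE = "#Fields: c-ip cs-username c-agent sc-authenticated date time " +
  "s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes " +
  "sc-bytes cs-protocol cs-transport s-operation cs-uri s-object-source sc-status " +
  "rule FilterInfo cs-Network sc-Network error-info action";
const APP = "http://intwebsrvv.internal.com:84/exponline/";
const row = (ip, host, rip, uri, dstNet, action) => [
  ip, "anonymous", "Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_07", "N", "2006-12-07",
  "20:16:02", "w3proxy", "ISAMAIN", "-", host, rip, "8080", "1", "388", "4299",
  "http", "TCP", "GET", uri, "-", action === "Denied" ? "12202" : "200",
  action === "Denied" ? "Default rule" : "Allow rule (constructed)", "-",
  "Internal", dstNet, "0x800", action].join("\t");
const SAMPLE_LOG = [
  FIELD_LINE,
  row("10.1.0.120", "intwebsrvv.internal.com", "10.1.0.27", APP + "TreeApplet.jar", "Internal", "Denied"),
  row("10.1.0.120", "intwebsrvv.internal.com", "10.1.0.27", APP + "UtilitiesApplet.jar", "Internal", "Denied"),
  row("10.1.0.55", "www.example.com", "192.0.2.10", "http://www.example.com/", "External", "Allowed"),
].join("\n");

// Parse a W3C-style log: the #Fields directive names the columns of every row.
function parseIsaLog(text) {
  let fields = [];
  const records = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
    } else if (line.trim() && !line.startsWith("#")) {
      const values = line.split("\t");
      if (values.length !== fields.length) continue; // skip malformed rows
      records.push(Object.fromEntries(fields.map((f, i) => [f, values[i]])));
    }
  }
  return records;
}

// Proxy requests whose source and destination are both Internal, tallied per client.
function internalViaProxy(records) {
  const tally = new Map();
  for (const r of records) {
    if (r["s-svcname"] !== "w3proxy" || r["cs-Network"] !== "Internal" ||
        r["sc-Network"] !== "Internal") continue;
    const key = r["c-ip"] + " " + r["r-host"];
    const t = tally.get(key) || { client: r["c-ip"], host: r["r-host"], requests: 0, denied: 0 };
    t.requests += 1;
    if (r.action === "Denied") t.denied += 1;
    tally.set(key, t);
  }
  return [...tally.values()];
}
```

Calling `internalViaProxy(parseIsaLog(SAMPLE_LOG))` returns one entry per client and internal host, which gives the list of machines whose browser or Java plug-in proxy settings need checking.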
RE: Some ISA 2004 clients not resolving internal server... - 8.Dec.2006 6:25:29 PM
Jason Jones
Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Sounds like IE exceptions list and/or direct access problems to me.

When you use the server name with .internal.com and IE is configured to "bypass proxy for local addresses" traffic will not be routed via the ISA server. However, when you use webserver.internal.com IE will send this to the ISA server unless this FQDN is included in the IE exceptions list.

You say you are using an autoconfig script so ISA should handle the exceptions list via ISA as opposed to having to do it locally or via group policy.

Ideally, traffic to internal web servers should always bypass ISA as it is a waste of resources and an inefficient path.

It might be worth checking out some of the articles on the site that talk about the web proxy client and the autoconfig scripts or WPAD. Then check recommendations against your config.

Cheers
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
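An added example, not part of the original reply: a simplified model of how IE's proxy exceptions list decides between a direct connection and the proxy, which shows why the short name and the FQDN of the same server can take different paths. The `<local>` token stands for the "bypass proxy server for local addresses" checkbox; the proxy address and the function names are placeholders, and scheme or port entries in the list are not modelled.

```javascript
// Added example, not from the thread: simplified model of IE's exceptions list.
const PROXY = "PROXY isa.example.invalid:8080"; // placeholder proxy address

// Turn an exceptions entry such as "*.internal.com" into an anchored regex.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// overrideList is the semicolon-separated exceptions string; "<local>" in it
// means "bypass proxy server for local addresses" is ticked.
function proxyDecision(url, overrideList) {
  const host = new URL(url).hostname;
  const entries = overrideList.split(";").map((s) => s.trim()).filter(Boolean);
  for (const entry of entries) {
    if (entry.toLowerCase() === "<local>") {
      // "Local" means a name with no dots; an FQDN or an IP address is not local.
      if (!host.includes(".")) return "DIRECT";
      continue;
    }
    if (wildcardToRegExp(entry).test(host)) return "DIRECT";
  }
  return PROXY;
}

const SHORT = "http://intwebsrvv:84/exponline/mainframe.jsp";
const FQDN = "http://intwebsrvv.internal.com:84/exponline/mainframe.jsp";

console.log(proxyDecision(SHORT, "<local>"));                // DIRECT
console.log(proxyDecision(FQDN, "<local>"));                 // goes to the proxy
console.log(proxyDecision(FQDN, "*.internal.com;<local>"));  // DIRECT
```

With only the local-addresses bypass in effect, the FQDN request reaches the proxy, where it can be denied as in the log above; adding the internal domain to the exceptions list sends it direct.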
RE: Some ISA 2004 clients not resolving internal server... - 10.Dec.2006 10:26:31 AM
Arch Willingham
Posts: 58
Joined: 15.Oct.2001
From: Chattanooga, TN 37404
Status: offline
I am even more confused! You said:

"When you use the server name with .internal.com and IE is configured to "bypass proxy for local addresses" traffic will not be routed via the ISA server. However, when you use webserver.internal.com IE will send this to the ISA server unless this FQDN is included in the IE exceptions list."

Is not server name with .internal.com the same thing as webserver.internal.com? The other confusing thing is that they all are seemingly set up the same way? Why are some working and some not?

Regardless, as a test, based on your suggestion I stuck "webserver.internal.com;webserver" in the IE exceptions list on the bad client and it worked! Any links to the cfg info you mentioned?

Arch
RE: Some ISA 2004 clients not resolving internal server... - 10.Dec.2006 10:58:16 AM
Arch Willingham
Posts: 58
Joined: 15.Oct.2001
From: Chattanooga, TN 37404
Status: offline
BTW...after I read your post, I figured I'd get out my copy of Dr. Shinder's ISA 2004 book and re-read that section. I turned to my shelf and it's gone. It turns out #1 child chunked it in a recent forced cleaning episode. Moral of the story: When your kid says "Dad...what about this one - want to throw it out too?" make sure you are paying attention. I thought she was pointing at an old Exchange 2000 book.

Arch