Welcome to ISAserver.org


Unexpected web proxy behaviour

Unexpected web proxy behaviour - 27.Nov.2003 5:35:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Hello,

A user just encountered this issue. When I type serverName.domainName.com into my web browser ISA asks for authentication. For example, server1.my-domain.com

( HTTP 407 Proxy Authentication Required - The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209) )

ISA is set up with the following entries in its LDT:
*.my-domain.com
*.my-domain.com.

My IE proxy settings are also set to "Bypass Proxy Server for Local Address".

Why is this behaviour happening?

Thanks, in advance

Paul.
Post #: 1
RE: Unexpected web proxy behaviour - 28.Nov.2003 1:11:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Where is everybody?

Thanksgiving holidays (for the US guys)?

(in reply to ptwilliams)
Post #: 2
RE: Unexpected web proxy behaviour - 1.Dec.2003 10:24:00 AM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Anyone?? [Razz]

(in reply to ptwilliams)
Post #: 3
RE: Unexpected web proxy behaviour - 3.Dec.2003 12:14:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Come on ISAServer.org collective brainpower...

Somebody must have some kind of answer [Confused]

(in reply to ptwilliams)
Post #: 4
RE: Unexpected web proxy behaviour - 5.Dec.2003 1:20:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Anyone?

I've done this: http://support.microsoft.com/default.aspx?scid=816959

Somebody mentioned the fact that I'm a SNAT client. However, I thought that adding the domain suffix to the LDT was how to deal with such an issue?

(in reply to ptwilliams)
Post #: 5
RE: Unexpected web proxy behaviour - 5.Dec.2003 1:56:00 PM   
AlexS

 

Posts: 150
Joined: 4.Feb.2002
Status: offline
Hello Paul.

Strange that nobody answered you; however the problem seems to be very simple; it all depends on how you configured your ISA server.

SNAT is not the cause: you get 407 error in your browser = means that your browser successfully contacted web proxy service.

Please note that ISA LDT entries and IE "Bypass Proxy Server for Local Address" are completely independent things. The latter option in IE instructs it to contact web site directly if hostname is plain (no dots in name) or you entered host/domain to the Intranet zone in IE.

ISA LDT is for Firewall clients ONLY; it controls how name resolution is performed. Web Proxy and SNAT client do not (and cannot) use ISA LDT. Check ISA help about this.

The problem that you have may be caused by the article you mentioned

http://support.microsoft.com/default.aspx?scid=816959

or something similar.

If you want more help, please specify how you configured Outbound Web Proxy Listener, including authentication types, and what your Protocol and Site+Content rules are.

HTH,
Alex

(in reply to ptwilliams)
Post #: 6
RE: Unexpected web proxy behaviour - 5.Dec.2003 5:20:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Thanks Alex, and thanks for clearing up the IE and LDT info.

Regarding my outbound authentication listener settings, it is as follows:

Digest, Integrated

Also, the Ask Unauthenticated users for Authentication checkbox is checked.

(I can't remember why I'm using Digest and Integrated [Big Grin] ) Is this a silly setting or is it OK?

My protocol rules are: groupa - http,https,ftp
Site & content: groupa - any destination, all content types

(I'm testing content filtering at the moment but that isn't the issue -it's temporarily disabled)

Thanks,

Paul.

(in reply to ptwilliams)
Post #: 7
RE: Unexpected web proxy behaviour - 5.Dec.2003 6:26:00 PM   
AlexS

 

Posts: 150
Joined: 4.Feb.2002
Status: offline
Well, Digest authentication requires some prerequisites, like listed in the following article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;222028

You may try to:

1. Disable digest authentication, leaving only Integrated.
2. Make sure that "Enable Integrated Authentication" option is checked in IE Advanced options.

HTH,

Alex

(in reply to ptwilliams)
Post #: 8
RE: Unexpected web proxy behaviour - 8.Dec.2003 11:34:00 AM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Alex,

Thanks for the reply. "Enable Integrated Windows Authentication" is enabled in my browser, will have to check some of the others.

I will have a read of the article you mentioned and try this without digest authentication as soon as I can restart the web service (lunch time sounds good [Big Grin] )

Thanks for the help so far.

I'll post back my findings later.

Paul.

(in reply to ptwilliams)
Post #: 9
RE: Unexpected web proxy behaviour - 9.Dec.2003 5:21:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Alex,

I removed digest authentication and tried again with and without enable integrated... in IE. Both failed. Modifying the domain-name.com to *.domain-name.com in the advanced section of IE's proxy settings has resolved this issue.

What I don't understand is why, when *.domain-name.com isn't present, I can't get to the site. Even if the proxy service thinks it's an external address, the machines and user have unlimited www access. The only thing I can think of is that it is trying to access the internal (intranet) site from the dirty side of the firewall. Do you think this could be the case?

I'm probably way off the mark here, but this seems like a rather fundamental issue to be having???

Paul.

(in reply to ptwilliams)
Post #: 10
RE: Unexpected web proxy behaviour - 17.Dec.2003 12:53:00 AM   
cabaldochoa

 

Posts: 12
Joined: 1.Oct.2003
From: Mexico
Status: offline
Hi,

On Tools->Internet Options->Connections->LAN settings->Proxy Server->Advanced->Exceptions,
write *.your-domain.com;*.your-domain.com;etc..
then OK

(in reply to ptwilliams)
Post #: 11
RE: Unexpected web proxy behaviour - 17.Dec.2003 11:43:00 AM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Thanks cabaldochoa,

What I'm now after is the reason why http://serverName.domain-name.com will only work when *.domain-name.com is an IE exception, whereas http://serverName works fine.

Why does ISA block FQDNs of internal resources? I'm unaware of my rules blocking this?

Paul.

(in reply to ptwilliams)
Post #: 12
RE: Unexpected web proxy behaviour - 17.Dec.2003 1:12:00 PM   
AlexS

 

Posts: 150
Joined: 4.Feb.2002
Status: offline
That's simple.

http://serverName URL is always considered by IE as "Local Intranet" zone site.

Any dotted names (serverName.domainName) AND IP addresses are always considered by IE as non-intranet zone, unless you manually add the URL to the zone.

If you have "bypass proxy for intranet" IE option enabled, then intranet hosts will be contacted directly, all other hosts - using web proxy service.

To resolve your original problem, you should add *.domainName.com to Intranet Zone (or bypass proxy) settings in IE; if you don't, you can try other ways, like:

http://support.microsoft.com/default.aspx?scid=kb;en-us;322822
http://support.microsoft.com/default.aspx?scid=kb;en-us;299838

HTH,
Alex

(in reply to ptwilliams)
Post #: 13
RE: Unexpected web proxy behaviour - 17.Dec.2003 2:29:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

Make sure you configure the clients to use the auto config script so that they use the LDT for direct access and then confirm that your split DNS is in place.

There's a good article on Direct Access in the SharePoint Portal Server Deployment Kit doc.

HTH,
Tom

(in reply to ptwilliams)
Post #: 14
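
The direct-versus-proxy decision discussed in posts 13 and 14, as an added example that is not part of the original thread and is not the script ISA Server generates: a hand-written proxy auto-config (PAC) script in which plain host names and the *.my-domain.com entries from the first post are reached directly and everything else goes to the web proxy. The proxy name and port are assumptions, and the helpers are written out instead of using the PAC built-ins so the script also runs outside a browser.

```javascript
// Added example: hand-written PAC-style script (not generated by ISA Server).
// Assumption: proxy host name and port are hypothetical placeholders.
var PROXY = "PROXY isa.my-domain.com:8080";
// Direct-access entries, taken from the LDT entries quoted in the first post.
var DIRECT_DOMAINS = ["*.my-domain.com", "*.my-domain.com."];

// Lower-case the name and drop one trailing dot, so "HOST.my-domain.com."
// and "host.my-domain.com" are treated as the same host.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

// True when host matches a "*.suffix" entry on a label boundary,
// or equals an exact-name entry. "*.my-domain.com" does not match
// the bare "my-domain.com" or a look-alike such as "evilmy-domain.com".
function matchesEntry(host, entry) {
  var e = normalizeHost(entry);
  if (e.indexOf("*.") === 0) {
    var suffix = e.slice(1); // ".my-domain.com"
    return host.length > suffix.length &&
      host.slice(-suffix.length) === suffix;
  }
  return host === e;
}

// Standard PAC entry point: the browser calls it for every request
// and uses the returned string to choose the route.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  // Plain (dot-less) names such as "serverName" are contacted directly.
  if (h.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (matchesEntry(h, DIRECT_DOMAINS[i])) return "DIRECT";
  }
  // Dotted names outside the list, and IP addresses, go to the web
  // proxy, which is where the 407 in this thread was coming from.
  return PROXY;
}
```
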
RE: Unexpected web proxy behaviour - 17.Dec.2003 4:14:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Alex, thanks very much [Smile] .

quote:
Make sure you configure the clients to use the auto config script so that they use the LDT for direct access and then confirm that your split DNS is in place
Tom, can you elaborate on this a little?

At the moment I'm not using Auto-config scripts and was under the impression that the LDT didn't come into this because it's web only (please correct me if I'm wrong).

As for split-brain DNS -kind of. Internally I'm using ADS DNS and the ISA North interface uses the ISP's DNS. My web servers are hosted and administered by my ISP

Thanks, in advance

Paul.

(in reply to ptwilliams)
Post #: 15
RE: Unexpected web proxy behaviour - 2.Feb.2004 2:57:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
I'll give this topic a little boost in the hope somebody can help with the last question posted.

Paul.

(in reply to ptwilliams)
Post #: 16
RE: Unexpected web proxy behaviour - 5.Feb.2004 1:55:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Anyone?
Tom?

(in reply to ptwilliams)
Post #: 17
RE: Unexpected web proxy behaviour - 9.Feb.2004 10:10:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
...Make sure you configure the clients to use the auto config script so that they use the LDT for direct access and then confirm that your split DNS is in place...

This is the part I'm still querying...

Paul.

(in reply to ptwilliams)
Post #: 18
