• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Web Traffic going thru FWC

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Web Traffic going thru FWC Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Web Traffic going thru FWC - 20.Jun.2002 12:05:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi there

I have been noticing something very strange on my machine. At times I will be surfing fine without anyhassles, and then after a while I will all of a sudden start getting timeout failures, unknown hosts etc.

When I checked the logs in my database I noticed that in the FirewallLog table (which should log all traffic made via the Firewall Service) that there is traffic for my ClientIP that uses the ClientAgent IEXPLORE.EXE:3:5:0. Now as I understand it, all traffic from IExplorer should be logged in the WebProxyLog table as it is serviced by the WebProxy Service.

The fact that my traffic is shown in the FWallLog means that the FWClient was servicing some of my IExplorer requests and I cannot understand why as I do have all the necessary IExplorer proxy settings etc in place.

Any ideas?

Cheers
William R.
Post #: 1
RE: Web Traffic going thru FWC - 20.Jun.2002 12:31:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi there

I've also noticed the following:
1) When I check the Firewall Service under the Monitoring tab, sometimes it shows "Number of Sessions" and "Service Up-Time" as UNAVAILABLE.

2) The default Username shown for Web Proxy sessions is the DOMAINNAME\USERNAME all in capital letters. Yet I have seen that sometimes my traffic is authenticated as lowercase domainname\username.

Cheers
William R.

(in reply to wi11iam)
Post #: 2
RE: Web Traffic going thru FWC - 20.Jun.2002 6:40:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Help! It's getting really confusing with these logfiles. Any ideas peeps?

(in reply to wi11iam)
Post #: 3
RE: Web Traffic going thru FWC - 21.Jun.2002 4:27:00 PM   
whisperedlies

 

Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
That's an issue that I haven't addressed yet (our ISA installation is very recent, so I'm a n00b too), but as I think it goes, forcing the clients to authenticate in the outgoing weblistener should help with the anonymous and ambiguous info in the session list and the logs. however I noticed that what ISA actually logs is hit or miss. There's packets i KNOW it has dropped, that it hasn't logged. I think it goes the same way for any of the other logs. Not really sure why. An explaination might be that it just logs what it can without affecting performance, but I don't know how much water that holds.

(in reply to wi11iam)
Post #: 4
RE: Web Traffic going thru FWC - 24.Jun.2002 8:47:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi Mike

Thanks for that. I hear what you're saying with regards to the actual logging of information and it may or may not hold water. However my problem extends a little beyond that.

What the logs have shown me is what I suspected all along in any case. For some or other reason, every now and then my WEB Proxy traffic is being sent via the Firewall Client and not via the WEB Proxy. I believe that this is a bit of a problem as it is not supposed to work like this and I would like to understand why it is happeneing before I roll the FWClient out to the entire company.

Cheers
William R.

(in reply to wi11iam)
Post #: 5
RE: Web Traffic going thru FWC - 2.Jul.2002 2:32:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi there

Would anyone have some insight into why my IExplore clients sometimes decide to surf through the Firewall Client instead of via the WEB Proxy settings within IExplorer?

Cheers
William R.

(in reply to wi11iam)
Post #: 6
RE: Web Traffic going thru FWC - 3.Jul.2002 8:09:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi William,

First, I can tell you that I've noticed the very same thing! I have my personal computer set up as a Web Proxy, Firewall and SecureNAT client. When I go over the logs, I see a lot of Firewall client sessions coming from my browser.

Of course, this was a bit of a mystery for awhile, because I thought this was just anothter piece of whackiness coming from ISA Server. However, when I did a reverse lookup at the IP addresses in the Firewall log, I noticed they were for sites that I had configured for Direct Access in the Web Browser config node in the ISA Management console.

So, maybe that's what's going on with your site, too.

HTH,
Tom

(in reply to wi11iam)
Post #: 7
RE: Web Traffic going thru FWC - 3.Jul.2002 8:35:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi Tom

Firstly, the only sites I have configured for Direct Access in the WEB Browser config are my local Intranet sites.

Secondly, there are 565 Unique IP Addresses in my Firewall Log and they include sites such as www.yahoo.com, www.standardbank.co.za, www.win2000mag.com, www.debsfunpages.com etc.

As you can see, it appears to be pretty random and as recent as right now. For example I have just seen that my accessing www.shinder.net has appeared in my Firewall Log and not in my WEB Proxy Log.

Should this be possible?

Cheers
William R.

(in reply to wi11iam)
Post #: 8
RE: Web Traffic going thru FWC - 3.Jul.2002 8:17:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi William,

Well, that's very interesting! There is something that is causing the client to switch to the Firewall client from the Web Proxy client. A basic rule of thumb is that if the Web Proxy client can't access something, it will switch over to the Firewall or SecureNAT client config in order to service the request.

So, the key seems to be trying to figure out what is blocking the Web Proxy client request.

HTH,
Tom

(in reply to wi11iam)
Post #: 9
RE: Web Traffic going thru FWC - 4.Jul.2002 6:03:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi Tom

Well, whatever is causing it is probably the cause of most of my frustrations that I experience with ISA. I cannot quite pinpoint a summary of all the problems that I have as they are niggling little indescribable issues that just bite!

Primary among them though is this issue so I believe by solving this I will address most of my other little ones.

I can however not think of any method I can follow to try and resolve this issue. Seeing as it occurs on most all of my client workstations I cannot think it is something that I may have disrupted. It has to be something more global to either IExplorer or the FWC.

Is there some way that I can have an alert notify me when an IExplorer session is using the FWC? I can maybe put a trigger on the FirewallLog table on my SQL Database but that just feels a bit crude.

Any and all comments will be most welcome.

Cheers
William R.

(in reply to wi11iam)
Post #: 10
RE: Web Traffic going thru FWC - 4.Jul.2002 6:22:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi Tom

Do you think that this may be as a result of DNS Failures? I was reading some of your replies to other articles and I noted that some problems were possibly avoided by using the IP Address of the ISA Server instead of the Node Name.

Do you think that if I configured the AutoConfig of my browser clients to use http://<IP address>:8080/array.dll?Get.Routing.Script that it would make any difference> Do you tj\hink that it might help me avoid having to use the WEB Proxy settings in IExplorer as well?

Cheers
William R.

(in reply to wi11iam)
Post #: 11
RE: Web Traffic going thru FWC - 5.Jul.2002 8:58:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi there

Don't know if my last reply made any sense. Let me know if I need to rephrase.

Cheers
William R.

(in reply to wi11iam)
Post #: 12
RE: Web Traffic going thru FWC - 5.Jul.2002 2:38:00 PM   
lemonwater925

 

Posts: 417
Joined: 22.Mar.2001
From: North of the 49th
Status: offline
I am getting the same issues as you with the UNAVAILABLE and the FWC being used by IE. Still have not been able to figure it out either.

(in reply to wi11iam)
Post #: 13
RE: Web Traffic going thru FWC - 5.Jul.2002 3:13:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi LW

I would be immensely grateful if you managed to kept me up to dat with any findings you might make.

Cheers
William R.

(in reply to wi11iam)
Post #: 14
RE: Web Traffic going thru FWC - 5.Jul.2002 4:36:00 PM   
lemonwater925

 

Posts: 417
Joined: 22.Mar.2001
From: North of the 49th
Status: offline
will do...

(in reply to wi11iam)
Post #: 15
RE: Web Traffic going thru FWC - 6.Jul.2002 7:12:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

Some possibiliteis:

* The Web Proxy client times out and lets the Firewall client handle the request

* DNS issue? If you are using the default configuration, both the Web Proxy and the Firewall client allow the ISA Server to resolve names on their behalf.

I would also check your routing rules. The only places where I see this is for sites that are included in the Direct Access list. I'll be interested to hear what you guys find.

Thanks!

Tom

(in reply to wi11iam)
Post #: 16
RE: Web Traffic going thru FWC - 8.Jul.2002 9:27:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi Tom

I'm very curious about what you said about a DNS Issue. Firstly, what do you presume is the default configuration? (I.e. How is the client/server setup to be in "default" config?)

And secondly, is there any way that I can get the WEB Proxy and FW Clients to forward their DNS Requests directly to the local DNS Servers instead of routing them via the ISA Server?

Cheers
William R.

(in reply to wi11iam)
Post #: 17
RE: Web Traffic going thru FWC - 8.Jul.2002 5:03:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi William,

you can force the Firewall client to do always DNS lookups locally. Check out http://www.isaserver.org/pages/articles.asp?art=60 how to configure it. It's at the end of the document (NameResolution=L).

HTH,
Stefaan

(in reply to wi11iam)
Post #: 18
RE: Web Traffic going thru FWC - 9.Jul.2002 8:30:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi Stefaan

Thanks, I have made the change on my ISA Server but now I am wondering how long it will take to filter this change through to my FWClients. I have run the UPDATE NOW button within the FW Client but I still cannot see the change within my MSPCLNT.INI under "C:\Program Files\Microsoft Firewall Client\internal_setup"

I have even restarted my ISA Services but it still does not show. I know that the ISA Server will be default propogate changes every 6 hours, but surely if I UPDATE NOW it should send all new configuration settings to my FW Client?

Cheers
William R.

(in reply to wi11iam)
Post #: 19
RE: Web Traffic going thru FWC - 9.Jul.2002 10:50:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi William,

you are probably looking at the wrong place! [Big Grin]

Assuming you are using a W2K workstation, the current MSPCLNT.INI file is stored under "C:\Documents and Settings\All Users\Application Data\Microsoft\Firewall Client". At least if you have made the Firewall client available for all users. Otherwise it will be under the specific user.

Another good test to see what is the current MSPCLNT.INI file is making a call to http://wpad:80/wspad.dat . Of course this assumes you have the proper wpad entry in your internal DNS. If not, replace wpad with the IP-address of the ISA internal interface.

HTH,
Stefaan

(in reply to wi11iam)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Web Traffic going thru FWC Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts