Welcome to ISAserver.org
Website Access failure
Website Access failure - 11.Mar.2008 11:25:17 AM
jrounkles
Posts: 16
Joined: 20.Jul.2007
Status: offline
We are having issues with accessing a DMZ server at a different site. Our setup is as follows:

Internal-->ISA-->Pix-->Internet

We are trying to go out to the internet and hit the public address on a website that is hosted on the remote branch's DMZ. If we add the ACL to the Pix for the machine trying to access the website then we can turn off the proxy and it works. However when I turn the proxy back on, it will not connect. I have turned logging on and don't see much info as to what is getting blocked.

We currently allow Authenticated Users to connect to www & https. I tried to create a rule for All Users connecting to https & www for this specific site but no luck. The reason behind the All Users firewall policy is because it appears to be trying to connect via anonymous user.

The only entry that shows in the logging for anything being blocked is:

===============================
Failed Connection Attempt
CBCKCSERVICES 3/11/2008 9:33:45 AM
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Rule: Allow Internet Access
Source: Internal (192.168.101.65)
Destination: External (67.65.XX.XX:443)
Request: merchant.xxxxxxx.com:443
Filter information: Req ID: 0b3fd409; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: XXXXX\jmcdonal
Additional information
Client agent:
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0
MIME type:
===============================

FYI - We do not use the firewall client on the workstations.

Any help would be greatly appreciated!!!

TIA
RE: Website Access failure - 11.Mar.2008 4:25:56 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
"If we add the ACL to the Pix for the machine trying to access the website then we can turn off the proxy and it works. However when I turn the proxy back on, it will not connect."

You probably didn't add ISA's external IP# to the PIX's ACL. It is ISA accessing the site, not the workstation.
_____________________________
Phillip Windell www.wandtv.com
RE: Website Access failure - 12.Mar.2008 3:55:42 PM
jrounkles
Posts: 16
Joined: 20.Jul.2007
Status: offline
We have an ACL in place that allows anyone on the "inside" network access to the websites on the "dmz" side. This would include the ISA server.
RE: Website Access failure - 12.Mar.2008 4:34:47 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
According to your details in the original post the attempt is "failing",...it is not being "denied". Those are two different things.

The problem appears to be upstream from the ISA (like at the PIX). When users go through the ISA the request appears to come from the ISA, not the Source Client, therefore there seems to still be a problem with the ACL on the PIX. The PIX should have logs that tell you clearly what is happening.

Also, if the ISA is a typical 2-nic ISA (you didn't specify and those are important details) then it is simply *impossible* to just "turn off the proxy" and have things suddenly work because the ISA is physically "in the way" and it is never going to pass the packets through the box by shutting down the ISA Services or removing the proxy settings at the Client. The Client will always "use the proxy" no matter what,...it is just a matter of what component of the ISA it will use.

1. If the Client has "proxy settings" in the browser it will try to use the Web Proxy Service.
2. If the proxy settings are removed and the Firewall Client is installed it will use the Firewall [winsock proxy] Service.
3. If the proxy settings are removed and the Firewall Client is uninstalled then it will attempt to use the ISA's SecureNAT Service by following the LAN's "routing path".
4. If the proxy settings are removed and the Firewall Client is uninstalled and the LAN's "routing path" does not take the Client to the ISA then the Client is simply "cut off" from the outside world unless there is some other NAT Firewall in the LAN's "routing path" to replace the job of the ISA.
_____________________________
Phillip Windell www.wandtv.com
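The "failing" versus "denied" distinction made in the reply above, as an added example that is not part of the thread and is not ISA or PIX code: Python that parses the log entry from the first post and reports which device to check next and which source address that device sees. The "Denied" action label and the 192.0.2.10 documentation address standing in for ISA's external IP are assumptions.

```python
import re

# Constructed sample: the log entry quoted in the first post, one field per line.
SAMPLE_ENTRY = """\
===============================
Failed Connection Attempt
CBCKCSERVICES 3/11/2008 9:33:45 AM
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Rule: Allow Internet Access
Source: Internal (192.168.101.65)
Destination: External (67.65.XX.XX:443)
Request: merchant.xxxxxxx.com:443
Protocol: SSL-tunnel
User: XXXXX\\jmcdonal
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")  # "Key: value"; the timestamp line does not match
PAREN = re.compile(r"\(([^)]*)\)")             # address inside "Internal (...)"

def parse_entry(text):
    """Return the action line plus the 'Key: value' fields of one pasted entry."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and set(ln) != {"="}]  # drop blanks and ==== rulers
    fields = {"action": lines[0]}
    for ln in lines[1:]:
        m = FIELD.match(ln)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def address(value):
    m = PAREN.search(value or "")
    return m.group(1) if m else None

def triage(fields, isa_external_ip):
    """Say which device to look at next and which source address it will see."""
    client, dest = address(fields.get("source")), address(fields.get("destination"))
    action = fields["action"].lower()
    if action.startswith("denied"):  # assumed label for a policy denial
        return {"verdict": "denied", "check": "ISA firewall policy", "seen_as": client, "dest": dest}
    if action.startswith("failed"):
        # A rule matched and allowed the request; the connection died after ISA forwarded it,
        # so the upstream firewall saw ISA's external address, not the workstation's.
        return {"verdict": "failed upstream", "check": "upstream firewall ACL and logs",
                "seen_as": isa_external_ip, "dest": dest}
    return {"verdict": "other", "check": "n/a", "seen_as": client, "dest": dest}

# 192.0.2.10 is a placeholder for ISA's external IP, which the thread does not give.
print(triage(parse_entry(SAMPLE_ENTRY), "192.0.2.10"))
```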
RE: Website Access failure - 12.Mar.2008 4:57:10 PM
jrounkles
Posts: 16
Joined: 20.Jul.2007
Status: offline
I apologize for my lack of clarity on the issue. I am new to ISA and was given the software to install and manage without any training. I had Microsoft walk me through the install but the price for their support is outrageous considering the support you actually receive. I will get all the information put together and repost. I thank you for your time!!
RE: Website Access failure - 12.Mar.2008 6:00:03 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Sounds good. Catcha tomorrow...
_____________________________
Phillip Windell www.wandtv.com