• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Strange, rare problem... Should I open up a case with Microsoft?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> General >> Strange, rare problem... Should I open up a case with Microsoft? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Strange, rare problem... Should I open up a case with M... - 9.Aug.2004 6:56:00 PM   
Ross G

 

Posts: 11
Joined: 5.Aug.2004
From: Michigan
Status: offline
First, thanks Tom for your help with the several minor issues I've had during setup; It's thanks to you I've widdled things down to one remaining issue.

I've found something that I think is a possible bug in ISA...

It involves using a webserver on the local machine (unavoiadable in my situation). There are 2 IP's on the machine, on the same network adapter: 10.10.10.58, and 10.10.0.125. A host header called "webserve" points to the second IP.

When the proxy client is set up not to force authentication, everything works fine, and users can access the internal website by typing http://webserve in their browsers' address bars. But, I need to authenticate users so I set it (internal network) to force integrated authentication. When this happens, they are given the standard ISA URL denial screen.

After studying this problem using logging queries, I found a key difference in the way requests for the local machine are seen by ISA when using authentication vs. not using it.

When NOT using authentication, a user request for "http://webserve/websites" will show in the logs like this:
- HTTP Allowed connection Accessrule1 Local Host GET http://10.10.0.125/websites

While WITH integrated auth forced it looks like this:
- HTTP Denied connection (Blank under "rule" column) Local Host GET /websites

So, somehow when authentication is forced the IP is being stripped out of the request that ISA sees.

I have tried:
* web listeners specifically for the host headers, per microsoft's site's instructions.
* adding 10.10.0.125 and webserve to local lists to be bypassed

Should I open a case with Microsoft?

Thanks in advance

P.S. I heard the suggestion once that I should apply authentication via access rules but have not seen a way to do this.

[ August 09, 2004, 11:52 PM: Message edited by: Ross G ]
Post #: 1
RE: Strange, rare problem... Should I open up a case wi... - 10.Aug.2004 8:57:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi ,

Do you have a NAT relationship between Client network and your ISA server website ?

Kind regards,
LexP

(in reply to Ross G)
Post #: 2
RE: Strange, rare problem... Should I open up a case wi... - 10.Aug.2004 11:41:00 PM   
Ross G

 

Posts: 11
Joined: 5.Aug.2004
From: Michigan
Status: offline
Hi Lex,

They're all on the same network (single network adapter template). The internal network represents everything but 127.0.0.1-127.255.255.255 in this setup.

This server is an internal machine I intend to use for access control, caching, and reporting.

(in reply to Ross G)
Post #: 3
RE: Strange, rare problem... Should I open up a case wi... - 12.Aug.2004 9:57:00 PM   
Ross G

 

Posts: 11
Joined: 5.Aug.2004
From: Michigan
Status: offline
It's fixed now,

Problem actually applied to all internal sites. Creating separate rule for internal/local host that allowed all users, and a rule for external that only allowed auth users did the trick

(in reply to Ross G)
Post #: 4
RE: Strange, rare problem... Should I open up a case wi... - 13.Aug.2004 11:52:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ross,

Just a quick tip here. You should not loop back through the ISA firewall for internal access. The users should connect directly to the Internal network server and bypass the ISA firewall to internal network resources.

HTH,
Tom

(in reply to Ross G)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> General >> Strange, rare problem... Should I open up a case with Microsoft? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts