
Welcome to ISAserver.org


Unable to reach internal websites

Unable to reach internal websites - 4.Apr.2006 4:14:18 PM   
Gholleman

 

We're having seriously annoying issues with reaching internal websites (actually: web interfaces on routers/switches and printers) through ISA 2004.

When trying to connect to the web interface of a printer we get an error message:

Technical Information (for support personnel)

Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 10.1.2.50
Date: 4/4/2006 1:58:21 PM
Server: FW001.------.net
Source: proxy

On the firewall we get the following message:

Original Client IP Client Agent Authenticated Client Service Referring Server Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Log Time Client IP Destination IP Destination Port Destination Host Name Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type
10.1.10.1    - TCP - -      -    4/4/2006 1:56:59 PM 1731 37000 9677 125558 0x0 0x0 4/4/2006 3:56:59 PM 10.1.10.1 10.1.2.50 8080  Unidentified IP Traffic Closed Connection  0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   Internal Local Host - FW001 Firewall
10.1.10.1    - TCP - -      -    4/4/2006 1:57:01 PM 1734 0 0 0 0x0 0x0 4/4/2006 3:57:01 PM 10.1.10.1 10.1.2.50 8080  Unidentified IP Traffic Initiated Connection  0x0    Internal Local Host - FW001 Firewall

When I disable both the Firewall client and the Web Proxy client, the connection succeeds. Adding the IP address to the 'do not use proxy server for addresses beginning with' list does not make a difference; the connection still fails.

On the properties page of Networks > Internal, on the Addresses tab, the range 10.1.0.0-10.6.255.255 is included in 'specify the IP address range to include in this network', and on the Web Browser tab, 'bypass proxy for web servers in this network' and 'directly access the servers in this domain' are enabled. Also, 'directly access these servers or domains' includes the 10.1.0.0-10.6.255.255 range.

Config of the network interfaces:

  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
  Physical Address. . . . . . . . . : 00-14-22-73-1C-6F
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 82.--.--.--
  Subnet Mask . . . . . . . . . . . : 255.255.255.248
  Default Gateway . . . . . . . . . : 82.--.--.--
  DNS Servers . . . . . . . . . . . : 10.1.2.1
                                      194.--.--.--
  NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter INTERN:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
  Physical Address. . . . . . . . . : 00-14-22-73-1C-6E
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 10.1.2.50
  Subnet Mask . . . . . . . . . . . : 255.255.0.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 10.1.2.1

Routing table:
Persistent Routes:
Network Address          Netmask  Gateway Address  Metric
        10.2.0.0      255.255.0.0         10.1.1.1       1
        10.3.0.0      255.255.0.0         10.1.1.1       1
        10.4.0.0      255.255.0.0         10.1.1.1       1
        10.5.0.0      255.255.0.0         10.1.1.1       1
        10.6.0.0      255.255.0.0         10.1.1.1       1

Now, I have to agree, I'm not an ISA specialist (far from it, though I did take the course), but I'm kinda lost now as to what the problem could be.
Post #: 1
RE: Unable to reach internal websites - 4.Apr.2006 4:36:44 PM   
tshinder

 

Hi Gholleman,

Do you have a network diagram showing the problematic request/response paths?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Gholleman)
Post #: 2
RE: Unable to reach internal websites - 4.Apr.2006 4:47:31 PM   
Gholleman

 

Hello Tom,

Thanks for the quick response!

Though, I'm not a native speaker, and to be honest I don't really get what you're asking for... sorry.

Gilbert

(in reply to tshinder)
Post #: 3
RE: Unable to reach internal websites - 4.Apr.2006 6:10:25 PM   
LLigetfa

 

Where is the ISA in relation to the clients and the internal websites? If they are both on the same side, why is the ISA involved? Did you configure them to go direct?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to Gholleman)
Post #: 4
RE: Unable to reach internal websites - 6.Apr.2006 11:25:43 AM   
Gholleman

 

The ISA is on the border of the network/internet, not in between the clients and the switches etc.

I don't get it myself why the ISA (considers itself to be) involved. When I disable both the Firewall client and the Web Proxy client, it does work normally.

But it intercepts the traffic and blocks it, and that is the problem I can't figure out.

(in reply to LLigetfa)
Post #: 5
RE: Unable to reach internal websites - 6.Apr.2006 3:15:42 PM   
LLigetfa

 

quote:

But it intercepts the traffic and blocks it

Because you did not configure them to go direct.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to Gholleman)
Post #: 6
RE: Unable to reach internal websites - 6.Apr.2006 4:48:44 PM   
elmajdal

 

What LLi is telling you is this:

http://www.isaserver.org/articles/2004directaccessp1.html

http://www.isaserver.org/articles/2004directaccessp2.html

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to Gholleman)
Post #: 7
RE: Unable to reach internal websites - 7.Apr.2006 1:25:30 PM   
Gholleman

 

I was able to solve the problem myself... and am embarrassed to mention the solution:

The rule was allowing from internal to external. Added internal to the destination, and the problem is solved.

Sometimes the solution is too obvious to be noticed...

Thanks everyone for thinking along.

(in reply to elmajdal)
Post #: 8
RE: Unable to reach internal websites - 7.Apr.2006 4:30:30 PM   
LLigetfa

 

No, NO, NOOO.  The solution is NOT to loopback through ISA with an internal-internal rule.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to Gholleman)
Post #: 9
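
The "go direct" decision discussed in this thread, as an added example that is not part of any post and is not ISA Server's own script: a PAC-style function that sends destinations inside the Internal range 10.1.0.0-10.6.255.255 direct and everything else to the proxy listener at 10.1.2.50:8080 seen in the first post's log, plus a helper that flags proxy requests where both ends are internal. Function names and the sample entries are hypothetical and constructed for illustration.

```javascript
// Added illustration, not ISA Server's own autoconfiguration script.
// Range and proxy address are taken from the first post; names are hypothetical.
const INTERNAL_START = "10.1.0.0";
const INTERNAL_END = "10.6.255.255";
const PROXY = "PROXY 10.1.2.50:8080";

// Dotted-quad IPv4 string -> unsigned 32-bit number, or null if not an IPv4 literal.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// True when the address falls inside the Internal network range.
function isInternal(ip) {
  const n = ipv4ToInt(ip);
  return n !== null && n >= ipv4ToInt(INTERNAL_START) && n <= ipv4ToInt(INTERNAL_END);
}

// How a client should reach `host`. Names are not resolved here, so anything
// that is not an IPv4 literal inside the range is sent to the proxy.
function routeFor(host) {
  return isInternal(host) ? "DIRECT" : PROXY;
}

// Audit helper: proxy requests where both client and destination are internal,
// i.e. traffic that looped through the firewall instead of going direct.
function hairpinned(entries) {
  return entries.filter((e) => isInternal(e.client) && isInternal(e.dest));
}

// Constructed sample of proxy requests (client 10.1.10.1 is from the thread's log;
// the destinations are made up for the example).
const SAMPLE = [
  { client: "10.1.10.1", dest: "10.3.0.25" },    // internal device web interface
  { client: "10.1.10.1", dest: "203.0.113.10" }, // external site
];

console.log(routeFor("10.3.0.25"), "|", routeFor("203.0.113.10"));
console.log(hairpinned(SAMPLE));
```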
