Direct Access to "Inside" sites

Direct Access to "Inside" sites - 5.May2006 11:56:47 PM   
Kerry.Kriegel


Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
I am running ISA 2004 on Windows Server 2003.  All of my clients are Firewall clients utilizing wpad for configuration settings.

This setup has been online and operational for a very long time.  I can watch the monitor and see that my clients were hitting inside sites without ever touching ISA (after getting the latest wpad).  Last night I applied ISA 2004 SP2 and all of a sudden my clients were all hitting ISA when trying to access inside sites.  I could see in the monitor that the source and destination networks were both Internal.  No one was getting anywhere until I quickly created a rule allowing access from Internal to Internal.  Clients are all IE 6.0.

The clients can still browse to the wpad.dat file and see all of the "directly access" strings.  Can anyone tell me what changed in SP2 to cause this?  Can I get them back to directly accessing Internal sites and subnets?
Post #: 1
RE: Direct Access to "Inside" sites - 6.May2006 12:15:20 AM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kerry,

yep, there are some changes in ISA 2004 SP2 regarding direct access. For more info and how to fix it, check out:


HTH,
Stefaan

(in reply to Kerry.Kriegel)
Post #: 2
RE: Direct Access to "Inside" sites - 8.May2006 5:03:00 PM   
Kerry.Kriegel


Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
Thanks Stefaan - the articles did help.

I removed all of my IP addresses from the "Web Browser" tab and left only the existing domain names - with wildcards, i.e. "*.racineco.com" - and discovered much to my surprise that my clients were still hitting ISA to access those sites.

I entered "www.racineco.com" in the list and now my users access directly.  Apparently wildcards are no longer allowed?

I have literally hundreds of "*.state.wi.us" websites that my users connect to over a private link.  This is going to be such a major pain that I guess I will be better off un-installing SP-2.

Is there a new syntax for wildcards?  Or are wildcards history?


_____________________________

WANMAN

(in reply to spouseele)
Post #: 3
RE: Direct Access to "Inside" sites - 8.May2006 8:57:12 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kerry,

I can assure you that wildcards are still supported. Keep in mind that the 'wpad.dat' file is cached on the client and has a default time-to-live of 50 minutes. So, wait that long or clear the IE cache before making a new test.

HTH,
Stefaan 

(in reply to Kerry.Kriegel)
Post #: 4
RE: Direct Access to "Inside" sites - 8.May2006 8:57:32 PM   
Kerry.Kriegel


Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
UPDATE -

I have discovered that the wildcard problem is restricted to users of wpad.dat ONLY.  If I go to an end-user machine and de-select the "Use automatic configuration script", and put them back to proxy clients, the wildcard in the domain name functions properly.

When "Use automatic configuration script" is in use, and pointing my users to the wpad.dat, the wildcard in a domain name is not valid, i.e. *.racineco.com will cause the client to hit ISA, but www.racineco.com will send the client directly to the server.

Using a browser to look at the wpad.dat file reveals no apparent differences from before SP-2.  All names, including the ones with wildcards, are in quotes: "*.racineco.com"

Has anyone else had a problem with wildcards in wpad?  At this point I think I have no choice except to un-install SP-2. 

_____________________________

WANMAN

(in reply to Kerry.Kriegel)
Post #: 5
RE: Direct Access to "Inside" sites - 8.May2006 10:57:46 PM   
Kerry.Kriegel


Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
Stefaan,

While wandering this site looking for a solution, I came across this post...

http://forums.isaserver.org/m_2002013771/mpage_1/key_/tm.htm#2002013829

which seems to be the same issue I am having.  Is it possible for me to get the "private fix" mentioned?


_____________________________

WANMAN

(in reply to Kerry.Kriegel)
Post #: 6
RE: Direct Access to "Inside" sites - 8.May2006 11:41:59 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kerry,

I've just tested it again and direct access for '*.domain.tld' just works as it should if you use Automatic Configuration (wpad.dat)! However, make sure you have *no* IP addresses specified in the Web Browser tab of the internal network properties, otherwise it won't work with ISA 2004 SP2.

BTW --- as far as I know, the private fix is not yet released to the public. I have tested and used it for a while but the new update http://support.microsoft.com/?kbid=916106 breaks the private fix.

HTH,
Stefaan

(in reply to Kerry.Kriegel)
Post #: 7
RE: Direct Access to "Inside" sites - 9.May2006 11:36:11 PM   
Kerry.Kriegel


Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
Stefaan,

I have found - and resolved - the problem I have been having with the "direct access".

My employer, Racine County, has 2 main domains - RacineCo.com and goRacine.org.  Over the years I have developed the habit of typing them just that way.  3 years ago, when I first implemented ISA, that is how they were entered in the "domains" tab -->  *.RacineCo.com  and  *.goRacine.org.  They also appeared that way in the wpad.dat file when viewed with a browser.  They have also functioned correctly over the last 3 years.

After the implementation of SP-2, my clients began hitting the ISA box when accessing either of those domains.  Remembering that when I first set up the wpad in my DNS there were several articles warning that it was case sensitive, I figured, why not take a shot.

I changed the syntax of the entries on the "domains" tab to  *.racineco.com  and  *.goracine.org  and voila - all of my clients are behaving as expected.  I must admit that this makes absolutely no sense, but it is now working correctly so -- ???? -- who knows.

_____________________________

WANMAN

(in reply to spouseele)
Post #: 8
RE: Direct Access to "Inside" sites - 10.May2006 8:28:55 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kerry,

wow... I would never have thought of that!

I've just checked it on ISA 2004 SP2 and yes, the function shExpMatch(host, DirectNames) used in the wpad.dat file seems to be case sensitive. The funny thing is that this is a JavaScript function running on the client itself. So, how can that change between ISA 2004 SP1 and SP2?

The only explanation I could think of is that maybe in pre-SP2 the wpad file was created with all FQDNs in lowercase. I no longer have an ISA 2004 SP1 running, so I can't verify that. Can you still check that?

Thanks,
Stefaan

(in reply to Kerry.Kriegel)
Post #: 9
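The behaviour Stefaan describes above, reproduced as an added example that is not part of this thread and not ISA's generated wpad.dat: a reimplementation of the PAC helper shExpMatch() with the documented semantics ('*' matches any run of characters, '?' one character, everything else literal), a minimal FindProxyForURL-style lookup built on it, and an audit helper that flags direct-access entries containing upper-case letters, which a lower-case host name can never match. The DirectNames list and the proxy address are constructed for the example; real PAC engines may differ in detail.

```javascript
// Added example (not from the forum thread or from ISA's wpad.dat generator).
// Reimplements shExpMatch() as used in PAC/wpad files: shell-style wildcard
// matching, anchored to the whole string and case sensitive, as the thread observed.
function shExpMatch(str, shexp) {
  // Escape regex metacharacters first, then translate the shell wildcards.
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// Direct-access list as an administrator might have typed it (constructed values,
// mirroring the mixed-case entries described in the thread).
const DirectNames = ['*.RacineCo.com', '*.goRacine.org'];

// Placeholder proxy address for the example; not a real host.
const PROXY = 'PROXY isa.example.local:8080';

// Naive PAC logic: the host is compared against the list exactly as written.
// A lower-case host never matches a mixed-case pattern, so it goes to the proxy.
function findProxyNaive(host, names) {
  for (const pattern of names) {
    if (shExpMatch(host, pattern)) return 'DIRECT';
  }
  return PROXY;
}

// Hardened variant: DNS names are case-insensitive, so normalise both sides
// before matching. This is what the thread's lower-case fix achieves by hand.
function findProxyNormalized(host, names) {
  const h = host.toLowerCase();
  for (const pattern of names) {
    if (shExpMatch(h, pattern.toLowerCase())) return 'DIRECT';
  }
  return PROXY;
}

// Audit check: return the direct-access entries that contain upper-case letters.
// Run this over the list served in wpad.dat to spot entries that will silently
// send traffic through the proxy instead of directly.
function auditDirectNames(names) {
  return names.filter((pattern) => pattern !== pattern.toLowerCase());
}

// Stand-alone demonstration.
console.log(findProxyNaive('www.racineco.com', DirectNames));       // PROXY ...
console.log(findProxyNormalized('www.racineco.com', DirectNames));  // DIRECT
console.log(auditDirectNames(DirectNames));                         // both entries
```

Two properties of shExpMatch() are worth noting when reading this: the match is anchored, so '*.racineco.com' does not match 'www.racineco.com.example.net', and the bare apex 'racineco.com' does not match '*.racineco.com' either, because the pattern requires at least the literal dot before the domain; both are common reasons a site unexpectedly goes through the proxy.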
RE: Direct Access to "Inside" sites - 10.May2006 8:52:47 PM   
Kerry.Kriegel


Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
Stefaan,

Unfortunately, I upgraded both of my ISAs to SP-2 so I cannot test backwards.

The only thing I can offer here is that it used to work with upper case entries in the "domains" tab and in the "web browser" tab.  Visual inspection of the wpad.dat file via a browser showed the upper case entries and my clients would not hit the ISA box when accessing those sites.

After SP-2, upper case entries caused me problems and I had to create an "Allow Internal to Internal" rule.  Visual inspection of the wpad.dat file via a browser looked exactly the same as before.

I haven't got a clue.  I have not delved into this too deeply as my clients are now functioning correctly and I was able to remove the Allow Internal to Internal rule.  It would appear that something has changed in the run-time wpad.dat generator after SP-2.

_____________________________

WANMAN

(in reply to spouseele)
Post #: 10
RE: Direct Access to "Inside" sites - 10.May2006 9:39:53 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kerry,

OK, I will post this to the discussion list and hopefully Tom or Jim have a good explanation.

Thanks,
Stefaan

(in reply to Kerry.Kriegel)
Post #: 11