• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

"Directly Access" question

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Web Proxy] >> General >> "Directly Access" question Page: [1]
Login
Message << Older Topic   Newer Topic >>
"Directly Access" question - 10.Mar.2008 8:07:21 PM   
sbaldridge

 

Posts: 15
Joined: 2.May2004
Status: offline
I'm having a problem here... frustrating.

Using ISA 2006 Std, pretty basic config:  one nic to internet, one internally, ISA is a domain member.  I have enabled WPAD discovery through DNS and forced "Automatically detect configuration settings" through group policy, I exclude certain sites from being proxied by opening the Internal network object>Web Browser>"Directly access these servers or domains".  Users have no problem using the proxy with this setup.

I have one site that is listed in the "directly access ..." list, let's call it *.trouble.com.  I have included it as:
"*.trouble.com"
"www.trouble.com"

If I look at logging I see *most* traffic to www.trouble.com is not proxied but some http requests are being proxied.  This particular site is using Citrix Metaframe over https so it is very sensitive to a timeout. 

Question:  why would some traffic to www.trouble.com be proxied when it is specifically excluded by my configuration (above)??

Thanks!!

Scott
Post #: 1
RE: "Directly Access" question - 11.Mar.2008 2:10:44 PM   
Kirill

 

Posts: 205
Joined: 26.Sep.2001
Status: offline
Hi Scott,
Try using just "*trouble.com" instead of 2 definitions.

_____________________________

Regards,
Kirill
Corporate SAP Basis Administrator/Chief IT Security Officer, MSc, MCSE.

(in reply to sbaldridge)
Post #: 2
RE: "Directly Access" question - 11.Mar.2008 4:09:37 PM   
sbaldridge

 

Posts: 15
Joined: 2.May2004
Status: offline
Wouldn't that also filter similar domains like*.bigtrouble.com?

(in reply to Kirill)
Post #: 3
RE: "Directly Access" question - 11.Mar.2008 4:16:05 PM   
sbaldridge

 

Posts: 15
Joined: 2.May2004
Status: offline
Anyway I think I have it worked out.  This problem exists in ISA2004SP2, I'm really surprised it's not corrected by now in the 2006 version.

From this document:
http://technet.microsoft.com/en-us/library/bb794774.aspx
  • Web Browser. Specify browser settings to be configured for Web Proxy clients in the network. <snip> Note the following when you specify destinations for direct access in the Directly access these servers or domains list:
  • You should specify both the IP address and the fully qualified domain name (FQDN) of the destination, or the FQDN only. If there is an IP range in the list, the automatic configuration script determines whether the resolved name of the IP address is included in the list. If it is, the script determines whether the destination is internal before submitting the request.
After I followed the step of excluding the domain I added the host's IP addresses to the "Directly Access.." as well.  The problem went away after adding the IPs. Apparently this problem only occurs if there IP addresses in the "Directly Access" list.

Scott

(in reply to sbaldridge)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Web Proxy] >> General >> "Directly Access" question Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts