Welcome to ISAserver.org

Failed to detect ISA Server in FWC
Failed to detect ISA Server in FWC - 2.Apr.2008 1:01:31 PM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline

This is a real stumper!

I have two ISA servers, OLD is ISA 2004, NEW is ISA 2006.  NEW will replace OLD.  NEW is pretty much ready to go live, I am doing some final testing, and have run into a problem with Firewall Client configuration.

There are three subnets.  Subnet A & B are both in DOMAIN1, same domain as both ISA servers.  Subnet C is in DOMAIN2.  All subnets use the same ISA server to get to the internet.

Subnets A & B in DOMAIN1 automatically detect the new ISA server.  I am using a WPAD entry in DNS (not in DHCP) to point to NEW.  In Subnet C, however, when I click Detect Now in the Firewall Client, it still points to OLD.

Now, if I go to Configuration, Networks, Internal, Auto Discovery tab, and I uncheck the box "Publish automatic discovery information for this network" on OLD, and then I retry the Detect Now, I get "Failed to detect ISA Server."

To summarize so far - Subnets A & B in DOMAIN1 are finding NEW, but Subnet C in DOMAIN2 won't find NEW.

In Subnet C, I can "ping wpad", and it gets replies from NEW, so I know the WPAD is set up.  Also, in the Firewall Client, I can enter NEW in the "Manually specified ISA Server", and click Test, and it finds it.

So my issue is, why can't clients on Subnet C automatically find NEW?

I've gone through the config on OLD and NEW, compared them to each other, and I can't find anything to explain this behavior.

Here's the FWC config on NEW.

Guys, this is driving me insane!  I removed the wpad at SubnetC from both DHCP and DNS on the local server down there, which means FWC autodiscovery should fail, right?  But it still keeps detecting OLD !!  How can this be if there are no wpad entries??


< Message edited by dfosbenner -- 2.Apr.2008 3:23:55 PM >
Post #: 1
RE: Failed to detect ISA Server in FWC - 2.Apr.2008 4:58:35 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
1. In the screen-shot, clear the last textbox,...uncheck the last checkbox

2. You have multiple Domains,...you're probably not getting the DNS Suffix that you think you are,...especially considering that the subnet having the trouble is the only one that is a different Domain.  ISA is probably resolving to wpad.domain2.com instead of wpad.domain1.com and then obviously failing.  

It is #5  in the following article.
http://www.isaserver.org/tutorials/ISA-Firewall-Dirty-Dozen-FAQ.html

Beyond that,...I don't know.

_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 2
RE: Failed to detect ISA Server in FWC - 2.Apr.2008 8:24:17 PM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
Phil,

Thanks for the reply.  I read your response and Tom's article.  On Subnet C, I can ping NEW by name, or I can ping "wpad" by itself, I still get responses from NEW.  All indications are that wpad is resolving correctly.  If it weren't I should get a FAIL message.  But instead, Detect Now keeps sending me back to OLD.  (OLD is still running, because I haven't cutover yet).

On paper it seems simple.  You need a wpad entry in either DHCP or DNS (or both), and you need the ISA server to publish auto discovery.  I have all this pointing to NEW, but just this one subnet is still going to OLD.  I can't make heads or tails of it.  So much for a quick cutover.  I spent all day on this, with nothing to show for it!

If you have anymore ideas, I'm willing to try.

-Dave

(in reply to pwindell)
Post #: 3
RE: Failed to detect ISA Server in FWC - 3.Apr.2008 9:21:04 AM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
Subnet C - I removed all wpad entries from DNS/DHCP.  Detect Now still finds OLD.  No explanation for this.  There's no apparent explanation of how automatic discovery is working.  In other words, I'm trying to break it, and I can't even do that!

(in reply to dfosbenner)
Post #: 4
RE: Failed to detect ISA Server in FWC - 3.Apr.2008 9:55:10 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I am at the point of "wild guesses" here.....so if anyone knows what is going on with this,...jump in,...the water's warm.

Put it all back correctly in the DNS and DHCP for Domain-1/Subnet-A&B.  We cannot test with it if it doesn't work and isn't there.  Make sure that at least Domain-1/Subnet-A&B and the respective Clients work correctly.  I don't want to troubleshoot the whole entire LAN,...troubleshooting the third subnet is enough to worry about.  Make sure that the DNS Server in Domain-2 does not have a WPAD entry in Domain-2's Zone and that the DHCP in Domain-2/Subnet-C (if there is one) points to the wpad entry in Domain-1,...not Domain-2.

Add WINS to the LAN.  Make sure everything is using the same WINS. WINS has nothing to do with Domains,...Domains are irrelevant,...make sure everything is using the same WINS.  If you add a second backup WINS then make sure the two are push/pull partners and that both are listed in the TCP/IP config of all the machines no matter if static or by DHCP.  Machines will enter themselves automatically into WINS when they are rebooted or you do a "repair" on the LAN connection.  They may also do it if you disable/re-enable the connection or unplug and plug back in the cable,... but I am not sure.

If it were me I would never have had a second Domain and if I took over a system like that I would eliminate the second Domain.  Then the problem would never have happened.  But anyway...

Do the Clients of each respective Domain use only their own DNS servers and none other,...with their own DNS servers having their own list of Forwarders independently of whatever is being done on Domain-1?  The answer needs to be "yes".

Are both of these Domains in the same Forest?  Does the DNS of each one possess a Zone for the other Domain?  I am assuming the answer is no in both cases and that this is two different Domains within their own separate Forest.  If this is not the case then ignore everything after this point,...and I have no idea what to tell you.

Domains in different Forests will not be aware of each other's Zone Contents.  Do Zone Transfers (both ways) so that both Domains are fully aware of each other's contents.

_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 5
RE: Failed to detect ISA Server in FWC - 3.Apr.2008 10:13:29 AM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
Put it all back correctly in the DNS and DHCP for Domain-1/Subnet-A&B.  Make sure that at least Domain-1/Subnet-A&B and the respective Clients work correctly.
Domain1/Subnet A&B - I left these untouched.  These are both working.  They are using DNS & DHCP WPAD entries, and the FWC correctly resolves to NEW.
 
Make sure that the DNS Server in Domain-2 does not have a WPAD entry in Domain-2's Zone and that the DHCP in Domain-2/Subnet-C (if there is one) points to the wpad entry in Domain-1,...not Domain-2.
Done.



Add WINS to the LAN.  Make sure everything is using the same WINS.
Each site has a single WINS server.  No push/pull between Subnets A&B and C.

If it were me I would never have had a second Domain and if I took over a system like that I would eliminate the second Domain.  Then the problem would never have happened.  But anyway...
Domain1, Subnets A&B is one company.  Domain2, SubnetC is a second company.  These are two different forests, and they are joined with a trust.

Do the Clients of each respective Domain use only their own DNS servers and none other,...with their own DNS servers having their own list of Forwarders independently of whatever is being done on Domain-1?  The answer needs to be "yes".
Yes.  Clients use their own local DNS.  If that DNS can't resolve, it forwards to the ISP's DNS.  Recursion is disabled.

Are both of these Domains in the same Forest?
No.

Does the DNS of each one possess a Zone for the other Domain?
Yes.  Each DNS has the other's DNS as a Secondary zone.

Domains in different Forests will not be aware of each others Zone Contents.  Do Zone Transfers (both ways) so that both Domains are fully aware of each others contents.
Already in place.
 
To kind of sum up...everything in place described herein has always worked fine with ISA2004.  Now that I've added an ISA2006 box to the mix, SubnetC continues to only Auto Discover the old ISA2004 box.  If I turn Discovery off on OLD, then Discovery simply fails.
 
I do apprec. the help.  At least I'm not the only one out of ideas on this one. 


_____________________________

David Fosbenner, MCITP EA/SA, MCSE NT/2000/2003, MCSA 2000/2003

(in reply to pwindell)
Post #: 6
RE: Failed to detect ISA Server in FWC - 3.Apr.2008 10:32:00 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Add WINS to the LAN.  Make sure everything is using the same WINS. 
   Each site has a single WINS server.  No push/pull between Subnets A&B and C.
 
Then WINS is being worthless.  The WINS Database on every WINS Server, no matter where it is located, needs to be identical.
Proxy autodetection does involve Netbios,...just don't ask me to explain how and why.

Keep in mind that you cannot have duplicate machine names across the entire system.  FQDNs are irrelevant to WINS,...mach1.domain1.com and mach1.domain2.org are duplicate names as far as WINS is concerned.
Of course in some Corporations this is impossible to establish because there are too many machines to deal with and too many IT people to organize and regulate,...which means that such a Corporation cannot use Proxy Autodetection with a centralized proxy and therefore each site needs to stop using auto-detection and go static,...or have its own local independent proxy with auto-detection and its own independent internet connection.

Does the DNS of each one possess a Zone for the other Domain? 
   Yes.  Each DNS has the other's DNS as a Secondary zone.

Domains in different Forests will not be aware of each others Zone Contents.  Do Zone Transfers (both ways) so that both Domains are fully aware of each others contents. 
   Already in place.

And these zones were created by virtue of the Zone Transfers and not something you created separately yourself?



_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 7
RE: Failed to detect ISA Server in FWC - 3.Apr.2008 10:38:35 AM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
Then WINS is being worthless.  The WINS Database on every WINS Server, no matter where it is located, needs to be identical.
Proxy autodetection does involve Netbios,...just don't ask me to explain how and why.
We haven't had much use for WINS, DNS takes care of most things.  There are 1 or 2 static mappings in WINS on SubnetC, which allow it to resolve to a server on SubnetA/B.  I added the ISA2006 server NEW as a static mapping in WINS on SubnetC yesterday, but it didn't help.

Keep in mind that you cannot have duplicate machine names across the entire system.
Noted.

Does the DNS of each one possess a Zone for the other Domain? 
   Yes.  Each DNS has the other's DNS as a Secondary zone.

Domains in different Forests will not be aware of each others Zone Contents.  Do Zone Transfers (both ways) so that both Domains are fully aware of each others contents. 
   Already in place.

And these zones were created by virtue of the Zone Transfers and not something you created separately yourself?
Correct.

(in reply to pwindell)
Post #: 8
RE: Failed to detect ISA Server in FWC - 3.Apr.2008 11:09:20 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Ok, Well I am out of ideas.
Maybe one of the other guys here will think of something.


_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 9
RE: Failed to detect ISA Server in FWC - 4.Apr.2008 1:57:17 PM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
FIXED.  I got it to work. 

First, I removed DHCP wpad entries from the picture.  I saw no reason not to continue using DNS which is all we ever used.  Next, I noticed when I would ping NEW, it would reply as NEW.Domain2.com, when in fact this host was in Domain1.  This was happening because of a static mapping in WINS in Domain2.  I removed that, cleared everything out, and now was getting a correct name resolution response of NEW.Domain1.com.

This wasn't the issue though, the FWC was still resolving incorrectly.  Why?

OLD was still up and running, its IP address was .2 on the subnet.  The router joining Subnet A & C was pointing to the .2 address as the default gateway, which it was, as this is the internet NIC in ISA.  Even though NEW was online, traffic from Subnet C was still being routed to OLD.

I took OLD off the network today, changed the internal IP address of NEW to .2, and now the router was pointing to NEW as the default gateway.

I am unclear why SubnetC did this, and not SubnetB.  But I have been running NEW with ISA 2006 live for about an hour and a half now!

YEAH !!!!!!!!

_____________________________

David Fosbenner, MCITP EA/SA, MCSE NT/2000/2003, MCSA 2000/2003

(in reply to pwindell)
Post #: 10
RE: Failed to detect ISA Server in FWC - 4.Apr.2008 2:09:34 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
The LAN Router Default Gateway was irrelevant to everything except SecureNAT Clients if you had any,...and SecureNAT Clients do not involve themselves with the proxy auto-detection.

Only Firewall Client and Web Proxy Clients make use of auto-detection.  Default Gateways and Routing paths with respect to internet access are irrelevant to them as long as they know how to reach the ISA.

What probably "fixed" it was when you gave the new ISA the IP# that the previous one used.  Although you shouldn't have had to do that.


_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 11
RE: Failed to detect ISA Server in FWC - 4.Apr.2008 2:11:52 PM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
Yeah, and if things always worked like they shoulda.... 
Thanks for your help on this one!  I was going crazy with it.

(in reply to pwindell)
Post #: 12
RE: Failed to detect ISA Server in FWC - 4.Apr.2008 2:15:23 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You're welcome, sir!

Oh,..and fixing the LAN Router's default gateway was the correct thing to do,..I just don't think it was the root of the problem  :-)


_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 13
RE: Failed to detect ISA Server in FWC - 7.Apr.2008 1:08:43 PM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
Phil, check this nifty little find:

Go to an ISA FWC PC, go to Program Files\Microsoft Firewall Client 2004 folder (or wherever you have it installed).  There's a command line tool called FWCTOOL.EXE

Type "fwctool testautodetect" - it produces a wealth of information.  This would've been a great help last week.

FWIW - I have a client on that SubnetC that is unable to find the ISA server even though I've been running it for 3 days now.  Wow.

(in reply to pwindell)
Post #: 14
RE: Failed to detect ISA Server in FWC - 7.Apr.2008 2:36:21 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Cool!  I hadn't used that before. It does return a lot of good details.

_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 15
RE: Failed to detect ISA Server in FWC - 7.Apr.2008 2:58:48 PM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
I'm posting this message here for posterity...

After changing the WPAD entry in DHCP for SubnetC, the FWCTOOL shows the clients still picking up the old WPAD entry, even days later.  The only solution I could find to get the client to refresh was to change the TCP/IP config from "Obtain an IP Address Automatically", to a manual IP address.

Specify an address, mask & gateway, click OK to connect manually.  THEN reset the IP Config back to automatic.  This forces a fresh read of all the DHCP options.  Now when running FWCTOOL, the new WPAD entry is found.

This is INSANE to have to do this.  I'm quickly finding that ISA Auto Discovery is more trouble than it's worth!!

(in reply to pwindell)
Post #: 16
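The two failure modes the thread circles around, pwindell's DNS-suffix point in post #2 and the stale DHCP WPAD option in post #16, can be walked through with a small model of the WPAD lookup order. This is an added illustration, not code from the thread or from the ISA Firewall Client; it assumes the standard WPAD client order (a DHCP option 252 URL wins outright, DNS "wpad.<suffix>" is tried only without one) and every domain, host and address in it is constructed.

```python
"""Model of WPAD proxy discovery order (added illustration, constructed data).

Assumed client order, as in the standard WPAD scheme: a DHCP option 252 URL
held by the client is used as-is; only without one does the client query DNS
for "wpad" under its DNS suffix search list, or under its primary suffix
devolved towards the second-level domain.
"""

# Constructed view of DNS from Subnet C: domain2's own zone carries no wpad
# record, while the secondary copy of domain1's zone maps wpad -> NEW.
DNS_A_RECORDS = {
    "wpad.domain1.com": "10.1.0.2",  # NEW (ISA 2006); address is made up
    "new.domain1.com": "10.1.0.2",
}

WPAD_PORT = 80  # assumed autodiscovery port for the example


def devolve(primary_suffix):
    """Windows-style suffix devolution, e.g.
    'site.domain2.com' -> ['site.domain2.com', 'domain2.com'].
    Stops at two labels, so the public TLD itself is never queried."""
    labels = primary_suffix.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def wpad_names(primary_suffix, search_list=()):
    """Candidate 'wpad.<suffix>' names in the order a client tries them;
    an explicit DNS suffix search list replaces devolution when present."""
    suffixes = list(search_list) if search_list else devolve(primary_suffix)
    return [f"wpad.{s}" for s in suffixes]


def discover(dhcp_option_252, primary_suffix, search_list=(), records=DNS_A_RECORDS):
    """Return (source, wpad_url_or_None, dns_names_tried).

    dhcp_option_252 is the URL the client last learned from its lease (None
    if none). A stale value here matches posts #16 and #20: until the lease
    is re-read the client never consults DNS at all."""
    if dhcp_option_252:
        return ("dhcp", dhcp_option_252, [])
    tried = []
    for name in wpad_names(primary_suffix, search_list):
        tried.append(name)
        if records.get(name.lower()):
            return ("dns", f"http://{name}:{WPAD_PORT}/wpad.dat", tried)
    return (None, None, tried)  # client reports "Failed to detect ISA Server"


if __name__ == "__main__":
    # 1. Stale DHCP option still naming OLD: DNS is never asked.
    print(discover("http://old.domain1.com:80/wpad.dat", "domain2.com"))
    # 2. No DHCP option; a domain2 client devolving only its own suffix fails.
    print(discover(None, "domain2.com"))
    # 3. The same client with domain1.com added to its DNS suffix search list.
    print(discover(None, "domain2.com", search_list=("domain2.com", "domain1.com")))
```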
RE: Failed to detect ISA Server in FWC - 7.Apr.2008 3:12:51 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
After a domain migration here I had to do a manual Release/Renew from the commandline on all FW Clients even though the DHCP Scopes were changed and were correct.  But I never had to go Static then back to DHCP.


_____________________________

Phillip Windell

(in reply to dfosbenner)
Post #: 17
RE: Failed to detect ISA Server in FWC - 7.Apr.2008 3:40:05 PM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
I just tried release/renew - it worked.  Because the clients are remote it's a little tricky, but it works.  Thanks.

(in reply to pwindell)
Post #: 18
RE: Failed to detect ISA Server in FWC - 11.Apr.2008 9:53:22 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi David,

Very interesting thread!

It would have been interesting to have NetMON packet captures to see what was going on over the wire.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to dfosbenner)
Post #: 19
RE: Failed to detect ISA Server in FWC - 11.Apr.2008 9:56:01 AM   
dfosbenner

 

Posts: 129
Joined: 14.Nov.2001
From: Maybrook, NY USA
Status: offline
Tom, DHCP is MESSED UP!

Altering, even deleting the WPAD entry in DHCP didn't matter, XP SP2 still kept the original wpad entry.  Very frustrating! 

(in reply to tshinder)
Post #: 20