• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

What would cause websites that I have set as direct access to still be proxied?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> General >> What would cause websites that I have set as direct access to still be proxied? Page: [1]
Login
Message << Older Topic   Newer Topic >>
What would cause websites that I have set as direct acc... - 11.Apr.2008 9:04:04 AM   
persiannight

 

Posts: 41
Joined: 5.Mar.2007
Status: offline
I've set 2 website's up for direct access within the internal network configuration and they appear to still be being proxied?  If I have them set for direct access shouldn't they not be appearing in my GFI monitor or my ISA logs??

I'm assuming I put these particular websites under the web browser tab under "directly access these servers or domains" and not under the domains tab...

< Message edited by persiannight -- 11.Apr.2008 9:11:29 AM >
Post #: 1
RE: What would cause websites that I have set as direct... - 11.Apr.2008 9:21:18 AM   
persiannight

 

Posts: 41
Joined: 5.Mar.2007
Status: offline
Hmm... do I have to have to have "use automatic configuration script" checked too??  The only thing I have checked is "use automatic settings"

I'm going to try this and see what happens??   How long will it take for my client's to update their browser with this setting?

(in reply to persiannight)
Post #: 2
RE: What would cause websites that I have set as direct... - 11.Apr.2008 3:50:44 PM   
persiannight

 

Posts: 41
Joined: 5.Mar.2007
Status: offline
I've tried everything I can think of to make this work and it doesn't.

I know it's not working because on machine I go to that is setup as secureNat client has no problems accessing a OWA 2000 site, yet when I go to a firewall client PC I'm continually prompted for username and password...

I had this issue at another client and when I put the web address in for OWA 2000 site into direct access under web browser tab it worked perfectly.  However at this particular site it does not.  Any suggestions.

What would I see in the log to know if this was working??  Would I still have web proxy entries for this particular site?

< Message edited by persiannight -- 11.Apr.2008 3:54:15 PM >

(in reply to persiannight)
Post #: 3
RE: What would cause websites that I have set as direct... - 22.Apr.2008 12:26:42 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Are the machines using the autoconfiguration script?

Also, you might need to reset the Web Proxy list.

Check my blog for proxycfg.exe and how you can use that to help fix this problem.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to persiannight)
Post #: 4
RE: What would cause websites that I have set as direct... - 22.Apr.2008 7:15:11 PM   
persiannight

 

Posts: 41
Joined: 5.Mar.2007
Status: offline
I was able to get it working by adding "/*" after the domain name

for example "*.yahoo.com/*"


(in reply to tshinder)
Post #: 5
RE: What would cause websites that I have set as direct... - 23.Apr.2008 8:13:46 AM   
gbarnas

 

Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Strange - I had been working with this last week - even opened a case with MS.

I took the WPAD.DAT file to our senior Java coder with some questions, and he confirmed my suspicions of the process logic for exclusions. Consider the following part of my wpad file: (my comments marked by ";" in italics)



; per the WPAD specification:
; URL  variable format =
http://host.domain.ext:port/path
; HOST variable format = host.domain.ext -
;                        everything between :// and the first : or /

; assume URL =
http://www.xyzzy.com, Host = www.xyzzy.com
 

function FindProxyForURL(url, host){
var hash=0, urllower, i, fIp=false, ip, nocarp=false, skiphost=false;
var list="", pl, j, score, ibest, bestscore;
urllower = url.toLowerCase();         ; forces "url" to all lower-case
 
; these all evaluate FALSE, as this is "http:"
if((urllower.substring(0,5)=="rtsp:") ||
  (urllower.substring(0,6)=="rtspt:") ||
  (urllower.substring(0,6)=="rtspu:") ||
  (urllower.substring(0,4)=="mms:") ||
  (urllower.substring(0,5)=="mmst:") ||
  (urllower.substring(0,5)=="mmsu:"))
return "DIRECT"; 


; This does not succeed, as HOST =
www.xyzzy.com
 if(UseDirectForLocal){          ; is TRUE!
  if(isPlainHostName(host))   ; true only if hostname w/o domain.
  fIp = true;}                            ; set IP flag.


; enumerate the list of DirectNames - cDirectNames = 6 in our situation
; I think the logic here is a bit backward if we have a partial match
; (just hostname), we set a flag and break out of the loop, but THEN we
; check for an exact match of the ENTIRE URL and exit direct. If we have a
; partial match, there's no way to test for an exact match. I would
; have expected the exact match test to be performed first.

for(i=0; i<cDirectNames; i++){
if(shExpMatch(host, DirectNames)){               
  ; Checks DirectName value to Host (matches when i=1)
   fIp = true;      ; Is TRUE!
  break;}                                            
; breaks  the for-loop -
; I would expect a < return "DIRECT" > here instead..
  if(shExpMatch(url, DirectNames)) 
  ; checks for exact URL to DirectName match
  return "DIRECT";
}
 
; continue processing - fIp is true - the above code processed the BREAK statement
 
 if(cDirectIPs == 0){ ; cDirectIPs is 28 - next 2 lines are skipped
if(fIp)
  return "DIRECT";}

else{
ip = host;                              ; assume name is IP?
  if(fIp)                                     ; if IP flag is true, do DNS lookup
   ip = dnsResolve(host);     ; get IP from Host
  var isIpAddr = /^(\d+.){3}\d+$/;  
  ; RegEx to evaluate x.x.x.x format  
 
; This returns here if the
www.xyzzy.com IP (22.11.33.77) is in the DirectIP list -
if(isIpAddr.test(ip)){            ; if IP format is valid
   for(i=0; i<cDirectIPs; i += 2){  ; enumerate net/mask pairs
    if(isInNet(ip, DirectIPs, DirectIPs[i+1]))     
   ; If IP is in the DirectIP network
     return "DIRECT";}}

else if(isPlainHostName(host))  ; host is NOT a plain host name!
   return "DIRECT";
} ; end of else
 
; processing continues - fIp is still true... 
; at this point DIRECT is not an option - the proxy will be used!!!


As you can see, the process of testing for partial matches before exact matchs seems flawed, since a partial match would superscede an exact match, preventing the exact-match logic from ever triggering.

I'm not a Java coder, so I could be wrong in my interpretations. However - our resident Java programmer did run this through his development environment and got the results I posted above. I'm not sure how to fix this, and have not had a fix from MS since opening the ticket last week.

Glenn

< Message edited by gbarnas -- 23.Apr.2008 8:21:46 AM >

(in reply to persiannight)
Post #: 6
RE: What would cause websites that I have set as direct... - 23.Apr.2008 8:18:25 AM   
persiannight

 

Posts: 41
Joined: 5.Mar.2007
Status: offline
You'll know it's working by monitoring the log.   Instead of having the domain name, the IP address for the site will be logged.   I also knew it was working because when I was trying to access an Outlook Web Access 2000 site I would continually be prompted for username and password.  Once I entered it into direct access using the /* it worked fine.   So, all in all,  it appears that in my case, I have to use /* after each internet domain I want to use for direct access.

(in reply to gbarnas)
Post #: 7
RE: What would cause websites that I have set as direct... - 23.Apr.2008 8:21:46 AM   
persiannight

 

Posts: 41
Joined: 5.Mar.2007
Status: offline
quote:

ORIGINAL: tshinder

Are the machines using the autoconfiguration script?

Also, you might need to reset the Web Proxy list.

Check my blog for proxycfg.exe and how you can use that to help fix this problem.

HTH,
Tom


I ran the proxycfg on a workstation and it the results came back as none.  I know you can refresh that based on your blog but do I have to??  Everything is working a okay now and the windows update site works fine.

(in reply to tshinder)
Post #: 8
RE: What would cause websites that I have set as direct... - 23.Apr.2008 4:47:04 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: persiannight

I was able to get it working by adding "/*" after the domain name

for example "*.yahoo.com/*"




This is mentioned here : http://support.microsoft.com/kb/920715

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to persiannight)
Post #: 9
RE: What would cause websites that I have set as direct... - 24.Apr.2008 10:01:15 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tarek,

Good one!
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 10

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> General >> What would cause websites that I have set as direct access to still be proxied? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts