
Welcome to ISAserver.org


Some ISPs can't see my sites

Some ISPs can't see my sites - 10.Mar.2009 1:39:40 PM   
jpark

 

Posts: 8
Joined: 20.Sep.2006
Status: offline
Hi, I have several sites on a few Windows 2003 servers.  The main server runs ISA Server 2004, SP3, and everything is up-to-date with Microsoft Update and Genuine Advantage (or whatever it's called lol).

I had no trouble setting up anything, and all of my clients can easily access any of the sites running on the various servers for the past two years...at least until now.

Over the past few months, several users are complaining that they can't see the sites from their home ISPs, mainly via Comcast cable internet...but that isn't the problem, as it turns out.

I've worked with one user, and after opening the logs and looking at the connections, ISA does see their IP on my end as an initiated connection (first log event), then it simply times out and "gracefully" closes the connection 120 seconds later (as specified in the default listener) with another event.

The ISA event log shows that the headers didn't match.  Um, what?  Why would this work for literally thousands of users who hit my sites, but not for one or two users who DO connect to the site?  Their DNS is obviously working if they can hit my sites, and the proper header names even show up in the event logs---and they match the header names in ISA.  I've even connected via Remote Desktop and typed the domain name myself.  Other sites work fine.

I'm getting really annoyed at this problem.  I'm sorry if I don't have all of the details, since I'm really busy at the moment, but I'd appreciate any help or ideas.  Thanks!

< Message edited by jpark -- 10.Mar.2009 1:41:19 PM >
Post #: 1
RE: Some ISPs can't see my sites - 10.Mar.2009 1:53:35 PM   
ezpcc

 

Posts: 52
Joined: 26.Jul.2005
From: New Jersey
Status: offline
I am wondering, are these sites using SSL certificates? Are these certificates self-generated or did you purchase them from a registrar? I had a similar problem when my self-generated SSL certificates expired. ... just a thought.

(in reply to jpark)
Post #: 2
RE: Some ISPs can't see my sites - 10.Mar.2009 3:51:34 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Something to consider is that the ISA firewall, by default, allows only valid RFC compliant HTTP communication.  If at some point during the communication some device alters the HTTP request and it is not valid, the ISA firewall will reject the request.

If you have confirmed that everything looks good in the communication stream, then another thought might be that it is a routing issue.  The requests are making it to your ISA firewall, but the return traffic isn't making it back to the requester.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to jpark)
Post #: 3
RE: Some ISPs can't see my sites - 10.Mar.2009 4:30:44 PM   
jpark

 

Posts: 8
Joined: 20.Sep.2006
Status: offline
Thanks for the quick replies---much appreciated.

SSL isn't a problem, but I do appreciate the suggestion.  While I do have SSL pages, these users can't get to any pages.

As it turns out now, this is also happening with a user who was able to access my sites until they changed their ISP last month.  They didn't change their firewall, other than new IP addresses, but I can't even PING my base IP from their office, and they can get to any other site.  I can't PING to them from my ISA server command line, either.

(in reply to richardhicks)
Post #: 4
RE: Some ISPs can't see my sites - 10.Mar.2009 4:32:26 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Interesting.  So either it is a routing issue (not necessarily on your side, could be and probably is on the ISP side) or your traffic is being blocked by the ISP for some reason.  Those are about the only explanations I can think of.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to jpark)
Post #: 5
RE: Some ISPs can't see my sites - 10.Mar.2009 4:38:05 PM   
jpark

 

Posts: 8
Joined: 20.Sep.2006
Status: offline
Event #30058 is fired:
Date and time: 03/10/2009-16:34:01.863
Packet context: 00000005 137b25ca 137b25cb
Log source: Firewall service

The destination in the request does not match the public names specified in the Web publishing rule.

(in reply to jpark)
Post #: 6
RE: Some ISPs can't see my sites - 10.Mar.2009 4:40:02 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Alright then...it's definitely something to do with the HTTP request headers!  I'd take a look at the communication with a protocol analyzer and watch for myself to see what the HOST header value is.  Perhaps something along the way is altering it? 

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to jpark)
Post #: 7
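
The Host header check suggested above can be run over request heads copied out of a packet capture. The Python sketch below is an added example, not part of the original thread and not ISA's own logic: it only approximates the publishing-rule name comparison, and `PUBLIC_NAMES`, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed public names of a hypothetical Web publishing rule.
PUBLIC_NAMES = {"www.example.com", "example.com"}

def request_destination(raw):
    """Return (host, problem) for one raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None, "malformed request line"
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    if len(hosts) > 1:
        return None, "multiple Host headers"
    target = parts[1]
    # In HTTP/1.1 an absolute-form target (http://name/path, as sent
    # to or by a proxy) takes precedence over the Host header.
    if target.lower().startswith(("http://", "https://")):
        dest = urlsplit(target).hostname
    elif hosts:
        dest = urlsplit("//" + hosts[0]).hostname
    else:
        return None, "no Host header"
    if not dest:
        return None, "empty destination"
    return dest.rstrip(".").lower(), None

def classify(raw, public_names=PUBLIC_NAMES):
    """Approximate the publishing-rule name check: 'allow' or a reject reason."""
    dest, problem = request_destination(raw)
    if problem:
        return "reject: " + problem
    if dest not in public_names:
        return "reject: destination %s not in public names" % dest
    return "allow"

# Constructed sample request heads (not taken from the thread).
SAMPLES = {
    "direct": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "port_and_case": b"GET / HTTP/1.1\r\nHost: WWW.Example.COM:80\r\n\r\n",
    "host_rewritten_to_ip": b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    "absolute_form": b"GET http://cache.isp.invalid/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-22s %s" % (name, classify(raw)))
```

Comparing the verdict for a request captured from an affected client against one from a working client shows whether an intermediate device changed the destination name before it reached the firewall.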
RE: Some ISPs can't see my sites - 10.Mar.2009 4:51:28 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
They may be getting routed through a proxy that's corrupting the data.

Came across this issue a few years ago.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to richardhicks)
Post #: 8
RE: Some ISPs can't see my sites - 10.Mar.2009 4:53:44 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Hi Steve,

I think you may be right.  If an ISP is using a proxy server, it is entirely possible that the request headers are being mangled on the way out.  The ISA firewall, with its advanced security capabilities, blocks this traffic as it should.  A standard web server, or another less secure reverse proxy, would simply let this traffic pass. 

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to SteveMoffat)
Post #: 9
RE: Some ISPs can't see my sites - 10.Mar.2009 4:56:20 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
quote:


I can't PING to them from my ISA server command line, either.


Hate to interject but I think you have something going on with routing. Check with your ISP and make sure everything is pointing back where it should be.

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to jpark)
Post #: 10
RE: Some ISPs can't see my sites - 10.Mar.2009 4:56:43 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
I'm always right...except when I'm wrong!!!



_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to richardhicks)
Post #: 11
RE: Some ISPs can't see my sites - 10.Mar.2009 4:57:10 PM   
jpark

 

Posts: 8
Joined: 20.Sep.2006
Status: offline
I don't have a protocol analyzer.

Also, on that same remote computer, I get nothing on that end when I ping my IP.

The ISA log shows five denied ping requests.

Would this mean that it's something even simpler?

(in reply to richardhicks)
Post #: 12
RE: Some ISPs can't see my sites - 10.Mar.2009 4:58:13 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Seeing as it's mainly Comcast, if it is a routing issue, it's likely in their routing.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to SteveMoffat)
Post #: 13
RE: Some ISPs can't see my sites - 10.Mar.2009 4:58:58 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Have you done a trace from an affected machine?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to jpark)
Post #: 14
RE: Some ISPs can't see my sites - 10.Mar.2009 4:59:45 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
Would it also be possible that your clients are using a DNS filtering service like OpenDNS?

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to Rotorblade)
Post #: 15
RE: Some ISPs can't see my sites - 10.Mar.2009 5:00:20 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Ping tests can be inconclusive because you don't know for a fact that ICMP is being allowed end-to-end.  The ISA firewall certainly rejects incoming ICMP requests from hosts that are not in the Remote Management computer set.  It is, however, configured to allow outbound ICMP when you are on the ISA firewall itself.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to jpark)
Post #: 16
RE: Some ISPs can't see my sites - 10.Mar.2009 5:00:33 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
David, he also said that the traffic was being denied by ISA

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to Rotorblade)
Post #: 17
RE: Some ISPs can't see my sites - 10.Mar.2009 5:06:58 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
quote:


David, he also said that the traffic was being denied by ISA


Thanks Steve, then probably as mentioned, something wacky going on with the headers from that ISP. Would disabling the HTTP security filter in the publishing rule aid in troubleshooting?


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to SteveMoffat)
Post #: 18
RE: Some ISPs can't see my sites - 10.Mar.2009 5:07:30 PM   
jpark

 

Posts: 8
Joined: 20.Sep.2006
Status: offline
Yes, the pings do reach ISA; they're just denied.  The ping denials are exactly the same as those from a machine that *can* connect to my sites.

(in reply to SteveMoffat)
Post #: 19
RE: Some ISPs can't see my sites - 10.Mar.2009 5:08:45 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
If you're sure it's strictly a Comcast issue, then you or your customer will have to get Comcast support to help with the troubleshooting.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to jpark)
Post #: 20
