Direct Access only working for some sites - why?

Direct Access only working for some sites - why? - 3.Apr.2009 6:41:45 AM   
dgunner

 

Hi,

I'm running ISA 2006 and have the following configuration:

Internal network: 192.168.100.0
Subnet mask: 255.255.254.0

ISA - 192.168.101.254
Router - 192.168.101.253 routes to 192.168.210.0 and 192.168.110.0
Client default gateway - 192.168.101.253

ISA static routes:

192.168.210.0 255.255.255.0 192.168.101.253
192.168.110.0 255.255.255.0 192.168.101.253


Internal sites:

http://Intranet.companydomain.com - 192.168.100.19
https://epolicy.companydomain.com:8443 - 192.168.100.15
http://OpenNMS.companydomain.com:8980 - 192.168.110.220

ISA has the following configuration on the internal network:

Addresses:
(Add adapter)
192.168.100.0 - 192.168.101.200
192.168.101.231 - 192.168.101.255
192.168.110.0 - 192.168.110.255
192.168.210.0 - 192.168.210.255


Domains:
*.companydomain.com


Web browser:

Bypass proxy for web servers in this network: Yes
Directly access computers specified in the domains tab: yes
Directly access computers specified in the addresses tab: no

Directly access these servers or domains:
*.companydomain.com/*
http://intranet.companydomain.com/*
http://opennms.companydomain.com/*
https://epolicy.companydomain.com/*

Firewall client:

Enable Firewall client for this network: Yes
Automatically detect settings: Yes
Use configuration script: No
Use a web proxy server: No

Autodiscovery:

Publish automatic discovery information: Yes (port 80)



The problem I am having is that I cannot access directly some internal webservers.

The one that works fine and I never see any log entries for is:

http://intranet.companydomain.com

The ones that don't work are:

http://opennms.companydomain.com:8980
https://epolicy.companydomain.com:8530

For some reason ISA shows an http proxy connection on port 8080 followed by an access denied entry for the web site requests.

Why are the entries for these two sites going via ISA when the other one (Intranet.companyname.com) never shows up?


The opennms server is on a remote subnet accessed via the router - again why are requests going via ISA for this server?

Any help greatly appreciated!

< Message edited by dgunner -- 3.Apr.2009 6:46:24 AM >
Post #: 1
RE: Direct Access only working for some sites - why? - 27.Apr.2009 9:42:27 AM   
inderjeet

 

I couldn't understand the below entries

Directly access these servers or domains:
*.companydomain.com/*
http://intranet.companydomain.com/*
http://opennms.companydomain.com/*
https://epolicy.companydomain.com/*

There is no way you can give the URLs here, how did you give it? You can only define domains or the IP address range. Either you mention the IP range or you just mention your domain, i.e. *.companydomain.com

Hope that works

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dgunner)
Post #: 2
RE: Direct Access only working for some sites - why? - 2.Jun.2009 3:29:02 PM   
robocp01

 

I ran into exactly the same issue.  You have to explicitly define exceptions if the application uses a non-standard port.

Have a look at the following for some details on this behavior and syntax - http://support.microsoft.com/kb/920715/ and http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-access-these-servers-or-domains-issue-in-isa-server-2004-sp2/ .

Basically you'll need to add exceptions in this format...*host.domain.com:port/*

HTTPS traffic I believe will be handled differently.  You'll have to allow a non-standard HTTPS port to be handled.  There is a port tool available for that.


(in reply to dgunner)
Post #: 3
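
An added example, not part of the original posts and not ISA Server's own code: a small model of why the port matters, assuming the "Directly access these servers or domains" entries are compared as wildcard patterns against the full request URL, port included, which is what the *host.domain.com:port/* format in post #3 implies. The function names and the case-insensitive comparison are assumptions of this sketch.

```javascript
// Model of direct-access matching (assumption: each entry is a wildcard
// pattern, "*" = any run of characters, tested against the whole URL).

function globToRegExp(pattern) {
  // Escape regex metacharacters, then map "*" -> ".*" and "?" -> "."
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$", "i"); // case-insensitive: assumption
}

// Returns the entries that match, so a mismatch can be explained
function matchingEntries(url, entries) {
  return entries.filter((entry) => globToRegExp(entry).test(url));
}

// "DIRECT" = client bypasses the proxy, "PROXY" = request is sent to ISA
function decide(url, entries) {
  return matchingEntries(url, entries).length > 0 ? "DIRECT" : "PROXY";
}

// Entries exactly as listed in the first post
const original = [
  "*.companydomain.com/*",
  "http://intranet.companydomain.com/*",
  "http://opennms.companydomain.com/*",
  "https://epolicy.companydomain.com/*",
];

// Same list plus one entry in the host:port format from post #3
// (port 8980 is the OpenNMS port given in the first post)
const withPort = original.concat(["*opennms.companydomain.com:8980/*"]);

const intranetUrl = "http://intranet.companydomain.com/";
const opennmsUrl = "http://opennms.companydomain.com:8980/";

console.log(intranetUrl, "->", decide(intranetUrl, original));
// No original entry contains ":8980", so none matches the URL literally
console.log(opennmsUrl, "->", decide(opennmsUrl, original));
console.log(opennmsUrl, "->", decide(opennmsUrl, withPort));
```

Under this model ".companydomain.com/" never appears in a URL that carries ":8980" before the slash, so the request falls through to the proxy, which is consistent with the port 8080 proxy connection and access-denied entries described in the first post.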
