Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If it is a public IP# that is truly on the actual External side of the ISA then I think he has more than one problem.
The internal IP# are never supposed to hit the ISA (when handled properly) so the ISA is irrelevant. But the Public IP# have to go through the ISA and so if they fail it is for completely different reasons than the private IP#s.
Sorry, I don't really have any suggestions for that unless these are SSL sites,...in which case that just won't work with IP#s because the IP# does not match the "Common Name" in the Certificate assigned to the Site. Which further demonstrates my point that using IP#s horribly complicates things,...does not make things "simpler" as the common wisdom of the industry thinks.
I agree Phillip. I had him resolve the Internal IP issue through LAT in ISA but am just waiting for his logs to check. He is using the IP for Yahoo and that too on HTTP, so it makes me think twice on why that isn't working....
First, thanks to everyone with the help and suggestions so far so I'll try to go through them:
quote:
There are three official solutions. Number 3 is the best one and the most flexible, it just takes a little more work to setup initially, however it solves a lot of other issues that you do not even know that you have yet or will have later.
1. Add the IP# to the Intranet Zone on every single involved PC within every single user profile on that PC. Obviously that is not very "pretty". This is somewhat along the same lines as what interjeet said although his method is probably less work since it is done centrally at the ISA. But option #3 avoids ever having to do any of that because IE will not ever send it to the proxy to begin with.
2. Never ever ever ever ever use IP#s in a URL. It horribly complicates things,...it does not make things "simpler" as the common wisdom of the industry thinks.
3. Configure the LAN to use Proxy Autodetection via WPAD and have the firewall client installed on the workstation. The WPAD Script when received by IE will allow IE to make the proper decision and not send the request to the proxy.
1. Is not possible due to politics. 2. Is what I say as well, but being a little fish, I can't force the high ranking Government officials to use DNS names. 3. Will likely happen down the line when the old proxy is officially gone and ISA will be the default. Right now our users are load balanced between servers in an array and getting the array.dll file not the WPAD.dat, so I need to know if we can make it work in the meantime.
I cannot send the logs due to sensitivity, but I can tell you that ISA Server did not log ANYTHING from the client using the MS Network Monitor. The request is obviously never even getting to the ISA server.
Using it on the local pc trying to access the site, I only received 3 IE packets which I can send if you need to see them.
I am 1000% convinced the people that set ISA up to begin with did it completely wrong as I have spent the last 6 months cleaning up their mistakes.
Hmm, that focuses me on how your clients are configured. Can you let me know the client configuration? I mean how are they configured to get to ISA?
Only 3 packets from the client. Are they TCP packets? If yes, then are those the initial TCP handshake packets between client and ISA? Are there any HTTP packets? If yes, check the request made by the client. Check the following fields in the packet:
Source, Destination, Host
Do you see any response coming back from ISA? If there is then check if the FLAG is set for RESET.
End users get ISA through a user-applied group policy that changes the IE proxy to a general DNS name, which is the load balancer. That then reroutes the user to the array server closest to them.
It was 3 iexplore packets I saw on the client. TCP packets. 0 HTTP packets.
HMM. I just changed the proxy from the ISA address, to the manual ISA server IP address and port, and the IP resolution worked to the yahoo site and other sites I have trouble with.
< Message edited by dvizzle -- 6.May2009 10:08:34 AM >
Is it a hardware load balancer in front of the ISA Server array? If yes, then you need to check its configuration. As you tested, ISA is working fine.... It's not always ISA.
It is an ISA issue though because the config script that is being pushed down by ISA includes this:
    }
    if(cDirectIPs == 0){
        if(fIp) return "DIRECT";}
    else{
        ip = host;
        if(fIp) ip = dnsResolve(host);
        var isIpAddr = /^(\d+.){3}\d+$/;
        if(isIpAddr.test(ip)){
            // DirectIPs is a flat list of network/mask pairs: [net, mask, net, mask, ...]
            for(i=0; i<cDirectIPs; i += 2){
                if(isInNet(ip, DirectIPs[i], DirectIPs[i+1])) return "DIRECT";}}
        else if(isPlainHostName(host)) return "DIRECT";
Which looks like if the address is an ip range it is trying to go direct and not through ISA, so the direct connection is being blocked by a different firewall. I want my internal IP's to do direct, but public IP's to still go through ISA.
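The decision path quoted above can be reproduced offline to confirm the reading. The block below is an added example, not ISA's script: it re-implements the quoted branch in plain Node.js, with minimal stand-ins for the PAC helpers the browser normally supplies (dnsResolve, isInNet, isPlainHostName) and a constructed DNS table. The fragment on the page does not show how ISA sets fIp, so the example assumes it means "the URL was given as an IP literal"; the proxy name isa.example.test:8080, the sample addresses and the buildFindProxy wrapper are all invented for the demonstration.

```javascript
// Added example; not ISA's generated script. Reproduces the quoted
// DIRECT-vs-PROXY decision for IP-literal URLs so it can be run under Node.

// Constructed lookup table standing in for DNS (not real records).
const FAKE_DNS = { "intranet": "10.1.2.3", "www.example.com": "93.184.216.34" };

// Minimal stand-ins for the PAC helpers a browser provides.
// Per PAC semantics, resolving an IP literal returns it unchanged.
function dnsResolve(host) { return FAKE_DNS[host] || host; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => acc * 256 + parseInt(o, 10), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Dotted-quad test with the dot escaped; note the quoted script uses an
// unescaped "." there, which matches any single character.
const IS_IP_LITERAL = /^(\d+\.){3}\d+$/;

// directIPs: flat [network, mask, network, mask, ...] list, as in the quoted
// script (the "Directly access computers specified in the addresses tab" list).
// proxy: "host:port" of the ISA array to hand non-direct requests to.
function buildFindProxy(directIPs, proxy) {
  const cDirectIPs = directIPs.length;
  return function FindProxyForURL(url, host) {
    const fIp = IS_IP_LITERAL.test(host); // assumption: "URL used an IP literal"
    if (cDirectIPs === 0) {
      // Empty address list: every IP-literal URL bypasses the proxy,
      // whether the address is private or public.
      if (fIp) return "DIRECT";
    } else {
      const ip = dnsResolve(host);
      if (IS_IP_LITERAL.test(ip)) {
        for (let i = 0; i < cDirectIPs; i += 2) {
          if (isInNet(ip, directIPs[i], directIPs[i + 1])) return "DIRECT";
        }
      } else if (isPlainHostName(host)) {
        return "DIRECT";
      }
    }
    return "PROXY " + proxy;
  };
}

// Symptom from the thread: with nothing on the addresses tab, a public IP
// URL goes DIRECT and never reaches ISA.
const emptyList = buildFindProxy([], "isa.example.test:8080");
console.log(emptyList("http://93.184.216.34/", "93.184.216.34")); // DIRECT

// With the private ranges listed, only those go DIRECT; public IPs are proxied.
const withRanges = buildFindProxy(
  ["10.0.0.0", "255.0.0.0", "192.168.0.0", "255.255.0.0"],
  "isa.example.test:8080"
);
console.log(withRanges("http://10.1.2.3/", "10.1.2.3"));           // DIRECT
console.log(withRanges("http://93.184.216.34/", "93.184.216.34")); // PROXY isa.example.test:8080
```

Run with `node`: the first call returns DIRECT for a public address, which is the behaviour described in the post; once private ranges are present in the list, the same public address is sent to the proxy, while 10.x and 192.168.x addresses and plain host names still go direct. When checking a real deployment, compare the DirectIPs array in the script the clients actually download against what the Web Browser tab claims, since an empty array is the condition that makes every IP URL bypass ISA.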
Are you running ISA with a single NIC? Sorry if I have already asked this question.
AFAIK, this script applies only to internal traffic, i.e. the ranges defined on the internal NIC, unless you have a single-NIC ISA, which actually involves all IP ranges.
If that's the case you need to do the following
Under Network > Internal > Properties > Web Browser Tab, uncheck the option "Directly access computers specified in the addresses tab" and click add to actually add your internal IP ranges which you want to access directly
Either way you can follow the steps mentioned above...
Directly access computers specified in domains tab: CHECKED
Directly access computers specified in addresses tab: CHECKED
We were told NOT to list IP's in the Web Browser list because we have domains listed, and ISA apparently has a problem if both IP's and domain names are in the web browser bypass list.
Again politics. Your legs are cut out underneath you before taking your first step but you have to magically make it work with the limited resources you have.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I always fight stuff like that. I've been here for 10 years and they ain't fired me yet. You'd be amazed at how you can change things if you are willing to assert yourself. If they tell me to do something that won't work or is a bad method,...I tell them that it won't work or is a bad method and if they want me to get it working then they have to get out of the way and let me do it the right way,...I cannot think of a single time in 10 years that I did not eventually "win". I'm the IT Person,..it's my job to determine the right way to do something and how to get it done,...not theirs,...if they didn't want an IT Person then they shouldn't have hired one.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
An ISA running a single NIC (Hork mode) treats everything as Internal. The logic is that if something isn't supposed to use the ISA then don't configure the browser to use the ISA in the first place.
I don't think the Public IP#s are supposed to be in the Internal Network. ISA already is smart enough to know that anything not in its local subnet and is not otherwise specified with a Static Route will get sent to the ISA's Default Gateway which is going to be the Firewall most of the time.
Here are two links for dealing with a single-nic ISA:
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: dvizzle
It is an ISA issue though because the config script that is being pushed down by ISA includes this:
    }
    if(cDirectIPs == 0){
        if(fIp) return "DIRECT";}
    else{
        ip = host;
        if(fIp) ip = dnsResolve(host);
        var isIpAddr = /^(\d+.){3}\d+$/;
        if(isIpAddr.test(ip)){
            // DirectIPs is a flat list of network/mask pairs: [net, mask, net, mask, ...]
            for(i=0; i<cDirectIPs; i += 2){
                if(isInNet(ip, DirectIPs[i], DirectIPs[i+1])) return "DIRECT";}}
        else if(isPlainHostName(host)) return "DIRECT";
Which looks like if the address is an ip range it is trying to go direct and not through ISA, so the direct connection is being blocked by a different firewall. I want my internal IP's to do direct, but public IP's to still go through ISA.
This script looks wrong, even for a single NIC setup.
Surely everything points to the HLB at fault here, especially if you cannot see connections in the ISA logs or network traces?
If you manually configure a proxy server in IE and use the IP or computer name of the ISA server, does everything work ok?
Cheers
JJ
Already mentioned this; it does work via direct IP/port.
But the load balancer is just rerouting to one of the ISA servers. It is not injecting anything into the array script, which has the output noted above that seems to be trying DIRECT connections for all IP URLs.
A HORK mode web proxy array....with an NLB in front of them...sheesh, I would hate to try & configure that. I would say no, go find someone else to do that.