
RE: Can't Access Websites By IP

RE: Can't Access Websites By IP - 5.May2009 5:12:50 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If it is a public IP# that is truly on the actual External side of the ISA then I think he has more than one problem.

The internal IP# are never supposed to hit the ISA (when handled properly) so the ISA is irrelevant.  But the Public IP# have to go through the ISA and so if they fail it is for completely different reasons than the private IP#s.  

Sorry, I don't really have any suggestions for that unless these are SSL sites,...in which case that just won't work with IP#s because the IP# does not match the "Common Name" in the Certificate assigned to the Site.  Which further demonstrates my point that using IP#s horribly complicates things,...does not make things "simpler" as the common wisdom of the industry thinks.

_____________________________

Phillip Windell

(in reply to inderjeet)
Post #: 21
RE: Can't Access Websites By IP - 5.May2009 5:22:53 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
I agree, Phillip. I had him resolve the Internal IP issue through LAT in ISA but am just waiting for his logs to check. He is using the IP for Yahoo, and that too on HTTP, so it makes me think twice as to why that isn't working....



_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to pwindell)
Post #: 22
RE: Can't Access Websites By IP - 6.May2009 9:39:43 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
First, thanks to everyone with the help and suggestions so far so I'll try to go through them:

quote:

There are three official solutions. Number 3 is the best one and the most flexible, it just takes a little more work to set up initially, however it solves a lot of other issues that you do not even know that you have yet or will have later.

1. Add the IP# to the Intranet Zone on every single involved PC within every single user profile on that PC. Obviously that is not very "pretty". This is somewhat along the same lines as what inderjeet said although his method is probably less work since it is done centrally at the ISA. But option #3 avoids ever having to do any of that because IE will not ever send it to the proxy to begin with.

2. Never ever ever ever ever use IP#s in a URL. It horribly complicates things,...it does not make things "simpler" as the common wisdom of the industry thinks.

3. Configure the LAN to use Proxy Autodetection via WPAD and have the firewall client installed on the workstation. The WPAD Script when received by IE will allow IE to make the proper decision and not send the request to the proxy.


1. Is not possible due to politics.
2. Is what I say as well, but being a little fish, I can't force the high ranking Government officials to use DNS names.
3. Will likely happen down the line when the old proxy is officially gone and ISA will be the default. Right now our users are load balanced between servers in an array and getting the array.dll file not the WPAD.dat, so I need to know if we can make it work in the meantime.


I cannot send the logs due to sensitivity, but I can tell you that ISA Server did not log ANYTHING from the client using the MS Network monitor. The request is obviously never even getting to the ISA server.

Using it on the local pc trying to access the site, I only received 3 IE packets which I can send if you need to see them.

I am 1000% convinced the people that set ISA up to begin with did it completely wrong as I have spent the last 6 months cleaning up their mistakes.

(in reply to inderjeet)
Post #: 23
RE: Can't Access Websites By IP - 6.May2009 9:54:45 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Hmm, that focuses me on how your clients are configured. Can you let me know the client configuration? I mean how are they configured to get to ISA?

Only 3 packets from the client. Are they TCP packets? If yes, then are they the initial TCP handshake packets between the client and ISA? Are there any HTTP packets? If yes, check the request made by the client. Check the following fields in the packet:

Source
Destination
Host

Do you see any response coming back from ISA? If there is then check if the FLAG is set for RESET.



_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 24
RE: Can't Access Websites By IP - 6.May2009 10:06:27 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
End users get ISA through a user-applied group policy to change the IE proxy to a general DNS name which is the load balancer. Which then reroutes the user to the array server closest to them.

It was 3 iexplore packets I saw on the client. TCP packets.
0 HTTP packets.


HMM. I just changed the proxy from the ISA address, to the manual ISA server IP address and port, and the IP resolution worked to the yahoo site and other sites I have trouble with.

< Message edited by dvizzle -- 6.May2009 10:08:34 AM >

(in reply to inderjeet)
Post #: 25
RE: Can't Access Websites By IP - 6.May2009 10:46:10 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Is it a Hardware load balancer in front of the ISA Server Array? If yes, then you need to check its configuration. As you tested, ISA is working fine.... It's not always ISA

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 26
RE: Can't Access Websites By IP - 6.May2009 11:04:50 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
It is an isa issue though because the config script that is being pushed down by ISA includes this

    }
    if(cDirectIPs == 0){
        if(fIp)
            return "DIRECT";}
    else{
        ip = host;
        if(fIp)
            ip = dnsResolve(host);
        var isIpAddr = /^(\d+.){3}\d+$/;
        if(isIpAddr.test(ip)){
            for(i=0; i<cDirectIPs; i += 2){
                if(isInNet(ip, DirectIPs[i], DirectIPs[i+1]))
                    return "DIRECT";}}
        else if(isPlainHostName(host))
            return "DIRECT";


Which looks like if the address is an IP range it is trying to go direct and not through ISA, so the direct connection is being blocked by a different firewall. I want my internal IP's to go direct, but public IP's to still go through ISA.

(in reply to inderjeet)
Post #: 27
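Added example, not part of any post in this thread and not ISA's generated script: a stand-alone model of the branches in the excerpt above, run over a few hosts to show when they return "DIRECT". Assumptions: `fIp` is treated as an input because the excerpt does not show where it is set, `DirectIPs` is taken to be a flat list of network/mask pairs (as `i += 2` implies), `null` stands for "falls through to the rest of the script", and the PAC helper stand-ins, host names and addresses are constructed.

```javascript
// Added example: models the posted excerpt only; helper stand-ins are assumptions.
// In a browser, isInNet/isPlainHostName/dnsResolve are supplied by the PAC runtime.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | (Number(o) & 255)) >>> 0, 0);
}
function isInNet(ip, net, mask) {
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Constructed DNS table standing in for dnsResolve().
const DNS = { "intranet.example.test": "10.1.2.3", "www.example.test": "203.0.113.10" };
function dnsResolve(host) { return DNS[host] || host; }

// Same branches as the excerpt. Returns "DIRECT", or null when the excerpt
// falls through to the proxy-selection part of the script (not shown in the thread).
function excerptDecision(host, fIp, DirectIPs) {
  const cDirectIPs = DirectIPs.length;
  if (cDirectIPs === 0) {
    if (fIp) return "DIRECT";           // empty list + fIp: everything bypasses the proxy
  } else {
    let ip = host;
    if (fIp) ip = dnsResolve(host);
    const isIpAddr = /^(\d+.){3}\d+$/;  // kept exactly as posted
    if (isIpAddr.test(ip)) {
      for (let i = 0; i < cDirectIPs; i += 2) {
        if (isInNet(ip, DirectIPs[i], DirectIPs[i + 1])) return "DIRECT";
      }
    } else if (isPlainHostName(host)) {
      return "DIRECT";
    }
  }
  return null;
}

// Constructed direct-access list: private ranges as network/mask pairs.
const PRIVATE = ["10.0.0.0", "255.0.0.0", "172.16.0.0", "255.240.0.0", "192.168.0.0", "255.255.0.0"];

function runCases() {
  const hosts = ["203.0.113.10", "10.1.2.3", "www.example.test", "fileserver"];
  const rows = [];
  for (const list of [[], PRIVATE]) for (const fIp of [true, false]) for (const h of hosts)
    rows.push({ list: list.length ? "private" : "empty", fIp, host: h, result: excerptDecision(h, fIp, list) });
  return rows;
}
console.table(runCases());
```

With an empty direct-IP list and `fIp` set, the public address comes back "DIRECT"; once the list holds only the private ranges, the same address falls through while 10.1.2.3 still goes direct.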
RE: Can't Access Websites By IP - 6.May2009 11:24:31 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Are you running ISA with a Single NIC? Sorry if I have already asked this question.

AFAIK, this script applies to internal traffic only, mentioned on the internal NIC, until and unless you have a Single NIC ISA, which actually involves all IP ranges.

If that's the case you need to do the following

Under Network > Internal > Properties > Web Browser Tab, uncheck the option "Directly access computers specified in the addresses tab" and click add to actually add your internal IP ranges which you want to access directly

Either way you can follow the steps mentioned above...

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to dvizzle)
Post #: 28
RE: Can't Access Websites By IP - 6.May2009 11:53:41 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Single NIC yes.

Addresses tab only has internal private ranges.

Web Browser has

Directly access computers specified in domains tab CHECKED
Directly access computers specified in addresses tab CHECKED

We were told NOT to list IP's in the Web Browser list because we have domains listed, and ISA apparently has a problem if both IP's and domain names are in the web browser bypass list.

(in reply to inderjeet)
Post #: 29
RE: Can't Access Websites By IP - 6.May2009 12:04:48 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Ahhh...HORK mode....worst way to deploy any ISA machine.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to dvizzle)
Post #: 30
RE: Can't Access Websites By IP - 6.May2009 12:09:27 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Again politics. Your legs are cut out underneath you before taking your first step but you have to magically make it work with the limited resources you have.

(in reply to SteveMoffat)
Post #: 31
RE: Can't Access Websites By IP - 6.May2009 12:35:37 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I always fight stuff like that.  I've been here for 10 years and they ain't fired me yet.  You'd be amazed at how you can change things if you are willing to assert yourself.  If they tell me to do something that won't work or is a bad method,...I tell them that it won't work or is a bad method and if they want me to get it working then they have to get out of the way and let me do it the right way,...I cannot think of a single time in 10 years that I did not eventually "win".  I'm the IT Person,..it's my job to determine the right way to do something and how to get it done,...not theirs,...if they didn't want an IT Person then they shouldn't have hired one.

_____________________________

Phillip Windell

(in reply to dvizzle)
Post #: 32
RE: Can't Access Websites By IP - 6.May2009 3:35:51 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Checking around, can someone tell me if this is right;

My Enterprise Networks -> Enterprise Internal

Range is set up for:
0.0.0.1 - 126.255.255.255
128.0.0.0 - 255.255.255.254

and all my Enterprise rules are basically

From: Enterprise Internal
To: Enterprise Internal

This seems really lazy?

Shouldn't Enterprise Internal be my internal IP range, and External network be the public IP ranges, and all my rules be set up:

From Enterprise Internal
To: External

????

(in reply to pwindell)
Post #: 33
RE: Can't Access Websites By IP - 6.May2009 4:21:20 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
On an ISA running a single NIC (Hork mode), everything is Internal.  The logic is that if something isn't supposed to use the ISA then don't configure the browser to use the ISA in the first place.

I don't think the Public IP#s are supposed to be in the Internal Network.  ISA already is smart enough to know that anything not in its local subnet and is not otherwise specified with a Static Route will get sent to the ISA's Default Gateway which is going to be the Firewall most of the time.

Here are two links for dealing with a single-nic ISA:

The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/kb/838364/en-us
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx




_____________________________

Phillip Windell

(in reply to dvizzle)
Post #: 34
RE: Can't Access Websites By IP - 6.May2009 6:11:37 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: dvizzle

It is an isa issue though because the config script that is being pushed down by ISA includes this

    }
    if(cDirectIPs == 0){
        if(fIp)
            return "DIRECT";}
    else{
        ip = host;
        if(fIp)
            ip = dnsResolve(host);
        var isIpAddr = /^(\d+.){3}\d+$/;
        if(isIpAddr.test(ip)){
            for(i=0; i<cDirectIPs; i += 2){
                if(isInNet(ip, DirectIPs[i], DirectIPs[i+1]))
                    return "DIRECT";}}
        else if(isPlainHostName(host))
            return "DIRECT";


Which looks like if the address is an IP range it is trying to go direct and not through ISA, so the direct connection is being blocked by a different firewall. I want my internal IP's to go direct, but public IP's to still go through ISA.

 
This script looks wrong, even for a single NIC setup.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to dvizzle)
Post #: 35
RE: Can't Access Websites By IP - 6.May2009 6:14:34 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Surely everything points to the HLB at fault here, especially if you cannot see connections in the ISA logs or network traces?

If you manually configure a proxy server in IE and use the IP or computer name of the ISA server, does everything work ok?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Jason Jones)
Post #: 36
RE: Can't Access Websites By IP - 7.May2009 10:29:07 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
quote:

ORIGINAL: Jason Jones

Surely everything points to the HLB at fault here, especially if you cannot see connections in the ISA logs or network traces?

If you manually configure a proxy server in IE and use the IP or computer name of the ISA server, does everything work ok?

Cheers

JJ


Already mentioned this, it does work via direct IP/port.

But the load balancer is just rerouting to one of the ISA servers. It is not injecting anything into the array script which has the output noted above that seems to be trying DIRECT connections for all IP URLs.

Using Load Balanced Proxy URL: DOES NOT work
Using ISA http://ISASERVER:8080/array.dll?Get.Routing.Script as proxy DOES NOT WORK
Using ISA IP port number WORKS

< Message edited by dvizzle -- 7.May2009 12:05:13 PM >

(in reply to Jason Jones)
Post #: 37
RE: Can't Access Websites By IP - 7.May2009 11:38:05 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Where is Array.script being generated from and how can I edit it to not go direct to external range IP addresses?

(in reply to dvizzle)
Post #: 38
RE: Can't Access Websites By IP - 7.May2009 12:15:08 PM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
Using Load Balanced Proxy URL: DOES NOT work
Using ISA http://ISASERVER:8080/array.dll?Get.Routing.Script as proxy DOES NOT WORK
Using ISA IP port number WORKS

I checked my HLB, and it is set up to forward to http://ISASERVER:8080/array.dll?Get.Routing.Script

which doesn't work. The reason for using that is because it has the address of the other server as the failover address.

(in reply to dvizzle)
Post #: 39
RE: Can't Access Websites By IP - 7.May2009 1:07:24 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
A HORK mode web proxy array....with an NLB in front of them...sheesh, I would hate to try & configure that. I would say no, go find someone else to do that.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to dvizzle)
Post #: 40
