Can't Access Websites By IP (Full Version)

All Forums >> [ISA 2006 Firewall] >> General



Message


dvizzle -> Can't Access Websites By IP (4.May2009 4:20:20 PM)

Using ISA 2006.

Trying to browse to websites by IP address and get IE timeout error.
I do live monitoring of the session in ISA and never even see any connection trying to be initiated.

I can ping the site from local pc and ISA server itself. Can also do nslookup.

If I use the DNS name, it browses fine and I see the traffic in ISA.
If I use IP, I get http timeout. No log in ISA, no ISA error page.

Any suggestions?




SteveMoffat -> RE: Can't Access Websites By IP (4.May2009 4:23:48 PM)

Stop trying to browse by IP?




inderjeet -> RE: Can't Access Websites By IP (4.May2009 7:31:16 PM)

How are your clients configured to access ISA? Are you sure using the right IP for that website?




dvizzle -> RE: Can't Access Websites By IP (5.May2009 9:17:07 AM)

Some of the geniuses we work with see DNS as this fancy fad that will be over soon enough. Still, I know how stupid it sounds, but there are a few sites that need to be browsed by IP.

The IP is correct. I can browse to the website direct via IP using a direct connection to the internet that does not go through ISA, as well as going through the old proxy which we are setting ISA up to replace.

It is confusing since I can ping and tracert it from the ISA server and the desktop, but I am getting no traffic in the ISA log nor an ISA error message, just the IE timeout message.




SteveMoffat -> RE: Can't Access Websites By IP (5.May2009 9:49:50 AM)

Are these external websites? DMZ websites? Do you publish them?




inderjeet -> RE: Can't Access Websites By IP (5.May2009 9:50:24 AM)

It should work with IP as well. I have tried that on my ISA Server and it works with IP....

Can you collect some network traces on ISA and the test client machine at the same time? Save both the traces as .CAP file and send me at isaissues@yahoo.com also, Let me know the time you did the test, Client IP from where you did the test, and the Internal IP of ISA.

I can only tell after looking into the logs




SteveMoffat -> RE: Can't Access Websites By IP (5.May2009 9:53:12 AM)

Sounds to me like it's their own websites they can't access. Haven't added the IP into the public name feild of the pub rule. Bad practice that.




SteveMoffat -> RE: Can't Access Websites By IP (5.May2009 9:54:50 AM)

Can you get  to http://69.147.76.15/




dvizzle -> RE: Can't Access Websites By IP (5.May2009 11:37:43 AM)

These are public IP's as well as internal IP's.

I cannot access http://69.147.76.15/ using ISA as the proxy. I see no logging either.




inderjeet -> RE: Can't Access Websites By IP (5.May2009 11:53:09 AM)

Internal IPs should go directly not through your proxy. This is configured in Local Address Table (LAT) in ISA under Network > Internal > Properties > Web Browser Tab and also you may check the box "Directly access computers specified in the address tab" under the same Tab

Whereas, for external i would need the logs as mentioned in my above post.




dvizzle -> RE: Can't Access Websites By IP (5.May2009 12:29:36 PM)

quote:

ORIGINAL: inderjeet

Internal IPs should go directly not through your proxy. This is configured in Local Address Table (LAT) in ISA under Network > Internal > Properties > Web Browser Tab and also you may check the box "Directly access computers specified in the address tab" under the same Tab

Whereas, for external i would need the logs as mentioned in my above post.


That solved the internal issue but it does not resolve public IP's.

I'm not sure what logs you need since ISA isn't generating anything when I'm doing a live monitor while trying to establish the connection.

Thank you for the help so far.




inderjeet -> RE: Can't Access Websites By IP (5.May2009 12:44:51 PM)

Install Network Monitor 3.2 on ISA and the client. Then enable tracing on both. Then test opening a website. Stop traces on both and save them as .CAP files. Send those to me at the email mentioned above. Send me below information as well

1. ISA's Internal IP
2. Client IP (do Ipconfig /all >c:\ipconfig.txt)
3. Time you did the test

Send me the .CAP files and the TXT file mentioend above in point number 2




dvizzle -> RE: Can't Access Websites By IP (5.May2009 2:25:24 PM)

It is a production enviornment being used by 20k users. Please let me know what you need me to use in the filters in order to only collect and capture the most necessary info since I don't want to wait 2 hours for it to finish parsing.




inderjeet -> RE: Can't Access Websites By IP (5.May2009 2:46:02 PM)

Filter it for HTTP and from client machine




dvizzle -> RE: Can't Access Websites By IP (5.May2009 3:37:29 PM)

ISA server got back nothing.

Client received a few frames. What should I be looking for specifically?




SteveMoffat -> RE: Can't Access Websites By IP (5.May2009 4:03:34 PM)

Can you give me an example of one of the web IP's that will not work?




dvizzle -> RE: Can't Access Websites By IP (5.May2009 4:12:27 PM)

Anything in a public IP range.

Another user asked me to try http://69.147.76.15/ which did not work when ISA is being used. If the proxy is changed, it works fine and takes me to the Yahoo home page.




pwindell -> RE: Can't Access Websites By IP (5.May2009 4:55:48 PM)

Sorry guys,..but everyone is running off in every direction but where you need to go. Although inderjeet came real close.

1. This only happens when the Site is on the LAN, and should be direclty accessed in the first place.

2. The root of the problem is IE, not ISA.  IE does not handle IP#s in the URL properly when it has proxy settings at the same time.

3. IE has had this problem since the days of cavemen.

There are three official solutions. Number 3 is the best one and the most flexible, it just takes a little more work to setup initially, however it solves a lot of other issues that you do not even know that you have yet or will have later.

1.  Add the IP# to the Intranet Zone on every single involved PC within every single user profile on that PC.  Obviously that is not very "pretty".  This is somewhat along the same lines as what interjeet said although his method is probably less work since it is done centrally at the ISA.  But option #3 avoids ever having to do any of that because IE will not ever send it to the proxy to begin with.

2. Never ever ever ever ever use IP#s in a URL.  It horribly complicates things,...it does not make things "simpler" as the common wizdom of the industry thinks.

3. Configure the LAN to use Proxy Autodection via WPAD and have the firewall client installed on the workstation.  The WPAD Script when received by IE will allow IE to make the proper decision and not send the request to the proxy.




inderjeet -> RE: Can't Access Websites By IP (5.May2009 4:57:21 PM)

Hi,

Do the tracing again on both machines. From client first test with website name and then with IP. Can you send me the logs? It's difficult to tell what to see in logs...





inderjeet -> RE: Can't Access Websites By IP (5.May2009 5:06:45 PM)

quote:

3. Configure the LAN to use Proxy Autodection via WPAD and have the firewall client installed on the workstation.  The WPAD Script when received by IE will allow IE to make the proper decision and not send the request to the proxy.


Hey Phillip,

That is the whole issue. The requests are anyhow not going to the proxy with http://PUBLICIP [:(]




Page: [1] 2 3   next >   >>