• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Email Filter Failed Updates through ISA

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> General >> Email Filter Failed Updates through ISA Page: [1]
Login
Message << Older Topic   Newer Topic >>
Email Filter Failed Updates through ISA - 23.Jun.2009 10:15:07 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi guys

Having a seriousley annoying problem with Websense email filter updates - It cannot update through the ISA firewall at all. My version is Isa Standard 2006. I keep geting the this error in the log whenever i try to update however it works fine when i bypass the ISA. Can anyone shed any light on this error or has anyone else experience this error?
Failed Connection Attempt MSA5000 6/23/2009 12:21:24 PM
Log type: Web Proxy (Forward)
Status: 1359 An internal error occurred.
Rule: Web Access Only
Source: Internal (192.168.16.83)
Destination: External (static-204-15-69-70.websense.com 204.15.69.70:80)
Request: GET http://204.15.69.70/cgi-bin/GenLiveUpdate.dll?GetFile&CF9A93CC14E22C19DB01C9C3E5A64DD13E705FE5D0EA1AB2BB377E7D29B72D585F21A7AE624387D785ADCE3C96321DB3E3EA4F30BA2D725FEC648B2A9DA40382578FE8B19967D5FEC7B658F7B840AA
Filter information: Req ID: 056a5c0a; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40020000 (Response includes the CACHE-CONTROL: PRIVATE header. Response should not be cached.)
Processing time: 77969 ms
MIME type:
Post #: 1
RE: Email Filter Failed Updates through ISA - 8.Jul.2009 8:36:42 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Is the Websense client behind the firewall?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to nholman)
Post #: 2
RE: Email Filter Failed Updates through ISA - 8.Jul.2009 9:12:22 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi Tom

Thanks for the reply!
Yes, behind the firewall on our LAN. Nothing on the DMZ or anything like that.
Websense technical support havebeen looking at it and they are pointing the finger at the isa firewall.

(in reply to nholman)
Post #: 3
RE: Email Filter Failed Updates through ISA - 8.Jul.2009 11:02:58 AM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
It seems to me like either the HTTP filter is objecting to something or there is an authentication issue. Can you tell me if authentication is required on the access rule? Or if 'require all users to authenticate' is enabled for the web proxy listener?

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to nholman)
Post #: 4
RE: Email Filter Failed Updates through ISA - 8.Jul.2009 11:14:45 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi richard
access rule is for all users and web proxy filter is set to not require all users to authenticate.
I see you work for celestix..the box is an msa5000.

(in reply to richardhicks)
Post #: 5
RE: Email Filter Failed Updates through ISA - 8.Jul.2009 12:07:01 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
MSA5000...excellent choice! I have a fair amount of experience with Websense content filtering software, but not with their e-mail filtering software. I've not encountered any issues with Websense content filtering software obtaining updates from Websense when accessing through an ISA firewall, so I have to assume that the e-mail software is doing something a little different (that obviously ISA isn't happy with).

At this point it would be helpful to have a network trace taken from the host that is requesting the updates. That would hopefully allow us to identify the offending communication and hopefully resolve the issue. In the short term we can deploy a workaround to allow communication to Websense to bypass the HTTP filter. This will require that you create a new custom protocol for HTTP without the HTTP filter bound to it. You'll then need to create a deny rule for standard HTTP as well. Follow the instructions here - http://blogs.technet.com/isablog/archive/2006/09/25/why-do-i-need-a-deny-rule-to-make-an-allow-rule-for-a-custom-protocol-work-correctly.aspx.

If you have any questions or you'd like some assistance configuring this access, feel free to drop me a note or call our support line and one of us will gladly help.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to nholman)
Post #: 6
RE: Email Filter Failed Updates through ISA - 9.Jul.2009 6:58:51 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi richard

i'll give that a go and let you know how i get on.

(in reply to richardhicks)
Post #: 7
RE: Email Filter Failed Updates through ISA - 9.Jul.2009 7:06:46 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi richard
i did the following
Allow rule from email filter server to external without http/webproxy filtering enabled
Deny rule from email filter server to external with http/proxy filter enabled.

And by joe its working!!
so we've narrowed it down to the web proxy filter..am i ok to leave it like this? what could be the cause of this problem - problem with the proxy filter maybe?

thanks in advance

(in reply to nholman)
Post #: 8
RE: Email Filter Failed Updates through ISA - 9.Jul.2009 8:40:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Looks like you need Direct Access to that site. You might configure the rule to limit it to the specific site required, but otherwise, no problem.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to nholman)
Post #: 9
RE: Email Filter Failed Updates through ISA - 9.Jul.2009 9:01:55 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi Tom
Hwo would i go about doing direct access - i think i know but need to make sure.
The onyl problem is, since its doign updates over many ip's it might be difficult to use the direct access unless im wrong of course.

(in reply to tshinder)
Post #: 10
RE: Email Filter Failed Updates through ISA - 9.Jul.2009 12:18:52 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
I think what Tom means by 'direct access' is from that host to that specific site only.  You don't want other users to be able to access the Internet via that rule because the enhanced security provided by the HTTP filter has been disabled.  So, for that specific access rule specify your Websense e-mail server as the source and *.websense.com (or a more specific URL if possible) as the destination.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to nholman)
Post #: 11
RE: Email Filter Failed Updates through ISA - 9.Jul.2009 3:27:14 PM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi richard

I see what you and tom mean now. i'll try and make it more specific tomorrow then and see if still works ok.
I'll post and let you both know if its ok.
thanks

(in reply to richardhicks)
Post #: 12
RE: Email Filter Failed Updates through ISA - 10.Jul.2009 4:44:47 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
Hi Richard / TOm

Ive ran into a bit of a problem
When creating those allow and deny rules and turning off the http/proxy filter off it has also turned off the web proxy filter for all other rules with http also?
From what i recall i thought each rule was independant of the other?

this is affecting our websense web filtering?
thanks

(in reply to nholman)
Post #: 13
RE: Email Filter Failed Updates through ISA - 10.Jul.2009 5:32:21 AM   
nholman

 

Posts: 20
Joined: 13.Nov.2008
Status: offline
or would i have to create a custom HTTP protocol and use that one on the one without the proxy filter?

(in reply to nholman)
Post #: 14
RE: Email Filter Failed Updates through ISA - 10.Jul.2009 8:00:17 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yep, define a custom HTTP protocol as per the ISA blog article...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to nholman)
Post #: 15
RE: Email Filter Failed Updates through ISA - 10.Jul.2009 9:54:01 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, agree with Jason.

Need to disable the filter only for the single rule that allows access to the Websense update site.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 16

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> General >> Email Filter Failed Updates through ISA Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts