• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Unable to connect to Web Proxy server address on array

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> Installation and Planning >> Unable to connect to Web Proxy server address on array Page: [1]
Login
Message << Older Topic   Newer Topic >>
Unable to connect to Web Proxy server address on array - 7.Jul.2009 11:18:30 AM   
nickcleary

 

Posts: 5
Joined: 7.Jul.2009
Status: offline
Hi All

I've created a ISA 2006 Array on Vmware ESX 3.5.0.

The array is on a 10.70.x.x subnet and the majority of our users are on a 10.22.x.x.

All users on the 10.70 section can connect to the Proxy address without problems however those on the 10.22 cannot. They can however connect to each individual ISA server address and browse through those.

I have added a persistant route to each server for the other subnet but there I'm still unable to connect. The DNS entry has been added accordingly.

Apologies if more info is needed,

Thanks in Advance
Post #: 1
RE: Unable to connect to Web Proxy server address on array - 7.Jul.2009 9:50:52 PM   
varun25

 

Posts: 63
Joined: 24.Aug.2008
Status: offline
On the ISA, is10.22.X.X subnet specified as internal or external network?

Without adding the persistant route are you able to ping between the 2 subnets?

(in reply to nickcleary)
Post #: 2
RE: Unable to connect to Web Proxy server address on array - 8.Jul.2009 4:57:28 AM   
nickcleary

 

Posts: 5
Joined: 7.Jul.2009
Status: offline
The Internal network is set to 10.0.0.0- 10.255.255.255 and yes i can ping between them.

Nick

< Message edited by nickcleary -- 8.Jul.2009 5:53:47 AM >

(in reply to varun25)
Post #: 3
RE: Unable to connect to Web Proxy server address on array - 8.Jul.2009 11:48:02 AM   
Boedus

 

Posts: 195
Joined: 8.Sep.2006
Status: offline
The way I understand your problem is that both those IP are on the same network actually.
Really NIC/IP should be on a different network.
Make sure you are using a 8 bits mask in that case,such as below:
10.70.0.0/255.0.0.0
10.20.0.0/255.0.0.0

In that case they are on a different network.

Also ideally routes should be set before ISA is installed. Nothing is preventing you from installing them afterwards, but usually doing it initially will help you avoiding to have IP issues.
Make sure the routes are working fine as well, before you install ISA. It is difficult to troubleshoot routing issues on a firewall.

HTH


quote:

ORIGINAL: nickcleary

The Internal network is set to 10.0.0.0- 10.255.255.255 and yes i can ping between them.

Nick


< Message edited by Boedus -- 8.Jul.2009 11:50:44 AM >

(in reply to nickcleary)
Post #: 4
RE: Unable to connect to Web Proxy server address on array - 8.Jul.2009 12:12:14 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
You mentioned that users from the 10.20.x.x network can communicate with each array member individually, but not with the array as a whole. Do you have NLB enabled?

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to nickcleary)
Post #: 5
RE: Unable to connect to Web Proxy server address on array - 9.Jul.2009 5:35:28 AM   
nickcleary

 

Posts: 5
Joined: 7.Jul.2009
Status: offline
Yes, NLB is enabled on the internal NIC w\ Multicast as they are on VMware.

Thanks

Nick

(in reply to richardhicks)
Post #: 6
RE: Unable to connect to Web Proxy server address on array - 9.Jul.2009 6:11:12 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: Boedus

Make sure you are using a 8 bits mask in that case,such as below:
10.70.0.0/255.0.0.0
10.20.0.0/255.0.0.0

In that case they are on a different network.




Surely with an 8 bit mask, those subnets are actually on the same network?

If you want to differentiate them as different networks, you would need a 16 bit mark - no?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Boedus)
Post #: 7
RE: Unable to connect to Web Proxy server address on array - 9.Jul.2009 6:14:04 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: nickcleary

Hi All

I've created a ISA 2006 Array on Vmware ESX 3.5.0.

The array is on a 10.70.x.x subnet and the majority of our users are on a 10.22.x.x.

All users on the 10.70 section can connect to the Proxy address without problems however those on the 10.22 cannot. They can however connect to each individual ISA server address and browse through those.

I have added a persistant route to each server for the other subnet but there I'm still unable to connect. The DNS entry has been added accordingly.

Apologies if more info is needed,

Thanks in Advance


If you are using multicast NLB and you have clients on remote networks, you will need to add static ARP entries on the router.

This is discussed in more detail in Question 10 from here:

http://blog.msfirewall.org.uk/2008/10/resource-guide-for-using-microsoft-nlb.html

Cheers

JJ

P.S. Mentioning multicast NLB in your original post would have helped

< Message edited by Jason Jones -- 9.Jul.2009 6:15:41 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to nickcleary)
Post #: 8
RE: Unable to connect to Web Proxy server address on array - 9.Jul.2009 6:53:32 AM   
Boedus

 

Posts: 195
Joined: 8.Sep.2006
Status: offline
quote:

ORIGINAL: Jason Jones

quote:

ORIGINAL: Boedus

Make sure you are using a 8 bits mask in that case,such as below:
10.70.0.0/255.0.0.0
10.20.0.0/255.0.0.0

In that case they are on a different network.




Surely with an 8 bit mask, those subnets are actually on the same network?

If you want to differentiate them as different networks, you would need a 16 bit mark - no?

Cheers

JJ


Yep I meant to write 16 initially :-)
Thanks for correcting me.

(in reply to Jason Jones)
Post #: 9
RE: Unable to connect to Web Proxy server address on array - 9.Jul.2009 6:57:32 AM   
nickcleary

 

Posts: 5
Joined: 7.Jul.2009
Status: offline
Thanks for your help guys, I'll attempt to add the static ARP entries today and let you know

Nick

(in reply to Boedus)
Post #: 10
RE: Unable to connect to Web Proxy server address on array - 13.Jul.2009 9:23:31 AM   
nickcleary

 

Posts: 5
Joined: 7.Jul.2009
Status: offline
I think the issue may be down to the Virtual IP having a different MAC address on each server. I was under the impression ISA changed this accordingly, how can i do this manually?

Thanks

(in reply to nickcleary)
Post #: 11
RE: Unable to connect to Web Proxy server address on array - 13.Jul.2009 11:23:24 AM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
In multicast mode each host retains it's original MAC address.  The MAC address is overwritten when NLB is in unicast mode (default).  Regardless, you may still need a static ARP entry with VMWare, but I'm not sure.  I've never configured NLB on VMWare myself, so perhaps others might have more insight to this.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to nickcleary)
Post #: 12
RE: Unable to connect to Web Proxy server address on array - 15.Jul.2009 6:42:34 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: nickcleary

I think the issue may be down to the Virtual IP having a different MAC address on each server. I was under the impression ISA changed this accordingly, how can i do this manually?

Thanks


No, you need static ARPs!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to nickcleary)
Post #: 13

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> Installation and Planning >> Unable to connect to Web Proxy server address on array Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts