Welcome to ISAserver.org

Does SP1 Correct Problems you Are having? Give feedback here!

Does SP1 Correct Problems you Are having? Give feedbac... - 16.Jan.2002 3:13:00 AM   
jmunyan

 

Posts: 803
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
Now that SP1 is out I am wondering how many of you have had a problematic situation corrected by way of installing the service pack.

Please leave feedback to this post explaining how SP1 helped you, or conversely how SP1 has failed to correct your problem.

For me SP1 fails to correct my SNAT mapping issue for multiple published mail servers. The default IP is still used.

Thanks for taking the time to respond,

John

Post #: 1
RE: Does SP1 Correct Problems you Are having? Give fee... - 16.Jan.2002 12:02:00 PM   
Guest
Hi John,
Well, I've been evaluating SP1 Beta for about 2 months now, and the first thing I notice is the minimal amount of fixes included since the Beta release. What have MS been doing these last 2 months, I ask!

Well, on the good side, it appears to partially fix the "VPN tunnel is connected but no traffic passes" problem. (I say partially, because now it appears that when it detects the downed line it will reconnect the VPN...still not perfect, but saves me having to do it every day! For that matter, how do you think it detects the downed line, via standard ping requests? (although I don't see anything like that in the logs or with a sniffer)).

I do notice it DOESN'T fix the "Can't access internal resources published out via server publishing rules" issue...which MS guaranteed us would be in there. (And when is SP2 coming out, we ask?)

Apart from that, it appears much the same as the beta...unless anyone can tell me otherwise?

Oh...I believe though the major fix of the SP is the FTP problem, where if you server publish out an FTP site then users behind a firewall get the "Data connection refused" or "Can't get directory listing" etc. errors.

I'll let you know when I find more!
Cheers John

Oh, P.S. I'll boot up a few VMware machines later and try the mail publishing issue...


------------------
Regards,
Jeremy
email: jeremy@cableserver.co.uk
www: www.cableserver.co.uk
MSN Messenger: jeremybcooke@hotmail.com

[This message has been edited by Stephen wheres my posts! (edited 16 January 2002).]


(in reply to jmunyan)
  Post #: 2
RE: Does SP1 Correct Problems you Are having? Give fee... - 16.Jan.2002 12:50:00 PM   
Guyver_fixer

 

Posts: 54
Joined: 2.Oct.2001
From: London
Status: offline
Dear all,

It's nice to know SP1 has finally come out, and many will probably want SP2. Good luck to you all.

Anyway, I have yet to install SP1 and will do this weekend. What I'd like to know is whether anyone has experienced my issue, where users are browsing normally and a blank page appears, and when you refresh the page, all is well. Occasionally when trying to initiate a POST command, i.e. when sending data back from a web page, the browser comes back with a gateway connection failure page. The user has to refresh or "Go Back" and try again several times to successfully complete the POST. Have any of you experienced this?

Do you reckon SP1 will fix this? I am upstreaming my ISA server to my Checkpoint Firewall if that helps.

I have looked at the Microsoft Bug fixes article that may be related to this: Q297080, but I am unsure if this is right.

Keep me posted. My users are frequently having to refresh their browsers in order to get their web page to display.

Any advice would be very helpful and I do hope that SP1 solves this issue for me.

Thanks and kind regards

Paul Thompson
======================================
Rebooted and awaiting instructions
=======================================


(in reply to jmunyan)
Post #: 3
RE: Does SP1 Correct Problems you Are having? Give fee... - 16.Jan.2002 12:50:00 PM   
Guyver_fixer

 

Posts: 54
Joined: 2.Oct.2001
From: London
Status: offline
Dear all,

Have fun with SP1

Paul Thompson

[This message has been edited by Guyver_fixer (edited 16 January 2002).]


(in reply to jmunyan)
Post #: 4
RE: Does SP1 Correct Problems you Are having? Give fee... - 16.Jan.2002 4:06:00 PM   
drhkrz

 

Posts: 90
Joined: 15.Jan.2002
Status: offline
Hey guys,

I was really hoping it would fix the bandwidth control/bandwidth counters issues where the counters just stop working for different protocols. It didn't fix this problem. I'm going to try and remove all the bandwidth rules and bandwidth priorities and recreate them and see if that fixes it.

Jeremy, what issues with server publishing and accessing internal resources are still not working? What protocol are you publishing?

Thanks!

Tom

------------------
Dr. H.
------------------
http://www.isaserver.org/shinder/



(in reply to jmunyan)
Post #: 5
RE: Does SP1 Correct Problems you Are having? Give fee... - 16.Jan.2002 4:17:00 PM   
AttilaKaanSalci

 

Posts: 18
Joined: 8.Jan.2002
From: Trieste, ITALY
Status: offline
I have installed SP1 but it didn't fix my problem.
My ISA Array is behind a Checkpoint FW1, and I'm having problems with my WebProxy clients.
Accessing a private web site with ASP authentication, the ISA presents 407 Proxy auth required although there is Integrated Authentication on the ISA and the clients are already authenticated. The authentication mask, on the other hand, doesn't authenticate (i.e. putting username, password, domain doesn't go).

Kaan


(in reply to jmunyan)
Post #: 6
RE: Does SP1 Correct Problems you Are having? Give fee... - 16.Jan.2002 7:04:00 PM   
jmunyan

 

Posts: 803
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
quote:
Originally posted by Stephen wheres my posts!:
Hi John,
Well, I've been evaluating SP1 Beta for about 2 months now, and the first thing I notice is the minimal amount of fixes included since the Beta release. What have MS been doing these last 2 months, I ask!

Well, on the good side, it appears to partially fix the "VPN tunnel is connected but no traffic passes" problem. (I say partially, because now it appears that when it detects the downed line it will reconnect the VPN...still not perfect, but saves me having to do it every day! For that matter, how do you think it detects the downed line, via standard ping requests? (although I don't see anything like that in the logs or with a sniffer)).

I do notice it DOESN'T fix the "Can't access internal resources published out via server publishing rules" issue...which MS guaranteed us would be in there. (And when is SP2 coming out, we ask?)

Apart from that, it appears much the same as the beta...unless anyone can tell me otherwise?

Oh...I believe though the major fix of the SP is the FTP problem, where if you server publish out an FTP site then users behind a firewall get the "Data connection refused" or "Can't get directory listing" etc. errors.

I'll let you know when I find more!
Cheers John

Oh, P.S. I'll boot up a few VMware machines later and try the mail publishing issue...


The strange thing about the ftp fix is that I found no mention of it in the release notes per se.

John


(in reply to jmunyan)
Post #: 7
RE: Does SP1 Correct Problems you Are having? Give fee... - 17.Jan.2002 1:11:00 AM   
figme

 

Posts: 6
Joined: 15.Oct.2001
Status: offline
[QUOTE]Originally posted by Guyver_fixer:

Anyway, I have yet to install SP1 and will do this weekend. What I'd like to know is whether anyone has experienced my issue, where users are browsing normally and a blank page appears, and when you refresh the page, all is well. Occasionally when trying to initiate a POST command, i.e. when sending data back from a web page, the browser comes back with a gateway connection failure page. The user has to refresh or "Go Back" and try again several times to successfully complete the POST. Have any of you experienced this?

[/QUOTE]

I have this same problem. I will install SP1 and see if it will fix it.


(in reply to jmunyan)
Post #: 8
RE: Does SP1 Correct Problems you Are having? Give fee... - 17.Jan.2002 2:17:00 AM   
Guest
Hey Guys,
John, I think MS have a bit of confusion in the release notes. In the Beta SP1 release notes, there is the list of Q article fixes which it says are included in the SP, but there is also another list of NEW fixes just in SP1, which have no separate Q article release (section 9).

In the release notes for the Full SP1, that section appears to be missing, and has been replaced with a sentence saying "see Q313249". However, Q313249 has a very small list of fixes...and excludes the SP1 only fixes.

I.E: Section 9 of the Beta release notes starts:
--------
9.0 ISA Server Bug Fixes
1. A VPN client in the DMZ, using L2TP, was unable to access the Internet server. This occurred because the code excluded this protocol for creating a filter.

2. When server publishing an FTP server on an ISA server with multiple IP addresses on the external interface using any IP other than the primary IP, the response to the client data connection went over the primary IP. This resulted in a connection failure for firewall clients.

3. POST requests did not utilize previously established proxy-server connections.
---
Snip
====
13. ISA Server dynamically selects a secondary connection port for a FTP server that is published
through ISA. This secondary connection, initiated by the server through ISA, does not come from port 20.
----------------

Note Sections 3 and 13 relate to the FTP problem, which my clients were experiencing.

Anyway...just a bit weird, that's all.

Tom,
The issue is where you server publish out (not web publish) a service (e.g. HTTP Server), and an internal client can't access the site.

E.g., we map out about 80 websites using server publishing rules (need the IPs in the IIS logs, so can't use web publishing). We map our internal 10.3.1.x addresses to our external 194.x.x.x addresses. Internal users who try to connect to 194.x.x.x just get a 404 error. PSS just said to put all the FQDN entries in the local DNS server, so the internal clients resolve the FQDNs to the internal IPs. However, creating a zone for each website is not feasible...anyway, the firewall should be able to map them out.

This is not a blanket problem though, I'm still trying to figure out why it happens. I've seen the same effect when publishing out SMTP and POP3 servers too.

I currently just use routing rules to redirect requests for the FQDNs to the internal IPs (although this then doesn't work with HTTPS).

Oh well...not big problems anyway, I'll make a couple more calls and see what the status of those problems is...will let you know!

------------------
Regards,
Jeremy Cooke
Got a time critical ISA / RRAS / Win2k related problem?
Email me for details of remote assistance, telephone advice, and on-site visits!
email: jeremy@cableserver.co.uk
www: www.cableserver.co.uk


(in reply to jmunyan)
  Post #: 9
RE: Does SP1 Correct Problems you Are having? Give fee... - 17.Jan.2002 2:49:00 AM   
jmunyan

 

Posts: 803
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
quote:
Originally posted by figme:
[QUOTE]Originally posted by Guyver_fixer:

Anyway, I have yet to install SP1 and will do this weekend. What I'd like to know is whether anyone has experienced my issue, where users are browsing normally and a blank page appears, and when you refresh the page, all is well. Occasionally when trying to initiate a POST command, i.e. when sending data back from a web page, the browser comes back with a gateway connection failure page. The user has to refresh or "Go Back" and try again several times to successfully complete the POST. Have any of you experienced this?

[/QUOTE]

I have this same problem. I will install SP1 and see if it will fix it.


Since installing SP1 I have noticed that this behavior has cropped up and happens fairly frequently.

John


(in reply to jmunyan)
Post #: 10
RE: Does SP1 Correct Problems you Are having? Give fee... - 17.Jan.2002 5:41:00 AM   
drhkrz

 

Posts: 90
Joined: 15.Jan.2002
Status: offline
Hi Jeremy,

I believe the reason why the internal clients can't access internal resources via a server publishing rule, "loop backing" back into the internal network is related to the NAT problem. If there's no proxy or application filter handling the request, it doesn't work. I don't know if MS thinks this is a problem or not. Would be interesting to see if that behavior has changed with SP1.

Thanks!

Tom

quote:
Originally posted by JeremyCooke:
Hey Guys,
John, I think MS have a bit of confusion in the release notes. In the Beta SP1 release notes, there is the list of Q article fixes which it says are included in the SP, but there is also another list of NEW fixes just in SP1, which have no separate Q article release (section 9).

In the release notes for the Full SP1, that section appears to be missing, and has been replaced with a sentence saying "see Q313249". However, Q313249 has a very small list of fixes...and excludes the SP1 only fixes.

I.E: Section 9 of the Beta release notes starts:
--------
9.0 ISA Server Bug Fixes
1. A VPN client in the DMZ, using L2TP, was unable to access the Internet server. This occurred because the code excluded this protocol for creating a filter.

2. When server publishing an FTP server on an ISA server with multiple IP addresses on the external interface using any IP other than the primary IP, the response to the client data connection went over the primary IP. This resulted in a connection failure for firewall clients.

3. POST requests did not utilize previously established proxy-server connections.
---
Snip
====
13. ISA Server dynamically selects a secondary connection port for a FTP server that is published
through ISA. This secondary connection, initiated by the server through ISA, does not come from port 20.
----------------

Note Sections 3 and 13 relate to the FTP problem, which my clients were experiencing.

Anyway...just a bit weird, that's all.

Tom,
The issue is where you server publish out (not web publish) a service (e.g. HTTP Server), and an internal client can't access the site.

E.g., we map out about 80 websites using server publishing rules (need the IPs in the IIS logs, so can't use web publishing). We map our internal 10.3.1.x addresses to our external 194.x.x.x addresses. Internal users who try to connect to 194.x.x.x just get a 404 error. PSS just said to put all the FQDN entries in the local DNS server, so the internal clients resolve the FQDNs to the internal IPs. However, creating a zone for each website is not feasible...anyway, the firewall should be able to map them out.

This is not a blanket problem though, I'm still trying to figure out why it happens. I've seen the same effect when publishing out SMTP and POP3 servers too.

I currently just use routing rules to redirect requests for the FQDNs to the internal IPs (although this then doesn't work with HTTPS).

Oh well...not big problems anyway, I'll make a couple more calls and see what the status of those problems is...will let you know!


------------------
Dr. H.
------------------
http://www.isaserver.org/shinder/



(in reply to jmunyan)
Post #: 11
RE: Does SP1 Correct Problems you Are having? Give fee... - 18.Jan.2002 1:08:00 PM   
Jez

 

Posts: 367
Joined: 30.Jan.2002
From: Essex, England
Status: offline
Hey Guys...lets keep this going...any problems you got after SP1, let us know!

The only thing I've found so far is that my SMTP filter breaks...luckily I don't use it normally, but now I have to disable it to stop SMTP being bounced.

------------------
Regards,
Jeremy Cooke
Got a time critical ISA / RRAS / Win2k related problem?
Email me for details of remote assistance, telephone advice, and on-site visits!
email: jeremy@cableserver.co.uk
www: www.cableserver.co.uk


(in reply to jmunyan)
Post #: 12
RE: Does SP1 Correct Problems you Are having? Give fee... - 18.Jan.2002 5:01:00 PM   
font1975

 

Posts: 89
Joined: 26.Jul.2001
From: houston, texas, usa
Status: offline
Hi y'all

It seems SP1 has indeed fixed the FTP behind two firewalls problem. If the path to my FTP server was :

ftp client --> 3rd party FW (e.g. checkpoint) --> Internet --> ISA --> my FTP server :

then whenever you would do a directory listing the FTP client would hang. The previous workaround was to use a client that allowed Passive mode. But now I can use the Windows DOS FTP without any problems, YAY!

Jeremy, could you expand on your "SMTP filter breaks" issue? Are you using the message screener too or just the filter? So far I haven't noticed any issues with the filter itself, but I haven't fully tested that yet...

-Mark


(in reply to jmunyan)
Post #: 13
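
Added example (not part of the thread, and not ISA Server or Checkpoint code): a small model of the FTP data-connection problem discussed in the posts above. It parses the RFC 959 host-port tuple from a PORT command or a 227 reply and checks whether a client-side firewall would accept the resulting data connection. The addresses are constructed, and the firewall rule (the data flow must match the endpoints announced on the control channel) is an assumption made for illustration.

```python
import re

# Constructed addresses from the documentation ranges (not from the thread).
CLIENT = "198.51.100.7"     # FTP client as seen from the Internet
PUBLISHED = "203.0.113.20"  # secondary external IP used by the publishing rule
PRIMARY = "203.0.113.10"    # primary external IP of the publishing firewall

TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or 227 reply (h1,h2,h3,h4,p1,p2)."""
    m = TUPLE.search(line)
    if not m:
        raise ValueError("no host-port tuple in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_flow(control_line, client_ip, server_ip):
    """Data connection announced by one control-channel line."""
    ip, port = parse_endpoint(control_line)
    if control_line.upper().startswith("PORT"):
        # Active mode: the server side connects to the client's endpoint.
        return {"mode": "active", "src": server_ip, "dst": ip, "dport": port}
    if control_line.startswith("227"):
        # Passive mode: the client connects to the server's endpoint.
        return {"mode": "passive", "src": client_ip, "dst": ip, "dport": port}
    raise ValueError("not a PORT command or 227 reply: %r" % control_line)


def firewall_accepts(expected, src, dst, dport):
    """Assumed client-side rule: the flow must match the announced endpoints."""
    return (src, dst, dport) == (expected["src"], expected["dst"], expected["dport"])


def demo():
    active = expected_data_flow("PORT 198,51,100,7,19,137", CLIENT, PUBLISHED)
    passive = expected_data_flow(
        "227 Entering Passive Mode (203,0,113,20,195,80)", CLIENT, PUBLISHED)
    return {
        # Data connection sourced from the primary IP: does not match the session.
        "active_from_primary": firewall_accepts(active, PRIMARY, CLIENT, active["dport"]),
        # Data connection sourced from the published IP: matches.
        "active_from_published": firewall_accepts(active, PUBLISHED, CLIENT, active["dport"]),
        # Passive mode: the client initiates, so the source is never in question.
        "passive_from_client": firewall_accepts(passive, CLIENT, PUBLISHED, passive["dport"]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "accepted" if ok else "dropped")
```
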
RE: Does SP1 Correct Problems you Are having? Give fee... - 18.Jan.2002 6:02:00 PM   
Xuser

 

Posts: 232
Joined: 29.Jan.2002
From: Canada
Status: offline
I used Eudora on my PC and now it won't send any mail at all. This happened after I installed SP1 and the Firewall Client. Geezzz...talk about fixing a problem and creating a new one ;-(

(in reply to jmunyan)
Post #: 14
RE: Does SP1 Correct Problems you Are having? Give fee... - 18.Jan.2002 11:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The message screener isn't the issue, but the SMTP filter. Apparently, it looks at the data portion of the packet and finds things it thinks are SMTP commands and shoots out SMTP Event messages to block the message. No data yet on what the exact problem might be.

HTH,
Tom

quote:
Originally posted by font1975:
Hi y'all

It seems SP1 has indeed fixed the FTP behind two firewalls problem. If the path to my FTP server was :

ftp client --> 3rd party FW (e.g. checkpoint) --> Internet --> ISA --> my FTP server :

then whenever you would do a directory listing the FTP client would hang. The previous workaround was to use a client that allowed Passive mode. But now I can use the Windows DOS FTP without any problems, YAY!

Jeremy, could you expand on your "SMTP filter breaks" issue? Are you using the message screener too or just the filter? So far I haven't noticed any issues with the filter itself, but I haven't fully tested that yet...

-Mark


------------------
Thomas W Shinder
------------------
http://www.isaserver.org/shinder/



(in reply to jmunyan)
Post #: 15
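
Added example (not part of the thread, and not ISA Server code): the failure mode described in the post above, where an SMTP command filter applies its command policy to message body lines. The sketch compares an inspector that ignores protocol state with one that tracks the DATA phase. The blocked-verb policy and the session are constructed for illustration, and command pipelining is assumed not to be in use.

```python
BLOCKED_VERBS = {"VRFY", "EXPN", "TURN"}  # hypothetical policy, not ISA's rule set

# Constructed session: ("S", line) is the server, ("C", line) is the client.
SAMPLE_SESSION = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250 mail.example.test"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<bob@example.test>"),
    ("S", "250 OK"),
    ("C", "DATA"),
    ("S", "354 Start mail input"),
    ("C", "Subject: address check"),
    ("C", ""),
    ("C", "VRFY the recipient list before forwarding this."),  # body text
    ("C", "..a dot-stuffed line is still body text"),
    ("C", "."),                                                # end of data
    ("S", "250 OK queued"),
    ("C", "VRFY postmaster"),                                  # a real command
    ("S", "252 Cannot VRFY user"),
    ("C", "QUIT"),
]


def verb_of(line):
    """First space-delimited token of a client line, upper-cased."""
    return line.split(" ", 1)[0].upper()


def naive_inspect(session):
    """Applies the command policy to every client line, message body included."""
    return [i for i, (who, line) in enumerate(session)
            if who == "C" and verb_of(line) in BLOCKED_VERBS]


def stateful_inspect(session):
    """Applies the command policy only while the client is sending commands."""
    hits, state = [], "COMMAND"
    for i, (who, line) in enumerate(session):
        if who == "S":
            if state == "DATA_PENDING":
                # Only a 354 reply switches the client into the message body.
                state = "BODY" if line.startswith("354") else "COMMAND"
            continue
        if state == "BODY":
            if line == ".":  # a lone dot ends the body; "..x" is dot-stuffed text
                state = "COMMAND"
            continue
        if verb_of(line) in BLOCKED_VERBS:
            hits.append(i)
        elif verb_of(line) == "DATA":
            state = "DATA_PENDING"
    return hits


if __name__ == "__main__":
    print("naive flags lines:   ", naive_inspect(SAMPLE_SESSION))
    print("stateful flags lines:", stateful_inspect(SAMPLE_SESSION))
```

The indexes returned are positions in the session list; the naive inspector reports the body line as well as the real command, while the stateful one reports only the command sent after the end of data.
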
RE: Does SP1 Correct Problems you Are having? Give fee... - 18.Jan.2002 11:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi X,

Just restart the Firewall service to allow DNS queries to work again.

HTH,
Tom

quote:
Originally posted by Xuser:
I used Eudora on my PC and now it won't send any mail at all. This happened after I installed SP1 and the Firewall Client. Geezzz...talk about fixing a problem and creating a new one ;-(

------------------
Thomas W Shinder
------------------
http://www.isaserver.org/shinder/



(in reply to jmunyan)
Post #: 16
RE: Does SP1 Correct Problems you Are having? Give fee... - 19.Jan.2002 12:38:00 AM   
Doc

 

Posts: 34
Joined: 10.Nov.2001
From: UK - West London
Status: offline
Didn't fix anything but instead broke my FTP server on the ISA server itself, doesn't accept PASV connections now unless I disable IP routing.

(in reply to jmunyan)
Post #: 17
RE: Does SP1 Correct Problems you Are having? Give fee... - 19.Jan.2002 2:02:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Doc,

That's not a bug, that's a security feature. It's reminding you that it's very poor security practice to put an FTP server on your firewall. I don't think PIX firewalls have built in public FTP servers, do they?

HTH,
Tom

------------------
Thomas W Shinder
------------------
http://www.isaserver.org/shinder/



(in reply to jmunyan)
Post #: 18
RE: Does SP1 Correct Problems you Are having? Give fee... - 19.Jan.2002 2:51:00 AM   
Doc

 

Posts: 34
Joined: 10.Nov.2001
From: UK - West London
Status: offline
quote:
Originally posted by tshinder:
Hi Doc,

That's not a bug, that's a security feature. It's reminding you that it's very poor security practice to put an FTP server on your firewall. I don't think PIX firewalls have built in public FTP servers, do they?

HTH,
Tom


Good point.

But it was working before I applied SP1, strange.

[This message has been edited by Doc (edited 19 January 2002).]


(in reply to jmunyan)
Post #: 19
RE: Does SP1 Correct Problems you Are having? Give fee... - 21.Jan.2002 5:51:00 PM   
modjo_matt

 

Posts: 7
Joined: 30.Aug.2001
From: Barcelona, Spain
Status: offline
I installed SP1 5 days ago. Since then I have had a lot of reports from people trying to mail my domain that their mail is being returned. The error message looks like this:

SMTP error from remote mailer after end of data:
host host.domain.com [ip address]: 500 5.3.3 Unrecognized command


Is this ISA or is this Exchange??


(in reply to jmunyan)
Post #: 20
