Appears that our ISA 2k4 setup may almost be close to completion. Here is the setup:
External NIC = 220.127.116.11 /26
Internal NIC = 18.104.22.168 /26
Clients NIC = 192.168.125.100 /24
Every NIC for ISA is on its own network; we have put the client workstations on the 'Client network' and the servers on the 'internal network'. So far traffic/policy is working pleasureful between the internal/external/client networks.
Except that when client workstations broadcast what I believe is a name query to 192.168.125.255, ISA denies the connection (port 138) with a result code of:
What then happens is when viewing a file such as a .doc that is stored on a network file server, the connection is lost (ISA produces the 0xc0040014 code) and Word asks the user to reconnect to the server or exit.
So, I created a Lmhosts file for workstations that #PRE and #DOM the fileservers and also has \0x1b \0x1d entries for a DC.
The workstations still wanted to broadcast (bypassing lmhosts file?) but nbtstat -c shows that indeed the lmhosts file is being parsed correctly (determined by life -1).
Finally, would someone be kind to let me know how ISA can allow the 192.168.125.255 broadcast traffic? I'm going to regedit ISA to enable it as a WINS Proxy to see if that helps. In the meantime, thank you for your time!
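Added example, not part of the original posts: a small Python check for the LMHOSTS conventions the post relies on (#PRE, #DOM:<domain>, and quoted names padded so that the name plus its \0x1b or \0x1d suffix is 16 characters). The host names, domain and 192.0.2.x addresses are constructed placeholders, and `check_lmhosts` is a hypothetical helper name.

```python
import re

# Added example: checks the LMHOSTS conventions mentioned in the post
# (#PRE, #DOM:<domain>, quoted 16-character names ending in \0x1b or \0x1d).
ENTRY = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s+("[^"]*"|\S+)\s*(.*)$')
HEX = re.compile(r'\\0x[0-9a-fA-F]{2}')
TAG = re.compile(r'#(\w+)(?::(\S+))?')

def check_lmhosts(text):
    """Return (line_number, message) for each entry that looks malformed."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank, comment, or directive-only line
        m = ENTRY.match(line)
        if not m:
            findings.append((n, 'unparseable entry'))
            continue
        name, tags = m.group(2), m.group(3)
        inner = name.strip('"')
        if HEX.search(inner):
            # A \0xNN escape is the 16th byte: the name must be quoted and
            # space-padded so that name plus escape is exactly 16 characters.
            length = len(HEX.sub('?', inner))
            if not name.startswith('"'):
                findings.append((n, 'name with \\0xNN escape is not quoted'))
            elif length != 16:
                findings.append((n, 'quoted name is %d characters, expected 16' % length))
        elif len(inner) > 15:
            findings.append((n, 'name longer than 15 characters'))
        for keyword, value in TAG.findall(tags):
            if keyword == 'DOM' and not value:
                findings.append((n, '#DOM tag has no domain name'))
    return findings

# Constructed sample; hosts, domain and addresses are placeholders.
SAMPLE = '\n'.join([
    '192.0.2.10  FILESRV1  #PRE #DOM:EXAMPLE',
    '192.0.2.20  "%-15s\\0x1b"  #PRE' % 'EXAMPLE',   # padded correctly
    '192.0.2.20  "EXAMPLE \\0x1d"  #PRE',             # padding missing
    '192.0.2.30  DC1  #PRE #DOM',                      # domain missing
])

if __name__ == '__main__':
    for lineno, message in check_lmhosts(SAMPLE):
        print('line %d: %s' % (lineno, message))
```

A clean result only means the entries are well formed; `nbtstat -c` on the workstation still shows whether they were actually preloaded.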
when clients 192.168.x.x. are accessing internal 128.208.125.x
However by changing the broadcast address in the registry to 22.214.171.124, ISA passes the broadcasts and the client workstations appear to hold their connections to MS Word documents longer. Originally was timing out ~5 seconds to 5 minutes. Now seems to time out more often when saving, rather than just during typing, or viewing of the file.
I'm now going to try editing keepalivetime & sessionkeepalive time in the registry on client workstations to see if it will keep communications with ISA (when MS Word/documents are open) active.
quote: Originally posted by tshinder:
Why not just disable NetBIOS on the clients and use DNS? Or how about just using a WINS server to get rid of the broadcasts, and finally, disable the dreaded browser service on all hosts.
Hello, yes disabling NetBIOS on the clients also appears to work, however a machine we connect to via trust is still on NT 4.0, so traffic to that machine isn't able to only use port 445.
Browser service is already disabled on client workstations, WINS server already in place as well.
Lex, thanks a lot for your link! So far looks good, I'll relay a little more when a few more tests are run.