I have SBS2003 R2 with ISA2004
One website timesout trying to connect.
dns is correct and resolves properly.
From outside the lan I can connect fine.
From inside the LAN in I get the 10060 error from the SBS and all Workstations.
In ISA firewall HTTP protocol parameters I unchecked the Web Proxy with no change.
In IE I have allowed the site to bypass proxy. no change
In IE I disabled proxy with no change.
The site im trying to connect to opens a couple popups for auth. I have gotten as far as sporadically the main page will load but then the auth popups all get the 10060 error.
I do notice that the site is a bitt sluggish and seems to be javascripty.
But regardless. I need to figure out how to get it working through ISA short of yanking ISA out for a real firewall.
site is
http://login.greystonecs.c
The only thing I have noticed is that the site is a 12.x.x.x and the SBS is also in 12.x.x.x
There are no outbound blocking rules enabled on the SBS.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Hello,
Open ISA management console, go the configuration node, then to the general node, click Define HTTP Compression Pereferences, and uncheck the enabled box, then make sure that your web proxy filter on the HTTP Protocol in unchecked
Apply the settings and wait 2 minutes and then things should work fine :)
i bet it is a dns issue. try to open the page with the local ip address instead of the name. if you do nslookup you would find out that it is resolved with the outside ip address instead of the local one. i'm using cisco firewall and there is an option dns doctoring. for isa i haven't clue how to fix that but there should be an option.
on the settings tab nothing is defined.
on content types compress the selected is checked and none of the content types are checked
on content inspection Decompress incoming packets IS checked.
I unchecked and applied the settings but I dont think thats the one you meant.
Any other ideas?
The web proxy fiter has been unchecked from HTTP protocol parameters.
Hitting the IP 12.49.224.50
gets me closer. The main page has colors and the first popup actually loads the little globe icon.
However it immediately redirects to the real address and then just sits loading.
no failures in the monitoring yet, and no timeout yet.
heres the nslookup
C:\Documents and Settings\Administrator>nslo
Default Server: arcoasbs.arcoa.lan
Address: 192.168.16.1
> login.greystonecs.com
Server: arcoasbs.arcoa.lan
Address: 192.168.16.1
Non-authoritative answer:
Name: login1.greystonecs.com
Addresses: 12.49.224.50, 69.26.213.20
Aliases: login.greystonecs.com
>
i think I did:
From:
"Open ISA management console, go the configuration node, then to the general node, click Define HTTP Compression Pereferences, and uncheck the enabled box"
I got to uncheck the enabled box but dont see any boxes for enable/disable.
this is what I see
my response to your post:
on the settings tab nothing is defined.
on content types compress the selected is checked and none of the content types are checked
on content inspection Decompress incoming packets IS checked.
I unchecked and applied the settings but I dont think thats the one you meant.
See attached
ISA Compression
ah
you are on ISA2006
ISA2004 doesnt have that option:
screeny
but it "looks" to be disabled as no content types are being compressed afaik
any other ideas?
screeny2
Found this but it didnt enable the ption.
Ill restart the firewall and see if that kicks it.
It turns out that the Web Proxy Filter must be enabled for the HTTP protocol. Without this enabled, you loose the HTTP filter configuration menu. If you dont want to enable the Web Proxy filter, as it may not work well with some sites, enable it temporarily, change the HTTP filter setting and then disable it. The HTTP filter settings will still remain active. Problem solved.
see attached
screen2
screen
Forget disabling the HTTP Filter.
There are a whole lot more things that require it be there, then things that don't work with it.
It probably is not the problem anyway
Most likely it is the Compression Filter,..disable it at MMC-->Servername-->Configura
If you want HTTP without the Filter create a new Protocol for port 80 and then don't add the Filter to it. Create a new Access Rule for just this one site. After that you have to do this....
Why do I need a deny rule to make an allow rule for a custom protocol work correctly?
http://blogs.tec
In the end the problem is in the lousey "developers-gone-crazy" design of the site. I cannot get to it with mine either. There is some kind of problem with the scripting and componenets that they buried within the login pages. They probably designed them in such a way that they won't work properly from behind proxys,...but may work fine from behind NAT boxes.
Now, on to what is the final nail in the coffin.......
The only thing I have noticed is that the site is a 12.x.x.x and the SBS is also in 12.x.x.x
There are no outbound blocking rules enabled on the SBS.
You can run public IP Ranges on your LAN that you do not own. This is a perfect example. If you run the same range on your LAN that they use, you are screwed,...just plain screwed,...ain't never gonna work. If you were using proper a RFC Private address range on your LAN then you could never have this problem.
its a 2 nic box.
the External IP of the SBS is in a 12 range like the website.
Internally its a 192.168.16.x
I already forgot about the http filter. ;) see the posts above. I was misunderstanding.
I disabled the compression filter with no change.
So that said do you think:
"If you want HTTP without the Filter create a new Protocol for port 80 and then don't add the Filter to it. Create a new Access Rule for just this one site. After that you have to do this...."
Is worth a try or do you have some other ideas?
In the end the problem is in the lousey "developers-gone-crazy" design of the site. I cannot get to it with mine either. There is some kind of problem with the scripting and componenets that they buried within the login pages. They probably designed them in such a way that they won't work properly from behind proxys,...but may work fine from behind NAT boxes.
thanks for that. I suspected as much. I had the client contact them.
However it annoys me that I cant set ISA to totally ignore this site so that even if less secure or crappy web coding I can access it.
If I can get to it from outside ISA I should be able to somehow config ISA to pass it.
I don't think the problem is with you
I don't think the solution is with you
The problem is with the site designers
The solution is with the site designers
As I said:.....
In the end the problem is in the lousey "developers-gone-crazy" design of the site. I cannot get to it with mine either. There is some kind of problem with the scripting and componenets that they buried within the login pages. They probably designed them in such a way that they won't work properly from behind proxys,...but may work fine from behind NAT boxes.
However it annoys me that I cant set ISA to totally ignore this site so that even if less secure or crappy web coding I can access it.
How would you get to the site through the ISA if the ISA ignores the site? Of couse the ISA has to pay attention to it,...ISA is your means to get there.
You could try the custom HTTP protocol as I described,...but I doubt you will get anywhere with it. If you go down that path,..don't gloss over what I said about it, pay attention to the details I gave the the article link I gave.
fair enough ;)
just for giggles though.
What is ISA doing thats blocking it. If I can tell ISA to pass anything to/from that site without sniffing it, compressing it, proxying it etc it "should" get through I would think. Sure it has to pass through the ISA NICS and be routed (and DNS is on the same box).
Ill try the custom protocol after hours just to verify to myself that I've done all I can. My client is already aware that the problem is really at the webpage.
For this client its no problem to blame the website. Next client may be a harder sell to tell them no the website is broken when they can access it just fine from home. So although it may be broken and non standard it IS accessible by everyone that doesnt use ISA.
ISA is not blocking it!
The design of the site's login page components networking abilities is failing when run through a proxy. A failing connection and a blocked connection are two different things. It is like if your car's engine throws a rod through he side of the block,...the engine has failed,...it doesn't have anything to do with your ignition switch "blocking" you because it is or isn't the right key.
The site's page also have about three popup windows that a popup blocker can cause it to fail.
Here's something else to try. I am at home and can't verify this,...but make sure the Firewall Client is installed on your workstation,...then remove all the proxy setting from your browser and try it. Repeat this with Firefox without any proxy settings in firefox.
You could also try this as a SecureNAT Client instead of a Firewall Client,...but only if you rHTTP & HTTPS Access Rules are "anonymous".
Thanks for the explaination.
I tried FF with same results.
tried removeing proxy in IE.
Tried adding the site to the proxy pass list in IE.
I added the domain to popup blocker safe list as well.
Yea I like those 3 popups. wtf is that, lol.
My client sent them a nastygram. I guess they just updated that site specifically for my client and its worse than ever now.
I'm going to go ahead and close this with a split as ksalameh gave good answers as well.
Business Accounts
Answer for Membership
by: livegirllovePosted on 2009-09-24 at 00:42:59ID: 25410821
Failed Connection Attempt XXXXSBS 9/24/2009 12:39:57 AM
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)
Source: Local Host ( 192.168.16.1:0)
Destination: External ( 69.26.213.20:80)
Request: GET http://login.greystonecs.c
Filter information: Req ID: 19ec73a7
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Internet Processing time: 21344
Cache info: 0x0 MIME type: