Question

10060: Connection timeout only on one website

Asked by: livegirllove

I have SBS2003 R2 with ISA2004
One website timesout trying to connect.
dns is correct and resolves properly.  
From outside the lan I can connect fine.
From inside the LAN in I get the 10060 error from the SBS and all Workstations.
In ISA firewall HTTP protocol parameters I unchecked the Web Proxy with no change.
In IE I have allowed the site to bypass proxy.  no change
In IE I disabled proxy with no change.

The site im trying to connect to opens a couple popups for auth.  I have gotten as far as sporadically the main page will load but then the auth popups all get the 10060 error.  

I do notice that the site is a bitt sluggish and seems to be javascripty.

But regardless.  I need to figure out how to get it working through ISA short of yanking ISA out for a real firewall.
site is
http://login.greystonecs.com/arcashlink/login

The only thing I have noticed is that the site is a 12.x.x.x and the SBS is also in 12.x.x.x  
There are no outbound blocking rules enabled on the SBS.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-09-24 at 00:34:41ID24757552
Topics

MS Forefront-ISA

,

Networking Hardware Firewalls

Participating Experts
3
Points
500
Comments
32

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. ISA2004 install fails on new install of SBS2003
    Hi, I have just loaded up an oem copy of SBS2003 onto a newly built server. This is the latest release, so includes all SP1 patches and ISA2004. When I come to run the ISA 2004 server install from disk 7, the install fails part way through with the following message.... &q...
  2. FTP Read only behind ISA2004
    hi all, seem to be having trouble uploading files to an external FTP site from any client machine behind sbs2003 (isa2004) Can logon to ftp site read only even though i have removed ftp read only check box in ISA server access policy rules for both inbound and outbound access...
  3. Slow internet on SBS2003 and ISA2004
    I have been running ISA2004 on an SBS 2003 machine for some time now. ISA is set up for standard configurations based on the SBS install and all have been dandy for about a year now. Recently my internet started going very slowly. I first started to restart the modem in ca...
  4. Unable to send email, but can receive. SBS2003 ISA…
    SBS2003 SP2 ISA2004 SP3 I can receive emails but when i try to send email they never arrive?

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: livegirllovePosted on 2009-09-24 at 00:42:59ID: 25410821

Failed Connection Attempt XXXXSBS 9/24/2009 12:39:57 AM
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)
Source: Local Host ( 192.168.16.1:0)
Destination: External ( 69.26.213.20:80)
Request: GET http://login.greystonecs.com/arcashlink/login
Filter information: Req ID: 19ec73a7  
Protocol: http
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Internet Processing time: 21344
Cache info: 0x0 MIME type:  

 

by: ksalamehPosted on 2009-09-24 at 01:17:28ID: 25410991

Hello,

Open ISA management console, go the configuration node, then to the general node, click Define HTTP Compression Pereferences, and uncheck the enabled box, then make sure that your web proxy filter on the HTTP Protocol in unchecked
Apply the settings and wait 2 minutes and then things should work fine :)

 

by: egyptcoPosted on 2009-09-24 at 01:20:07ID: 25411010

i bet it is a dns issue. try to open the page with the local ip address instead of the name. if you do nslookup you would find out that it is resolved with the outside ip address instead of the local one. i'm using cisco firewall and there is an option dns doctoring. for isa i haven't clue how to fix that but there should be an option.

 

by: livegirllovePosted on 2009-09-24 at 01:24:39ID: 25411038

on the settings tab nothing is defined.

on content types compress the selected is checked and none of the content types are checked

on content inspection Decompress incoming packets IS checked.
I unchecked and applied the settings but I dont think thats the one you meant.

Any other ideas?
The web proxy fiter has been unchecked from HTTP protocol parameters.

 

by: livegirllovePosted on 2009-09-24 at 01:32:17ID: 25411086

Hitting the IP 12.49.224.50
gets me closer.  The main page has colors and the first popup actually loads the little globe icon.
However it immediately redirects to the real address and then just sits loading.
no failures in the monitoring yet, and no timeout yet.

heres the nslookup

C:\Documents and Settings\Administrator>nslookup
Default Server:  arcoasbs.arcoa.lan
Address:  192.168.16.1

> login.greystonecs.com
Server:  arcoasbs.arcoa.lan
Address:  192.168.16.1

Non-authoritative answer:
Name:    login1.greystonecs.com
Addresses:  12.49.224.50, 69.26.213.20
Aliases:  login.greystonecs.com

>

 

by: ksalamehPosted on 2009-09-24 at 01:53:12ID: 25411165

Did you try my solution ?
the issue is not with DNS, i have the same issue here and it was solved by doing my solution above

 

by: livegirllovePosted on 2009-09-24 at 01:55:31ID: 25411178

i think I did:

From:
"Open ISA management console, go the configuration node, then to the general node, click Define HTTP Compression Pereferences, and uncheck the enabled box"
I got to uncheck the enabled box but dont see any boxes for enable/disable.
this is what I see

my response to your post:
on the settings tab nothing is defined.

on content types compress the selected is checked and none of the content types are checked

on content inspection Decompress incoming packets IS checked.
I unchecked and applied the settings but I dont think thats the one you meant.

 

by: ksalamehPosted on 2009-09-24 at 01:55:55ID: 25411179

See attached

 

by: ksalamehPosted on 2009-09-24 at 01:57:04ID: 25411181

Wait 2 minutes after applying and try and it will work

 

by: livegirllovePosted on 2009-09-24 at 02:01:28ID: 25411208

ah
you are on ISA2006
ISA2004 doesnt have that option:

 

by: livegirllovePosted on 2009-09-24 at 02:02:59ID: 25411213

but it "looks" to be disabled as no content types are being compressed afaik
any other ideas?

 

by: ksalamehPosted on 2009-09-24 at 02:13:44ID: 25411270

Hi,

Sorry, my bad
go to the add-in page on the left, click on the compression filter, properties, and uncheck the enabled box, then apply and restart the firewall service.

Thanks!

 

by: livegirllovePosted on 2009-09-24 at 02:16:21ID: 25411286

its greyed out?

 

by: livegirllovePosted on 2009-09-24 at 02:19:18ID: 25411299

Found this but it didnt enable the ption.
Ill restart the firewall and see if that kicks it.

It turns out that the Web Proxy Filter must be enabled for the HTTP protocol. Without this enabled, you loose the HTTP filter configuration menu. If you dont want to enable the Web Proxy filter, as it may not work well with some sites, enable it temporarily, change the HTTP filter setting and then disable it. The HTTP filter settings will still remain active. Problem solved.

 

by: ksalamehPosted on 2009-09-24 at 02:21:49ID: 25411311

I thought you know that :) sorry,
Once you deactivate the Web Proxy Filter, all your settings applied to HTTP Traffic are gone, unfortunately.

 

by: livegirllovePosted on 2009-09-24 at 02:24:14ID: 25411323

i reenabled the web proxy filter on http protocol.
restarted firewall service and ISA services.
Option is still greyed out under add-ins.
Should I reboot or is there some other way to make the option accessible?

 

by: livegirllovePosted on 2009-09-24 at 02:25:42ID: 25411327

see attached

 

by: ksalamehPosted on 2009-09-24 at 02:37:06ID: 25411380

You can't disable the HTTP filter from the add-ins page, i want you to disable the compression filter from the add-ins page.
As for the HTTP Filter, uncheck the checkbox in the first image you sent (not the one greyed out)

The site should work after that.

regards,
Khaled

 

by: livegirllovePosted on 2009-09-24 at 02:50:32ID: 25411437

ah man, sorry.  2:30AM ;)
made the requested changes.  From a workstation the main pages loads but I get the same ISA message on the first popup.  Im going to reboot the server and the workstation and retest.

 

by: livegirllovePosted on 2009-09-24 at 03:18:07ID: 25411585

no change after reboot :(  I did test the site from 2 other SBS with ISA2004 and they have the same issue with the website so its not just this server.  

 

by: pwindellPosted on 2009-09-24 at 14:27:59ID: 25418148

Forget disabling the HTTP Filter.  
There are a whole lot more things that require it be there, then things that don't work with it.
It probably is not the problem anyway
Most likely it is the Compression Filter,..disable it at  MMC-->Servername-->Configuration--->Add-ins-->Web Filters-->Compressions Filter.  

If you want HTTP without the Filter create a new Protocol for port 80 and then don't add the Filter to it.  Create a new Access Rule for just this one site.  After that you have to do this....

Why do I need a deny rule to make an allow rule for a custom protocol work correctly?
http://blogs.technet.com/isablog/archive/2006/09/25/why-do-i-need-a-deny-rule-to-make-an-allow-rule-for-a-custom-protocol-work-correctly.aspx

In the end the problem is in the lousey "developers-gone-crazy" design of the site.  I cannot get to it with mine either.  There is some kind of problem with the scripting and componenets that they buried within the login pages.  They probably designed them in such a way that they won't work properly from behind proxys,...but may work fine from behind NAT boxes.

Now, on to what is the final nail in the coffin.......

The only thing I have noticed is that the site is a 12.x.x.x and the SBS is also in 12.x.x.x  
There are no outbound blocking rules enabled on the SBS.

You can run public IP Ranges on your LAN that you do not own.  This is a perfect example.  If you run the same range on your LAN that they use, you are screwed,...just plain screwed,...ain't never gonna work.  If you were using proper a RFC Private  address range on your LAN then you could never have this problem.


 

 

by: livegirllovePosted on 2009-09-24 at 14:32:38ID: 25418196

its a 2 nic box.
the External IP of the SBS is in a 12 range like the website.
Internally its a 192.168.16.x

I already forgot about the http filter. ;)  see the posts above.  I was misunderstanding.

I disabled the compression filter with no change.

So that said do you think:

 "If you want HTTP without the Filter create a new Protocol for port 80 and then don't add the Filter to it.  Create a new Access Rule for just this one site.  After that you have to do this...."

Is worth a try or do you have some other ideas?

 

by: livegirllovePosted on 2009-09-24 at 14:39:07ID: 25418271

In the end the problem is in the lousey "developers-gone-crazy" design of the site.  I cannot get to it with mine either.  There is some kind of problem with the scripting and componenets that they buried within the login pages.  They probably designed them in such a way that they won't work properly from behind proxys,...but may work fine from behind NAT boxes.

thanks for that.  I suspected as much.  I had the client contact them.

However it annoys me that I cant set ISA to totally ignore this site so that even if less secure or crappy web coding I can access it.

If I can get to it from outside ISA I should be able to somehow config ISA to pass it.

 

by: pwindellPosted on 2009-09-24 at 14:39:30ID: 25418277

I don't think the problem is with you

I don't think the solution is with you

The problem is with the site designers

The solution is with the site designers

As I said:.....

In the end the problem is in the lousey "developers-gone-crazy" design of the site.  I cannot get to it with mine either.  There is some kind of problem with the scripting and componenets that they buried within the login pages.  They probably designed them in such a way that they won't work properly from behind proxys,...but may work fine from behind NAT boxes.

 

by: pwindellPosted on 2009-09-24 at 14:44:37ID: 25418327

However it annoys me that I cant set ISA to totally ignore this site so that even if less secure or crappy web coding I can access it.

How would you get to the site through the ISA if the ISA ignores the site?  Of couse the ISA has to pay attention to it,...ISA is your means to get there.

You could try the custom HTTP protocol as I described,...but I doubt you will get anywhere with it.  If you go down that path,..don't gloss over what I said about it, pay attention to the details I gave the the article link I gave.

 

by: livegirllovePosted on 2009-09-24 at 14:50:06ID: 25418363

fair enough ;)

just for giggles though.

What is ISA doing thats blocking it.  If I can tell ISA to pass anything to/from that site without sniffing it, compressing it, proxying it etc it "should" get through I would think.  Sure it has to pass through the ISA NICS and be routed (and DNS is on the same box).

Ill try the custom protocol after hours just to verify to myself that I've done all I can.  My client is already aware that the problem is really at the webpage.

For this client its no problem to blame the website.  Next client may be a harder sell to tell them no the website is broken when they can access it just fine from home.  So although it may be broken and non standard it IS accessible by everyone that doesnt use ISA.  

 

by: pwindellPosted on 2009-09-24 at 15:37:37ID: 25418660

ISA is not blocking it!

The design of the site's login page components networking abilities is failing when run through a proxy. A failing connection and a blocked connection are two different things.  It is like if your car's engine throws a rod through he side of the block,...the engine has failed,...it doesn't have anything to do with your ignition switch "blocking" you because it is or isn't the right key.

The site's page also have about three popup windows that a popup blocker can cause it to fail.

Here's something else to try.  I am at home and can't verify this,...but make sure the Firewall Client is installed on your workstation,...then remove all the proxy setting from your browser and try it.   Repeat this with Firefox without any proxy settings in firefox.

You could also try this as a SecureNAT Client instead of a Firewall Client,...but only if you rHTTP &  HTTPS Access Rules are "anonymous".

 

 

by: livegirllovePosted on 2009-09-24 at 15:49:15ID: 25418727

Thanks for the explaination.
I tried FF with same results.
tried removeing proxy in IE.  
Tried adding the site to the proxy pass list in IE.
I added the domain to popup blocker safe list as well.
Yea I like those 3 popups.  wtf is that, lol.
My client sent them a nastygram.  I guess they just updated that site specifically for my client and its worse than ever now.
I'm going to go ahead and close this with a split as ksalameh gave good answers as well.

 

by: pwindellPosted on 2009-09-24 at 17:23:36ID: 25419245

Ok, sounds good. Good luck with things!

Did you try FF with all proxy settings removed?

One last thing to try in IE is to put the site domain *.greystonecs.com in the Intranet Zone.  That is Intranet, not Internet.  I suppose that is my last thought on it, I'm out of ideas.

 

by: livegirllovePosted on 2009-09-24 at 17:25:57ID: 25419263

yup tried FF with no proxy settings.
Ill try it in the internet zone.  currently its in trusted.
np, thanks for the ideas.

 

by: pwindellPosted on 2009-09-24 at 18:14:52ID: 25419461

Not internet,...intranet zone.   You have to click the Advanced Button in that Zone to add a site.  Add it exactly as I spelled the domain, including the star

 

by: livegirllovePosted on 2009-09-24 at 18:16:19ID: 25419469

i got it.  I cant type and think at the same time ;)

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...