Question

Connecting to Website through ISA is very slow

Asked by: Delthrox

Hello Everyone,

At our company's network connecting to a website is extremely slow. It can take up to 30 seconds before he connects to the website. After that the speeds are good.

I suspect it is the ISA server causing this. We don't have anything special configurated in the ISA. Only the standard rulings + OWA.

I hope someone has an idea what could be causing this.

Thnx in advance

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-08-23 at 23:28:57ID24675714
Tags

isa

,

website

,

speed

,

slow

Topics

Windows Network Security

,

MS Forefront-ISA

,

Network Software Firewalls

Participating Experts
2
Points
50
Comments
10

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. ISA to anything
    i am working at a laboratory right now, where we use expensive instruments that are hooked up to computers. They are old enough that they use ISA cards. Recently, we purchases a lot of new computers, and we want to hook up the instruments to the new computers. There are pci c...
  2. OWA and Isa-server on same SBS200-computer
    I have a server running SBS2000. On this same server I am running ISA2000 and Exchange2000. ISA is listening on port 80, IIS on a different port. All my websites are redirected through ISA through Destionation-sets and Web Publishing Rules. This all works fine. Now I have do...
  3. OWA Behind ISA problem
    I run Exchange 2000 and OWA on the same server. I run ISA 2000 on a seperate server and publish OWA thru web publishing rule (the destination set directs all OWA traffic to the Exchange server). It works fine for over a year. The last couple of weeks a problem has been o...
  4. Limiting OWA Access With ISA
    Hi Everybody, We have an Exchange 2003 environment that has been in place for a little over a month now. We are still actively migrating users from our Domino 5 server. Our next batch of migrations includes users that have no permanent desks. Currently, when we have finishe...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: keith_alabasterPosted on 2009-08-23 at 23:31:30ID: 25165966

provide the outputs of an ipconfig /all from the ISA server please

 

by: wiscomPosted on 2009-08-23 at 23:42:39ID: 25166004

Hi,

Check your DNS settings. If possible change with other servers to see it's going better ....

A/

 

by: DelthroxPosted on 2009-08-23 at 23:48:18ID: 25166026

Here are the outputs of the ipconfig /all:


Windows IP-configuratie

   Hostnaam  . . . . . . . . . . . . : SSLISA01
   Primair DNS-achtervoegsel. . . . .: schoollyndensteyn.local
   Knooppunttype: . . . . . . . . . .: onbekend
   IP-routering ingeschakeld. . . . .: ja
   WINS-proxy ingeschakeld . . . . . : nee
   DNS-achtervoegselzoeklijst. . . . : schoollyndensteyn.local

Ethernet-adapter LAN-verbinding:

   Verbindingsspec. DNS-achtervoegsel:
   Beschrijving . . . . . . . . . . .: HP NC320i PCIe Gigabit Server Adapter
   Fysiek adres. . . . . . . . . . . : 00-1A-4B-0B-22-50
   DHCP ingeschakeld:. . . . . . . . : nee
   IP-adres. . . . . . . . . . . . . : 192.168.100.1
   Subnetmasker. . . . . . . . . . . : 255.255.255.0
   Standaard-gateway . . . . . . . . :
   DNS-servers . . . . . . . . . . . : 192.168.100.10

Ethernet-adapter LAN-verbinding 2:

   Verbindingsspec. DNS-achtervoegsel:
   Beschrijving . . . . . . . . . . .: HP NC320T PCIe Gigabit Server Adapter
   Fysiek adres. . . . . . . . . . . : 00-19-BB-CE-97-C0
   DHCP ingeschakeld:. . . . . . . . : nee
   IP-adres. . . . . . . . . . . . . : 10.0.0.152
   Subnetmasker. . . . . . . . . . . : 255.255.255.0
   Standaard-gateway . . . . . . . . : 10.0.0.138
   DNS-servers . . . . . . . . . . . : 194.104.6.66
                                       194.104.9.99

 

by: DelthroxPosted on 2009-08-23 at 23:51:15ID: 25166040

I also just noticed that everyone shows up anonymous in the logs of the isa. Could this have something to do with it??

 

by: keith_alabasterPosted on 2009-08-24 at 09:04:21ID: 25169682

Unfortunately I have to be at work during the day time so could not get back to this since my initial post this morning. Your config is completely incorrect for an ISA server setup. ISA should have no knowledge about ISP dns settings for example.

This gives me a problem - You have now accepted an answer in my zone that, whilst working for you, has an answer that is completely against best-practice,  against the setup and help guides provided for ISA, and would be the wrong solution to provide to any other person who asks a similar question and future and finds this post.

Keith ISA MVP

 

by: keith_alabasterPosted on 2009-08-24 at 11:00:49ID: 25170725

Will do :)

 

by: keith_alabasterPosted on 2009-08-24 at 11:08:53ID: 25170803

Delthrox,

ISA should not know about the external DNS - the main reasoning behind this being that ISA will then not be open to poisoned DNS injection and other such attacks. A second reason is based upon the publishing of internal services to the internet - this can cause a real issue unless you have split-brain dns implementations.

The ISA external NIC should either have NO dns entry in it all all OR should have the same inrternal DNS entry as the ones you have placed on the internal ISA nic. This forces ISA to use the same DNS resolvers as all your internal servers and clients ensuring consistency.

The ISP's (or any other public DNS service provider you want to use) should be set within the forwarders tab of your internal DNS servers - you can find this in the DNS mmc snap-in under administrative tools. it is worth being aware of this for all of your internal servers and clients also - none of these should have ANY reference to external DNS ip addresses. this approach makes sure that all servers and clients look to your dns servers first. If they cannot resolve the name then they contact the ip addresses set in the forwarders tab.

This approach also supports the different controls required when you have published services that you make available for both internal and external users.

Keith

 

by: DelthroxPosted on 2009-08-25 at 01:51:47ID: 31619748

Thank you for posting this response. I should have listened to you instead of him :( :$.

I have corrected my mistake and everything is working great.

 

by: keith_alabasterPosted on 2009-08-25 at 05:34:33ID: 25176797

You are welcome. Please note that the previous suggestions you were given are absolutely fine and bang on the button - except when ISA Server is involved, and then everything changes.

Finally, the reason why you see Anonymous is because this is by design.
If you have used the All Users authentication policy then you are stating that you do not care who uses that rule and that anyone is 'authorised' for it. ISA sees this and decides that if YOU do not care, then it doesn't either and so logs the source IP address and the user as anonymous.

If you have elected to use authenticated users only or an AD group then it is slightly different. For example, you - as a user - decide to access a web site through your browser. ISA receives the request, checks its rules and decides it is allowed. At this point, ISA sees this as an anonymous request from a source IP address and writes an anonymous log entry. ISA also sees that the rule is ONLY allowed by an AD group, for example. ISA now sends a request back to you asking for your credentials. Your web browser responds, ISA checks the cerdentials and then either allows or denies the request as per the AD group membership list. This time, ISA will write a second log entry with the users credentials rather than anonymous.

it is worth being aware of this as it is another key area. It is also why FTP clients often fail when using ISA. For example, a web browser has the capability of passing, upon request, the users credentials. An FTP client does NOT and so will work fine when the All Users (anonymous) access is used. However, if you use the AD group approach described above, it will fail because when ISA asks you for your credentials the ftp client will not know how to respond.

The way around this is to use the ISA Firewall Client. This acts as a wrapper, for want of a better expression, around the ftp client and other simialr sorts of 'dumb' apps. The ISA firewall client 'listens' for credential requests from the ISA Server and sends them back to ISA on behalf of the FTP or like-minded application.

This is one of the main reasons why we tend to put different requirements etc into their own rules ie one rule for outbound http, another for outbound smtp, another for DNS etc. It allows the granular control of which rules use All Users (personally I NEVER use that option) and which need AD or selective access to be granted.

I know this sounds like a diatribe but is core knowledge if you are going to get any more than about 10% return on investment from the ISA product. There is very little it cannot do once you know and understand the product.

Keith - ISA MVP

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...