ISA 2000 is blocking downloading manual patches

I need to be able to download manual patches (olk1004.exe). I get the error on the page:

The Web site cannot be found.....due to its identification configuration settings

This error indicates that the gateway could not find the IP address of the Web site you are trying to access.

ISA Server: server-name.domainname.ext

I assume I have a rule or something stopping it.  I have stopped the http 1.1 through the proxy.

We do have the server set as a proxy using 8080.  The client is installed.  Using DHCP.

Any help would be greatly appreciated.  Thanks.


I'm sorry, I moved this to Security.
Bembi (CEO) Commented:
OK, great.

Can you resolve names from your client using nslookup?
Do you have any software (firewall client or web client from ISA) installed on your clients?
mporter05Author Commented:
Yes, I can resolve names, pings, etc.  The ISA firewall client is installed on the workstations.  I do get the same error when I disable the client firewall though.

In general, I would not use any ISA client, if you do not have reasons for that. With Secure-NAT (no software), you have the greatest flexibility. Disabling Firewall client will not really do the same as uninstalling!!

Nevertheless, check what you have set within your site and content rule on ISA. There you can block or allow exe files (Http-Content tab / applications).
A second option is that you have used the URL lock down tool (on W2K). If you have installed MS SUS Server, the Lock-Down tool (URLScan) is installed automatically. This tool may also be responsible for blocking out exe files (and a lot more extensions).
Also check your ISA folder content types, where the definitions for e.g. "application" file types are. If you use a site and content rule which allows everything, this does not automatically mean that really everything is allowed; only defined policy objects are allowed in that case (like the definitions within the content groups or the protocol definitions).

.....due to its identification configuration settings
points me to the content group definitions... / site and content rules

mporter05Author Commented:
The Site and content Rules are set to no restrictions.  That was the first thing I thought of.  Out of despair, I removed the others and set it to allow anyone to do anything anytime.  Not good, but...didn't solve the problem.

Have you installed Microsoft Software Update Service?
Have you checked the content of the folder policy object - content groups - group "applications"? On the tab content-types should be the extension ".exe" within the list.
mporter05Author Commented:
Hi!  SUS has never been installed.  We use SMS 2003.  It is installed on another Win 2003 server.  The .exe ext. is in the Application content group.  I have noticed that I was able to download Sun's Java Runtime environment, but I still can't download any of MS's stuff.  Maybe that provides a clue.  I've gone through ISA, I have nothing specific to MS.  I did have MS listed in the Trusted Sites in IE.  I removed them, it made no difference.  I see nothing else that delineates MS from any other downloadable source.

I'm stumped.  Are you?

Thanks for your help.
Some more ideas.

First, try whether you can download other exe files, from Microsoft or from other vendors, to verify that this usually works on your machine. You usually get a dialog to open or download; if you get this dialog, everything should be OK. Make sure the target is .EXE, not .MSI. Try this with several different targets.

If this works in most cases with other vendors but not with microsoft, then there is either a routing problem with the download server of MS, nothing to do with ISA as long as you have not set some routing rules within ISA, which may redirect requests to MS.

Also take notice of your external connection. Within Internet Explorer, you can set "Passive FTP", which may be helpful if you have a DSL line.

download.microsoft.com is an alias name for a server farm. Go to the dos console and type nslookup Try to use one of the IP addresses within your link instead of the name to check, if this has something to do with one of the names.

Routing issues in mind, try to ping and also try tracert Also try to download with a SecureNat Client (without any software) to bypass ISA or the ISA machine itself.

Another option are local or group policy settings within your domain. If you have a clean client, try to do the same from there. Otherwise try, if you have the same result, if you try to download from another client or from one of the servers.
I guess there's nothing wrong with your ISA, it's Microsoft's download link in US that has something wrong with it.

Try it from this other link:

Try it also from this site and choose the  olk1004.exe  :
mporter05Author Commented:
The first link didn't work, same ISA error.  The 2nd link would work, but the difference was I'm assuming some FTP type download.  I didn't do it because it looked suspicious.  What was the difference between the two sites?
mporter05Author Commented:
When I did nslookup, it returned my internalserver info and ip address, then timed out.  The same thing happens when I ping and tracert to microsoft.  I heard that MS stopped people from doing that though.

I can ping some places but not all, some do timeout.

For some reason, we can't bring up either.  It gives the same ISA error we get with microsoft.

Is there a way to easily remove (backup isa first) all settings, and start over?
This sounds like problems with your name resolution. I can ping, tracert, nslookup these addresses without any errors. Also I can retrieve the file from the link above (through my ISA).

Please check your system against the following usual configuration:

Server ISA:
Internal NIC:
- Internal IP Address, Mask, no gateway address
- points to internal WINS and DNS, TCPIP over NetBios active
External NIC:
- External (or dedicated IP range for ISA -- Router connection) IP Address, Mask
- Internal DNS, no WINS, TCPIP over NetBios not active

Common Settings
- The Gateway address (default gateway) can be set on one of the NICs, within a RRAS static route or by setting a static route with the route command. There can be only one default gateway
- The internal DNS is configured with forwarders, which are pointing to external DNS servers (usually of your provider). DNS can be ISA server

- Internal IP Address, Mask, default gateway points to ISA
- points to internal WINS and DNS, TCPIP over NetBios active

ISA configuration (affecting routing)
- Internal address range must be set within LAT, domain within LDT
- ISA must resolve names (DNS port 53) - check with nslookup, otherwise make sure you have packet filters for name resolution.
- DNS (if not ISA) must be able to resolve names.

What sometimes may be an issue is the ISA cache. Just clear it.
mporter05Author Commented:
I'm pretty sure my nics are set properly.  I've gone thru those so many times.

My internal ip is, sub of, nada in gateway, dns is
my wan nic is,, (gateway, router address), dns=

The LAT looks fine.  The LDT shows *.mydomain.local.  Is that correct?

There is a packet filter called SBS DNSLookupPreDefined that uses port 53.

Should the LDT show the FQDN of my server or ip?
Are you able to hit the Web site in question from the ISA Box?   Is it only the internal clients that fail?  

If your ISA box can't find the site, use the following command from a DOS prompt:

You should get this (or something similar)
Pinging [] with 32 bytes of data:

Reply from bytes=32 time=50ms TTL=244
Reply from bytes=32 time=51ms TTL=244
Reply from bytes=32 time=60ms TTL=244
Reply from bytes=32 time=50ms TTL=244

If you get this:
Unknown host

Then your DNS is not working.   That means your ISA server cannot resolve the name.  Check the ISA's DNS entries.   Make sure they are correct, the correct address; try using the NSLOOKUP tool to test some resolutions.  

If your ISA does resolve the name and it's only the internal clients that fail,  then you probably need to look at the DNS protocol rule on the ISA, or even the DNS that is delivered to the clients via DHCP.  

LAT should include - or -
LAT should NOT include - (may be set by default), this range is external in your case
LDT is correct

The other settings also look great.

The packet filter for SBS is set by default and for the configuration, I described.

Can not find the information, if you tried to access the site by the ISA itself (with and without proxy settings).
Also, I assume that your browser settings are pointing to http://yourserver 8080, right?
Have you cleared the cache? See: , there is a small batch for that.
Also try to use other DNS forwarders, it may be that they are too slow.
Have you set something for reverse lookup or anything else within DNS? Round Robin etc.?

Note, checking the things on your ISA itself helps to determine if this is an ISA issue or simply a connectivity issue. ISA server itself, especially commands from the DOS Box, are only restricted by packet filters. If ISA works, but the client not, then it points to an ISA issue; if both are not working, it points mostly to a more general problem.

Also load issues may be relevant, if you have a slow internet line and there is other traffic on the line.
Also never install any ISA client software on ISA itself.

mporter05Author Commented:
OK....Sorry for the delay in getting back to you.  I took Friday off work.

Ping from the ISA server and the clients both give :"Ping request could not find host  Please check the name and try again."

Clearing the cache made the error come up faster.

My DNS forwards are the DNS numbers provided by my ISP

Round Robin is NOT enabled

Default Server:  jcp-server.acbfparentadvocates.local

Server:  jcp-server.acbparentadvocates.local

*** jcp-server.acbfparentadvocates.local can't find name:  Non-existent domain

The *** line, non-existent domain I assume is a clue.  The clue, I'm not sure.

The WAN NIC (external interface) DNS entries ( primary & secondary ) should be the DNS ip addresses of the ISP (internet service provider) and not the (because the DNS is your internal LANs DNS).
Open the DNS in your ISA.
Right click the DNS, choose properties, then click Monitoring tab.
Check the boxes for Simple & Recursive query, then click Test Now.
If the result is PASS... (I don't have further comment)
If the result is FAIL...
-Go to Interface tab
Please verify that the external interface ip address ( of the ISA is included. To make it appear automatically, Select the radio button for ALL IP Addresses...and the external ip address will automatically appear.
Then go back to the monitoring tab and redo the testing again, it should show a PASS result.
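
The triage the answers above converge on (does the ISA box resolve the name, does an internal client, and what exactly did nslookup report), as an added example that is not part of the original thread: a small Python parser over Windows `nslookup` transcripts. The transcripts, host names and addresses are constructed placeholders, and `classify` and `triage` are hypothetical helper names.

```python
import re
# Constructed nslookup transcripts (not from the thread); names and addresses are placeholders.
SAMPLE_NXDOMAIN = """Server:  isa.example.local
Address:  192.0.2.10

*** isa.example.local can't find download.example.com: Non-existent domain
"""
SAMPLE_TIMEOUT = """Server:  isa.example.local
Address:  192.0.2.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to isa.example.local timed-out
"""
SAMPLE_OK = """Server:  isa.example.local
Address:  192.0.2.10

Non-authoritative answer:
Name:    download.example.com
Address:  198.51.100.7
"""

def classify(output):
    """Return (status, answering_server, answers) for one nslookup transcript."""
    match = re.search(r"^(?:Default )?Server:\s+(\S+)", output, re.M)
    server = match.group(1) if match else None
    if re.search(r"Non-existent domain", output, re.I):
        return "nxdomain", server, []
    if re.search(r"timed[- ]out", output, re.I):
        return "timeout", server, []
    # Addresses after the first blank line belong to the answer, not to the resolver.
    _, _, answer = output.partition("\n\n")
    ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", answer)
    return ("resolved" if ips else "unknown"), server, ips

def triage(isa_output, client_output):
    """Apply the thread's rule: compare the ISA box with an internal client."""
    isa_ok = classify(isa_output)[0] == "resolved"
    client_ok = classify(client_output)[0] == "resolved"
    if isa_ok and client_ok:
        return "name resolution works on both; look elsewhere"
    if isa_ok:
        return "only the client fails: check the ISA DNS protocol rule and the DNS handed out by DHCP"
    if client_ok:
        return "only ISA fails: compare which DNS server each machine queried"
    return "ISA itself cannot resolve: check its NIC DNS entries and the DNS forwarders"

if __name__ == "__main__":
    print(triage(SAMPLE_NXDOMAIN, SAMPLE_NXDOMAIN))
```
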
mporter05Author Commented:
OK....Yippee Yi Yeah...

The original problem was solved, on to other things now.  I can now manually download patches again.

Since this is my first question, I don't know how the points work.  Bembi helped me tons in fine tuning and taking baby steps towards the problem--was able to download some but not Microsoft.

By adding the ISP DNS to my WAN Nic, I was able to download the initial link mentioned.

I'll submit my next question as a new one--relating to Windows Update not working and Security ActiveX warning.

Thanks to all.
mporter05Author Commented:
Thanks to both of you.  I don't know how to split the points, I have no accept button or a SPLIT button.
You are welcome. Just for your next question:
