Solved

ISA 2000 is blocking downloading manual patches

Posted on 2004-08-24
Last Modified: 2010-04-09
I need to be able to download manual patches (olk1004.exe) (http://download.microsoft.com/download/outlook2002/olk1004/1/w98nt42kme/en-us/olk1004.exe). I get the error on the page:

The Web site cannot be found.....due to its identification configuration settings

Background:
This error indicates that the gateway could not find the IP address of the Web site your are trying to access.

ISA Server: server-name.domainname.ext


I assume I have a rule or something stopping it.  I have stopped the http 1.1 through the proxy.

We do have the server set as a proxy using 8080.  The client is installed.  Using DHCP.

Any help would be greatly appreciated.  Thanks.

Marcia

I'm sorry, I moved this to Security.
Question by:mporter05
20 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 11886590
Can you resolve names from your client using nslookup?
Do you have any software (firewall client or web client from ISA) installed on your clients?
0
 

Author Comment

by:mporter05
ID: 11887607
Yes, I can resolve names, pings, etc.  the ISA firewall client is installed on the workstations.  I do get the same error when I disable the client firewall though.

0
 
LVL 35

Expert Comment

by:Bembi
ID: 11896066
In general, I would not use any ISA client, if you do not have reasons for that. With Secure-NAT (no software), you have the greatest flexibility. Disabling Firewall client will not really do the same as uninstalling!!

Nevertheless, check what you have set within your site and content rule on ISA. There you can block or allow exe files (Http-Content tab / applications).
Second option is, that you have used the URL lock down tool (on W2K). If you have installed MS SUS Server, the Lock-Down tool (URLScan) is installed automatically. This tool may also be responsible for blocking out exe files (and a lot more extensions).
Also check your ISA folder content types, where are the definitions for i.e. "application" file types. If you use a site and content rule, which allows everything, this does not mean automatically, that really everything is allowed, only defined policy objects are allowed in that case (like the definitions within the content groups or the protocol definitions).

.....due to its identification configuration settings
points me to the content group definitions... / site and content rules

0
 

Author Comment

by:mporter05
ID: 11896527
The Site and content Rules are set to no restrictions.  That was the first thing I thought of.  Out of despair, I removed the others and set it to allow anyone to do anything anytime.  Not good, but...didn't solve the problem.

0
 
LVL 35

Expert Comment

by:Bembi
ID: 11896630
Have you installed Microsoft Software Update Service?
Have you checked the content of the folder policy object - content groups - group "applications"? On the tab content-types should be the extension ".exe" within the list.
0
 

Author Comment

by:mporter05
ID: 11898602
Hi!  SUS has never been installed.  We use SMS 2003.  It is installed on another Win 2003 server.  The .exe ext. is in the Application content group.  I have noticed that I was able to download Sun's Java Runtime environment, but I still can't download any of MS's stuff.  Maybe that provides a clue.  I've gone thru ISA, I have nothing specific to MS.  I did have MS listed in the Trusted Sites in IE.  I removed them, it made no difference.  I see nothing else that delineates MS from any other downloadable source.

I'm stumped.  Are you?

Thanks for your help.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 11901112
Some more ideas.

Try first, if you can download other exe files - from Microsoft or from other vendors to verify, that this usually works on your machine. You get usually a dialog to open or download, if you get this dialog, everything should be o.k. Make sure the target is .EXE, not .MSI. Try this with several different targets.

If this works in most cases with other vendors but not with microsoft, then there is either a routing problem with the download server of MS, nothing to do with ISA as long as you have not set some routing rules within ISA, which may redirect requests to MS.

Also take notice of your external connection. Within Internet Explorer, you can set "Passive FTP", what may be helpful, if you have a DSL line.

download.microsoft.com is an alias name for a server farm. Go to the DOS console and type nslookup download.microsoft.com. Try to use one of the IP addresses within your link instead of the name to check, if this has something to do with one of the names.

Routing issues in mind, try to ping download.microsoft.com and also try tracert download.microsoft.com. Also try to download with a SecureNat Client (without any software) to bypass ISA or the ISA machine itself.

Another option are local or group policy settings within your domain. If you have a clean client, try to do the same from there. Otherwise try, if you have the same result, if you try to download from another client or from one of the servers.
0
 
LVL 7

Expert Comment

by:JJ2
ID: 11903159
I guess there's nothing wrong with your ISA, it's Microsoft's download link in US that has something wrong with it.

Try it from this other link:
http://download.microsoft.com/download/Outlook2002/olk1004/1/W98NT42KMe/DE/olk1004.exe

Try it also from this site and choose the  olk1004.exe  :
http://softserv.murdoch.edu.au/pub/mswin/Updates/Outlook2002/
0
 

Author Comment

by:mporter05
ID: 11905885
The first link didn't work, same ISA error.  The 2nd link would work, but the difference was I'm assuming some FTP type download.  I didn't do it because it looked suspicious.  What was the difference between the two sites?
0
 

Author Comment

by:mporter05
ID: 11905965
When I did nslookup download.microsoft.com, it returned my internal server info and IP address, then timed out.  The same thing happens when I ping and tracert to Microsoft.  I heard that MS stopped people from doing that though.

I can ping some places but not all, some do timeout.

For some reason, we can't bring up yahoo.com either.  It gives the same ISA error we get with microsoft.

Is there a way to easily remove (backup isa first) all settings, and start over?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 11906371
This sounds like problems with your name resolution. I can ping, tracert, nslookup these addresses without any errors. Also I can retrieve the file from the link above (through my ISA).

Please check your system against the following usual configuration:

Server ISA:
Internal NIC:
- Internal IP Address, Mask, no gateway address
- points to internal WINS and DNS, TCPIP over NetBios active
External NIC:
- External (or dedicated IP range for ISA -- Router connection) IP Address, Mask
- Internal DNS, no WINS, TCPIP over NetBios not active

Common Settings
- The Gateway address (default gateway) can be set on one of the NICs, within a RRAS static route or by setting a static route with the route command. There can be only one default gateway
- The internal DNS is configured with forwarders, which are pointing to external DNS servers (usually of your provider). DNS can be ISA server

Clients:
- Internal IP Address, Mask, default gateway points to ISA
- points to internal WINS and DNS, TCPIP over NetBios active


ISA configuration (affecting routing)
- Internal address range must be set within LAT, domain within LDT
- ISA must resolve names (DNS port 53) - check with nslookup otherwise make sure, you have packet filters for name resolution.
- DNS (if not ISA) must be able to resolve names.

What sometimes may be an issue is the ISA cache. Just clear it.
0
 

Author Comment

by:mporter05
ID: 11909263
I'm pretty sure my NICs are set properly.  I've gone thru those so many times.

My internal ip is 10.0.0.1, sub of 255.255.255.0, nada in gateway, dns is 10.0.0.1
my wan nic is 192.168.3.101, 255.255.255.0, 192.168.3.100 (gateway, router address), dns=10.0.0.1

The LAT looks fine.  The LDT shows *.mydomain.local.  Is that correct?


There is a packet filter called SBS DNSLookupPreDefined that uses port 53.

Should the LDT show the FQDN of my server or ip?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 11912734
Are you able to hit the Web site in question from the ISA Box?   Is it only the internal clients that fail?  

If your ISA box can't find the site, use the following command from a DOS prompt:
ping download.microsoft.com

You should get this (or something similar):
Pinging download.microsoft.com.c.footprint.net [208.172.48.253] with 32 bytes of data:

Reply from 208.172.48.253: bytes=32 time=50ms TTL=244
Reply from 208.172.48.253: bytes=32 time=51ms TTL=244
Reply from 208.172.48.253: bytes=32 time=60ms TTL=244
Reply from 208.172.48.253: bytes=32 time=50ms TTL=244


If you get this:
Unknown host download.microsoft.com

Then your DNS is not working.   That means your ISA server cannot resolve the name.  Check the ISA's DNS entries.   Make sure they are correct, the correct address, try using the NSLOOKUP tool to test some resolutions.

If your ISA does resolve the name and it's only the internal clients that fail,  then you probably need to look at the DNS protocol rule on the ISA, or even the DNS that is delivered to the clients via DHCP.  




0
 
LVL 35

Expert Comment

by:Bembi
ID: 11915756
LAT should include 10.0.0.1 - 10.0.0.255 or 10.0.0.1 - 10.255.255.255
LAT should NOT include 192.168.0.1 - 192.168.255.255 (may be set by default), this range is external in your case
LDT is correct

The other setting are looking also great.

The packet filter for SBS is set by default and for the configuration, I described.

Can not find the information, if you tried to access the site by the ISA itself (with and without proxy settings).
Also, I assume that your browser settings are pointing to http://yourserver 8080, right?
Have you cleared the cache? See: http://www.isatools.org/ , there is a small batch for that.
Also try to use other DNS forwarders, it may be that they are too slow.
Have you set something for reverse lookup or anything else within DNS? Round Robin etc.?

Note, checking the things on your ISA itself helps to determine, if this is an ISA issue or simply a connectivity issue. ISA server itself, especially commands from the DOS Box, are only restricted by packet filters. If ISA works, but the client not, then it points to an ISA issue, if both are not working, it points mostly to a more general problem.

Also load issues may be relevant, if you have a slow internet line and there is other traffic on the line.
Also never install any ISA client software on ISA itself.

0
 

Author Comment

by:mporter05
ID: 11931642
OK....Sorry for the delay in getting back to you.  I took Friday off work.

Ping from the ISA server and the clients both give :"Ping request could not find host download.microsoft.com.  Please check the name and try again."

Clearing the cache made the error come up faster.

My DNS forwards are the DNS numbers provided by my ISP

Round Robin is NOT enabled

nslookup
Default Server:  jcp-server.acbfparentadvocates.local
Adress:  10.0.0.1

>name
Server:  jcp-server.acbparentadvocates.local
Address:  10.0.0.1

*** jcp-server.acbfparentadvocates.local can't find name:  Non-existent domain

The *** line, non-existent domain I assume is a clue.  The clue, I'm not sure.




0
 
LVL 7

Expert Comment

by:JJ2
ID: 11950078
The WAN NIC (external interface) DNS entries (primary & secondary) should be the DNS IP addresses of the ISP (internet service provider) and not the 10.0.0.1 (because the DNS 10.0.0.1 is your internal LAN's DNS).
---------------------------------------------------------------------------------------------------
Open the DNS in your ISA.
Right click the DNS, choose properties, then click Monitoring tab.
Check the boxes for Simple & Recursive query, then click Test Now.
If the result is PASS... (I don't have further comment)
If the result is FAIL...
-Go to Interface tab
Please verify that the external interface ip address (192.168.3.101) of the ISA is included. To make it appear automatically, Select the radio button for ALL IP Addresses...and the external ip address will automatically appear.
Then go back to the monitoring tab and redo the testing again, it should show a PASS result.
0
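
Added example, not code from any poster in this thread: the discussion narrows the fault to name resolution, and the fix changes which DNS server the ISA box asks. The sketch below sends the same A query directly to each resolver over UDP 53 and reports the DNS response code, so the failing hop (internal DNS, its forwarders, or a packet filter) is visible. `10.0.0.1` is the internal DNS from the thread; `192.0.2.53` is a placeholder for the ISP DNS address, which the thread never lists.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a DNS query for the A record of `name` with recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid=0x1234):
    """Turn a raw DNS response into a short verdict string."""
    if len(response) < 12:
        return "malformed reply"
    rid, flags, _qd, ancount = struct.unpack(">HHHH", response[:8])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a reply
        return "not a reply to our query"
    rcode = flags & 0x000F
    if rcode == 0 and ancount == 0:
        return "NOERROR but no answers"
    # RA clear means this server will not recurse or forward for us
    recursion = "" if flags & 0x0080 else " (recursion not available)"
    return f"{RCODES.get(rcode, 'RCODE ' + str(rcode))}, {ancount} answer(s){recursion}"

def probe(server, name, timeout=3.0):
    """Ask one DNS server directly over UDP 53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout (server down, or UDP 53 filtered)"
        except OSError as exc:
            return f"network error: {exc}"
    return classify(data)

if __name__ == "__main__":
    # Placeholder ISP resolver address; substitute the one your provider assigned.
    for server in ("10.0.0.1", "192.0.2.53"):
        print(f"{server:15} {probe(server, 'download.microsoft.com')}")
```

A SERVFAIL or timeout from the internal server alongside a NOERROR from the ISP resolver points at the forwarder configuration or the DNS packet filter rather than at the site and content rules.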
 

Author Comment

by:mporter05
ID: 11967015
OK....Yippee Yi Yeah...

The original problem was solved, on to other things now.  I can now manually download patches again.

Since this is my first question, I don't know how the points work.  Bembi helped me tons in fine tuning and taking baby steps towards the problem--was able to download some but not Microsoft.

By adding the ISP DNS to my WAN Nic, I was able to download the initial link mentioned.

I'll submit my next question as a new one--relating to Windows Update not working and Security ActiveX warning.

Thanks to all.
0
 
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ID: 11977811
OK, great.

You can select the Accept Button behind every topic to assign points, or, if you want to split the points, click on the SPLIT Button at the end of this page. Then you can distribute your points to more than one answer.
0
 

Author Comment

by:mporter05
ID: 12447377
Thanks to both of you.  I don't know how to split the points, I have no accept button or a SPLIT button.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 12447699
You are welcome. Just for your next question:

http://www.experts-exchange.com/help.jsp#hs5
0
