ISA Server is blocking my program from working.

Posted on 2005-03-07
Medium Priority
Last Modified: 2010-04-09
I've spent 3 days working on this problem and it will sure help our Library if I can get this program to work thru the ISA firewall. We have 3 tcp/ip enabled time clocks. One of the time clocks is located in a remote location. I had great difficulty trying to get it to work thru the firewall so I just put them all on the outside of the firewall. This has worked for several months with no problems. Now for the problem....

We have been pulling reports from the time clock in Excel format and then manually rounding in/out times to the quarter hour. This is very time consuming for our staff of 50+. I wrote an application using an API that appears to use the http protocol. This API pulls a report from the time clock then my application does all the rounding.

I have a pc with an internal & external interface. I normally keep the external disabled for security reasons. For testing the application I can turn on the external NIC and the program works just fine. If I disable the external interface and try to use it thru the ISA 2000 firewall then I get a "can't connect" error. It's fairly generic, actually it says "failed".

Just in the chance that someone else has worked with an IGuard system... but if not I'm including a link to a network monitor capture file in PDF format that shows a successful transmission using the external nic.


Question by:CubeRoot
LVL 12

Expert Comment

ID: 13483143
Checked the capture... I can see the http response. Assume you are sniffing near the server. Okay, can you check the connectivity between your node and the server? Need more info like the network address, etc. If you are sure about the connectivity and subnets and all, then have a look into the ISA config. Does this allow your external NIC IP address? Any NAT there?

Author Comment

ID: 13486389
I've got a little more information now. I think I can get around the problem but it will require me to do more programming. I'd rather just figure out why ISA is upset and correct the current problem.

After comparing Network Monitor packets, I've noticed that ISA server is getting upset at an invalid request.
(This is response packet 11)
00000:  00 50 70 AA 29 33 00 11 11 0B C3 16 08 00 45 00   .Ppª)3....Ã...E.
00010:  05 DC 91 48 40 00 80 06 75 90 A5 8A 86 14 C0 A8   .Ü‘H@.€.u¥Š†.À¨
00020:  01 FC 00 50 0D EE C1 3D 98 16 D1 E4 DB 1B 50 10   .ü.P.îÁ=˜.ÑäÛ.P.
00030:  FF 35 0E 7D 00 00 48 54 54 50 2F 31 2E 31 20 34   ÿ5.}..HTTP/1.1 4
00040:  30 30 20 42 61 64 20 52 65 71 75 65 73 74 20 28   00 Bad Request (
00050:  20 54 68 65 20 64 61 74 61 20 69 73 20 69 6E 76    The data is inv
00060:  61 6C 69 64 2E 20 20 29 0D 0A 56 69 61 3A 31 2E   alid.  )..Via:1.
00070:  31 20 47 41 54 45 57 41 59 0D 0A 43 6F 6E 6E 65   1 GATEWAY..Conne
00080:  63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 50 72   ction: close..Pr

I believe the request is the following:

HTTP: GET Request (from client using port 3566)
    HTTP: Request Method = GET
    HTTP: Uniform Resource Identifier = /Admins/ex050308.txt?FileFormat=.txt&ReportForma
    HTTP: Protocol Version = VKTP/1.0
00000:  00 11 11 0B C3 16 00 50 70 AA 29 33 08 00 45 00   ....Ã..Ppª)3..E.
00010:  00 A9 FD C4 40 00 80 06 0E 47 C0 A8 01 FC A5 8A   .©ýÄ@.€..GÀ¨.ü¥Š
00020:  86 14 0D EE 00 50 D1 E4 DA 51 C1 3D 98 16 50 18   †..î.PÑäÚQÁ=˜.P.
00030:  FF FF EE DE 00 00 47 45 54 20 2F 41 64 6D 69 6E   ÿÿîÞ..GET /Admin
00040:  73 2F 65 78 30 35 30 33 30 38 2E 74 78 74 3F 46   s/ex050308.txt?F
00050:  69 6C 65 46 6F 72 6D 61 74 3D 2E 74 78 74 26 52   ileFormat=.txt&R
00060:  65 70 6F 72 74 46 6F 72 6D 61 74 3D 41 74 74 65   eportFormat=Atte
00070:  6E 64 61 6E 63 65 26 48 65 61 64 69 6E 67 3D 59   ndance&Heading=Y
00080:  65 73 26 49 44 3D 36 36 30 33 26 50 65 72 69 6F   es&ID=6603&Perio
00090:  64 3D 4C 61 73 74 25 32 30 57 65 65 6B 26 43 6F   d=Last%20Week&Co
000A0:  6D 6D 61 6E 64 3D 45 78 70 6F 72 74 20 56 4B 54   mmand=Export VKT
000B0:  50 2F 31 2E 30 0D 0A                              P/1.0..    

Follow up to srikrishnak's questions. The successful transmissions are done when I'm on the same subnet( communicating to The unsuccessful transmissions are done when I'm communicating from nat( thru the ISA firewall to the external subnet(

All normal http communications work fine thru the firewall. I can even open a web browser and pull requests from the time clock( thru the firewall.

I believe if there is an answer to this problem it is an ISA setting. Something to do with either sessions or handling http requests. I noticed something called a viking request which I'm not familiar with.
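An added example, not part of the original thread or of the IGuard API: a strict HTTP/1.x request-line check run over the client payload from the capture above, showing which field a protocol-validating proxy would object to. That ISA's HTTP filter applies this same grammar is an assumption; the thread only shows its 400 response.

```python
import re

# TCP payload of the client request, copied from the capture posted above.
CAPTURED = (b"GET /Admins/ex050308.txt?FileFormat=.txt&ReportFormat=Attendance"
            b"&Heading=Yes&ID=6603&Period=Last%20Week&Command=Export VKTP/1.0\r\n")

# Grammar pieces for: method SP request-target SP HTTP-version CRLF
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(rb"^HTTP/\d\.\d$")
TARGET_BAD = re.compile(rb"[\x00-\x20\x7f-\xff]")


def check_request_line(raw: bytes) -> list:
    """Return a list of reasons a strict HTTP parser would reject the line."""
    problems = []
    if not raw.endswith(b"\r\n"):
        problems.append("request line not terminated by CRLF")
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        # An unencoded space in the URI would land here.
        problems.append(f"expected 3 space-separated fields, got {len(parts)}")
        return problems
    method, target, version = parts
    if not TOKEN.match(method):
        problems.append("method is not a valid token")
    if not target or TARGET_BAD.search(target):
        problems.append("request target is empty or has control/space/non-ASCII bytes")
    if not VERSION.match(version):
        problems.append(
            f"version field is {version.decode('latin-1')!r}, not HTTP/<digit>.<digit>")
    return problems


def compare() -> dict:
    """Check the captured line and the same line with a standard version field."""
    fixed = CAPTURED.replace(b"VKTP/1.0", b"HTTP/1.0")
    return {"captured": check_request_line(CAPTURED),
            "with_http_version": check_request_line(fixed)}


if __name__ == "__main__":
    for name, findings in compare().items():
        print(name, "->", findings or "well-formed")
```

The method and URI pass; only the version field fails, which matches Network Monitor decoding it as `Protocol Version = VKTP/1.0`.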


Author Comment

ID: 13491027
I would still be interested in a solution to my firewall problem. I have started on a workaround just in case. My workaround is to build a browser into my application that will pull the data using the vb webbrowser control. Then save the contents. I made a simple program using the webbrowser control and it's close but I immediately came across an authentication problem. I get the login prompt, the kind that is generated by a 401 error. Is there a way I can pass the credentials across and avoid the popup box? The transaction of the username & password needs to be invisible to the user.


Author Comment

ID: 13497980
I went ahead and added the webbrowser control to a form and I'm using it to pull the data. The only downside that I'm having at the moment is.. I'm getting an authentication prompt before I can pull the data from the website. I could live with this but it would be very helpful if there was a way I can forcefully pass the authentication information to the server to avoid the popup authentication box generated by the 401 error.
LVL 12

Expert Comment

ID: 13502790
Hmmm...really a bouncer....

Expert Comment

ID: 13539323
For troubleshooting, try disabling all rules in ISA and make an any, any rule for both site and content rules and protocol rules

Author Comment

ID: 13544470
I'll try that when I get a chance, although I don't think there is currently a rule blocking it. I did put allow all rules in but I didn't disable any blocking rules. I don't think there are any blocking rules that are in conflict.

I'm starting to believe that this API component that I was using is sending out some type of invalid packet that ISA is not going to allow to pass thru the system.

Author Comment

ID: 13547754
>> Then save the contents. I made a simple program using the webbrowser control and it's close but I immediately came across an authentication problem. I get the login prompt, the kind that is generated by a 401 error. Is there a way I can pass the credentials across and avoid the popup box? The transaction of the username & password needs to be invisible to the user.

I solved my application problem. Apparently IE blocks this command directly but the webbrowser control for VB allows the following command.


I was able to pass the username & password as a preauthorization and avoid the popup 401 error message. I'll still check out the firewall rules but this pretty much solves my problem. I want to thank all that tried to help.

Please only respond if you think you have a good reason that ISA would be blocking the IGuard API. It would still be nice to take advantage of the API functions.

Accepted Solution

RomMod earned 0 total points
ID: 15479570
The question has been PAQ'd and the 500 points have been refunded.

Community Support Moderator
