• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267
  • Last Modified:

ISA Server is blocking my program from working.

I've spent 3 days working on this problem and it will sure help our Library if I can get this program to work thru the ISA firewall. We have 3 tcp/ip enabled time clocks. One of the time clocks located in a remote location. I had great difficulting trying to get it to work thru the firewall so I just put them all on the outside of the firewall. This has worked for several months with no problems. Now for the problem....

We have been pulling reports from the time clock in excel format and the manually rounding in/out times to the quarter hour. This is very time consuming for our staff of 50+. I wrote an application using an API that appears to use the http protocol. This API pulls a report from the time clock then my application does all the rounding.

I have a pc with an internal & external interface. I normally keep the external disabled for security reasons. For testing the application I can turn on the external NIC and the program works just fine. If I disable the external interface and try to use it thru the ISA 2000 firewall then I get a "can't connect" errors. It's fairly generic, actually it says "failed".

Just in the chance that someone else has worked with an IGuard system... but if not I'm including a link to a network monitor capture file in PDF format that shows a successful transmission using the external nic.


1 Solution
Checked the capture...I can see that the http responce. Assume you are sniffing near the server.. Okie can you check the connectivity between ur node and the server. Need more info like the network address,etc,,,..If you are sure about the connectivity n subnets n allll..then have a look in to the ISA config..Does this allows ur external nic ip address;Any NAT there..??
CubeRootAuthor Commented:
I've got a little more information now. I think I can get around the problem but it will require me to do more programming. I'd rather just figure out why ISA is upset and correct the current problem.

After comparing Network Monitor Packets. I've noticed that ISA server is getting upset at an invalid request.
(This is response packet 11)
00000:  00 50 70 AA 29 33 00 11 11 0B C3 16 08 00 45 00   .Ppª)3....Ã...E.
00010:  05 DC 91 48 40 00 80 06 75 90 A5 8A 86 14 C0 A8   .Ü‘H@.€.u¥Š†.À¨
00020:  01 FC 00 50 0D EE C1 3D 98 16 D1 E4 DB 1B 50 10   .ü.P.îÁ=˜.ÑäÛ.P.
00030:  FF 35 0E 7D 00 00 48 54 54 50 2F 31 2E 31 20 34   ÿ5.}..HTTP/1.1 4
00040:  30 30 20 42 61 64 20 52 65 71 75 65 73 74 20 28   00 Bad Request (
00050:  20 54 68 65 20 64 61 74 61 20 69 73 20 69 6E 76    The data is inv
00060:  61 6C 69 64 2E 20 20 29 0D 0A 56 69 61 3A 31 2E   alid.  )..Via:1.
00070:  31 20 47 41 54 45 57 41 59 0D 0A 43 6F 6E 6E 65   1 GATEWAY..Conne
00080:  63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 50 72   ction: close..Pr

I believe the request is the following:

HTTP: GET Request (from client using port 3566)
    HTTP: Request Method = GET
    HTTP: Uniform Resource Identifier = /Admins/ex050308.txt?FileFormat=.txt&ReportForma
    HTTP: Protocol Version = VKTP/1.0
00000:  00 11 11 0B C3 16 00 50 70 AA 29 33 08 00 45 00   ....Ã..Ppª)3..E.
00010:  00 A9 FD C4 40 00 80 06 0E 47 C0 A8 01 FC A5 8A   .©ýÄ@.€..GÀ¨.ü¥Š
00020:  86 14 0D EE 00 50 D1 E4 DA 51 C1 3D 98 16 50 18   †..î.PÑäÚQÁ=˜.P.
00030:  FF FF EE DE 00 00 47 45 54 20 2F 41 64 6D 69 6E   ÿÿîÞ..GET /Admin
00040:  73 2F 65 78 30 35 30 33 30 38 2E 74 78 74 3F 46   s/ex050308.txt?F
00050:  69 6C 65 46 6F 72 6D 61 74 3D 2E 74 78 74 26 52   ileFormat=.txt&R
00060:  65 70 6F 72 74 46 6F 72 6D 61 74 3D 41 74 74 65   eportFormat=Atte
00070:  6E 64 61 6E 63 65 26 48 65 61 64 69 6E 67 3D 59   ndance&Heading=Y
00080:  65 73 26 49 44 3D 36 36 30 33 26 50 65 72 69 6F   es&ID=6603&Perio
00090:  64 3D 4C 61 73 74 25 32 30 57 65 65 6B 26 43 6F   d=Last%20Week&Co
000A0:  6D 6D 61 6E 64 3D 45 78 70 6F 72 74 20 56 4B 54   mmand=Export VKT
000B0:  50 2F 31 2E 30 0D 0A                              P/1.0..    

Follow up to srikrishnak's questions. The successful transmissions are done when i'm on the same subnet( communcating to The unsuccessful transmissions are done with I'm communicating from nat( thru the ISA firewall to the external subnet(

All normal http communications work fine thru the firewall. I can even open a web browser and pull requests from the time clock( thru the firewall.

I believe if there is an answer to this problem it is an ISA setting. Something to do with either sessions or handing http requests. I noticed something called a viking request which i'm not familiar with.

CubeRootAuthor Commented:
I would still be interested in a solution to my firewall problem. I have started on a workaround just in case. My work around is to build a browser into my application that will pull the data using the vb webbrowser control. Then save the contents. I made a simple program using the webbrowser control and it's close but I immediately came across an authenication problem. I get the login prompt, the kind that is generated by a 401 error. Is there a way I can password the credentials across and avoid the popup box? The transaction of the username & password needs to be invisible to the user.
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

CubeRootAuthor Commented:
I went ahead and added the webbrowser control to a form and I'm using it to pull the data. The only downside that I'm having at the moment is.. I'm getting an authentication prompt before I can pull the data from the website. I could live with this but it would be very helpful if there was a way I can forcefully pass the authenticiation information to the server to avoid the popup authentication box generated by the 401 error.
Hmmm...really a bouncer....
Try for trouble shouting disabling all rules in ISA and make for both site and content rules and protocol rules an any, any rule
CubeRootAuthor Commented:
I'll try that when I get a chance, although I don't think there is currently a rule blocking it. I did put allow all rules in but I didn't disable any blocking rules. I don't think there are any blocking rules that are in conflict.

I'm starting to believe that this API component that I was using is sending out some type of invalid packet that ISA is not going to allow to pass thru the system.
CubeRootAuthor Commented:
>> Then save the contents. I made a simple program using the webbrowser control and it's close but I immediately came across an authenication problem. I get the login prompt, the kind that is generated by a 401 error. Is there a way I can password the credentials across and avoid the popup box? The transaction of the username & password needs to be invisible to the user.

I solved my application problem. Apparently IE blocks this command directly but the webbrowser control for VB allows the following command.


I was able to pass the username & password as a preauthorization and avoid the popup 401 error message. I'll still checkout the firewall rules but this pretty much solves my problem. I want to thank all that tried to help.

Please only respond if you think you have a good reason that ISA would be blocking the IGuard API. It would still be nice to take advantage of the API functions.
The question has been PAQ'd and the 500 points have been refunded.

Community Support Moderator

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now