imkazi
asked on
ISA 2004 (Error Code 64: Host not available) gives intermittent and random error.
Dear Experts!!
Before I start, I would like to mention that I tried the solution from an expert article "Q_21483635.html", but no luck. We have even opened a case with Microsoft PSS, and it's been 10 days now without any breakthrough. We have an ISA 2004 Server with Service Pack 2 running on Windows Server 2003.
The problem is explained below.
When a user browses the web, two or three pages will open. Intermittently, a page will not open, and we need to click refresh to continue browsing. This happens very often. While checking the ISA logging query, we can see the allowed user (identified by the PC's IP) shown as an anonymous user, and access was denied. When the same user refreshes the browser, they are able to browse, and in the ISA logging monitor we are able to see that particular user's login name.
Error Message:
Technical Information (for support personnel)
· Error Code 64: Host not available
· Background: The gateway or proxy server lost connection to the Web server.
· Date: 3/11/2006 8:12:21 AM
· Server: prxycity1.internal.com
· Source: Remote server
Just to eliminate doubts on the network side, we tried accessing the internet directly without the proxy server, and things work normally, but with ISA the error keeps coming up randomly.
Please help.
Can you switch off the cache temporarily so that you have to access the site directly each time?
ASKER
In fact, the cache was switched off initially after the ISA was installed. After the problem appeared, we noticed that the cache was not switched ON, and that's when we switched it ON hoping the problem might go away. Anyways, I shall try switching off the cache again tomorrow morning. Right now it's midnight here in Kuwait.
One more thing I'd like to mention is that we notice that this problem appears seldom during off-peak hours. So it may be because of network congestion. But what's confusing is that during peak hours if we access the internet directly, bypassing the proxy, then the problem does not appear. So we can't really be sure it's network congestion.
For the next two days we are into the weekend here. So I'm not sure we can repro the problem. Anyways, will keep you updated.
No problem. It's 9.25 PM in the UK so I will be calling it a day soon also. Let me know when you want to try a few things and I'll be here.
regards
keith
The behaviour may go away if you change the following settings in the Web Publishing rule:
Untick "forward the original host header"
Change "Requests appear to come from the original client"
to:
"Requests appear to come from ISA Server computer"
If you are not validating host headers you are not using the ISA as a gateway and the requests are split. The "Requests appear to come from the original client" is SNAT'ing.
Hope this helps
IPKON Networks Ltd
ASKER
We are not using any web publishing rules. The ISA is being used only for proxying outgoing internet sessions, and the error is coming up for internal clients trying to browse the internet. The template used for the setup was "Edge Firewall Mode".
ASKER
Sure thing Keith. Will let you know.
Regards,
imkazi
ASKER
We did a trace of the ISA logs and it looks more like a Network issue. The ISA Proxy server is behind a Juniper netscreen FW. Please check if the below analysis makes any sense.
TRACE ANALYSIS:
In ISA-internal.cap we can see ISA return the "502 Proxy Error (The specified network name is no longer available) ....Error 64: host not available" in 12 cases to different clients (this can be seen in frames 10771, 10855, 10949, 11070, 16175, 25161, 31367, 34219, 34555, 35009, 35579 and 35888). After locating these 12 errors in ISA-internal.cap, I then looked at isa-ext.cap to see what is causing it. All 12 cases show the same pattern in isa-ext.cap:
Example 1
----------------
In frames 8500, 8501 and 8502 ISA and the external web server establish a TCP connection. In frame 8503 ISA Server sends the GET request to www.rsasecurity.com on behalf of the Web Proxy client. The web server doesn't respond at all to this request, not even with a TCP ACK, so ISA (the TCP stack) will resend the GET request. In this particular case ISA resends it two more times (at 3- and 6-second intervals respectively). This can be seen in frames 8708 and 9066. Again the web server doesn't respond to these requests, but instead sends a TCP Reset to the last request ISA sent in frame 9066. This TCP reset can be seen in frame 9067. Because the web server resets the TCP connection, there is nothing ISA can do except send the "502 Proxy Error (The specified network name is no longer available) ....Error 64: host not available" back to the client.
Example 2
----------------
In frames 19562, 19563 and 19564 ISA and the external web server establish a TCP connection. In frame 19565 ISA Server sends the GET request to www.jaijaidin.com on behalf of the Web Proxy client. The web server doesn't respond at all to this request, not even with a TCP ACK, so ISA (the TCP stack) will resend the GET request. In this particular case ISA resends it three more times (at 3-, 6- and 12-second intervals respectively). This can be seen in frames 19923, 20334 and 21491. Again the web server doesn't respond to these requests, but instead sends a TCP Reset to the last request ISA sent in frame 21491. This TCP reset can be seen in frame 21493. Because the web server resets the TCP connection, there is nothing ISA can do except send the "502 Proxy Error (The specified network name is no longer available) ....Error 64: host not available" back to the client.
Regards,
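The pattern in the trace analysis above (handshake completes, the GET is never acknowledged, it is retransmitted, then a reset arrives) can be searched for mechanically across a whole capture. The following is an added example, not part of the original thread: the addresses, ports, sequence numbers, timestamps and TTL values are constructed, with frame numbers modelled on Example 1, and the TTL comparison between the SYN-ACK and the RST is a heuristic assumed here for judging whether the reset came from the web server or from a device on the path.

```python
from collections import defaultdict, namedtuple

# One decoded TCP segment; flags use S=SYN, A=ACK, P=PSH, R=RST.
Pkt = namedtuple("Pkt", "frame time src dst sport dport flags seq ack length ttl")

PROXY = "192.0.2.10"      # constructed: external address of the proxy
SERVER = "198.51.100.20"  # constructed: a web server address


def find_unanswered_resets(packets, proxy_ip=PROXY):
    """Flag flows where the handshake completed, the proxy's request was never
    acknowledged, the request was retransmitted, and an RST then arrived."""
    flows = defaultdict(list)
    for p in packets:
        # Key every flow from the proxy's side: (proxy port, peer, peer port).
        if p.src == proxy_ip:
            flows[(p.sport, p.dst, p.dport)].append(p)
        elif p.dst == proxy_ip:
            flows[(p.dport, p.src, p.sport)].append(p)

    findings = []
    for (port, peer, _), pkts in sorted(flows.items()):
        pkts.sort(key=lambda p: p.frame)
        inbound = [p for p in pkts if p.src != proxy_ip]
        synack = next((p for p in inbound if p.flags == "SA"), None)
        data = [p for p in pkts if p.src == proxy_ip and p.length > 0]
        if synack is None or not data:
            continue  # no handshake or no request: a different failure mode
        # Retransmissions repeat the sequence number of the first request.
        sends = [p for p in data if p.seq == data[0].seq]
        # Any inbound non-RST ACK beyond that sequence number means the
        # request reached something that answered.
        acked = any("A" in p.flags and "R" not in p.flags and p.ack > data[0].seq
                    for p in inbound)
        rst = next((p for p in inbound
                    if "R" in p.flags and p.frame > sends[-1].frame), None)
        if acked or rst is None or len(sends) < 2:
            continue
        findings.append({
            "peer": peer,
            "proxy_port": port,
            "request_frame": sends[0].frame,
            "retransmit_frames": [p.frame for p in sends[1:]],
            "retransmit_gaps": [round(b.time - a.time, 1)
                                for a, b in zip(sends, sends[1:])],
            "rst_frame": rst.frame,
            "rst_delay": round(rst.time - sends[-1].time, 3),
            # Heuristic (assumption of this example): a reset whose TTL differs
            # from the SYN-ACK's was probably built by another device on the path.
            "rst_ttl_differs": rst.ttl != synack.ttl,
        })
    return findings


def sample_capture():
    """Constructed packets. Flow 1 mirrors Example 1 of the post (frames
    8500-9067); flow 2 is a healthy request for contrast."""
    P, S = PROXY, SERVER
    return [
        # Flow 1: request never acknowledged, resent after 3 s and 6 s, then RST.
        Pkt(8500, 0.000, P, S, 40001, 80, "S", 1000, 0, 0, 128),
        Pkt(8501, 0.050, S, P, 80, 40001, "SA", 5000, 1001, 0, 52),
        Pkt(8502, 0.051, P, S, 40001, 80, "A", 1001, 5001, 0, 128),
        Pkt(8503, 0.060, P, S, 40001, 80, "PA", 1001, 5001, 300, 128),
        Pkt(8708, 3.060, P, S, 40001, 80, "PA", 1001, 5001, 300, 128),
        Pkt(9066, 9.060, P, S, 40001, 80, "PA", 1001, 5001, 300, 128),
        Pkt(9067, 9.061, S, P, 80, 40001, "R", 5001, 0, 0, 63),
        # Flow 2: request acknowledged and answered.
        Pkt(8600, 1.000, P, S, 40002, 80, "S", 2000, 0, 0, 128),
        Pkt(8601, 1.050, S, P, 80, 40002, "SA", 7000, 2001, 0, 52),
        Pkt(8602, 1.051, P, S, 40002, 80, "A", 2001, 7001, 0, 128),
        Pkt(8603, 1.060, P, S, 40002, 80, "PA", 2001, 7001, 250, 128),
        Pkt(8604, 1.110, S, P, 80, 40002, "A", 7001, 2251, 0, 52),
        Pkt(8605, 1.150, S, P, 80, 40002, "PA", 7001, 2251, 1200, 52),
    ]


if __name__ == "__main__":
    for finding in find_unanswered_resets(sample_capture()):
        print(finding)
```

On a real capture the same fields can be exported from the trace tool. A reset that follows the last retransmission almost immediately and carries a different TTL from the SYN-ACK is more consistent with a stateful device between the proxy and the web server than with the web server itself.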
Are you using the ISA firewall client or just the web proxy settings?
If you run the same access attempts on the ISA itself, do these same results get returned?
Have you installed the SP2 service pack yet?
ASKER
We're using just web proxy settings.
Yes, the same error appears while accessing internet from ISA server itself.
Yes, we have upgraded to SP2 after the problem first appeared.
In the GUI, click on Monitoring - Logging - click on Start Query.
What is being reported in the log itself?
What is the definition of the rule that is being used when you see this issue?
ASKER
I have copied an excerpt of the log below. You may have to remove word wrap after copying to Notepad to view it properly. As you may notice in the log, the same source IP is getting allowed, denied and failed connection attempts subsequently. During the allowed instance the login username shows correctly; during denied/failed instances the same IP shows the username as anonymous.
---------- Start of Log ----------
Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) Yes Proxy www.technology-evaluation.com TCP GET image/gif Internet - - - - - - 3/25/2006 1:14:13 PM 0 1 1431 929 0x50801002 0xd80 3/25/2006 4:14:13 PM 10.27.3.4 66.201.244.33 80 http Allowed Connection Proxy Access 200 domkw\ai.damiri Internal External http://www.technology-evaluation.com/images/arrow3.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) No Proxy www.technology-evaluation.com TCP GET - - - - - - 3/25/2006 1:14:13 PM 0 1 4516 692 0x0 0x0 3/25/2006 4:14:13 PM 10.27.3.4 10.15.1.11 80 http Denied Connection 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. anonymous Internal http://www.technology-evaluation.com/a/crmXchange/crmxchange_logop.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) No Proxy www.technology-evaluation.com TCP GET - - - - - - 3/25/2006 1:14:13 PM 0 1 4516 696 0x0 0x80 3/25/2006 4:14:13 PM 10.27.3.4 10.15.1.11 80 http Denied Connection 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. anonymous Internal http://www.technology-evaluation.com/a/TEC/2004Dec-Outsourcing160x600.jpg?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) No Proxy www.technology-evaluation.com TCP GET - - - - - - 3/25/2006 1:14:13 PM 0 16 547 777 0x0 0x80 3/25/2006 4:14:13 PM 10.27.3.4 10.15.1.11 80 http Failed Connection Attempt 5 anonymous Internal http://www.technology-evaluation.com/images/arrow3.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) Yes Proxy www.technology-evaluation.com TCP GET image/gif Internet - - - - - - 3/25/2006 1:14:13 PM 0 16 1431 929 0x50801002 0xd80 3/25/2006 4:14:13 PM 10.27.3.4 66.201.244.33 80 http Allowed Connection Proxy Access 200 domkw\ai.damiri Internal External http://www.technology-evaluation.com/images/arrow3.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) No Proxy www.technology-evaluation.com TCP GET - - - - - - 3/25/2006 1:14:13 PM 0 1 547 777 0x0 0x0 3/25/2006 4:14:13 PM 10.27.3.4 10.15.1.11 80 http Failed Connection Attempt 5 anonymous Internal http://www.technology-evaluation.com/images/arrow3.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) Yes Proxy www.technology-evaluation.com TCP GET image/gif Internet - - - - - - 3/25/2006 1:14:13 PM 0 1 1431 929 0x50801002 0xd80 3/25/2006 4:14:13 PM 10.27.3.4 66.201.244.33 80 http Allowed Connection Proxy Access 200 domkw\ai.damiri Internal External http://www.technology-evaluation.com/images/arrow3.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) No Proxy www.technology-evaluation.com TCP GET - - - - - - 3/25/2006 1:14:13 PM 0 1 547 792 0x0 0x0 3/25/2006 4:14:13 PM 10.27.3.4 10.15.1.11 80 http Failed Connection Attempt 5 anonymous Internal http://www.technology-evaluation.com/a/crmXchange/crmxchange_logop.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MSN Messenger 7.5.0322) Yes Proxy 207.46.7.11 TCP POST application/x-msn-messenge r Internet - - - - - - 3/25/2006 1:14:14 PM 0 297 306 355 0x40000004 0xf80 3/25/2006 4:14:14 PM 10.27.4.135 207.46.7.11 80 http Allowed Connection Proxy Access 200 domkw\md.mostafa Internal External http://207.46.7.11/gateway/gateway.dll?SessionID=2027575288.27562 KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) Yes Proxy www.technology-evaluation.com TCP GET image/gif Internet - - - - - - 3/25/2006 1:14:14 PM 0 312 6393 944 0x50801002 0xd80 3/25/2006 4:14:14 PM 10.27.3.4 66.201.244.33 80 http Allowed Connection Proxy Access 200 domkw\ai.damiri Internal External http://www.technology-evaluation.com/a/crmXchange/crmxchange_logop.gif?e= KCA1PRXY01 Web Proxy Filter
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322) No Proxy www.technology-evaluation.com TCP GET - - - - - - 3/25/2006 1:14:14 PM 0 1 547 796 0x0 0x0 3/25/2006 4:14:14 PM 10.27.3.4 10.15.1.11 80 http Failed Connection Attempt 5 anonymous Internal http://www.technology-evaluation.com/a/TEC/2004Dec-Outsourcing160x600.jpg?e= KCA1PRXY01 Web Proxy Filter
---------- End of Log ----------
ASKER
I forgot to answer your other query. The first rule of the "Firewall Policy Rule" is as follows,
Allow - All Outbound Traffic - From Internal/Local Host - To External/Internal - For Selected users.
ASKER
It's been a long day here. To answer your query right, there is no rule shown during the problem. The rule column is blank when anonymous user/denied connection/failed connection entries are logged!!
Regards,
Is the browser on ISA set to use itself as a proxy or does the ISA go out directly on the external interface? Try it both ways please.
If you allow the rule for ALL Users rather than selected users (just as a test), this removes the authentication (for ISA). Does this remove all the failed/denied messages in the log?
ASKER
The browser on ISA is set to itself while testing. I also tested with ISA going directly and that works fine. Adding rule for ALL users still keeps the failed/denied messages, however, as per Microsoft these messages are normal in an integrated authentication setup. As per them, the local computer first tries to authenticate directly to the ISA which results in a denied/failed, who sees the user as anonymous, and then subsequently authenticates with the AD.
Agreed. So are you saying that the ISA server itself does not show the symptoms at all, or that ISA is fine when it does not use itself as proxy?
ASKER
I mean the ISA server DOES show the error when it uses itself as a proxy.
ASKER
And the ISA server is fine when it does not use itself as a proxy.
Bizarre, isn't it? You mentioned earlier that you are only using it for proxying outgoing traffic; are you using ISA as a firewall as well? I have never seen ISA set up as an edge device when it is caching/proxy only so this would be quite interesting.
If it is a firewall, do you get any different results if you install the ISA client on one workstation?
ASKER
Yes, I mentioned earlier that the ISA I have here is installed in the Edge Firewall mode, and at the moment I am using it as a proxy server. I haven't tried using the ISA client. I will give it a try.
Do you think it would make any difference if I put the ISA in Proxy-Only mode? Guess I should try that as well.
It depends really.
My own experience is that when I have wanted to use authorisation, I have always used the ISA firewall client as this is predominantly the authentication controller. I have well in excess of 100 ISA installations behind me and I have never seen a proxy server installed with the edge firewall configuration.
To test the config, just back up the configuration and re-run the templates from Configuration - Networks. If it then works for you, great. If not, just reinstall the saved config.
I have installed many boxes in proxy only (plus disabled and additional NICs) and stacks as edge or three-legged firewalls but I will be honest and say I have not seen your particular symptoms. I agree that testing the two other configurations would be a worthwhile exercise.
ASKER
We installed a brand new machine with the Single Network Adaptor Template for the Proxy-only mode. And the same problem exists!! The same with Firewall Client as well.
It is truly bizarre. I am beginning to believe that it is something to do with the network outside the ISA, which makes the troubleshooting all the more complicated. And to top that, there is doubt as well, since there are no errors if the internet is accessed directly.
Let's see...
OK.
1. Thank you for trying it.
2. You obviously have a direct route to the internet (as you can bypass ISA) that is not displaying the issues. When you go directly, how is the traffic getting to the external router/firewall? Are the clients attached directly? Via a switch? Is this the same switch that the ISA is connected to?
From the info you give, it has to be the ISA server unless the network cable, port switch duplex/speed settings etc are mismatched/faulty.
What is ISA using as its DNS server? Apart from the issues you describe, what is the performance of ISA compared to going out directly?
ASKER
We have restricted direct access to the internet at the Firewall. For testing purposes I had allowed an IP and tested the direct access. The clients are connected at the access switch locally, and on separate switches on remote sites. The Firewall and Servers are connected to the Core switches.
The ISA is using a local DNS which is on the same subnet and the same switch physically. The local DNS is configured to forward to an external DNS for lookups it does not have. The performance of accessing through ISA as compared to accessing directly is slow.
We swapped the network cable, checked Switch Interface for any errors. Couldn't find anything wrong there.
ASKER CERTIFIED SOLUTION
ASKER
I have news.
Though I still have to find out where exactly the problem lies. We shifted the ISA server to another ISP which is taking a different path (i.e. through a PIX), whereas the current ISP link is through the netscreen. So, I don't know yet if it is the ISP or the FW. I suspect the netscreen FW. It could be the number of sessions.
Anyways, at least I know where to concentrate. For now, my ISA is working fine through the other path on the other ISP.
Thanks for all the advice. I'll just accept your last suggestion.
Bye,
That's kind of you. :) Good luck with it.
I have a problem with my ISA 2004 server. Intermittently the Internet connection goes down. The connection is restored when I move the DNS IP addresses up and down.
We have 4 DNS addresses, out of which 2 are internal and 2 are external DNS IP addresses.
Please Help.
Create your own question - someone will look at it.
In my case it was a Java application - looks like it does not play nice with the proxy.
The solution was to set Java to use the same settings as IE and, more importantly, to upgrade to Java 1.6.