ISA 2004 - Slow or failed downloads for some / most users

Since swapping from ISA 2000 onto new hardware and a fresh install of W2K3 and ISA 2004 (all SPs and patches applied), some users have had repeated failed downloads. It looks like a timeout issue; however, other users (myself included) seem fine.
We do seem to get more DNS lookup errors than usual when browsing normal pages as well, but the downloads are the most obvious effect.

Can't seem to see any answers on the m$ sites or the Internet. I'm surprised that more people are not having this problem.
If we switch back to the old server it all works fine.


Any Help????
Asked: kevquinlan
 
kevquinlan (Author) Commented:
Sorry, I thought all patches were applied - however I just noticed this one - sounds like my problem - will try it and get back to the forum for info if it works (or not)

Update for HTTP Issues for Microsoft Internet Security and Acceleration (ISA) Server 2004 with Service Pack 2 (KB 916106)
Date last published: 4/24/2006
Download size: 1.8 MB  
 
Keith Alabaster Commented:
Try downsizing your MTU.
 
Keith Alabaster Commented:
How is the DNS set up? The patch may help but I think you will find the two issues are part of the same problem.
 
kevquinlan (Author) Commented:
You're right, the patch made no difference - however there is no MTU set on the adapter in the registry - should I just create a key and pop the same value as on the XP clients (514)?
 
kevquinlan (Author) Commented:
DNS is pointing to our external ISP via a 4Mb leased line - it can be a little sluggish at times but it seemed like the old version of ISA put up with it and just waited but the new version is less forgiving!
 
Keith Alabaster Commented:
Hold on the MTU... Let's sort your DNS issues first, then deal with what's left.

Can you clarify please?
How is DNS configured for ISA? External interface? Internal interface?
On ISA 2000 you really needed DNS installed on ISA itself (in cache mode), but on ISA 2004 it's better not to be running the DNS service but to utilise the DNS on the DCs. Personally I do not assign a DNS entry on the external ISA interface. I set the ISA internal interface to point to the internal domain DNS servers and they do the lookups for me using their forwarders.

A 4Mb leased line 'should' be blistering....

How are your clients connected to ISA?
SecureNAT? Web Proxy? Isa firewall client? Transparent Proxy? If ISA firewall client, did you replace the ISA2000 client with the ISA2004 client?


 
kevquinlan (Author) Commented:
ISA is set up on 1 interface. We are using it for web proxy only.
All clients are web proxy - although most connections register as SecureNAT as well (is this normal?).

We use it on our DMZ so it doesn't refer to internal DNS - it just points to the ISP's DNS servers in the network interface settings.

Strange how the downloading problems seem to only affect some people and not others?


 
Keith Alabaster Commented:
OK. So the box only has one NIC.
What is between the ISA server and your internal users? A router? A firewall?

If you do the download from the ISA server itself, I assume it works perfectly every time?
 
kevquinlan (Author) Commented:
Cisco PIX firewall between users and DMZ / ISA.
Downloading from ISA is blisteringly fast.
Downloading from about half the clients is also very fast - however the rest are unable to download any more than a couple of Mb without it hanging and failing.

No fancy groups setup for large downloads or anything, All HTTP traffic is allowed for all users
 
kevquinlan (Author) Commented:
Also no new rules or changes on firewall for the new ISA - it was a direct replacement for the old ISA 2000.
 
Keith Alabaster Commented:
Are you natting between the internal clients and the isa (through the PIX) or routing?

ISA needs to know ALL of the IP addresses that are approaching it for proxying; are they in the LAT?

Open the ISA GUI,
click on configuration - networks
Double click on internal. Select addresses.
Does this contain ALL of the ip addresses and subnets in the inside networks? This includes the DMZ subnet remember.
 
kevquinlan (Author) Commented:
Internal clients are routed to the ISA - the ISA Server's IP is then NATted by the PIX on the way out.

On the LAT the ISA is aware of all our internal Subnets (10.0.0.1 to 10.255.255.255)
 
Keith Alabaster Commented:
It needs to be 10.0.0.0 - 10.255.255.255 on the LAT, even though 10.0.0.0 is actually the network ID, in the same way you have included the broadcast address at 10.255.255.255, although this is unlikely to be your issue.

SecureNAT clients are work stations that have their default gateways pointing at the internal interface of the ISA. As you only have the one NIC, I am a little confused as SecureNAT should not be an option when installed on an ISA box that has used the single interface network template.

So ISA is also routing to the external device (as PIX is doing the NAT).

open the GUI
click on monitoring - logging.
click on start query
do a download from a 'good' user and a 'bad' user. What do you see in the logs?



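The address-range check discussed in the comments above, as an added example that is not part of the original thread: it compares the ranges entered for the Internal network against the subnets that actually reach the proxy and reports any addresses left out, such as a missing network ID or a forgotten DMZ subnet. The function names and the DMZ subnet (192.168.50.0/24) are constructed for illustration.

```python
import ipaddress


def parse_range(text):
    """Parse a 'start - end' entry as typed into the network's address list."""
    start, end = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if start > end:
        raise ValueError(f"range start is after range end: {text!r}")
    return start, end


def uncovered(subnet, ranges):
    """Return (first, last) address gaps of `subnet` not covered by `ranges`."""
    net = ipaddress.IPv4Network(subnet)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    gaps, cursor = [], lo
    for start, end in sorted(ranges):
        s, e = int(start), int(end)
        if e < cursor or s > hi:
            continue  # range lies entirely outside what is left to cover
        if s > cursor:
            gaps.append((cursor, s - 1))  # hole before this range begins
        cursor = max(cursor, e + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))  # tail of the subnet is not listed
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in gaps]


def audit(configured, routed_subnets):
    """Map each routed subnet to its uncovered gaps (empty list = covered)."""
    ranges = [parse_range(r) for r in configured]
    return {subnet: uncovered(subnet, ranges) for subnet in routed_subnets}


if __name__ == "__main__":
    # Range as posted in the thread, plus a constructed DMZ subnet.
    configured = ["10.0.0.1 - 10.255.255.255"]
    for subnet, gaps in audit(configured, ["10.0.0.0/8", "192.168.50.0/24"]).items():
        print(subnet, "OK" if not gaps else f"missing {gaps}")
```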
 
kevquinlan (Author) Commented:
Used this tool -
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

Fixed the issues it raised (added a registry entry and changed rules to remove reference to external).
Rebooted and all worked fine!

Wish M$ had the above tool when I first started looking!!!!

Cheers Keith for your patience.
 
Keith Alabaster Commented:
NP. :)
 
CetusMOD Commented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator