ISA Server Java problem

cjohnson300
cjohnson300 used Ask the Experts™
on
I have an IP surveillance camera which I can connect to over the internet which works great everywhere but in the office.  We have an ISA server in the office and I have allowed everything I think is necessary and it still doesn't work.

I log in, the Java applet starts to load and then all I get is a white square where the camera's display should be.  I have been looking around and the best solution I can find relates to Authentication.  We are using Intergrated, and I read elsewhere that Java only supports Basic, is this the case?  I have connected to other Java applet websites without trouble in the past, is there more than one type/version?

Any help much appreciated
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2011
Commented:
If it is authentication,..and it probably is,...it is a simple fix.
Configure the JRE to not use a proxy.  Use a "direct connection".  Do this by going to the Windows Control Panel and opening the Java icon.
Then install the Firewall Client on the workstation.  The FWC will do the authication on behalf of the JRE.    This requires that the ISA NOT be a single nic caching server,...it has to be a full duel nic ISA that runs with all of its abilities.  A single nic ISA is just a crippled mess in my opinion.
 

Author

Commented:
I've tried the setting the Java to use Direct Connection, but I didn't even get the white square, just an error saying it couldn't find a class file.  The Firewall Client was already installed
Most Valuable Expert 2011
Commented:
Yes,...but you didn't get the "white square",...which is probably a step forwards,...not backwards.
Try removing all proxy settings from the browser.
 
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Most Valuable Expert 2011
Commented:
If that works,...put the setting back,...add the Camera's IP# to the Intranet Zone in the browser (click the Advanced button in the Zone).

Author

Commented:
Surely if I remove all proxy settings from the browser, it won't know how to get to the webpage in the first place
Most Valuable Expert 2011

Commented:
No the browser will not know,..that is the goal,..but the traffic will still go to the proxy.    It just will not use the Web Proxy Service,...it will use the Firewall Service instead.   This "test" takes control away from the browser and puts control in the hands of the FWC software.

Author

Commented:
It works!  But I'm slightly confused I must admit.  I thought the client needed to be installed and the web browser needed proxy settings for the browser to work?  What is the point of the web proxy service and configuring the browser to use the proxy if the firewall service can handle it all?  
Most Valuable Expert 2011

Commented:
ISA has three distinct services,...effectively three products in one.
1. A CERN Compliant Web Proxy Service
2. an industry standard Winsock Based Proxy Service (Firewall Service)
3. a regular NAT based firewall service (SecureNAT Service) that is like what you get with most traditional "hardware" firewalls.
You do not get everything with only one service.  It takes all three.  Due to poorly written web sites and poorly designed web componenets and applets,...some of them will not work properly with a CERN Web Proxy Service (even though they should),...but they will work with the Firewall Service (Winsock Proxy).
Removing the browser settings allowed the Applet to function over the WInsock Proxy (Firewall Service).  Now that we know that this works, you can put the browser's proxy settings back as they were and try adding the Site the the Intranet Zone in the Browser.
So do that,..put the browser settings back and see if it works when you add the Site to the Intranet Zone (not Internet Zone) and try again.  You may have to put both the FQDN and the IP# into the Zone.

Author

Commented:
Yes it does!  What is the signficance of putting the site into the Intranet Zone?
Most Valuable Expert 2011

Commented:
IE has certain behavors it follows in terms of when to send to the proxy and when not to.  Two big ones are:
1. If the URL has dots in it than it always sends to the proxy no matter what, no questions asked.  This is a big problem if the URL is using an IP# that may be internal to the LAN.  Now most people don't even know about this IE flaw because it only happens if IE has proxy settings and most poeple use Hardware NAT Firewalls which don't have proxy settings in IE,...hence the problem is never seen by them.
2. If the destination site is listed in the Intranet Zone it does not get sent to the proxy.
Now keep in mind that IE only knows about the Web Proxy Service.  It has no concept of the other two ISA Services,...it wouldn't know the Firewall Service or the SecureNAT Service if it tripped over them.  So when IE "thinks" that it is sending direct and not using a proxy all that really means is that it is not being sent to the Web Proxy Service,...which allows the ISA Firewall Service or the SecureNAT Service to intercept it and handle it.
So, since we know that this communication your having trouble with doesn't work with the Web Proxy Service, but does just fine with the Firewall Service (Winsock Proxy),...we have to convince IE to not send the traffic to the proxy with this particular Site.  This allows the Firewall Service via the Firewall Client Software on the local machine to intercept it and handle the flow.   So by putting this site's FQDN, and maybe the IP# too, into the Intranet Zone should allow this to happen.  If this does not work then you can try putting the same thing into the proxy exceptions list in the proxy settings,...but I think the Interanet Zone may work more dependably.

Author

Commented:
Thank you so much for your help.  A truly complete solution, backup up by obvious experience and genuine knowledge

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial