livegirllove

10060: Connection timeout only on one website

I have SBS2003 R2 with ISA2004.
One website times out trying to connect.
DNS is correct and resolves properly.
From outside the LAN I can connect fine.
From inside the LAN I get the 10060 error from the SBS and all workstations.
In ISA firewall HTTP protocol parameters I unchecked the Web Proxy with no change.
In IE I have allowed the site to bypass proxy. No change.
In IE I disabled proxy with no change.

The site I'm trying to connect to opens a couple of popups for auth. I have gotten as far as sporadically the main page will load, but then the auth popups all get the 10060 error.

I do notice that the site is a bit sluggish and seems to be javascripty.

But regardless, I need to figure out how to get it working through ISA short of yanking ISA out for a real firewall.
site is
http://login.greystonecs.com/arcashlink/login

The only thing I have noticed is that the site is a 12.x.x.x and the SBS is also in 12.x.x.x  
There are no outbound blocking rules enabled on the SBS.
livegirllove

ASKER

Failed Connection Attempt XXXXSBS 9/24/2009 12:39:57 AM
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)
Source: Local Host ( 192.168.16.1:0)
Destination: External ( 69.26.213.20:80)
Request: GET http://login.greystonecs.com/arcashlink/login 
Filter information: Req ID: 19ec73a7  
Protocol: http
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Internet Processing time: 21344
Cache info: 0x0 MIME type:  
Hello,

Open ISA management console, go to the configuration node, then to the general node, click Define HTTP Compression Preferences, and uncheck the enabled box, then make sure that your web proxy filter on the HTTP Protocol is unchecked.
Apply the settings and wait 2 minutes and then things should work fine :)
I bet it is a DNS issue. Try to open the page with the local IP address instead of the name. If you do nslookup you would find out that it is resolved with the outside IP address instead of the local one. I'm using a Cisco firewall and there is an option, DNS doctoring. For ISA I haven't a clue how to fix that, but there should be an option.
On the settings tab nothing is defined.

On content types, "compress the selected" is checked and none of the content types are checked.

On content inspection, "Decompress incoming packets" IS checked.
I unchecked and applied the settings but I don't think that's the one you meant.

Any other ideas?
The web proxy filter has been unchecked from HTTP protocol parameters.
Hitting the IP 12.49.224.50
gets me closer.  The main page has colors and the first popup actually loads the little globe icon.
However it immediately redirects to the real address and then just sits loading.
No failures in the monitoring yet, and no timeout yet.

Here's the nslookup:

C:\Documents and Settings\Administrator>nslookup
Default Server:  arcoasbs.arcoa.lan
Address:  192.168.16.1

> login.greystonecs.com
Server:  arcoasbs.arcoa.lan
Address:  192.168.16.1

Non-authoritative answer:
Name:    login1.greystonecs.com
Addresses:  12.49.224.50, 69.26.213.20
Aliases:  login.greystonecs.com

>
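
An added example, not part of any post in this thread: it parses nslookup output and ISA log text like the samples pasted above and counts the logged 10060 timeouts for each address the name resolves to. The function names and the live `probe` helper are assumptions made for illustration; the sample strings are copied from the thread.

```python
import re
import socket

# Sample input copied from the thread (nslookup answer and ISA log entry).
NSLOOKUP_OUT = """Non-authoritative answer:
Name:    login1.greystonecs.com
Addresses:  12.49.224.50, 69.26.213.20
Aliases:  login.greystonecs.com
"""
ISA_LOG = """Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond
Source: Local Host ( 192.168.16.1:0)
Destination: External ( 69.26.213.20:80)
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def resolved_addresses(nslookup_text):
    """IPv4 addresses in the answer section (the DNS server's own address is skipped)."""
    # Everything before the first "Name:" line describes the resolver, not the answer.
    answer = nslookup_text.split("Name:", 1)[-1]
    return re.findall(IPV4, answer)

def failed_destinations(isa_log_text, status="10060"):
    """Return {ip: count} for log entries whose Status is the given Winsock code."""
    hits = {}
    # Each entry has a Status line followed later by a Destination line.
    pattern = r"Status:\s*(\d+).*?Destination:[^(]*\(\s*(" + IPV4 + r"):\d+\)"
    for code, ip in re.findall(pattern, isa_log_text, re.S):
        if code == status:
            hits[ip] = hits.get(ip, 0) + 1
    return hits

def correlate(nslookup_text, isa_log_text):
    """Map every resolved address to the number of logged 10060 timeouts."""
    failed = failed_destinations(isa_log_text)
    return {ip: failed.get(ip, 0) for ip in resolved_addresses(nslookup_text)}

def probe(ip, port=80, timeout=5.0):
    """Live check from this host: does a TCP connect to ip:port succeed?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    for ip, count in correlate(NSLOOKUP_OUT, ISA_LOG).items():
        print(ip, "logged 10060 timeouts:", count)
```

Run on the ISA server with a full log export, `correlate` shows per address how many timeouts were logged, and `probe` can then be called on each address to compare against a live connection attempt.
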
Did you try my solution?
The issue is not with DNS; I have the same issue here and it was solved by doing my solution above.
I think I did:

From:
"Open ISA management console, go to the configuration node, then to the general node, click Define HTTP Compression Preferences, and uncheck the enabled box"
I got to "uncheck the enabled box" but don't see any boxes for enable/disable.
This is what I see.

My response to your post:
On the settings tab nothing is defined.

On content types, "compress the selected" is checked and none of the content types are checked.

On content inspection, "Decompress incoming packets" IS checked.
I unchecked and applied the settings but I don't think that's the one you meant.
See attached
ISA-HTTP.png
Wait 2 minutes after applying and try and it will work
Ah,
you are on ISA2006.
ISA2004 doesn't have that option:

Capture.PNG
But it "looks" to be disabled, as no content types are being compressed afaik.
Any other ideas?
Hi,

Sorry, my bad
Go to the add-in page on the left, click on the compression filter, properties, and uncheck the enabled box, then apply and restart the firewall service.

Thanks!
It's greyed out?
Found this but it didn't enable the option.
I'll restart the firewall and see if that kicks it.

It turns out that the Web Proxy Filter must be enabled for the HTTP protocol. Without this enabled, you lose the HTTP filter configuration menu. If you don't want to enable the Web Proxy filter, as it may not work well with some sites, enable it temporarily, change the HTTP filter setting and then disable it. The HTTP filter settings will still remain active. Problem solved.
I thought you know that :) sorry,
Once you deactivate the Web Proxy Filter, all your settings applied to HTTP Traffic are gone, unfortunately.
I re-enabled the web proxy filter on HTTP protocol.
Restarted firewall service and ISA services.
Option is still greyed out under add-ins.
Should I reboot or is there some other way to make the option accessible?
ASKER CERTIFIED SOLUTION
ksalameh
This solution is only available to members.
Ah man, sorry.  2:30AM ;)
Made the requested changes.  From a workstation the main page loads but I get the same ISA message on the first popup.  I'm going to reboot the server and the workstation and retest.
No change after reboot :(  I did test the site from 2 other SBS with ISA2004 and they have the same issue with the website, so it's not just this server.
SOLUTION
This solution is only available to members.
It's a 2-NIC box.
The external IP of the SBS is in a 12 range like the website.
Internally it's a 192.168.16.x

I already forgot about the HTTP filter. ;)  See the posts above.  I was misunderstanding.

I disabled the compression filter with no change.

So that said do you think:

 "If you want HTTP without the Filter create a new Protocol for port 80 and then don't add the Filter to it.  Create a new Access Rule for just this one site.  After that you have to do this...."

Is worth a try or do you have some other ideas?
In the end the problem is in the lousy "developers-gone-crazy" design of the site.  I cannot get to it with mine either.  There is some kind of problem with the scripting and components that they buried within the login pages.  They probably designed them in such a way that they won't work properly from behind proxies,...but may work fine from behind NAT boxes.

Thanks for that.  I suspected as much.  I had the client contact them.

However it annoys me that I can't set ISA to totally ignore this site so that even if less secure or crappy web coding I can access it.

If I can get to it from outside ISA I should be able to somehow config ISA to pass it.
I don't think the problem is with you
I don't think the solution is with you
The problem is with the site designers
The solution is with the site designers
As I said:.....
In the end the problem is in the lousy "developers-gone-crazy" design of the site.  I cannot get to it with mine either.  There is some kind of problem with the scripting and components that they buried within the login pages.  They probably designed them in such a way that they won't work properly from behind proxies,...but may work fine from behind NAT boxes.
However it annoys me that I can't set ISA to totally ignore this site so that even if less secure or crappy web coding I can access it.
How would you get to the site through the ISA if the ISA ignores the site?  Of course the ISA has to pay attention to it,...ISA is your means to get there.
You could try the custom HTTP protocol as I described,...but I doubt you will get anywhere with it.  If you go down that path,...don't gloss over what I said about it, pay attention to the details I gave and the article link I gave.
 
Fair enough ;)

Just for giggles though.

What is ISA doing that's blocking it?  If I can tell ISA to pass anything to/from that site without sniffing it, compressing it, proxying it etc. it "should" get through, I would think.  Sure, it has to pass through the ISA NICs and be routed (and DNS is on the same box).

I'll try the custom protocol after hours just to verify to myself that I've done all I can.  My client is already aware that the problem is really at the webpage.

For this client it's no problem to blame the website.  Next client may be a harder sell to tell them no, the website is broken, when they can access it just fine from home.  So although it may be broken and non-standard it IS accessible by everyone that doesn't use ISA.
ISA is not blocking it!
The design of the site's login page components' networking abilities is failing when run through a proxy. A failing connection and a blocked connection are two different things.  It is like if your car's engine throws a rod through the side of the block,...the engine has failed,...it doesn't have anything to do with your ignition switch "blocking" you because it is or isn't the right key.
The site's page also has about three popup windows that a popup blocker can cause to fail.
Here's something else to try.  I am at home and can't verify this,...but make sure the Firewall Client is installed on your workstation,...then remove all the proxy settings from your browser and try it.   Repeat this with Firefox without any proxy settings in Firefox.
You could also try this as a SecureNAT Client instead of a Firewall Client,...but only if your HTTP & HTTPS Access Rules are "anonymous".
 
 
 
Thanks for the explanation.
I tried FF with same results.
Tried removing proxy in IE.
Tried adding the site to the proxy pass list in IE.
I added the domain to popup blocker safe list as well.
Yea I like those 3 popups.  wtf is that, lol.
My client sent them a nastygram.  I guess they just updated that site specifically for my client and it's worse than ever now.
I'm going to go ahead and close this with a split as ksalameh gave good answers as well.
Ok, sounds good. Good luck with things!
Did you try FF with all proxy settings removed?
One last thing to try in IE is to put the site domain *.greystonecs.com in the Intranet Zone.  That is Intranet, not Internet.  I suppose that is my last thought on it, I'm out of ideas.
Yup, tried FF with no proxy settings.
I'll try it in the internet zone.  Currently it's in trusted.
np, thanks for the ideas.
Not internet,...intranet zone.   You have to click the Advanced button in that zone to add a site.  Add it exactly as I spelled the domain, including the star.
I got it.  I can't type and think at the same time ;)