Mc2102

asked on

ISA Server 2006 Web proxy issue

Hello,

I have the following setup

Workstation <----> ISA Server <----> VPN tunnel <-----> Sonicwall <------> Webserver

From the 'Workstation' I am trying to open a webpage which is running on the 'Webserver' via HTTP and the page does not open. I can ping and telnet to port 80 on the workstation to the webserver. If I am in the same LAN as the webserver I can open the page without a problem from any machine, but as soon as the traffic flows through the ISA server I see an error page saying that Web proxy was not able to reach the host, which is of course nonsense because there is other traffic flowing through the tunnel as well. I do not want the ISA Server to do any caching or anything - I want the ISA server to directly forward the traffic to the webserver and that is it.

Can someone please help and let me know what I need to change on the ISA server to get that to work?

Thank you
Mc2120

Please see below the error message:
=============================================================================
Failed Connection Attempt ISASERVER 3/5/2010 3:51:51 PM
Log type: Web Proxy (Forward)
Status: 10065 A socket operation was attempted to an unreachable host.  
Rule: Internal -> VPN tunnel
Source: Internal (192.168.10.144)
Destination: Concretio (192.168.2.10:80)
Request: GET http://192.168.2.10/ 
Filter information: Req ID: 0b796958; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; FDM; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 62921 ms
MIME type:  
 

Mc2102

ASKER

I just tested with another webserver in the same LAN as the first webserver and there is the same problem. So it seems to be a general problem with the HTTP traffic going through the ISA server / VPN tunnel.

Verify that your Network Rule for site to site VPN route does not use NAT, which will cause the VPN to fail. The network relationship should be ROUTE.

http://technet.microsoft.com/en-us/library/cc302456.aspx

Mc2102

ASKER

Hello JJ2,

I verified that the rule exists and that routing is configured between the two networks. I would have been surprised if that had been the error since the tunnel is up and traffic is flowing through it. From the workstation I can telnet to the webserver on port 80 but if I try to open the webpage then it fails. For some reason ISA Server is blocking this traffic.

Thank you
Mc2102

Mc2102

ASKER

I also found the following entry in the


To allow HTTP proxy or NAT traffic to the remote Site-to-Site Summary if the tunnel:
==================================================================
the remote site configuration must contain the local
site tunnel end-point IP address.
==================================================================

The remote firewall is a Sonicwall. So I added the public IP of the ISA Server as a local IP to the tunnel config and the tunnel still comes up, but it did not make any change. I am still not able to open the webpage on the webserver from the workstation and I still receive the same error.

Mc2102

ASKER

I am still looking into this issue and I just discovered that if I try to ping the webserver from the ISA server then I do not see a reply but instead I see 'Negotiating IP Security.'

Is that normal? Could that be related to the issue?

The 'Negotiating IP Security' is due to IPSEC.

Take a look on this article:

http://support.microsoft.com/kb/885348/

Just a follow-up on "Negotiating IP Security"...

Verify that the ISA Server has Sonicwall's external IP address added to the Addresses tab of the Remote Site.

Verify on the Sonicwall, that the ISA Server's external IP address is added.

Mc2102

ASKER

Hello JJ2,

Thanks for the references but I am not trying to install an SSL VPN concentrator behind the ISA - I am trying to get my HTTP traffic through the tunnel. But the reference is good because we are thinking about buying such an SSL VPN concentrator and installing it behind the ISA server. : )

Thank you