Solved

Cannot get to specific website through ISA 2004

Posted on 2011-02-11
15
626 Views
Last Modified: 2012-05-11
Hello Experts.

We are running ISA 2004, and cannot get to the website http://inpix.ca if the ISA client is running, or if the settings are in the browser.  There is no problem getting to the website going directly through the gateway.  In IE it gives a timeout error, and the following is what I see in the logs:

2011-02-11      13:48:13      w3proxy      ISA      -      www.inpix.ca      209.44.116.101      80      21031      910      4482      http      TCP      GET      http://www.inpix.ca/index.php/      -      Inet      10060      0x6      URL Allow List      Req ID: 08e56d1a       Internal      External      0x40      Failed

When I run a logging query, I do not even see the connection attempt.

Any ideas?

Thanks in advance
0
Comment
Question by:lor1974
  • 9
  • 3
  • 3
15 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34871574
Can you resolve the webiste to ip from ISA box itself ?
0
 

Author Comment

by:lor1974
ID: 34871597
do you mean by pinging it?  If so, When I ping from the ISA server I see the IP but get host unreachable
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34871667
Actually I meant nslookup, but ping can resolve names.


please compare results ( nslookup from ISA  and nslookup from client machine)
are the two returned IPs identical ? If so then the problem is not in name resolving.

the idea behind that is wen you using webproxy, then the name will be resolved on the ISA server not on the client machine, but using default gateway ( secure nat), the name will be resolved using client machine.
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:lor1974
ID: 34871699
I see the same response from both:

Non-authoritative answer
Name:    inpix.ca
Address:  209.44.116.101
0
 

Author Comment

by:lor1974
ID: 34871758
I ran a DNSreport on inpix.ca, and the A record 209.44.116.101 is the same as one of their NS records...is that normal?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34871970
Did you tried another browser ?
0
 

Author Comment

by:lor1974
ID: 34872010
same thing in firefox:

    * Error Code 10060: Connection timeout
    * Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
    * Date: 2/11/2011 3:32:44 PM
    * Server: isa.fcja.org
    * Source: Firewall
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34873774
Yes - you would expect an A record to match an NS record.

Post the output of an ipconfig /all from the ISA box.
0
 

Author Comment

by:lor1974
ID: 34873812
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa
   Primary Dns Suffix  . . . . . . . : fcja.org
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : fcja.org

Ethernet adapter DMZ - Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NETGEAR FA311/312 PCI Adapter
   Physical Address. . . . . . . . . : 00-40-F4-3E-BA-15
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.100.69
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.1

Ethernet adapter Internal - Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controlle
r
   Physical Address. . . . . . . . . : 00-0F-FE-01-2F-2D
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.128.27
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.128.12
                                       192.168.128.5
   NetBIOS over Tcpip. . . . . . . . : Disabled
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34878343
Config looks fine so no issue there.
If you open a web browser on ISA itself and access the same site - same result? You were asked this earlier but I didn't see a response back.
If it works OK like this - do you also have the web proxy settings applied on the ISA web browser? If not, put them in and retest - same result?

0
 

Author Comment

by:lor1974
ID: 34879870
same result on isa...for whatever reason it cannot even get a ping response from the site.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34880129
Can you try a trace?   -    tracert www.inpix.ca
0
 

Author Comment

by:lor1974
ID: 34969831
When I run the trace from the ISA server I get the following:

Tracing route to inpix.ca [209.44.116.101]
over a maximum of 30 hops:

  1     1 ms     1 ms    <1 ms  x.x.x.x
  2     2 ms     1 ms     1 ms  172.16.0.85
  3    12 ms    12 ms    10 ms  BX5-NEWYORK83_POS11-0-0_core.net.bell.ca [64.23
.187.89]
  4     9 ms     9 ms     9 ms  nLayer_bx5-newyork83.net.bell.ca [67.69.246.90]

  5    61 ms    58 ms    60 ms  ae1-70g.cr1.nyc3.us.nlayer.net [69.31.95.153]
  6    62 ms    61 ms    59 ms  ae0-40g.cr1.nyc2.us.nlayer.net [69.31.95.122]
  7    17 ms    17 ms    17 ms  xe-1-3-1.cr1.mtl1.ca.nlayer.net [69.22.142.110]

  8     *        *        *     Request timed out.
  9    76 ms   177 ms    10 ms  209.44.125.128
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.


When I run it directly through the gateway:

Tracing route to inpix.ca [209.44.116.101]
over a maximum of 30 hops:

  1     8 ms    <1 ms    <1 ms  x.x.x.x
  2     2 ms     1 ms     1 ms  172.16.0.85
  3    15 ms    10 ms    12 ms  bxX5-newyork83_POS9-0-0.net.bell.ca [64.230.18
42]
  4     9 ms     9 ms     9 ms  nlayer_bx5-newyork83.net.bell.ca [67.69.246.90

  5     9 ms     9 ms     9 ms  ae1-70g.cr1.nyc3.us.nlayer.net [69.31.95.153]
  6     9 ms     9 ms     9 ms  ae0-40g.cr1.nyc2.us.nlayer.net [69.31.95.122]
  7    17 ms    17 ms    17 ms  xe-1-3-1.cr1.mtl1.ca.nlayer.net [69.22.142.110

  8     *        *        *     Request timed out.
  9   308 ms   266 ms   251 ms  209.44.125.128
 10   170 ms   173 ms   283 ms  ns1.inpix.tv [209.44.116.101]

Trace complete.
0
 

Accepted Solution

by:
lor1974 earned 0 total points
ID: 35072504
Not surprisingly, the problem ended up being that the External IP of the ISA server was being blocked by the site's firewall.  Should have been an easy thing to discover, but it took them 3 weeks to deal with it.

Thanks for all of your input
0
 

Author Closing Comment

by:lor1974
ID: 35120674
Turned out that there was no internal problem that needed solving.
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
TMG 2010 with OWA - HTTP Attacks 3 489
MS Direct Access 3 638
Outlook 2013 asking for password 6 302
Multiple IP Address Block through a switch 7 117
In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the …
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question