  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 315

Windows 7 Networking

Hi,

I've got a bit of an odd problem with W7 in a corporate environment.

We have a fresh Active Directory child domain and started installing the first clients into the domain. The domain controllers in the domain are both DNS and DHCP servers. The clients are installed in another network and taken to the domain network where they are taken into AD.

About 60-70% of these clients have MASSIVE internet problems. When a user attempts to access a website, it takes about 2 minutes for it to load - the browser sits there doing nothing. At the end of the delay, the site loads almost instantly. On the remaining 30-40%, browsing works without a problem.

The clients access the network over a proxy (MS ISA) in another domain (the users must authenticate themselves with credentials in the other domain).

I've tested DNS - a DNS query is answered almost instantly from all involved DNS servers. The client's event log is clean.

A Wireshark TCP dump shows that the client contacts the web server immediately after the user enters the URL in the browser - the client also receives an answer from the server. After the initial GETs and response, NOTHING happens related to that connection on the network side. No single packet is found in the connection. Broadcasts and other traffic are logged, meaning that the NIC works fine. After a long wait, traffic for the website continues and the site loads instantly.

No VPN software is installed on the computers; the clients are currently running McAfee 8.7 managed with an ePO server.

I've tried disabling Remote Differential Compression to no avail. I've also disabled IPv6 and QoS on the NIC side, reset the network settings and disabled TCP auto tuning.

I've confirmed the DHCP settings, checked Windows Updates and can't find the problem.

Does anyone have an idea what the problem could be? This is driving me and our users crazy.

/Wave
Jeremiah
Asked: eSourceONE
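The symptom in the capture described above (a connection that goes quiet for minutes after the first GET and response, while everything else on the wire keeps flowing) can be triaged programmatically. The following is an added example, not code from the thread: it assumes the capture has already been reduced to (timestamp, src, sport, dst, dport) records, and the sample packets and addresses are constructed.

```python
# Added example, not from the thread: flag TCP flows that go silent mid-conversation.
# Input records (ts, src, sport, dst, dport) are assumed exported from a capture; the sample is constructed.
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    ts: float      # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int

def flow_key(p):
    # Direction-agnostic 5-tuple so both halves of a TCP conversation group together.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def find_stalled_flows(packets, threshold=30.0):
    """Return {flow: (gap_seconds, gap_start_ts)} for every flow whose longest
    idle gap between two of its own packets is >= threshold seconds."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[flow_key(p)].append(p.ts)
    stalled = {}
    for key, times in by_flow.items():
        times.sort()
        gaps = [(later - earlier, earlier) for earlier, later in zip(times, times[1:])]
        if gaps:
            worst = max(gaps)          # (largest gap, timestamp where it began)
            if worst[0] >= threshold:
                stalled[key] = worst
    return stalled

# Constructed sample (addresses made up): client 10.0.5.21, proxy 10.0.1.8:8080.
# The HTTP flow stalls for ~2 minutes after the first response; the CIFS flow does not.
SAMPLE = [
    Packet(0.00, "10.0.5.21", 49152, "10.0.1.8", 8080),   # SYN
    Packet(0.01, "10.0.1.8", 8080, "10.0.5.21", 49152),   # SYN/ACK
    Packet(0.02, "10.0.5.21", 49152, "10.0.1.8", 8080),   # GET
    Packet(0.08, "10.0.1.8", 8080, "10.0.5.21", 49152),   # first response segment
    Packet(121.50, "10.0.5.21", 49152, "10.0.1.8", 8080), # nothing on the wire until here
    Packet(121.60, "10.0.1.8", 8080, "10.0.5.21", 49152),
    Packet(0.50, "10.0.5.21", 49153, "10.0.1.20", 445),   # CIFS, steady
    Packet(0.60, "10.0.1.20", 445, "10.0.5.21", 49153),
    Packet(1.10, "10.0.5.21", 49153, "10.0.1.20", 445),
]

if __name__ == "__main__":
    for flow, (gap, at) in find_stalled_flows(SAMPLE).items():
        print(f"{flow}: idle {gap:.1f}s starting at t={at:.2f}s")
```

Running it over a real export lets you see at a glance which flows (and which destination ports) carry the stall, which is the same split the thread arrives at by hand: HTTP stalls, CIFS/RDP/DNS do not.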
1 Solution
 
computerdoctorserviceCommented:
This is a shot in the dark, as it clearly won't be the solution for all problems, but we had a similar problem with ISA server with one particular client:

Everything appeared normal on the ISA server whenever we checked, but we ultimately manually set the Virtual Memory swap file to 2GB (the server had 512MB) and the problem was resolved. In our case there was clearly a limit on the ISA server's ability to work quickly around a lack of memory.

You may have more users (we had 13 plus 4 site-to-site VPNs) so you may need to increase it some more. Give it a try.
 
eSourceONEAuthor Commented:
Hi,

thanks for the response.

The ISA Server currently has a 4GB pagefile; 4GB RAM, and 4 CPU cores. Most of those resources are still free. The Proxy is used for about 400 +/- users and only the new users experience problems.

S-2-S VPN is managed by a Checkpoint firewall cluster.

We've also tested internet access without the proxy (the clients were permitted internet access without proxy) - that was unsuccessful as well.
 
Keith AlabasterCommented:
How are the proxy settings set within the client browsers - autodetect? Manually set? WPAD/DNS? Group Policy? ISA firewall client?
 
eSourceONEAuthor Commented:
Hi,

Proxy settings have been tested both in GPO and manual (currently, they are manual). However the client experiences the same problem when accessing the internet without the proxy.
 
Keith AlabasterCommented:
That was what I was trying to establish so that is fine.
How does your network for the child domain connect to the main network? Is this part of the same network but just using vlans to separate or is it a different infrastructure completely? Same building or geographically dispersed? A network topology map might be useful? How is the routing handled between the two networks or vlans?

Performing a tracert to an external IP, what route is the traffic taking? Is it the one you would expect? Any form of high latency seen at any of the points?
What is the performance like if you access non-web-based external locations? For example, if you RDP'ed or telnet to an external location - is the performance showing the same forms of delay or just web sites?

For web sites, if you put in http://ip_address does the delay show the same as http://web_site_name?
 
eSourceONEAuthor Commented:
The problem is currently only on HTTP traffic. DNS, telnet, CIFS, RDP all work without a problem. Tracert takes the same route all others take (Host -> Default-GW -> Proxy -> Firewall -> Router -> internet). Internally, we have access times of <= 1 ms.

Networking wise, they are only separated by VLANs, no firewalls exist between the networks (they are in the process of a domain migration at the moment).

The problem is also not user specific.

Yeah, I tested Google over IP and that wasn't any faster. The browser seems to stop working (the "wheel" thingy stops spinning and if you click in the window it goes white).

We're currently trying another browser, but it would be unusual for that many installations to be corrupted...
 
Keith AlabasterCommented:
Agreed. But it is also unusual that the same result is achieved when you bypass the proxy.
Performance when operating on the parent domain is fine and connecting to these same sites?
 
computerdoctorserviceCommented:
If it's just new users (you said "only the new users experience problems"), could it be a permissions issue in AD? For instance, if the ISA server is part of a different domain it must look up the child domain AD, and if that DC is busy, delayed or temporarily unreachable it may introduce the delay. Did you try allowing "All users" permissions in the ISA rule?
 
eSourceONEAuthor Commented:
I doubt that it's permissions; I've tried using one of my users with domain admin rights to no avail.

Yeah, I tend to think it's some sort of networking problem on the client itself. Normal network access is fine; I can copy files while pretty much maxing out the 100 Mbit/s.

We just tested using Mozilla FF, and to my dismay it seems to work fine. We might have a bunch of buggy IE installations :-/ The machines are running IE 8 atm. We can't go to 9 due to an application compatibility issue which is still being researched.

Reinstalling IE on a test machine now - will inform once I'm done.
 
eSourceONEAuthor Commented:
The old domain and new one aren't trusted, so the user authenticates himself on the proxy with the old user credentials.
 
Keith AlabasterCommented:
Not relevant if the user gets the same experience when the proxy is bypassed.
 
computerdoctorserviceCommented:
Keith - the proxy can be bypassed but the traffic can still pass through the ISA server. Depends on the default gateway.
eSourceONE - I would say that if you allow all HTTP traffic out through the ISA server using a rule that works on, say, an IP address range, then set the default gateway on the clients as the ISA server address, that would rule out AD comms issues. If that does not work I will bow out.
 
eSourceONEAuthor Commented:
Hi,

after lots of trial and error, we were able to pinpoint the problem to Windows Defender and McAfee.

Thanks for the help!
 
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
 
eSourceONEAuthor Commented:
A/V Software