Solved

Python not connected message for restricted users

Posted on 2014-10-09
17
203 Views
Last Modified: 2014-12-16
Hi

We are using  Windows 7  workstations and when the students go to the
http://www.codecademy.com/learn
Click Python - start Python

The loading wheel dosen stop , it keeps going and going. and it says not connected
As snapshot attached.
At the same time when i log in as administrator it works sucessfully .

the student internet access is through proxy servers and we use Microsoft ISA server 2006. I am not sure if i have to create \enable a GPO Or i have to make changed in ISA server.

Or if there is way of finding if any port is blocking  for  Python not to work
Any help much appreciated

Thanks
Python-Error.png
0
Comment
Question by:lianne143
  • 7
  • 6
  • 3
  • +1
17 Comments
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 40372283
May want to check out this in local machine but still good to know the error in the denial log from ISA to further troubleshoot any rule blocking this
http://www.nirsoft.net/utils/cports.html
CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.

..or see "Troubleshooting HTTP 502: The Uniform Resource Locator (URL) does not use a recognized protocol"  http://technet.microsoft.com/en-us/library/bb794799.aspx

..or due to authenticated traffic req btw proxy related error (407 Proxy Authentication required) or (502 Proxy Error ( The ISA Server denied the specified Uniform Resource Locator (URL). http://www.isaserver.org/articles-tutorials/general/Troubleshooting_ISA_authentication_issues.html

other related info -  "Common issues in client authentication"
http://technet.microsoft.com/en-us/library/cc302664.aspx
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 50 total points
ID: 40372313
There is javascript on that page that connects to Facebook and Google and maybe some other sites.  Are any of those sites blocked for your users?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 40372343
also couple of point to note:
- DNS resolution is extremely vital for ISA Server. Also, if you would like to allow or deny certain destinations and they give a different result when doing a forward and reverse DNS lookup, you will have to be very carefully with the network object types (FQDN or IP address) you use in the element To of the access rules.

- if ISA Server is unable to authenticate the user for whatever reason, that means that no credentials at all are presented to the ISA Server, then any request from that user will be denied by the first rule requiring user authentication, regardless if it is an allow or a deny rule. In fact, this situation is the first case that an allow rule actually will deny a request.

- check out the the ISA log and you should find a number of requests allowed by rule #1 (for example) but also a lot of requests denied by rule #1. If you look further into the log, you should find the information Blocked by the HTTP Security filter: URL contains an extension which is disallowed under the column Filter Information for the denied requests. So, those requests are actively blocked by the allow rule #1.

- Put Web and Server Publishing rules on the top of the list. According to the ISA help file, access rules that deny traffic are processed before publishing rules. Therefore, if a request matches an access rule, the request will be denied, even if a publishing rule would have allowed the request.

http://www.isaserver.org/articles-tutorials/articles/ISA2004_AccessRules.html

sidenote is codecademy has some checks too below
http://help.codecademy.com/customer/portal/articles/1417665-troubleshooting-guide
0
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 150 total points
ID: 40375127
You stated that is works we you log in as administrator. Is this the local admin or domain?  It should like a potential GP setting for IE.

While the user is logged in go a gpresult /v >c:\gpresult.txt Feel free to post the results if it does not contain sensitive information

Does the site require to be a member of the IE trusted sites?
0
 

Author Comment

by:lianne143
ID: 40378601
I had logged in as a domain admin. I will try adding the site in the trusted sites.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 40378920
also as the administrator to see if there were maybe group policy that redirect you to ISA Server and blocks you from surfing the Internet or any policy on the router. e.g. gpo may have stated  block Web sites for some users and not all.
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Restricting-Specific-Web-Sites-Internet-Explorer-Using-Group-Policy.html

Also good to know that there is the computer and the user gpo, so for the Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration:

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Note: When we configure Site to Zone assignment list GPO then users will not be able to add their own sites to any zone. Options to add sites on client machine will be greyed out.

Internet Explorer will read from the following registry for the sites deployed through Site to Zone assignment list:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
0
 

Author Comment

by:lianne143
ID: 40408230
Sorry guys , for the late reply.

I did some test We have three different proxy servers on our network.
1) admin proxy
2) staff proxy
3) student proxy

I logged is as administrator and Python works absolutely fine under admin proxy.

On the same PC I removed the admin proxy settings and changed the proxy settings to staff proxy- and Python works.

On the same again I removed the staff proxy settings and changed the proxy settings to student proxy- and Python doesn't work.

So not sure if the ISA server is blocking codeac ademy, please suggest how to go from here.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 40408320
Thanks it is worth reviewing the 3 x ISA policy and this already isolate nothing to do on the machine GPO per se or security setting. It is more on the ISA access policy esp if they are different server or VM instance. may want to focus specifically on outbound access rule or even the access rule order (step 3 onwards for the below "Troubleshooting Web Access for Internal Clients ")
http://technet.microsoft.com/en-us/library/bb794787.aspx
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:lianne143
ID: 40410846
Sorry Guys

I hope I am not confusing, trying to give as much information.
I have not made any changes and since my last post. I tested again now I did it is behaving differently.

I logged in as a staff and the (staff proxy) settings are picked from the GPO. Logged in as staff when I load python it doesn't load and with the same user I changed the proxy to (admin proxy) and still python don’t work.

I have another proxy server which by passes the proxy (ByPass), when I put this server setting the python works on a staff login.
But when I login as a domain administrator and the proxy settings for the domain administrator is (admin proxy) and python loads successfully.
Please suggest as what I need to do at this stage.
Thanks for your help
0
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 150 total points
ID: 40411238
Let's try the following.
1) From the student ISA server open the section to monitor active connections.
2) From a client workstation using the student ISA server as a proxy try to access the training site.
3) See if the monitor on the ISA shows any blocked connections.

Additional Questions:
-  IS there a firewall in-between the workstations and ISA servers?
0
 

Author Comment

by:lianne143
ID: 40412030
Just saw the post  and  away from work . I will try this tomorrow and post you the results.

There is no firewall between the workstations and ISA servers.

Thanks you so much
0
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 40412298
Probably let summarise the failed and working cases for clarity and see if we can isolate entirely to find root cause. (and let's be consistent in testing the same browser and same machine and clean cache btw each test attempt)

See below and confirm the status - Are all the error code the same for those failed scenarios.

*a) Staff > admin proxy  - Failed
b) Staff > staff proxy - Working
*c) Staff > student proxy - Failed?

d) Admin > admin proxy - Working
*e) Admin > staff proxy - Failed
*f) Admin > student proxy - Failed

*g) Student > admin proxy - Failed?
*h) Student > staff proxy - Failed?
i) Student > student proxy - Working?

j) Anything > Bypass proxy - Working
0
 

Author Comment

by:lianne143
ID: 40412827
Please see below the behaviour of Python. I have cleared cache all the times I try.

*a) Staff > admin proxy  - The wheel keeps spinning  and spinning (without the Not connected Error code )
*b) Staff > staff proxy – Failed- The wheel keeps spinning  and spinning (without the Not connected Error code )
*c) Staff > student proxy - Failed? – With “Not connected Error code”

d) Admin > admin proxy - Working
*e) Admin > staff proxy – Failed - The wheel keeps spinning and spinning (without the Not connected Error code)
*f) Admin > student proxy – Failed - With “Not connected Error code”



*i) Student > student proxy – failed

j) Anything > Bypass proxy – Working


When I login as student, due to the Group policy restrictions, I am not able to see the files menu in the IE11 and unable to change the proxy settings.

The proxy server for both admin and Staff is same and their IP as follows, but only the proxy settings change on the IE  for  Staff > staff proxy  
                       Admin>admin proxy.
The IP of Staff proxy is:  10.14.112.22.
The IP of admin proxy is: 10.14.112.22

For the students it is a different proxy server and the IP is 10.14.112.23

Bypass proxy server is  a different server as well  and the IP is 10.14.112.24

Thanks
0
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 150 total points
ID: 40414047
are you using a WPAD or proxy.pac file by any chance..
0
 

Author Comment

by:lianne143
ID: 40414260
I am not sure if we are using WPAD or proxy.pac , is there a way to find.

Thanks
0
 
LVL 61

Accepted Solution

by:
btan earned 300 total points
ID: 40414817
It seems like only privileged account to proxy is working (e.g. Admin > admin proxy - Working) and other all failed. Can also check the troubleshooting steps stated in below to cover the ground of checks
http://support.microsoft.com/kb/811087

Another as mentioned, is the automatic proxy detection. The various proxy combination which include explicit is well tabulated to differentiate btw PAC and WPAD - http://findproxyforurl.com/why-pacwpad/

- WPAD - browser guess the location of the PAC file through DHCP and DNS lookups. The WPAD standard uses wpad.dat.

- PAC - Specify the URL for a PAC file with a JavaScript function that determines the appropriate proxy for each URL. This method is more suitable for laptop users who need several different proxy configurations, or complex corporate setups with many different proxies.  PAC file is published to a HTTP server, and client user agents are instructed to use it, either by entering the URL in the proxy connection settings of the browser or through the use of the WPAD protocol.

But it may seems that you are in the explicit proxy.....unless maybe Admin can try set automatic, if DHCP and DNS is set properly,  the WPAD file (the proxy configuration file) will be downloaded  in the TIF (Temporary Internet Files) folder. You can easily copy/paste the file into a temp directory renaming it to have a .TXT extension.  From there you can load the file in notepad.exe to see that the file content and logic within.
(Do not open any files directly from the Temporary Internet Files folder)

Also good to check if there are exception list in browser proxy option that state to bypass certain URL or wildcard-ed URLs, likewise proxy handling all the various protocol etc...

The troubleshooting "Troubleshooting Automatic Detection " may be useful if using the WPAD etc..
a) A WPAD entry is configured in DHCP, but only users logged on as local administrators can successfully detect settings.
b) Web Proxy clients cannot detect automatic proxy settings.
c) Clients are experiencing delays of up to 10 seconds when making a request for a Web page, and using DHCP for automatic discovery. This is especially noticeable for Web requests from clients that are not configured as Firewall clients.
d) Clients cannot retrieve settings using WPAD.
0
 

Author Comment

by:lianne143
ID: 40449444
Sorry guys, I will look at this and post on the forum
Thanks
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now