Proxy chain loop bug in ISA SP1
From: Al Blake (al_at_blakes.net)
Date: 03/22/04
Date: Tue, 23 Mar 2004 09:40:04 +1100
We have spent over a year diagnosing this problem. I have seen numerous
posts from others indicating they are encountering the same issue. Here is
the setup:
-SINGLE ISA Enterprise SP1 in AD. (no upstream/downstream proxies)
-SINGLE Internet connection on ISA box
-Publishing Ex2003 OWA through web publishing using SSL by name. Same
certificate installed on Ex2003 box and ISA server.
-ISA server has dns *only* bound on internal NIC pointing to Internet (LAN)
dns server
-Internal adapter is bound ahead of external adapter
-ISA server has hosts file containing hard-coded internal IPs of all
internal servers published via ISA (to bypass dns)
-1200 mailboxes on Ex2003 server - so potentially high traffic through web
publishing.
-We are a K12 school so traffic can be low (holidays) or high (term time)
When there is low traffic (holidays), despite users accessing their
mailboxes through OWA through ISA there are no problems. During the last
holiday we didn't have a single error on the ISA server (over two months).
Since the students have returned and traffic has ramped up on the ISA
server, once or twice a day we get:
ISA Server detected a proxy chain loop. There is a problem with the
configuration of the ISA Server routing policy.
After this has been logged in the event log (14141) all subsequent users to
the OWA service get 12206 errors and 500 (page unavailable). This can only
be cleared by restarting the web proxy service, which we have now automated
(stop then start after detecting the error 10 times). Checking the ISA web
proxy logs confirms this *only* occurs with the OWA publishing rule:
**** **** Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 2004-03-22
20:02:43 W3ReverseProxy FLUFFY - mail.cggs.act.edu.au - - 110 1388 - -
SEARCH http://mail.cggs.act.edu.au:443/exchange/****/Inbox/ - 12206
**** **** Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 2004-03-22
20:02:43 W3ReverseProxy FLUFFY - mail.cggs.act.edu.au 203.110.145.180 443
125 1364 3785 http SEARCH
http://mail.cggs.act.edu.au:443/exchange/****/Inbox/ Inet 500
etc etc until the service restarts. The issue is *NOT* related to a routing
error as the system works perfectly under low load (holidays) with no
configuration changes. Also, before hard-coding the name of the mail server
into the hosts file on the ISA server this problem used to occur 10-15 times
a day. Since hard-coding the server name this has reduced to approximately
once per day; but it hasn't stopped. This indicates that the problem is the
dns lookup functions of the web proxy service in ISA under high load.
I am not prepared to pay Microsoft another $500 to be told 're-install your
ISA server', which is what they told me last time. (We have reinstalled
twice incidentally). Also, if we don't web publish the OWA server but simply
directly publish the port we never get the proxy chain error, even though we
have 5 other servers published through web publishing. Again this confirms
that the problem is in a web publishing SSL under high load. (The reason we
want to stick with web publishing for OWA is because we need the logging we
can obtain that way).
Anyway, if anyone from M$ reads this perhaps they could confirm whether this
problem is in the fix-train for either an SP or the next version of ISA? If
there is anyone on ISA development that wants me to provide logs or carry
out testing to nail down the problem then I would be happy to do that - but
I am not paying another $500 for the privilege.
To anyone else that is running into this issue; you are not alone, your
routing configuration is correct; it's a problem in ISA, and let me know if
you find a 100% fix for this issue.
Al Blake, Canberra, Australia
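
The watchdog condition described in the post (act after the 12206 result has been logged 10 times on the OWA publishing rule), as an added example that is not part of the original post or the poster's script. The 60-second window, the reset on a served request, the helper names and every value in the sample lines are assumptions made for illustration.

```python
import re
from collections import deque
from datetime import timedelta, datetime

THRESHOLD = 10                    # from the post: act after 10 errors
WINDOW = timedelta(seconds=60)    # assumption: errors must fall within one minute
LOOP_RESULT = "12206"             # result code logged once the loop is detected

# The user agent contains spaces, so anchor on the date/time pair, take the
# service name right after it and the result code as the last token.
LINE = re.compile(r"(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s.*\s(\S+)\s*$")

def parse(line):
    """Return (timestamp, service, result), or None for an unparseable line."""
    m = LINE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1) + " " + m.group(2), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(3), m.group(4)

def restart_points(lines, service="W3ReverseProxy"):
    """Timestamps at which the 12206 count reaches THRESHOLD inside WINDOW."""
    hits, triggers = deque(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != service:
            continue
        ts, _, result = rec
        if result == LOOP_RESULT:
            hits.append(ts)
            while ts - hits[0] > WINDOW:
                hits.popleft()        # drop errors older than the window
            if len(hits) >= THRESHOLD:
                triggers.append(ts)   # caller restarts the web proxy service here
                hits.clear()
        elif result.isdigit() and 100 <= int(result) < 400:
            hits.clear()              # a served request means the proxy is not stuck
    return triggers

def sample_line(second, result, host="mail.example.test"):
    """Constructed line in the layout of the quoted log (all values made up)."""
    return ("10.0.0.5 user1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) "
            "2004-03-22 20:02:%02d W3ReverseProxy ISA1 - %s - - 110 1388 - - "
            "SEARCH http://%s:443/exchange/user1/Inbox/ - %s"
            % (second, host, host, result))
```

The 500 lines that accompany each 12206 entry in the quoted log are neither counted nor treated as recovery, so the paired entries do not distort the count.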