Re: Site2Site VPN - Web page requests returns FWX_E_TERMINATING

You have to separate in you mind the concept of the VPN -vs- the Internet
Traffic even though they both use the ISA and even though the VPN works over
the Internet.

Everything that works over the VPN is private *local* traffic. Geography is
irrelevant.

Therefore you have to make sure that everything that happens with that Web
Application has to be properly treated as local private traffic on the LAN.
Your problem "element" needs to be examined in detail to make sure that
everything involving it and the Client using it must be treated a local
traffic. It appearantly is not,...if you look at the Log entries you posted
you will see that the Web Proxy is involved,...but it should not be
involved.

I see one problem right off the top. It is using http://10.10.3.9 . Well,
never ever ever ever use IP# in links in websites. IP# have "dots" in
them,...this causes them to be interpreted [incorrectly] by Internet
Explorer as FQDNs,...and all FQDNs are treated by Internet Explorer as
Internet Locations and it will *blindly* send them to the proxy if IE
posseses proxy settings,...but if IE does not have proxy settings this does
not occur. Using IP#s in URLs does *not* simplify things as most people
think,...it makes things *more* undependable and unpredictable. You can
verify this be removing all proxy settings from IE and then try the Web
Application again.

There are measures to deal with it, and there is at least one article
explaining how to deal with it,..but the best thing is to not create the
situation in the first place. Use *names* in the URLs that consistantly and
dependably resolve to the correct address. You also need to make sure that
all Domain Names used on the LAN are correctly configured into the correct
Network Definitions. The same has to be true for what might be used in any
Absolute Links (as opposed to Relative Links) that are embedded into the
Site.

There may be other things to consider but this is the best I know to do for
the moment.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

"Peter-Paul" <PeterPaul@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7F8858D9-3B17-48C8-AA9F-388C22797C1D@xxxxxxxxxxxxxxxx
We are experiencing some strange behaviour with a web based application
for
our users in the Branch office site.
The branch site is connected using a ISA to ISA site to site VPN and there
is a firewall rule applied which allows ALL traffic to pass in both
directions. The network policy is set to route the traffic.

From a VPN site the behaviour we are seeing is:
We open the web application: http://server/app.
We receive the application login form and continue to login.
The application opens and we can browse most ellements.
When we try to use a specific element the client receives the following
message:

Error Code 64: Host not available
Background: The gateway or proxy server lost connection to the Web server
When I review ISA monitoring logs at the branchsite I see the same error.
When I review the ISA logs at the HQ site I see:

Log type: Web Proxy (Forward)
Status: 0xc0040001 FWX_E_TERMINATING
Rule: VPN to Den Haag
Source: VPNFR ( 192.168.254.3:0)
Destination: Internal (APPServer 10.10.3.9:80)
Request: GET http://10.10.3.9/app/timeclaimWeek.aspx?week=200833
Filter information: Req ID: 0d69305d; Compression:None
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Object source: Internet Processing time: 110
Cache info: 0x41040010 MIME type:

The web application works well for all users within the HQ site, however
when it passes the ISA FW it stops working.






.

Relevant Pages

  • Re: Site2Site VPN - Web page requests returns FWX_E_TERMINATING
    ... have?Firewall client or Web proxy clients?If you are using FWC is normal ... to use proxy locally and create an exception for your web site. ... in them,...this causes them to be interpreted by Internet ... Understanding the ISA 2004 Access Rule Processing ...
    (microsoft.public.isa.vpn)
  • RE: Configuring ISA 2004 for outbound MS VPN access
    ... internal users to connect to an external VPN server through Microsoft ... Internet Security and Acceleration (ISA) Server 2004. ... remote VPN network is not in the local ISA server's LAT (for ISA 2004, ... Joining Networks over the Internet with a Gateway to Gateway VPN: ...
    (microsoft.public.windows.server.sbs)
  • Re: Exception list problem in internet explorer in the Local Netwo
    ... But I don't want that the requests to the internal web sites in the local ... network go to the ISA proxy. ... However I never use GPO for proxy settings it is too rigid and does seem to have ... We use the ISA proxy server to go to internet in the local network. ...
    (microsoft.public.isa.clients)
  • Re: weird gateway to gateway vpn issue
    ... but then the vpn ... web sites from site B I have to disconnect the gateway to gateway ... has a domain controller that connects over the internet through ... to the internet through their local ISA server at any one time. ...
    (microsoft.public.isa.vpn)
  • RE: GPO that forces users to use a proxy server.
    ... through your web proxy is not only manageable, ... to hardwire your browswer or force VPN connections to your corporate LAN, ... > we know where users are surfing with our business assets (laptops). ... > proxy sever for there internet access in the company, ...
    (Focus-Microsoft)