Re: Can't access our DMZ websites via web proxy...?
From: Phillip Windell (_at_.)
Date: 11/30/04
Date: Tue, 30 Nov 2004 10:31:49 -0600
So your ISA is a "one legged" (one NIC) caching server?
The problem is most likely your firewall setup and it has nothing to do with
ISA.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"RJ" <ryanjjones@mail.com> wrote in message
news:fb580c69.0411300800.1f7e442@posting.google.com...
> Hello - thanks for reading this.
>
> We have a funny ISA problem and are struggling about where to look
> next.
>
> Quick "Diagram"
>
>     Internet
>        |
>        |
>  123.123.123.123
>    FIREWALL -------- DMZ
>  10.1.30.1/16     10.254.0.0/16
>        |               |
>    ISA Server      WebServer
>    10.1.30.5       10.254.10.2
>        |
>    Client PCs
>
> Hope that explains things! All internet traffic goes via the ISA
> server.
>
> The webserver in the DMZ contains various websites. Internally,
> www.site1.com; www.site2.com; www.site3.com etc all have address
> 10.254.10.2, and the web server headers work out which site is to be
> shown. The firewall allows HTTP between LAN and DMZ etc.
>
> If a client PC, with proxy setting manually set in browser, then none
> of the websites on our DMZ webserver are shown. We get error "64 -
> Host not available". However, if we disable the browser proxy
> settings, and just use the ISA Firewall Client - then the websites all
> work perfectly.
>
> However, clearly, both types of request go via the proxy server
> itself...! One via the Web proxy, and one via the firewall proxy.
>
> Here are the logs from the ISA server:-
>
> Firewall logs (work)
> ====================
>
> 10.1.20.31 <MyUsername> iexplore.exe:3:5.1 Y 2004-11-30 15:21:22 fwsrv MYISASERVER - www.MyWebsite.com 123.123.123.123 - - - - - - GHBN 0 IT
> Only Allow rule 611 0
> 10.1.20.31 <MyUsername> iexplore.exe:3:5.1 Y 2004-11-30 15:21:22 fwsrv MYISASERVER - www.MyWebsite.com 123.123.123.123 - - - - - - GHBN 0 IT
> Only Allow rule 611 0
> 10.1.20.31 <MyUsername> iexplore.exe:3:5.1 Y 2004-11-30 15:21:22 fwsrv MYISASERVER - - 10.254.10.2 80 - - - 80 TCP Connect 0 IT
> Only - 611 32016
> 10.1.20.31 <MyUsername> iexplore.exe:3:5.1 Y 2004-11-30 15:21:22 fwsrv MYISASERVER - www.MyWebsite.com 123.123.123.123 - - - - - - GHBN 0 IT
> Only Allow rule 611 0
> 10.1.20.31 <MyUsername> iexplore.exe:3:5.1 Y 2004-11-30 15:21:22 fwsrv MYISASERVER - - 10.254.10.2 80 - - - 80 TCP Connect 0 IT
> Only - 611 32017
>
> Web Proxy Logs (doesn't work)
> =============================
>
> 10.1.20.31 <MYDOMAIN>\<MyUsername> Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1; .NET CLR
> 1.1.4322) Y 2004-11-30 15:25:10 w3proxy MYISASERVER - www.MyWebsite.com 123.123.123.123 80 - 656 - http GET http://www.MyWebsite.com/index.html Inet 64 IT
> Only Allow rule
> 10.1.20.31 <MYDOMAIN>\<MyUsername> Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1; .NET CLR
> 1.1.4322) Y 2004-11-30 15:25:14 w3proxy MYISASERVER - www.MyWebsite.com 123.123.123.123 80 - 400 - http GET http://www.MyWebsite.com/index.html Inet 64 IT
> Only Allow rule
> 10.1.20.31 <MYDOMAIN>\<MyUsername> Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1; .NET CLR
> 1.1.4322) Y 2004-11-30 15:25:15 w3proxy MYISASERVER - www.MyWebsite.com 123.123.123.123 80 - 400 - http GET http://www.MyWebsite.com/index.html Inet 64 IT
> Only Allow rule
> 10.1.20.31 <MYDOMAIN>\<MyUsername> Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1; .NET CLR
> 1.1.4322) Y 2004-11-30 15:25:15 w3proxy MYISASERVER - www.MyWebsite.com 123.123.123.123 80 15 400 - http GET http://www.MyWebsite.com/index.html Inet 64 IT
> Only Allow rule
> 10.1.20.31 <MYDOMAIN>\<MyUsername> Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1; .NET CLR
> 1.1.4322) Y 2004-11-30 15:25:18 w3proxy MYISASERVER - www.MyWebsite.com 123.123.123.123 80 - 305 - http GET http://www.MyWebsite.com/about.html Inet 64 IT
> Only Allow rule
>
> Now the rules should allow everything to work.
>
> - NSLOOKUP confirms correct (10.254.10.2) address on both the ISA
> server and the client
> - The firewall does not report anything (why should it - port 80 is
> all that should leave the ISA server regardless of the method
> - I've tried 10.1.0.0/16 in the LAT by itself, and also tried with
> 10.254.0.0/16 in as well. (with and without 10.0.0.0/8) with no
> difference.
> - Rebooting doesn't help!
> - When it works using firewall client, the webserver logs the
> connection. When it fails with the web proxy, nothing is logged on
> the web server.
> - If logged onto the proxy server we try, WITH proxy enabled get "site
> not found" and it goes to a search page. If the proxy is disabled, it
> says "Cannot find server or DNS Error". BUT - NSLOOKUP does return
> the expected results.
> - 123.123.123.123 is external address of firewall, so it should divert
> from here to DMZ as appropriate.
> - ISA is used ONLY as a proxy server, not as a firewall.
>
> Please - any ideas?