Re: Firewall session disconnects after 2 minutes of inactivity

OK, your answers are really good, and give me some important elements to
work with.

I want to start by pointing out the following: HTTP keep-alives and anything
else related to the HTTP protocol and the web proxy service WON'T help you,
because the actual HOD session takes place on port 23000 using IBM's
terminal protocol, and that connection is governed by the firewall service
not by the web proxy service. The web proxy service in your case is only
involved in the early stage of the connection when the client downloads the
applet through HTTP. I thought this kind of setup to be your case even
before I posted the reply so that is exactly why I asked about any
subsequent connections after the applet download. So again, don't look for a
solution related to the HTTP traffic or the web proxy service because that
is not where your problem resides.

Second, I would like to ask you a very simple question, which might seem
idiotic at first but when you are troubleshooting a problem like that you
shouldn't assume anything. My question is: are you POSITIVE that this
disconnect after only 2 mins is not caused by a change in the server
settings on the other side? The HOD server I mean. It might have coincided
with your W2K3 SP1 installation and it could give you the impression that
SP1 is the problem when in fact it is something the provider of the
application changed on their end.

In other words... can you verify (for example, from a workstation connected
DIRECTLY to Internet, and not through ISA) that the disconnect only occurs
when the session takes place through the ISA Server?

The previous question aside, another suggestion for you: can you build a new
workstation (clean install of Windows 2000/XP Professional), WITHOUT the
firewall client installed, and give your app a try? This way the workstation
would behave like a simple SNAT client. We would do this as an intermediate
step to pinpoint the issue.

Please respond to the above and in the meantime I will search for more
relevant information about the way ISA2000 handles "idle" sessions.

Good luck,
Virgil




"Pedro Lima" <PedroLima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E7B3D13-6234-4820-A3B4-C6FF49C58603@xxxxxxxxxxxxxxxx
> Ok...
>
> Let's answer your questions:
>
> Yes, I have ISA Server 2000 completely patched. I always check the
> download
> section on ISA server to be assured that I am up-to-date.
>
>> On the other hand, can you provide more information about that
>> application?
>
> It's IBM HOD (Host-on-Demand) terminal emulator, that works via web. It
> uses
> a java applet to load the terminal.
>
>> once it loads, does it do everything through HTTP or there are other
>> ports/protocols you had to configure in the ISA for the app to work?
>
> Is goes by HTTPS to load the page and then it uses port 23000 when the
> terminal is opened. Of course all these ports and packets filters are
> correctly set, or they would never have worked before. Notice that the
> system
> even connects fine now. The real problem is that idle sessions just
> remains
> open for two minutes. The guys who uses this app is not happy with it. It
> takes time for this applet to load, and he works with this all day long.
> Before SP1, he said he could pass at least 10 minutes without the session
> being killed.
>
>>how are your clients configured? What kind of browser do
>> they use?
>
> They use mostly Windows 2000 Professional, internet explorer 6 SP1 with
> all
> the patches applied. The problem could lie in the last applied patches on
> the
> client - that we all had to rush to install, because of zotob virus -, but
> unfortunately it's not the case, since I have one Win98 client without a
> recent patch that now faces the same problem (and didn't before). Again,
> the
> problem has 99% of chance of being on the server side.
>
> They also have microsoft Firewall client installed, and the browser
> configured to use a proxy server on port 8080. I have noticed that when
> the
> page first loads with HTTPS protocol, ISA Server uses a "Web Session" to
> it
> (Web Proxy Service). When the Java client is lauched, right before the
> emulator page come up, it uses the "Firewall Session" (Microsoft Firewall
> Service) to load the emulator. Right in this moment, the green arrow in
> the
> firewall client is activated. So... they can connect, use the system, etc.
> But, if they stop to do actions to look a report, or talk on the phone, or
> even print a report, bye - the session is gone and they have to
> reconnect -
> which takes time and pisses off the user.
>
> The HOD have a way to configure session settings, but this particular app
> disables everything (every setting is dimmed), which made it difficult to
> solve the problem. My hope is to find something that governs firewall
> session
> times, use of HTTP 1.1 keep-alive, etc, but I just couldn't find anything
> about it in technet and other available resources. After Win2K3 SP1
> (Windows
> Server 2003 SP1) this app behavior changed. I had even problems with VPN
> clients (they cound't access anything in the network - even a ping), that
> was
> just fixed thanks to a hotfix from MS - KB897651. Also, my gatekeeper is
> gone. Even logged on as an administrator, it says that I don't have
> permissions to administer it. But I don't use the gatekeeper service that
> much, so it is not important now. What is really important now is this 2
> minute session kill...
>
> Well, if you have something to help, I would really appreciate that.
>
> God Bless you,


.

Relevant Pages

  • Re: breaking the model
    ... > The forms data then is in the Request object. ... HTTP Request; in this case, the form POST Request from the Page. ... client and server. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: MDX Sample App broken by 2005
    ... You might find it useful as an alternative to http ... Windows authentication wouldn't work since client and server are ... > different non-trusted domains. ...
    (microsoft.public.sqlserver.olap)
  • Re: SSL/TLS & renegotiation and Internet Explorer
    ... When IE closes the connection with the server and prompts the user to choose ... recovery logic the SSL session is discarded. ... If the user only has one suitable client certificate, ...
    (microsoft.public.security)
  • Re: RDP Printing by station
    ... flagged as non-printing stations can not print for ANY users. ... multiple NIC's on the terminal server. ... I'd then just have to ensure that the client stations that are ... session is limited to NIC # 1. ...
    (microsoft.public.windows.terminal_services)
  • Re: MSAS Licensing Part II
    ... wish to use http access then you must have Enterprise Edition. ... PTS looks at the server name. ... You will note that all of this is totally transparent to the client. ...
    (microsoft.public.sqlserver.olap)