ISA2004 issues (pretty detailed description and therefore much reading :)
- From: "A. Klimkin" <aklimkin at mail dot ru>
- Date: Fri, 2 Dec 2005 12:28:10 +0300
Hello everybody.
I'm facing a problem I can't resolve by myself, so I'm asking the gurus.
Here we go.
My configuration:
I have an ISA2004SP1 installed and configured on Win2003SrvSP1 machine
within AD environment (member server).
The effective access policy allows some sites to be hit anonymously (namely,
the windowsupdate sites) and the rest of the web requires user
identification via integrated authentication against AD.
All the users are configured to be web proxy clients of the ISA server and
to autodetect proxy settings. Local DNS server configured to return my ISA
server address in response to WPAD entry queries. ISA server is configured
to publish autodiscovery information on standard port 80.
My first question:
Is there a way to force IE browser to redetect its proxy settings? I've
heard that this should happen every time you restart browser. But it seems
to not happen. I realized that after I recently moved my ISA to a new
server (with new name and IP address) but keeping the same access policy
(via export/import feature). Sure, I've corrected the WPAD alias on my DNS
server to match new proxy address. And I've checked the client computer -
the WPAD name is resolved correctly.
Proxy redetection seems to not happen even if I restart the computer. The
only thing that helps is to go to IE connections settings, untick the
'autodetect' option, restart the browser and then check the 'autodetect'
option on again. It's a pretty boring procedure to configure every
client computer this way on a list of two hundred comps, you know. So I'm
looking for an autodetection procedure that requires a little bit less
manual intervention.
And the second issue.
Recently one of my users complained that he can't reach some website. I've
checked this site and, yes, I can't reach it either, though there is no policy
that denies the access. This site is http://front.ru. This is a public free
mail service with a web interface. Generally it's a Russian server but it has an
interface with some English controls here: http://front.ru/?lng=en
The trouble is that after I enter my logon credentials on the front page, the
server redirects me to another page like this one:
http://www4.pochta.ru/list.php?id=Ne3b7c0bf26072aa2856fb93b519de38&last_enter=yes&lng=en
but the browser says that the page cannot be found (HTTP 404). The URL might
differ slightly because of some balancing mechanism (it could be another
number next to 'www') and, I suppose, a randomly generated 'id' value. But the
result is always the same - the page doesn't show up.
That's what I see in my ISA server logs:
Client Username Protocol Destination Port Action Rule HTTP Method URL Destination IP
MYDOMAIN\aklimkin http 80 Allowed Connection HTTP(S) access POST http://front.ru/login.php?lng=en 81.211.64.20
anonymous http 8080 Denied Connection HTTP(S) access GET http://www9.pochta.ru/list.php?id=N9de1c123de05b9e91d2ef6ec706e09e&last_enter=yes&lng=en 192.168.0.111
anonymous http 8080 Failed Connection Attempt HTTP(S) access GET http://www9.pochta.ru/list.php?id=N9de1c123de05b9e91d2ef6ec706e09e&last_enter=yes&lng=en 192.168.0.111
MYDOMAIN\aklimkin http 80 Allowed Connection HTTP(S) access GET http://www9.pochta.ru/list.php?id=N9de1c123de05b9e91d2ef6ec706e09e&last_enter=yes&lng=en 80.68.244.5
Web proxy client 8080 Closed Connection - - 192.168.0.111
Initially, IE (as usual) tries the destination anonymously, then, being
asked for identification, passes the credentials and ISA allows the
connection (as we can see). But the page isn't displayed, with the
above-mentioned HTTP 404 error. Is there a problem with ISA or IE? Or maybe both?
Please bear in mind that this is a public free web service, so I don't see
much sense in bothering their support with this issue, taking into account the
fact that the service works just fine when you access it directly
(without an authenticating proxy).
Ah. Just forgot to mention that I tried to enter those domains as directly
accessible sites at the web proxy tab of the internal network object properties.
To no avail, as you can guess ;-)
Does anybody have any thoughts on this?
Regards,
Andrew