Re: ISA Server Problems, please help
From: Joey K (no_at_nospam.com)
Date: 02/11/05
- Next message: Jim K: "Re: DNS Question"
- Previous message: Les Connor [SBS Community Member - SBS MVP]: "Re: Block Porn Email"
- In reply to: Stuart Mackie [MCSE MCSA]: "Re: ISA Server Problems, please help"
- Next in thread: Stuart Mackie [MCSE MCSA]: "Re: ISA Server Problems, please help"
- Reply: Stuart Mackie [MCSE MCSA]: "Re: ISA Server Problems, please help"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 11 Feb 2005 10:12:57 -0600
Stuart, Thank you for the reply!
"Stuart Mackie [MCSE MCSA]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
wrote in message news:eJ$MOu7DFHA.2180@TK2MSFTNGP12.phx.gbl...
> Hi Joey.
>
> 1. By default W3PROXY.EXE reserves 50% of memory for caching purposes.
> Please have a look at the following and try adjusting your settings
> http://www.smallbizserver.net/Default.aspx?tabid=122
For the large memory, that setting eluded me! Thanks!
> 2. Can you provide more information on your current configuration
> - ipconfig /all data for your server
I pasted into the bottom of this message. The #2 adapter is not connected
to anything so that is why it has a 169 address. The #1 address is a DHCP
but I have the router set for a static address (that is the WAN/Internet
side) and the router is running NAT for an extra layer of security.
> - You mention users browsing the web are unaffected and Firewall
> clients are unaffected, is it secureNAT clients which are affected ?
Yes, secureNAT clients are affected. I don't seem to have any access for
testing I was using IE (without proxy settings), VNC client, and the UPS
Worldship to make outgoing connections. The VNC client and the UPS
software was working (I am not sure about IE), and in a bit of haste, I
changed something that disabled that access.
> - what action causes the proxy chain loop errors logged i.e. when
> accessing an internal website/resource, or when someone external accesses
> an internal resource etc ?
Those messages in the event log were sporadic, usually generating three of
them within 30 seconds, but sometimes there was just one. I have a feeling
they were coming from outside web requests.
I may have fixed the problem with the help of the eventid.net site suggested
to me. I haven't seen that error message in the event log since yesterday
afternoon. In the Web Publishing rules I changed the rule I had to allow
incoming web requests for the Default IIS website to the selected
destination set (instead of all destinations). Then I set that destination
set to the domains here (www.server.com and server.com) instead of using the
wild card *.abc.com. Also in that same Web publishing rule I changed
the address specified on the action tab to redirect to a
publishing.server.local (when it was set to servername.server.local). And I
then checked Send the original host header to the publishing server instead
of the actual one.
> - is your ISA server allowing any type of internet or internal access ?
Yes, proxy works good for web browsing, and Firewall Clients are able to access
internet resources besides the web. Incoming web site requests work fine.
OWA works, too. The internal SharePoint (companyweb) is also working. SMTP
mail is also fine.
> 3. Since SecureNAT are unable to authenticate for internet access, you
> need to have a Site and Content Rule, and a Protocol Rule which are set to
> allow 'Any Request' (i.e. anonymous connections). The default
> configuration of ISA is configured this way. You need to consider whether
> this configuration is what you want since all internal systems will be
> provided unrestricted internet access. Any rules you create which control
> access using users/groups etc will in effect be ignored because the all
> access rule will be used by ISA before the outgoing connection is asked
> for credentials (which SecureNAT clients can't provide). Ideally you
> would only provide unrestricted access to specific sites rather than 'All
> Destinations'.
This may be where I am having trouble, I think I am foggy on the real basics
here of which clients use what rules.
Right now in Site and Content I have three rules. One that applies to all
internal destinations, allowing any request to access it with all content
groups (I applied that because I could not access the IIS Default website
internally). The second rule is the default Small Business Server rule that
allows for windows update. The third is another small business rule that is
set to allow any external destination just from the Internet Users group.
With these three rules should SecureNAT be able to access the outside?
> Are you able to install the firewall client rather than leaving them as
> SecureNAT clients ?
Mostly yes, there are a couple of Linux computers that are used sometimes.
They work with the proxy server for web browsing. I don't care if these
machines have unrestricted access out. From what I understand above I
would want to specify a site and content rule to those internal IP
addresses, or is that not possible?
>
> 4. 403 Forbidden - The ISA Server denies the specified Uniform Resource
> Locator
> (URL). (12202)
>
> Do you get this error on a workstation, or when trying to access websites
> on the ISA server itself ?
This error is on the workstation. (I enabled the IP Packet Filter SBS HTTP
80 Out filter to allow the server to have web access).
For IE/Firefox without a proxy set, SecureNAT and the Firewall client (I
tried it both enabled and disabled), both do not allow any web browsing to
external sites reporting a 403 Forbidden - The ISA Server denies the
specified Uniform Resource Locator (URL). (12202) Internet Security and
Acceleration Server error. When I try a https:// IE reports the standard
Cannot find server or DNS Error page.
> There are a number of good documents on www.isaserver.org which explain a
> number of features in ISA. In particular if you haven't used ISA server
> before, understanding how to configure rules for your Access Policy and
> the differences between the secureNAT, firewall and web proxy clients
> would be a few core areas to look at.
I have been scouring that site for the past week reading everything I can.
I think I am still not clear on how the three access policy groups (Site &
Content Rules, Protocol Rules, and IP Packet Filters) relate to the three
clients (Proxy, Firewall Client, and SecureNAT) and the ISA/SBS server
itself.
I appreciate all of the help!
> --
> Hth,
> Stuart Mackie
> www.stu.uk.com
> MCSA: & MCSE: Security
-----
Windows IP Configuration

   Host Name . . . . . . . . . . . . : pe2600
   Primary Dns Suffix  . . . . . . . : SRI.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : SRI.local
                                       domain.actdsltmp

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
   Physical Address. . . . . . . . . : 00-06-5B-F0-1D-0C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2

Ethernet adapter Network Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/100+ Dual Port Server Adapter #2
   Physical Address. . . . . . . . . : 00-02-B3-BE-8C-CB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.163.64
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2

Ethernet adapter Network Connection:

   Connection-specific DNS Suffix  . : domain.actdsltmp
   Description . . . . . . . . . . . : Intel(R) PRO/100+ Dual Port Server Adapter
   Physical Address. . . . . . . . . : 00-02-B3-BE-8C-CA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.123.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.123.254
   DHCP Server . . . . . . . . . . . : 192.168.123.254
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   NetBIOS over Tcpip. . . . . . . . : Disabled
   Lease Obtained. . . . . . . . . . : Friday, February 11, 2005 8:40:35 AM
   Lease Expires . . . . . . . . . . : Saturday, February 12, 2005 8:40:35 AM

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.37
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

> "Joey K" <no@nospam.com> wrote in message
> news:OnKwqL4DFHA.4004@tk2msftngp13.phx.gbl...
>>I just re-ran the wizard and reconfigured all of the settings. It did not
>>seem to change or disable any of the ISA rules and settings.
>>
>>
>>
>> Another problem I am having is, using SecureNat client internally on IE
>> (without the proxy set) I still get a
>>
>> 403 Forbidden - The ISA Server denies the specified Uniform Resource
>> Locator (URL). (12202)
>> Internet Security and Acceleration Server
>> error message.
>>
>>
>> I will have to wait and see if any more chain loop error messages show
>> up. How do I check and disable any upstream proxy requests? I checked
>> the Default rule (the only one) in the Routing folder, but that is set
>> for "Retrieve the request directly."
>>
>> Thanks,
>> Joey
>>
>>
>>
>>
>> "Henry Craven [SBS-MVP]" <IUnknown@Dot.Nyet> wrote in message
>> news:%238Dn9U0DFHA.3972@TK2MSFTNGP15.phx.gbl...
>>> Have a look at, and bookmark: http://www.eventid.net
>>>
>>> 1st thing I'd do is re-run the To-Do List CEICW
>>> That will reset all the ISA settings so you should have a clean slate to
>>> work with and be able to sort any errors before bringing in extraneous
>>> ones due to custom settings.
>>>
>>> --
>>> Henry Craven {SBS-MVP}
>>> CI Information Technology
>>> ----------------------------------------------------
>>> Melbourne SBS Users Group -
>>> http://groups.yahoo.com/group/melb-SBSusers/
>>>
>>> "Joey K" <no@nospam.com> wrote in message
>>> news:OjIOW%23uDFHA.512@TK2MSFTNGP15.phx.gbl...
>>>>I have been a long time SBS user with version 4.5. Early, last month I
>>>>did a clean install of SBS 2003 Pro on the server here and everything
>>>>runs great (I installed a standard version back in October to learn the
>>>>new system).
>>>>
>>>> However, I am having lots of problems with ISA 2000 server. I feel
>>>> like I don't entirely understand what and how to configure it. Users can
>>>> access the web alright with the proxy server settings in Firefox/IE.
>>>> And Firewall clients seem to work fine as well. The configuration I
>>>> have is really basic with two network adapters and I am running in the
>>>> combination mode (or whatever it was called with cache and firewall).
>>>> The external interface is connected to a router with static WAN DSL
>>>> connection on a subnet of 192.168.123.xxx. The internal adapter is
>>>> 192.168.16.2.
>>>>
>>>>
>>>> My big problems/questions are:
>>>>
>>>> 1. Memory! W3PROXY.EXE is showing 400,000 K of mem usage and 1,200,000
>>>> of VM Size. That seems WAY too much for a proxy service with only 5-10
>>>> users max. Does this sound right?
>>>>
>>>>
>>>> 2. Error message in the event viewer:
>>>>
>>>> Event Type: Warning
>>>> Event Source: Microsoft Web Proxy
>>>> Event Category: None
>>>> Event ID: 14141
>>>> Date: 2/9/2005
>>>> Time: 2:44:45 PM
>>>> User: N/A
>>>> Computer: PE2600
>>>> Description:
>>>> ISA Server detected a proxy chain loop. There is a problem with the
>>>> configuration of the ISA Server routing policy.
>>>>
>>>> For more information, see Help and Support Center at
>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>
>>>> ----
>>>>
>>>> Event Type: Warning
>>>> Event Source: Microsoft Web Proxy
>>>> Event Category: None
>>>> Event ID: 14149
>>>> Date: 2/9/2005
>>>> Time: 12:47:12 PM
>>>> User: N/A
>>>> Computer: PE2600
>>>> Description:
>>>> Web Proxy service failed to listen to 127.0.0.1 port 80. The network
>>>> interface card might not be functional. The error code specified in the
>>>> Data area of the event properties indicates the cause of the failure.
>>>> For more information about this event, see ISA Server Help.
>>>>
>>>> For more information, see Help and Support Center at
>>>> http://go.microsoft.com/fwlink/events.asp.
>>>> Data:
>>>> 0000: 1d 27 00 00 .'..
>>>>
>>>> ----
>>>>
>>>> Then in my ISA server management console there are other errors listed
>>>> in the alert section:
>>>>
>>>> 1. Routing (chaining) failure. The ISA server failed to route the
>>>> request to an upstream server
>>>> 2. Upstream chaining credentials. Upstream chaining credentials are
>>>> invalid
>>>> 3. Resource allocation failure. A resource allocation failure has
>>>> occurred. For example, insufficient memory resources.
>>>>
>>>>
>>>>
>>>> Does anyone have any clue on any of these errors? I have searched the
>>>> web and MS support site many times to find these error messages with
>>>> no luck. It almost seems like they all may be related. Except for the
>>>> routing messages, I don't think I have any upstream proxies configured.
>>>>
>>>>
>>>> 3. My other question is how do I allow a SecureNAT client access the
>>>> Internet? It was working for me, but I changed something and now I
>>>> cannot get any connection (web or otherwise) to work.
>>>>
>>>>
>>>>
>>>> I know there is a huge list here, but I would love some insight into
>>>> this!!!
>>>>
>>>> Thank you,
>>>>
>>>> Joey
>>>>
>>>
>>>
>>
>>
>
>
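
The rule behaviour described in point 3 of the quoted reply, as an added example that is not part of the original thread and not ISA Server's own code: a simplified Python model in which an 'Any Request' rule is satisfied before credentials are asked for, and SecureNAT clients cannot authenticate. The rule names, the `evaluate` function and the internal/external destination labels are assumptions for illustration; only Site and Content rules are modelled (Protocol Rules and IP Packet Filters are not), and the Windows Update rule is left out because the message does not say who it applies to.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str            # hypothetical label, not an ISA object name
    destination: str     # "internal", "external" or "all"
    applies_to: str      # "any request" or a Windows group name

@dataclass
class Request:
    client: str                       # "securenat", "firewall" or "webproxy"
    destination: str                  # "internal" or "external"
    groups: frozenset = frozenset()   # groups of the logged-on user

# SecureNAT clients cannot answer a request for credentials (point 3 above).
CAN_AUTHENTICATE = {"securenat": False, "firewall": True, "webproxy": True}

def evaluate(rules, req):
    """Return (decision, matching rule name) under the simplified model."""
    matching = [r for r in rules if r.destination in ("all", req.destination)]
    # 1. An 'Any Request' rule allows the connection before credentials
    #    are ever requested, so user/group rules are never consulted.
    for r in matching:
        if r.applies_to == "any request":
            return ("allow-anonymous", r.name)
    # 2. Only user/group rules remain: the client has to authenticate.
    if not CAN_AUTHENTICATE[req.client]:
        return ("deny", None)
    for r in matching:
        if r.applies_to in req.groups:
            return ("allow-authenticated", r.name)
    return ("deny", None)

# Constructed from the first and third Site and Content rules in the message.
THREAD_RULES = [
    Rule("Internal destinations", "internal", "any request"),
    Rule("SBS Internet access", "external", "Internet Users"),
]
# The default-style configuration the reply warns about: everything, anonymously.
OPEN_RULES = THREAD_RULES + [Rule("Allow all", "all", "any request")]

if __name__ == "__main__":
    member = frozenset({"Internet Users"})
    for label, rules in (("thread rules", THREAD_RULES), ("open rules", OPEN_RULES)):
        for req in (Request("securenat", "external"),
                    Request("firewall", "external", member),
                    Request("firewall", "external")):
            print(label, req.client, sorted(req.groups), evaluate(rules, req))
```

Under this model the two rules from the message leave an external SecureNAT request denied, while adding an all-destinations 'Any Request' rule lets a firewall-client user outside the Internet Users group through anonymously, which is the trade-off the reply points out.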