Re: ISA Server Problems, please help
From: Stuart Mackie [MCSE MCSA] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 02/12/05
Date: Sat, 12 Feb 2005 01:25:10 -0000
Hi Joey.
1. The proxy chain loop errors can be related to incorrectly configured
hosting rules. Post back if these re-appear, but the configuration change
you've made should have resolved these.
2. Can you just confirm that SecureNAT clients weren't able to access web
sites using a web browser, but were able to run VNC and 'UPS Worldship' to
access EXTERNAL sites?
Based on the rules you have listed, SecureNAT clients should only be allowed
access to windowsupdate etc. The All access rule for SBS Internet Users
will only apply to authenticated users i.e. Web Proxy and/or Firewall Client
users who are members of the Internet Users group.
To accommodate the Linux SecureNAT clients you should create a new Client
Address Set (ISA Console - Server\Policy Elements\Client Address Set) and
add the IP addresses of the Linux systems. Then create a Protocol Rule with
appropriate Protocols (e.g. FTP Download, HTTP and HTTPS) and apply it to
the Client Address set you created. Finally create a Site and Content Rule
permitting Access to all Destinations and again apply it to the Client
Address set.
3. Your workstation web browsers will need to be configured to use the Web
Proxy otherwise they will be unable to access any external sites. Without
proxy settings configured they would be able to access internal sites only.
When you carried out testing, were the web proxy settings enabled in the
browser and were you logged on with a domain user account who was a member
of the Internet Users group?
The documents on isaserver.org have quite a broad explanation of the three
different client types. There is also some MS documentation available, I
will try and get the links for you.
--
Hth,
Stuart Mackie
www.stu.uk.com
MCSA: & MCSE: Security

"Joey K" <no@nospam.com> wrote in message
news:%23F2qsSFEFHA.1936@TK2MSFTNGP14.phx.gbl...
> Stuart, Thank you for the reply!
>
> "Stuart Mackie [MCSE MCSA]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
> wrote in message news:eJ$MOu7DFHA.2180@TK2MSFTNGP12.phx.gbl...
>> Hi Joey.
>>
>> 1. By default W3PROXY.EXE reserves 50% of memory for caching purposes.
>> Please have a look at the following and try adjusting your settings
>> http://www.smallbizserver.net/Default.aspx?tabid=122
>
> For the large memory, that setting eluded me! Thanks!
>
>> 2. Can you provide more information on your current configuration
>> - ipconfig /all data for your server
>
> I pasted into the bottom of this message. The #2 adapter is not connected
> to anything so that is why it has a 169 address. The #1 address is a
> DHCP but I have the router set for a static address (that is the
> WAN/Internet side) and the router is running NAT for an extra layer of
> security.
>
>> - You mention users browsing the web are unaffected and Firewall
>> clients are unaffected, is it secureNAT clients which are affected ?
>
> Yes, secureNAT clients are affected. I don't seem to have any access for
> testing I was using IE (without proxy settings), VNC client, and the UPS
> Worldship to make outgoing connections. The VNC client and the UPS
> software was working (I am not sure about IE), and in a bit of haste, I
> changed something that disabled that access.
>
>> - what action causes the proxy chain loop errors logged i.e. when
>> accessing an internal website/resource, or when someone external accesses
>> an internal resource etc ?
>
> Those messages in the event log were sporadic, usually generating three of
> them within 30 seconds, but sometimes there was just one. I have feeling
> they were coming from outside web requests.
>
> I may have fixed the problem with the help of the eventid.net site
> suggested to me.
> I haven't seen that error message in the event log since
> yesterday afternoon. In the Web Publishing rules I changed the rule I
> had to allow incoming web requests for the Default IIS website to the
> selected destination set (instead of all destinations). Then I set that
> destination set to the domains here (www.server.com and server.com)
> instead of using the wild card *.abc.com. Also in that same Web
> publishing rule I changed the address specified on the action tab to
> redirect to a publishing.server.local (when it was set to
> servername.server.local). And I then checked Send the original host
> header to the publishing server instead of the actual one.
>
>> - is your ISA server allowing any type of internet or internal access
>> ?
>
> Yes, proxy works good for web browsing, and Firewall Clients are able
> access internet resources besides the web. Incoming web site requests
> work fine. OWA works, too. The internal SharePoint (companyweb) is also
> working. SMTP mail is also fine.
>
>> 3. Since SecureNAT are unable to authenticate for internet access, you
>> need to have a Site and Content Rule, and a Protocol Rule which are set
>> to allow 'Any Request' (i.e. anonymous connections). The default
>> configuration of ISA is configured this way. You need to consider
>> whether this configuration is what you want since all internal systems
>> will be provided unrestricted internet access. Any rules you create
>> which control access using users/groups etc will in effect be ignored
>> because the all access rule will be used by ISA before the outgoing
>> connection is asked for credentials (which SecureNAT clients can't
>> provide). Ideally you would only provide unrestricted access to specific
>> sites rather than 'All Destinations'.
>
> This maybe where I am having trouble, I think I am foggy on the real
> basics here of which clients use what rules.
> Right now in Site and Content I have three rules.
> One that applies to all
> internal destinations, allowing any request to access it with all content
> groups (I applied that because I could not access the IIS Default website
> internally). The second rule is the default Small Business Server rule
> that allows for windows update. The third is another small business rule
> that is set to allow any external destination just from the Internet Users
> group.
>
> With these three rules should SecureNAT be able to access the outside?
>
>> Are you able to install the firewall client rather than leaving them as
>> SecureNAT clients ?
>
> Mostly yes, there is a couple of linux computers that are used sometimes.
> They work with the proxy server for web browsing. I don't care if these
> machines have unrestricted access out. From what I understand above I
> would want to specify a site and content rule to those internal IP
> addresses, or is that not possible?
>
>>
>> 4. 403 Forbidden - The ISA Server denies the specified Uniform Resource
>> Locator
>> (URL). (12202)
>>
>> Do you get this error on an workstation, or when trying to access
>> websites on the ISA server itself ?
>
> This error is on the workstation. (I enabled the IP Packet Filter SBS
> HTTP 80 Out filter to allow the server to have web access).
>
> For IE/Firefox without a proxy set, SecureNAT and the Firewall client (I
> tried it both enabled and disabled), both do not allow any web browsing to
> external sites reporting a 403 Forbidden - The ISA Server denies the
> specified Uniform Resource Locator (URL). (12202) Internet Security and
> Acceleration Server error. When I try a https:// IE reports the standard
> Cannot find server or DNS Error page.
>
>> There are a number of good documents on www.isaserver.org which explain a
>> number of features in ISA.
>> In particular if you haven't used ISA server
>> before, understanding how to configure rules for your Access Policy and
>> the differences between the secureNAT, firewall and web proxy clients
>> would be a few core areas to look at.
>
> I have been scouring that site for the past week reading everything I can.
> I think I am still not clear on how the three access policy groups (Site &
> Content Rules, Protocol Rules, and IP Packet Filters) relate to the three
> clients (Proxy, Firewall Client, and SecureNAT) and the ISA/SBS server
> itself.
>
> I appreciate all of the help!
>
>> --
>> Hth,
>> Stuart Mackie
>> www.stu.uk.com
>> MCSA: & MCSE: Security
>
> -----
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : pe2600
> Primary Dns Suffix . . . . . . . : SRI.local
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : Yes
> WINS Proxy Enabled. . . . . . . . : Yes
> DNS Suffix Search List. . . . . . : SRI.local
> domain.actdsltmp
>
> Ethernet adapter Server Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network
> Connection
> Physical Address. . . . . . . . . : 00-06-5B-F0-1D-0C
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.16.2
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 192.168.16.2
> Primary WINS Server . . . . . . . : 192.168.16.2
>
> Ethernet adapter Network Connection 2:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/100+ Dual Port Server
> Adapter #2
> Physical Address. . . . . . . . . : 00-02-B3-BE-8C-CB
> DHCP Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> Autoconfiguration IP Address. . . : 169.254.163.64
> Subnet Mask . . . . . . . . . . . : 255.255.0.0
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 192.168.16.2
> Primary WINS Server . . . . . . . : 192.168.16.2
>
> Ethernet adapter Network Connection:
>
> Connection-specific DNS Suffix . : domain.actdsltmp
> Description . . . . . . . . . . . : Intel(R) PRO/100+ Dual Port Server
> Adapter
> Physical Address. . . . . . . . . : 00-02-B3-BE-8C-CA
> DHCP Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 192.168.123.2
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.123.254
> DHCP Server . . . . . . . . . . . : 192.168.123.254
> DNS Servers . . . . . . . . . . . : 192.168.16.2
> NetBIOS over Tcpip. . . . . . . . : Disabled
> Lease Obtained. . . . . . . . . . : Friday, February 11, 2005 8:40:35 AM
> Lease Expires . . . . . . . . . . : Saturday, February 12, 2005 8:40:35
> AM
>
> PPP adapter RAS Server (Dial In) Interface:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> Physical Address. . . . . . . . . : 00-53-45-00-00-00
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.16.37
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . :
> NetBIOS over Tcpip. . . . . . . . : Disabled
>
>> "Joey K" <no@nospam.com> wrote in message
>> news:OnKwqL4DFHA.4004@tk2msftngp13.phx.gbl...
>>> I just re-ran the wizard and reconfigured all of the settings. It did
>>> not seem to change or disable any of the ISA rules and settings.
>>>
>>> Another problem I am having is, using SecureNat client internally on IE
>>> (without the proxy set) I still get a
>>>
>>> 403 Forbidden - The ISA Server denies the specified Uniform Resource
>>> Locator (URL). (12202)
>>> Internet Security and Acceleration Server
>>> error message.
>>>
>>> I will have to wait and see if any more chain loop error messages show
>>> up. How do I check and disable any upstream proxy requests?
>>> I checked
>>> the Default rule (the only one) in the Routing folder, but that is set
>>> for "Retrieve the request directly."
>>>
>>> Thanks,
>>> Joey
>>>
>>> "Henry Craven [SBS-MVP]" <IUnknown@Dot.Nyet> wrote in message
>>> news:%238Dn9U0DFHA.3972@TK2MSFTNGP15.phx.gbl...
>>>> Have a look at, and bookmark: http://www.eventid.net
>>>>
>>>> 1st thing I'd go is re-run the To-Do List CEICW
>>>> That will reset all the ISA settings so you should have a clean slate
>>>> to work with and be able to sort any errors before bringing in
>>>> extraneous ones due to custom settings.
>>>>
>>>> --
>>>> Henry Craven {SBS-MVP}
>>>> CI Information Technology
>>>> ----------------------------------------------------
>>>> Melbourne SBS Users Group -
>>>> http://groups.yahoo.com/group/melb-SBSusers/
>>>>
>>>> "Joey K" <no@nospam.com> wrote in message
>>>> news:OjIOW%23uDFHA.512@TK2MSFTNGP15.phx.gbl...
>>>>> I have been a long time SBS user with version 4.5. Early, last month I
>>>>> did a clean install of SBS 2003 Pro on the server here and everything
>>>>> runs great (I installed a standard version back in October to learn the
>>>>> new system).
>>>>>
>>>>> However, I am having lots of problems with ISA 2000 server. I feel
>>>>> like I don't entirely understand what and how configure it. Users can
>>>>> access the web alright with the proxy server settings in Firefox/IE.
>>>>> And Firewall clients seem to work fine as well. The configuration I
>>>>> have is really basic with two network adapters and I am running in the
>>>>> combination mode (or whatever it was called with cache and firewall).
>>>>> The external interface is connected to a router with static WAN DSL
>>>>> connection on a subnet of 192.168.123.xxx. The internal adapter is
>>>>> 192.168.16.2.
>>>>>
>>>>> My big problems/questions are:
>>>>>
>>>>> 1. Memory! W3PROXY.EXE is showing 400,000 K of mem usage and
>>>>> 1,200,000 of VM Size.
>>>>> That seems WAY too much for a proxy service
>>>>> with only 5-10 users max. Does this sound right?
>>>>>
>>>>> 2. Error message in the event viewer:
>>>>>
>>>>> Event Type: Warning
>>>>> Event Source: Microsoft Web Proxy
>>>>> Event Category: None
>>>>> Event ID: 14141
>>>>> Date: 2/9/2005
>>>>> Time: 2:44:45 PM
>>>>> User: N/A
>>>>> Computer: PE2600
>>>>> Description:
>>>>> ISA Server detected a proxy chain loop. There is a problem with the
>>>>> configuration of the ISA Server routing policy.
>>>>>
>>>>> For more information, see Help and Support Center at
>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>>
>>>>> ----
>>>>>
>>>>> Event Type: Warning
>>>>> Event Source: Microsoft Web Proxy
>>>>> Event Category: None
>>>>> Event ID: 14149
>>>>> Date: 2/9/2005
>>>>> Time: 12:47:12 PM
>>>>> User: N/A
>>>>> Computer: PE2600
>>>>> Description:
>>>>> Web Proxy service failed to listen to 127.0.0.1 port 80. The network
>>>>> interface card might not be functional. The error code specified in
>>>>> the Data area of the event properties indicates the cause of the
>>>>> failure. For more information about this event, see ISA Server Help.
>>>>>
>>>>> For more information, see Help and Support Center at
>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>> Data:
>>>>> 0000: 1d 27 00 00 .'..
>>>>>
>>>>> ----
>>>>>
>>>>> Then in my ISA server management console there are other errors listed
>>>>> in the alert section:
>>>>>
>>>>> 1. Routing (chaining) failure. The ISA server failed to route the
>>>>> request to an upstream server
>>>>> 2. Upstream chaning credentials. Upstream chaning credentials are
>>>>> invalid
>>>>> 3. Resource allocation failure. A resource allocation failure has
>>>>> occurred. For example, insufficient memory resources.
>>>>>
>>>>> Does anyone have any clue on any of these errors? I have searched the
>>>>> web and MS support site many times to find these errors messages with
>>>>> no luck.
>>>>> It almost seems like they all maybe related. Except for the
>>>>> routing messages, I don't think I have any upstream proxies
>>>>> configured.
>>>>>
>>>>> 3. My other question is how do I allow a SecureNAT client access the
>>>>> Internet? It was working for me, but I changed something and now I
>>>>> cannot get any connection (web or otherwise) to work.
>>>>>
>>>>> I know there is a huge list here, but I would love some insight into
>>>>> this!!!
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Joey
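
A simplified model of the rule behaviour Stuart describes in his reply at the top of this message, added here as an illustration (it is not code from the thread or from ISA Server): a request must be allowed by both a Protocol Rule and a Site and Content Rule, and a rule bound to a user group never matches a client that cannot authenticate. The site rules follow Joey's description; the protocol rules, rule names and the 192.168.16.50/51 addresses are constructed assumptions.

```python
from dataclasses import dataclass

ANY = ("any", None)  # "Any Request": also matches unauthenticated clients

@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: tuple   # ANY, ("group", name) or ("addresses", frozenset_of_ips)
    allows: frozenset   # protocols, or destination classes; "*" means all

@dataclass(frozen=True)
class Request:
    src: str
    protocol: str
    dest: str                        # "internal", "windowsupdate" or "external"
    groups: frozenset = frozenset()  # empty: no credentials (SecureNAT)

def matches(rule, req, item):
    if item not in rule.allows and "*" not in rule.allows:
        return False
    kind, value = rule.applies_to
    if kind == "any":
        return True
    if kind == "addresses":
        return req.src in value      # Client Address Set: matched on source IP
    return value in req.groups       # group rules need an authenticated user

def allowed(req, protocol_rules, site_rules):
    # A request needs an allowing Protocol Rule AND an allowing Site and Content Rule.
    return (any(matches(r, req, req.protocol) for r in protocol_rules)
            and any(matches(r, req, req.dest) for r in site_rules))

USERS = ("group", "Internet Users")
# Constructed policy: site rules as Joey lists them, protocol rules assumed.
SITE_RULES = [Rule("Internal", ANY, frozenset({"internal"})),
              Rule("SBS Windows Update", ANY, frozenset({"windowsupdate"})),
              Rule("SBS Internet Users", USERS, frozenset({"*"}))]
PROTOCOL_RULES = [Rule("Anonymous web", ANY, frozenset({"HTTP", "HTTPS"})),
                  Rule("SBS Internet Users", USERS, frozenset({"*"}))]

def add_address_set_rules(protocol_rules, site_rules, addresses):
    """The suggested change: one rule of each kind bound to a Client Address Set."""
    who = ("addresses", frozenset(addresses))
    web = frozenset({"FTP Download", "HTTP", "HTTPS"})
    return (protocol_rules + [Rule("Linux protocols", who, web)],
            site_rules + [Rule("Linux destinations", who, frozenset({"*"}))])

LINUX = ["192.168.16.50", "192.168.16.51"]   # constructed addresses
```

In this model only the listed addresses gain external access, and only for the listed protocols; every other SecureNAT client stays limited to the anonymous rules.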