Re: ISA Server Problems, please help

From: Joey K (no_at_nospam.com)
Date: 02/15/05


Date: Tue, 15 Feb 2005 12:08:33 -0600


> "Stuart Mackie [MCSE MCSA]" wrote:
> 1. The proxy chain loop errors can be related
> to incorrectly configured hosting rules. Post back if these re-appear,
> but the configuration change you've made should have resolved these.

Yep, they are gone! :-) The funny thing is that every hosted site seemed
to work fine.

> 2. Can you just confirm that SecureNAT clients weren't able to access web
> sites using a web browser, but were able to run VNC and 'UPS Worldship' to
> access EXTERNAL sites ?

Yes, VNC and Worldship WERE able to connect while the web browser did not.

But now SecureNAT clients cannot access any external sites (even
windowsupdate).
I don't know what I changed! :-(

> Based on the rules you have listed, SecureNAT clients should only be
> allowed access to windowsupdate etc. The All access rule for SBS Internet
> Users will only apply to authenticated users i.e. Web Proxy and/or
> Firewall Client users who are members of the Internet Users group.
> To accommodate the linux SecureNAT clients you should create a new Client
> Address Set (ISA Console - Server\Policy Elements\Client Address Set) and
> add the IP addresses of the linux systems. Then create a Protocol Rule
> with appropriate Protocols (e.g. FTP Download, HTTP and HTTPS) and apply
> it to the Client Address set you created. Finally create a Site and
> Content Rule permitting Access to all Destinations and again apply it to
> the Client Address set.

Good info! And it is working for me!

Except:
Right now using the Firewall client or SecureNAT, I cannot use IE (without
the proxy set) and any other program that uses port 80 to access any
external site (including Windows Update). I receive a 403 Forbidden - The
ISA Server denies the specified Uniform Resource Locator (URL). (12202)
error.

And this may be tied right to this question:

> 3. Your workstation web browsers will need to be configured to use the
> Web Proxy otherwise they will be unable to access any external sites.
> Without proxy settings configured they would be able to access internal
> sites only.
> When you carried out testing, were the web proxy settings enabled in the
> browser and were you logged on with a domain user account who was a member
> of the Internet Users group ?

My testing with the proxy server enabled has always worked perfectly for logged
in users.

Maybe my expectations are too high here, with SBS 4.5 I could use a web
browser with its WSP/firewall client and no proxy set for the browser.

I want to be able to use a program that grabs web streams on port 80 using
MMS. Currently that is not working for me. Doesn't work without the proxy
set, returning the 403 error and if I set the proxy with my user name and
password in the program, it fails reporting 407 Proxy Authentication
Required (The ISA Server requires authorization to fulfill the request).
And this is on a computer included in the Client Address Set as described
above. Can I get this program to work?

Thanks again for all of the assistance, I know I am close to getting this set
right! :-)

> The documents on isaserver.org have quite a broad explanation of the three
> different client types. There are also some MS documentation available, I
> will try and get the links for you.
>
> --
> Hth,
> Stuart Mackie
> www.stu.uk.com
> MCSA: & MCSE: Security
>
>
> "Joey K" <no@nospam.com> wrote in message
> news:%23F2qsSFEFHA.1936@TK2MSFTNGP14.phx.gbl...
>> Stuart, Thank you for the reply!
>>
>>
>> "Stuart Mackie [MCSE MCSA]"
>> <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com> wrote in message
>> news:eJ$MOu7DFHA.2180@TK2MSFTNGP12.phx.gbl...
>>> Hi Joey.
>>>
>>> 1. By default W3PROXY.EXE reserves 50% of memory for caching purposes.
>>> Please have a look at the following and try adjusting your settings
>>> http://www.smallbizserver.net/Default.aspx?tabid=122
>>
>> For the large memory, that setting eluded me! Thanks!
>>
>>
>>> 2. Can you provide more information on your current configuration
>>> - ipconfig /all data for your server
>>
>> I pasted into the bottom of this message. The #2 adapter is not
>> connected to anything so that is why it has a 169 address. The #1
>> address is a DHCP but I have the router set for a static address (that is
>> the WAN/Internet side) and the router is running NAT for an extra layer
>> of security.
>>
>>
>>
>>> - You mention users browsing the web are unaffected and Firewall
>>> clients are unaffected, is it secureNAT clients which are affected ?
>>
>> Yes, secureNAT clients are affected. I don't seem to have any access. For
>> testing I was using IE (without proxy settings), VNC client, and the UPS
>> Worldship to make outgoing connections. The VNC client and the UPS
>> software was working (I am not sure about IE), and in a bit of haste, I
>> changed something that disabled that access.
>>
>>
>>> - what action causes the proxy chain loop errors logged i.e. when
>>> accessing an internal website/resource, or when someone external
>>> accesses an internal resource etc ?
>>
>> Those messages in the event log were sporadic, usually generating three
>> of them within 30 seconds, but sometimes there was just one. I have a
>> feeling they were coming from outside web requests.
>>
>> I may have fixed the problem with the help of the eventid.net site
>> suggested to me. I haven't seen that error message in the event log
>> since yesterday afternoon. In the Web Publishing rules I changed the
>> rule I had to allow incoming web requests for the Default IIS website to
>> the selected destination set (instead of all destinations). Then I set
>> that destination set to the domains here (www.server.com and server.com)
>> instead of using the wild card *.abc.com. Also in that same Web
>> publishing rule I changed the address specified on the action tab to
>> redirect to a publishing.server.local (when it was set to
>> servername.server.local). And I then checked Send the original host
>> header to the publishing server instead of the actual one.
>>
>>
>>> - is your ISA server allowing any type of internet or internal access
>>> ?
>>
>> Yes, proxy works good for web browsing, and Firewall Clients are able to
>> access internet resources besides the web. Incoming web site requests
>> work fine. OWA works, too. The internal SharePoint (companyweb) is also
>> working. SMTP mail is also fine.
>>
>>
>>> 3. Since SecureNAT are unable to authenticate for internet access, you
>>> need to have a Site and Content Rule, and a Protocol Rule which are set
>>> to allow 'Any Request' (i.e. anonymous connections). The default
>>> configuration of ISA is configured this way. You need to consider
>>> whether this configuration is what you want since all internal systems
>>> will be provided unrestricted internet access. Any rules you create
>>> which control access using users/groups etc will in effect be ignored
>>> because the all access rule will be used by ISA before the outgoing
>>> connection is asked for credentials (which SecureNAT clients can't
>>> provide). Ideally you would only provide unrestricted access to
>>> specific sites rather than 'All Destinations'.
>>
>> This may be where I am having trouble, I think I am foggy on the real
>> basics here of which clients use what rules.
>> Right now in Site and Content I have three rules. One that applies to
>> all internal destinations, allowing any request to access it with all
>> content groups (I applied that because I could not access the IIS Default
>> website internally). The second rule is the default Small Business
>> Server rule that allows for windows update. The third is another small
>> business rule that is set to allow any external destination just from the
>> Internet Users group.
>>
>> With these three rules should SecureNAT be able to access the outside?
>>
>>
>>
>>> Are you able to install the firewall client rather than leaving them as
>>> SecureNAT clients ?
>>
>> Mostly yes, there are a couple of linux computers that are used sometimes.
>> They work with the proxy server for web browsing. I don't care if these
>> machines have unrestricted access out. From what I understand above I
>> would want to specify a site and content rule to those internal IP
>> addresses, or is that not possible?
>>
>>>
>>> 4. 403 Forbidden - The ISA Server denies the specified Uniform Resource
>>> Locator
>>> (URL). (12202)
>>>
>>> Do you get this error on a workstation, or when trying to access
>>> websites on the ISA server itself ?
>>
>> This error is on the workstation. (I enabled the IP Packet Filter SBS
>> HTTP 80 Out filter to allow the server to have web access).
>>
>> For IE/Firefox without a proxy set, SecureNAT and the Firewall client (I
>> tried it both enabled and disabled), both do not allow any web browsing
>> to external sites reporting a 403 Forbidden - The ISA Server denies the
>> specified Uniform Resource Locator (URL). (12202) Internet Security and
>> Acceleration Server error. When I try a https:// IE reports the standard
>> Cannot find server or DNS Error page.
>>
>>
>>> There are a number of good documents on www.isaserver.org which explain
>>> a number of features in ISA. In particular if you haven't used ISA
>>> server before, understanding how to configure rules for your Access
>>> Policy and the differences between the secureNAT, firewall and web proxy
>>> clients would be a few core areas to look at.
>>
>> I have been scouring that site for the past week reading everything I
>> can. I think I am still not clear on how the three access policy groups
>> (Site & Content Rules, Protocol Rules, and IP Packet Filters) relate to
>> the three clients (Proxy, Firewall Client, and SecureNAT) and the ISA/SBS
>> server itself.
>>
>>
>> I appreciate all of the help!
>>
>>
>>> --
>>> Hth,
>>> Stuart Mackie
>>> www.stu.uk.com
>>> MCSA: & MCSE: Security
>>
>>
>> -----
>>
>> Windows IP Configuration
>>
>> Host Name . . . . . . . . . . . . : pe2600
>> Primary Dns Suffix . . . . . . . : SRI.local
>> Node Type . . . . . . . . . . . . : Unknown
>> IP Routing Enabled. . . . . . . . : Yes
>> WINS Proxy Enabled. . . . . . . . : Yes
>> DNS Suffix Search List. . . . . . : SRI.local
>> domain.actdsltmp
>>
>>
>> Ethernet adapter Server Local Area Connection:
>>
>> Connection-specific DNS Suffix . :
>> Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network
>> Connection
>> Physical Address. . . . . . . . . : 00-06-5B-F0-1D-0C
>> DHCP Enabled. . . . . . . . . . . : No
>> IP Address. . . . . . . . . . . . : 192.168.16.2
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> Default Gateway . . . . . . . . . :
>> DNS Servers . . . . . . . . . . . : 192.168.16.2
>> Primary WINS Server . . . . . . . : 192.168.16.2
>>
>>
>> Ethernet adapter Network Connection 2:
>>
>>
>> Connection-specific DNS Suffix . :
>> Description . . . . . . . . . . . : Intel(R) PRO/100+ Dual Port Server
>> Adapter #2
>> Physical Address. . . . . . . . . : 00-02-B3-BE-8C-CB
>> DHCP Enabled. . . . . . . . . . . : Yes
>> Autoconfiguration Enabled . . . . : Yes
>> Autoconfiguration IP Address. . . : 169.254.163.64
>> Subnet Mask . . . . . . . . . . . : 255.255.0.0
>> Default Gateway . . . . . . . . . :
>> DNS Servers . . . . . . . . . . . : 192.168.16.2
>> Primary WINS Server . . . . . . . : 192.168.16.2
>>
>>
>> Ethernet adapter Network Connection:
>>
>> Connection-specific DNS Suffix . : domain.actdsltmp
>> Description . . . . . . . . . . . : Intel(R) PRO/100+ Dual Port Server
>> Adapter
>> Physical Address. . . . . . . . . : 00-02-B3-BE-8C-CA
>> DHCP Enabled. . . . . . . . . . . : Yes
>> Autoconfiguration Enabled . . . . : Yes
>> IP Address. . . . . . . . . . . . : 192.168.123.2
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> Default Gateway . . . . . . . . . : 192.168.123.254
>> DHCP Server . . . . . . . . . . . : 192.168.123.254
>> DNS Servers . . . . . . . . . . . : 192.168.16.2
>> NetBIOS over Tcpip. . . . . . . . : Disabled
>> Lease Obtained. . . . . . . . . . : Friday, February 11, 2005 8:40:35
>> AM
>> Lease Expires . . . . . . . . . . : Saturday, February 12, 2005 8:40:35
>> AM
>>
>>
>> PPP adapter RAS Server (Dial In) Interface:
>>
>> Connection-specific DNS Suffix . :
>> Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
>> Physical Address. . . . . . . . . : 00-53-45-00-00-00
>> DHCP Enabled. . . . . . . . . . . : No
>> IP Address. . . . . . . . . . . . : 192.168.16.37
>> Subnet Mask . . . . . . . . . . . : 255.255.255.255
>> Default Gateway . . . . . . . . . :
>> NetBIOS over Tcpip. . . . . . . . : Disabled
>>
>>
>>
>>
>>
>>
>>
>>
>>> "Joey K" <no@nospam.com> wrote in message
>>> news:OnKwqL4DFHA.4004@tk2msftngp13.phx.gbl...
>>>>I just re-ran the wizard and reconfigured all of the settings. It did
>>>>not seem to change or disable any of the ISA rules and settings.
>>>>
>>>>
>>>>
>>>> Another problem I am having is, using SecureNat client internally on IE
>>>> (without the proxy set) I still get a
>>>>
>>>> 403 Forbidden - The ISA Server denies the specified Uniform Resource
>>>> Locator (URL). (12202)
>>>> Internet Security and Acceleration Server
>>>> error message.
>>>>
>>>>
>>>> I will have to wait and see if any more chain loop error messages show
>>>> up. How do I check and disable any upstream proxy requests? I checked
>>>> the Default rule (the only one) in the Routing folder, but that is set
>>>> for "Retrieve the request directly."
>>>>
>>>> Thanks,
>>>> Joey
>>>>
>>>>
>>>>
>>>>
>>>> "Henry Craven [SBS-MVP]" <IUnknown@Dot.Nyet> wrote in message
>>>> news:%238Dn9U0DFHA.3972@TK2MSFTNGP15.phx.gbl...
>>>>> Have a look at, and bookmark: http://www.eventid.net
>>>>>
>>>>> 1st thing I'd do is re-run the To-Do List CEICW
>>>>> That will reset all the ISA settings so you should have a clean slate
>>>>> to work with and be able to sort any errors before bringing in
>>>>> extraneous ones due to custom settings.
>>>>>
>>>>> --
>>>>> Henry Craven {SBS-MVP}
>>>>> CI Information Technology
>>>>> ----------------------------------------------------
>>>>> Melbourne SBS Users Group -
>>>>> http://groups.yahoo.com/group/melb-SBSusers/
>>>>>
>>>>> "Joey K" <no@nospam.com> wrote in message
>>>>> news:OjIOW%23uDFHA.512@TK2MSFTNGP15.phx.gbl...
>>>>>>I have been a long time SBS user with version 4.5. Early, last month
>>>>>>I did a clean install of SBS 2003 Pro on the server here and
>>>>>>everything runs great (I installed a standard version back in October
>>>>>>to learn the new system).
>>>>>>
>>>>>> However, I am having lots of problems with ISA 2000 server. I feel
>>>>>> like I don't entirely understand what and how to configure it. Users
>>>>>> can access the web alright with the proxy server settings in
>>>>>> Firefox/IE. And Firewall clients seem to work fine as well. The
>>>>>> configuration I have is really basic with two network adapters and I
>>>>>> am running in the combination mode (or whatever it was called with
>>>>>> cache and firewall). The external interface is connected to a router
>>>>>> with static WAN DSL connection on a subnet of 192.168.123.xxx. The
>>>>>> internal adapter is 192.168.16.2.
>>>>>>
>>>>>>
>>>>>> My big problems/questions are:
>>>>>>
>>>>>> 1. Memory! W3PROXY.EXE is showing 400,000 K of mem usage and
>>>>>> 1,200,000 of VM Size. That seems WAY too much for a proxy service
>>>>>> with only 5-10 users max. Does this sound right?
>>>>>>
>>>>>>
>>>>>> 2. Error message in the event viewer:
>>>>>>
>>>>>> Event Type: Warning
>>>>>> Event Source: Microsoft Web Proxy
>>>>>> Event Category: None
>>>>>> Event ID: 14141
>>>>>> Date: 2/9/2005
>>>>>> Time: 2:44:45 PM
>>>>>> User: N/A
>>>>>> Computer: PE2600
>>>>>> Description:
>>>>>> ISA Server detected a proxy chain loop. There is a problem with the
>>>>>> configuration of the ISA Server routing policy.
>>>>>>
>>>>>> For more information, see Help and Support Center at
>>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>>>
>>>>>> ----
>>>>>>
>>>>>> Event Type: Warning
>>>>>> Event Source: Microsoft Web Proxy
>>>>>> Event Category: None
>>>>>> Event ID: 14149
>>>>>> Date: 2/9/2005
>>>>>> Time: 12:47:12 PM
>>>>>> User: N/A
>>>>>> Computer: PE2600
>>>>>> Description:
>>>>>> Web Proxy service failed to listen to 127.0.0.1 port 80. The network
>>>>>> interface card might not be functional. The error code specified in
>>>>>> the Data area of the event properties indicates the cause of the
>>>>>> failure. For more information about this event, see ISA Server Help.
>>>>>>
>>>>>> For more information, see Help and Support Center at
>>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>>> Data:
>>>>>> 0000: 1d 27 00 00 .'..
>>>>>>
>>>>>> ----
>>>>>>
>>>>>> Then in my ISA server management console there are other errors
>>>>>> listed in the alert section:
>>>>>>
>>>>>> 1. Routing (chaining) failure. The ISA server failed to route the
>>>>>> request to an upstream server
>>>>>> 2. Upstream chaining credentials. Upstream chaining credentials are
>>>>>> invalid
>>>>>> 3. Resource allocation failure. A resource allocation failure has
>>>>>> occurred. For example, insufficient memory resources.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Does anyone have any clue on any of these errors? I have searched
>>>>>> the web and MS support site many times to find these error messages
>>>>>> with no luck. It almost seems like they all may be related. Except
>>>>>> for the routing messages, I don't think I have any upstream proxies
>>>>>> configured.
>>>>>>
>>>>>>
>>>>>> 3. My other question is how do I allow a SecureNAT client access the
>>>>>> Internet? It was working for me, but I changed something and now I
>>>>>> cannot get any connection (web or otherwise) to work.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I know there is a huge list here, but I would love some insight into
>>>>>> this!!!
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Joey
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
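
Added example, not part of the original posts and not ISA Server code: a simplified, allow-only Python model of the rule matching discussed in this thread, where a request must match both a Protocol Rule and a Site and Content Rule, group-based rules match only authenticated clients, and Client Address Set rules match on source IP. Rule names, host names, the Linux addresses and the protocol rules of the "before" policy are constructed assumptions.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for protocols / destinations

@dataclass(frozen=True)
class Request:
    client_ip: str
    protocol: str
    host: str
    groups: frozenset = frozenset()  # empty = no credentials (SecureNAT)

@dataclass(frozen=True)
class Rule:
    name: str
    who: tuple        # ("any",) | ("group", name) | ("addrset", name)
    items: frozenset  # protocol names, or destination names/suffixes

def applies_to(rule, req, addr_sets):
    kind = rule.who[0]
    if kind == "any":       # 'Any Request': anonymous clients match
        return True
    if kind == "group":     # needs an authenticated user
        return rule.who[1] in req.groups
    if kind == "addrset":   # matched on source IP, no credentials needed
        return req.client_ip in addr_sets.get(rule.who[1], frozenset())
    return False

def match(rules, req, addr_sets, value, suffix=False):
    """Name of the first allow rule covering this client and value."""
    for r in rules:
        if applies_to(r, req, addr_sets) and (
                ANY in r.items or value in r.items or
                (suffix and any(value.endswith(s) for s in r.items))):
            return r.name
    return None

def evaluate(req, protocol_rules, site_rules, addr_sets):
    """Allowed only if BOTH rule types have a matching allow rule."""
    p = match(protocol_rules, req, addr_sets, req.protocol)
    s = match(site_rules, req, addr_sets, req.host, suffix=True)
    return (p is not None and s is not None), p, s

# Constructed sample policy (assumed names and addresses).
WEB = frozenset({"HTTP", "HTTPS"})
ADDR_SETS = {"Linux hosts": frozenset({"192.168.16.50", "192.168.16.51"})}
PROTO_BEFORE = [
    Rule("Windows Update protocols", ("any",), WEB),
    Rule("Internet Users protocols", ("group", "Internet Users"), frozenset({ANY})),
]
SITE_BEFORE = [
    Rule("Internal sites", ("any",), frozenset({".server.local"})),
    Rule("Windows Update", ("any",), frozenset({"windowsupdate.microsoft.com"})),
    Rule("Internet Users all access", ("group", "Internet Users"), frozenset({ANY})),
]
# The fix from the thread: both rule types scoped to a Client Address Set.
PROTO_AFTER = PROTO_BEFORE + [
    Rule("Linux protocols", ("addrset", "Linux hosts"), WEB | {"FTP Download"})]
SITE_AFTER = SITE_BEFORE + [
    Rule("Linux all destinations", ("addrset", "Linux hosts"), frozenset({ANY}))]
```
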


