RE: SBS Premium, Secure Banking site, certificate = no joy
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Wed, 19 Oct 2005 03:30:13 GMT
Dear Gary:
Thank you for posting here.
From the description, I understand that the internal XP clients with
firewall client installed cannot access a specific banking web site.
Sometimes it works but the performance is very slow. The SBS network is
protected by the ISA Server 2004. If I have misunderstood your concern,
please do let me know.
Before we go any further, I would like to suggest you re-run the CEICW
Wizard. The wizard will help us automatically configure the internet
settings and create the ISA rules. You can follow this step-by-step article
to complete the wizard:
825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763
Based on my research, I would like to provide you the following suggestions:
Suggestion 1: Increase the value of Connection limit time
Open the ISA Server management console, navigate to Configuration->
General-> Define Connection Limits-> Connection Limit-> Limit the number of
connection-> Connection limit per client (TCP and non-TCP).
The default value is 40, 160 is recommended.
Suggestion 2: Clear the ISA Cache
In addition, I would like to suggest you clear the ISA Cache. You can
perform the following steps:
1. On the ISA Server computer, stop the Microsoft Firewall service. To do
so:
1). Click Start, click Run, type services.msc in the Open box, and then
click OK.
2). Right-click Microsoft Firewall, and then click Stop.
2. Start Windows Explorer.
3. Locate the Urlcache folder.
4. In the Urlcache folder, locate the file that has the .cdat file name
extension.
5. Right-click the .cdat file, and then click Delete.
6. When you are prompted to confirm the removal of the .cdat file, click
Yes.
If you are prompted to delete the .cdat file because it is too big for the
recycle bin, click Yes.
7. Restart the Microsoft Firewall service.
More information:
How to delete the Web cache in Internet Security and Acceleration Server
2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;838248
Then try to access the problematic page again. Does the problem persist?
If the performance is still very slow, can you tell me if you have
configured the internal client as both the web proxy client and firewall
client?
To be a Web Proxy client, we need to configure the ISA as the proxy server
in Web browser setting.
To be a Firewall client, the workstation needs to have the ISA Firewall
Client software installed.
Suggestion 3: Enable the anonymous authentication:
1. Open the ISA Server management console, navigate to "Firewall Policy".
On the right pane, double click the "SBS Internet Access Rule". Go to the
Users tab, you will find that the default setting is applied to "SBS
Internet Users", please change it to "All Users" and then click "Apply" to
save the settings.
2. Open ISA2004 Management Console, in the left panel, expand to
Configuration->Networks. Under "Networks panel", double click "Internal".
Switch to "Web Proxy" panel, click "Authentication...". Uncheck the "Require
all users to authenticate" option, and then click "Apply" to save the
settings.
Suggestion 4: Configure the problematic banking site for Direct Access
Please try the following steps to configure the problematic web site for
direct access.
a. Open ISA management console, expand the server name. Expand the
Configuration node and click the Networks node.
b. In the details pane, click the Networks tab and then double click the
Internal Network.
c. In the Internal Properties dialog box, click the Web Browser tab. On the
Web Browser tab, click the Add button.
d. In the Add Server dialog box, select the Domain or computer option and
enter the name of the site that you want Direct Access to be used. Enter
*.bankname.com in the text box, click OK. Click Apply to save the changes
and then update the firewall policy.
e. Double click on the Firewall client icon in the system tray. Click the
Test Server button. This forces the Firewall client to pull the new
configuration information from the ISA firewall. Click Close in the Testing
ISA Server dialog box when the test completes, then click the Apply button
in the Microsoft Firewall Client for ISA Server 2004 dialog box.
Click the Web Browser tab. Confirm that there is a checkmark in the Enable
Web browser automatic configuration checkbox and click Configure Now, and
then click OK in the Web Browser Settings Update dialog box.
Then click Apply and then click OK in the Microsoft Firewall Client for ISA
Server 2004 dialog box.
More detailed information:
Configuring Sites for Direct Access
http://www.isaserver.org/articles/2004directaccessp1.html
If the problem still persists, we may need to perform a deep investigation,
please help me gather the ISA info and ISA log:
1. Please help to gather the ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.
2. Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to be deleted, that's normal.) You may back them up first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.
14) Please also let me know the IP address of the testing client and the
URL of the banking site so that I can filter the data. You can send all the
files to my mailbox: v-edtian@xxxxxxxxxxxxx
Meanwhile, I have some additional questions:
1. Does this problem occur on all the internal clients?
2. If we temporarily connect a client directly to the router/modem
(We may need to manually configure the TCP/IP settings), will it be able to
access this banking page without problem?
3. Double check if the DNS settings are correct:
a. Leave the Default Gateway of the internal NIC blank on the SBS.
b. Configure both the internal NIC and the external NIC to use the internal
DNS Service as the DNS Server.
c. On the DNS Server, create the DNS Forwarder to forward the external DNS
resolution requests to the ISP's DNS server.
I appreciate you taking time to perform the test and gather the
information. Please feel free to let me know if you have any questions or
concerns.
I look forward to your update.
Have a nice day! :)
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: "Gary" <gepea***@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: SBS Premium, Secure Banking site, certificate = no joy
| Date: 18 Oct 2005 14:03:59 -0700
|
| Got a bunch of WXP SP2 clients switched over to running the ISA
| firewall client and have now lost external access to a specific banking
| site (ADP if anyone has experience with it please speak up). This
| site requires a certificate be installed on the client. All
| certificates have been re-issued since the network change.
|
| Most times the connection fails and IE comes up with a "page can not be
| displayed" error (not an ISA error page). Sometimes by closing and
| immediately restarting it will work but is usually slow to connect.
| ADP claims they are using standard ports (443 etc) and it should work
| with ISA.
|
| Have looked at the logs and nothing is jumping out (but not exactly
| sure what to look for though)
|
| Access off network works fine.
|
| What am I missing?
|
| People don't get paid if I don't sort this out so it's a bit urgent :)
|
| Thanks for your help
| Gary
|
|
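
Step 14 of the log-gathering procedure asks for the test client's IP address and the banking site's URL so the W3C logs can be filtered. A sketch of that filtering follows, as an added example that is not part of the original post or any Microsoft tool. The field names (`c-ip`, `r-host`, `sc-status`), the addresses and the host names in the sample are assumptions; the `#Fields:` line of a real log determines the actual columns.

```python
from collections import Counter

# Constructed sample: W3C extended format, tab-delimited, columns named by '#Fields:'.
# Field names, client addresses and host names are assumptions for this example.
SAMPLE_LOG = "\n".join([
    "#Date: 2005-10-19 09:00:00",
    "#Fields: c-ip\tdate\ttime\tr-host\tr-port\tsc-status",
    "192.168.16.21\t2005-10-19\t09:01:12\tpayroll.bankname.com\t443\t200",
    "192.168.16.21\t2005-10-19\t09:01:40\tpayroll.bankname.com\t443\t407",
    "192.168.16.22\t2005-10-19\t09:02:03\tpayroll.bankname.com\t443\t200",
    "192.168.16.21\t2005-10-19\t09:02:15\twww.example.org\t80\t200",
    "192.168.16.21\t2005-10-19\t09:02:30\tnotbankname.com\t443\t200",
    "192.168.16.21\t2005-10-19",  # truncated record, must be skipped
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest '#Fields:' directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # drop truncated or malformed lines
                yield dict(zip(fields, values))

def host_matches(host, pattern):
    """Match a '*.bankname.com' style pattern on a DNS label boundary.
    This is the example's own rule, not a statement of how ISA matches."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix keeps the leading dot
    return host == pattern

def filter_records(text, client_ip, host_pattern):
    """Keep only records from one client to hosts matching the pattern."""
    return [r for r in parse_w3c(text)
            if r.get("c-ip") == client_ip
            and host_matches(r.get("r-host", ""), host_pattern)]

def status_summary(records):
    """Count (host, status) pairs so repeated failures stand out."""
    return dict(Counter((r["r-host"], r["sc-status"]) for r in records))

if __name__ == "__main__":
    hits = filter_records(SAMPLE_LOG, "192.168.16.21", "*.bankname.com")
    for (host, status), n in sorted(status_summary(hits).items()):
        print(f"{host}\t{status}\t{n}")
```
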