Re: ISA 2004 & companyweb
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Wed, 04 Jan 2006 07:04:30 GMT
Dear Danny,
Nice to hear from you again! Thanks for your time and effort!
It seems that the companyweb only works when we use web proxy and check the
"Bypass proxy server for local addresses" on the workstations, right?
To address your concern, please let me describe the mechanism of the web
proxy engine:
Technically, Internet Explorer uses the following rule to determine if the
web site is on internet or intranet: "If an FQDN or IP address contains a
period (e.g. http://www.a.com), Internet Explorer identifies the Web site or
share as in the Internet zone". If your LAN clients access your internal
web sites by using FQDN name or IP address, Internet Explorer will always
treat it as the Internet sites so that the request will be sent to the web
proxy engine of the ISA Server. In your case, since the URL doesn't contain
a period (http://companyweb), the IE will regard this URL as an internal
address. How IE will handle this request depends on the "Bypass proxy
server for local addresses" checkbox. If the checkbox is ticked, the client
computer will resolve the name by itself using the internal DNS Server and
send the HTTP request directly to the website. If this checkbox is
un-ticked, the client computer will still send the request to the ISA's web
proxy engine. The proxy engine will perform the name resolution and send
the web content back to the workstation.
By default, the outbound web listener is listening on port 8080 of the
internal interface. You can check it from
Configuration->Networks->Internal->Web Proxy. The Enable HTTP option is
enabled and 8080 is specified to be the HTTP port.
As a conclusion, to access an internal website, the recommended
configuration on the client computer is enabling the proxy and checking the
"Bypass proxy server for local addresses" option.
For testing purposes, let's go to one client computer and do the following
setup:
Test One:
1. Open IE, go to Connections->LAN Settings.
2. Please UNCHECK the "Automatically detect settings" option and the "Use
automatic configuration script" option.
Note: Once either of these two options is enabled, the IE will pull down
the configuration from the ISA Server and override the local proxy settings.
3. Please temporarily uncheck the "Use a proxy server for your LAN" option.
Then access http://companyweb, how will things go?
Test Two:
1. Open IE, go to Connections->LAN Settings.
2. Please UNCHECK the "Automatically detect settings" option and the "Use
automatic configuration script" option.
3. Please check the "Use a proxy server for your LAN" option, and then
check the "Bypass proxy server for local addresses" option. Then click the
Advanced Button, remove ALL the entries under the Exceptions section.
Then let's access the http://companyweb again, will you be able to access
the companyweb?
You are right that under normal condition, only the IIS service is
listening on the port 80 on the internal interface. The ISA proxy service
is listening on port 8080 on the internal interface and the web listener is
listening on the port 80 on the external interface. The ISA's web proxy
engine will only answer the requests when they are regarded as Internet
addresses or the "Bypass proxy server for local addresses" option is
UNCHECKED. Since the companyweb is an internal website, there is no reason
for the ISA to handle these requests.
If the Test One/Two still fail, please type "ipconfig /all >
d:\filename.txt" and send the .txt file to my mailbox:
v-edtian@xxxxxxxxxxxxxx. Also, please capture a screenshot on the LAN
Settings page (where you specify the proxy server), and send me the .jpg
file for further analysis.
In addition, please kindly help me gather the ISA info and ISA log I
requested in my initial reply so that I can perform a deeper research on
this issue. For your convenience, I re-attach the steps for gathering the
ISA log/info:
1. Please help to gather the ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me at v-edtian@xxxxxxxxxxxxx
2. Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to be deleted, that's normal.) You may back them up first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.
14) Please also let me know the IP address of the testing clients so that I
can filter the data.
I really appreciate your patience and effort on this issue. Please don't
hesitate to let me know if you have any questions or concerns.
Have a nice day! :-)
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: "Danny Liberty" <dliberty@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: ISA 2004 & companyweb
| Date: 3 Jan 2006 14:23:39 -0800
|
| Hi Edward,
|
| Unfortunately, the situation is not resolved.
| What I've discovered is that companyweb is accessible, but only when
| going through the ISA proxy. So I have to configure IE or GPO not to
| bypass proxy for local addresses. Then, when a user on the internal
| network tries to access http://companyweb, he connects through the ISA
| proxy and is able to reach companyweb.
| Still one question remains - why is ISA listening on port 80 on the
| internal network??
| I'm not certain of this, but notice the error being returned is "Error
| Code: 403 Forbidden. The ISA Server denied the specified Uniform
| Resource Locator (URL). (12202)" so unless IIS has some connection to
| ISA this shouldn't be happening. It's a direct connection from a client
| in the internal network to the server on port 80. ISA shouldn't be
| answering to port 80 from the local network (correct me if I'm wrong
| here). I also checked the SBS web listener is configured as you
| suggested (only listening on the external network).
|
| Any more ideas ? :)
|
| Thanks again,
|
| Danny
|
|
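The routing decision described in the reply above, as an added example that is not part of the original posts and is not IE's own code: it models the LAN Settings checkboxes and shows where a request for http://companyweb goes under Test One, Test Two and the bypass-unchecked case. The field names and the proxy host `isa.example.local` are assumptions; port 8080 is the outbound web listener port given in the message.

```javascript
// Added example: a model of the decision described in the reply, not IE's code.
// The field names and the proxy host "isa.example.local" are assumptions;
// port 8080 is the outbound web listener port given in the message.

function isLocalName(host) {
  // Per the reply: a name without a period is treated as a local address.
  return !host.includes(".");
}

function matchesException(host, exceptions) {
  // Entries from the Advanced > Exceptions box; "*" acts as a wildcard.
  return exceptions.some((entry) => {
    const pattern = entry.trim().toLowerCase()
      .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*");
    return pattern !== "" && new RegExp("^" + pattern + "$").test(host);
  });
}

function routeRequest(url, lan) {
  const host = new URL(url).hostname.toLowerCase();
  // Either automatic option overrides the manual proxy settings (note in Test One).
  if (lan.autoDetect || lan.autoConfigScript) return { host, route: "auto-config" };
  if (!lan.useProxy) return { host, route: "direct" };
  if (matchesException(host, lan.exceptions || [])) return { host, route: "direct" };
  if (lan.bypassLocal && isLocalName(host)) return { host, route: "direct" };
  return { host, route: "proxy", via: lan.proxy };
}

// Constructed settings mirroring Test One, Test Two and the bypass-unchecked case.
const base = { autoDetect: false, autoConfigScript: false, proxy: "isa.example.local:8080" };
const testOne = { ...base, useProxy: false };
const testTwo = { ...base, useProxy: true, bypassLocal: true, exceptions: [] };
const bypassOff = { ...base, useProxy: true, bypassLocal: false, exceptions: [] };

for (const [name, lan] of Object.entries({ testOne, testTwo, bypassOff })) {
  for (const url of ["http://companyweb", "http://www.a.com"]) {
    console.log(name, url, JSON.stringify(routeRequest(url, lan)));
  }
}
```

A "direct" result means the request should appear in the IIS log only, while a "proxy" result should also appear in the ISA Web Proxy log, which is what the W3C logs requested above would confirm.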