RE: SBS ISA Server starts giving out 12202 errors to client

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

Hi Sraley,

Thank you for posting in SBS newsgroup.

>From the description, I understand the issue to be: you have configured 6
user accounts can access anything on internet, however 1 user of these 6
get error 12202 when he access internet. And the situation occurs on all
the client computers he logs on. If I have misunderstood your concerns,
please do not hesitate to let me know.

To narrow down the problem, would you please help me collect the following
information?

1. Double check if the user belongs to the specified group with the other 5
good users?
2. Please create an allow rule for the problematic user to access to
anywhere on internet and move it to the top of rules. Check if the issue
still occurs.
3. Please also try to make sure "Require all users to authenticate" is not
selected On ISA Management as following:

For ISA 2000:

1) Right-click on the server name or array name in ISA management console.
Select "Properties".
2) On "Outgoing Web Requests" tab, clear "Ask unauthenticated users for
identification".

For ISA 2004:

1) Click "Start", point to "Programs", point to "Microsoft ISA Server", and
then click "ISA Server Management".
2) In "ISA Server Management", in the right pane, click the "Toolbox" tab,
and then click "Networks".
3) Right click Internal and select Properties.
4) In Web Proxy tab | Authentication button, make sure "Require all users
to authenticate" is not selected.

4. If the issue still occurs, please try to remove the user account and
recreate the user account to see how thing goes.

If it does not work, please help me collect the ISA info and ISA log (Note:
please also let me know the IP address of the testing client and user
account so that I can filter the data):

For ISA 2000:

1. Gather the ISA Info:

1) Download the file from the following URL:

http://isatools.org/ISAInfo.vbe

2) Copy the file ISAInfo.vbe into ISA server, and then double click it.
This will generate a file <computer-name>_ISAInfo.txt file in C:\Program
Files\Microsoft ISA Server.
3) Please send the file to me at v-crinal@xxxxxxxxxxxxxx

2. ISA Logs:

1) Open ISA Management, and then point to Monitoring Configuration | Logs
2) Double click ISA Server Firewall Service in the right pane, click to
select Enable Logging for this service, click Fields tab, click Select All,
and then click OK.
3) Please repeat Step 2) to enable logging IP Packet Filter and Web Proxy
Services.
4) Run command "net stop isactrl" (without the quotation marks) to stop all
ISA Services.
5) Backup all files in the folder C:\Program Files\Microsoft ISA
Server\ISALogs, and then delete them.
6) In ISA Management | <server name> | Monitoring | Services, start all ISA
services.
7) Reproduce the issue.
8) Wait for about 3 minutes, and then send that day's firewall, web proxy
and IP Packet filter log below in C:\Program Files\Microsoft ISA
Server\ISALogs to me:

Firewall log: FWSEXTDyyyymmdd.log
Web Proxy log: WEBEXTDyyyymmdd.log
IP Packet Filter log: IPPEXTDyyyymmdd.log

9) Please also let me know the IP address of the testing client so that I
can filter the data.

For ISA 2004:

1. Collect the ISA info:

1) Download the file from the following URL:

http://www.isatools.org/isainfo/ISAInfo.zip

2) Extract all files to a folder on ISA server
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me at v-crinal@xxxxxxxxxxxxxx

2. Please also help to gather the ISA logs:

1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is showed there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to deleted, that's normal.) You may backup them first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem (initiate an SQL access), stop the service, and
then gather the resulting W3C files to me for analysis.

More information:

831140 Web content does not appear, or clients receive an "HTTP 502 Proxy
Error" message when they try to access external Web sites with ISA Server
2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;831140

317798 Content Filtering with ISA Server May Return HTTP Error 502 on Some
Web Sites
http://support.microsoft.com/default.aspx?scid=kb;EN-US;317798

295089 You Are Denied Access to a Destination Set When You Use Site and
Content Rules
http://support.microsoft.com/default.aspx?scid=kb;EN-US;295089

I am appreciated your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: SBS ISA Server starts giving out 12202 errors to client
|| From: =?Utf-8?B?c3JhbGV5?= <sraley@xxxxxxxxxxx>
| Subject: SBS ISA Server starts giving out 12202 errors to client
| Date: Mon, 16 Jan 2006 04:36:04 -0800
| | Newsgroups: microsoft.public.windows.server.sbs
|
| Running SBS 2003 ISA server and have a group of clients who have access
to
| anything on the internet. 6 of the 40 users. 1 of these 6 is now getting
| error 12202 that ISA is denying access to anything on the internet.
Nothing
| has changed on the server. It is not his computer because we have tested
| other accounts on the pc and they get to the internet fine. His account
is
| blocked from any machine he signs on with. Was working fine for months
| before last week.
|

.

Quantcast