RE: ISA 2004 help please
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian [MSFT])
- Date: Thu, 05 Oct 2006 10:21:00 GMT
Hi Jim,
Since my colleague Crina is taking leave today, I jump into this thread.
Did you receive event 14147 in the event log? You may refer to this KB:
Client computers cannot access external resources, and event ID 14147
appears in the Application log in ISA Server 2004 (884496)
http://support.microsoft.com/default.aspx?scid=KB;EN-US;884496
Meanwhile, please help me gather the following info:
1. Please send me a network topology with detailed IP schema.
2. Please let me know the detailed symptom of this issue.
3. Please send me the ISA info and ISA Bpa:
   1) Download the file from the following URL:
      http://www.isatools.org/isainfo/ISAInfo.zip
   2) Extract all files to a folder on ISA server.
   3) Double click Isainfo.js. This will generate 2 files
      ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
      current folder.
   4) Please send these files to me at v-edtian@xxxxxxxxxxxxx
Follow the link and download and run the Microsoft Internet Security and
Acceleration (ISA) Server 2004 Best Practices Analyzer Tool and then send
me the results (XML format):
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
Thanks for your time and have a nice day!
Sincerely,
Edward Tian(MSFT)
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security
====================================================
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by posting
from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.
We look forward to hearing from you!
====================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================
--------------------
| From: =?Utf-8?B?SmltIE11c3N1bG1hbg==?=
<JimMussulman@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: ISA 2004 help please
| Date: Wed, 4 Oct 2006 11:16:02 -0700
|
| Sorry for the long time in posting a response. I was able to get the
| connections to work by placing a persistent route on each of the workstations
| that pointed to the telnet server that they have to connect to.
|
| I still cannot get the workstations at the remote clinic to connect to the
| server. They are on a VLAN that uses 192.168.16.1 as the gateway into our
| network, and I have set that as the gateway on those machines. The SBS
| network includes that address in its address space and I use the default
| 192.168.16.2 for the SBS server. They use a 172.30.xxx.xxx IP address on that
| VLAN and they are members of the SBS domain. When I set a persistent route on
| the server to their addresses (how I configured the ISA 2000 server and they
| connected with no problems) I get an ISA error message that says the routes
| are not in the ISA list and are blocked. I have configured a network set that
| includes those machines and have ISA route to that network and set up a
| policy to allow access to that network. I still cannot connect those
| workstations and don't think a persistent route on those workstations will
| help for the gateway they use is already in their network properties.
| Any help is appreciated.
| Jim
|
|
|
| "Crina Li" wrote:
|
| > Hi Jim,
| >
| > Thanks for your update.
| >
| > I will look forward to your test result.
| >
| > Thanks for your time.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the corresponding
| > newsgroups so that they can be resolved in an efficient and timely manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check the
| > "Notify me of replies" box to receive e-mail notifications when there are
| > any updates in your thread. When responding to posts via your newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly. Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| >
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| > --------------------
| > | From: Jim Mussulman <JimMussulman@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: RE: ISA 2004 help please
| > | Date: Fri, 15 Sep 2006 06:10:01 -0700
| > |
| > | Answers to your questions in order:
| > | 1. Yes, I do want internal clients behind the ISA firewall to access these
| > | assets. They were able to do so with the same client setup prior to moving
| > | from ISA 2000 to ISA 2004.
| > |
| > | 2. Yes, I added a persistent route with the route add -p command line
| > | command in the format you show, with the gateway portion of the command set
| > | to 192.168.16.1. (This is the exact same setting that I used with the ISA
| > | 2000 firewall and did not have any problem connecting.) When I did that, I get
| > | a message in the event log - Event ID 14147 which says: "ISA Server detected
| > | routes through adapter Server Local Area Connection that do not correlate
| > | with the network element to which this adapter belongs. For best practice,
| > | the address range of an ISA Server network should match the address ranges
| > | routable through the associated network adapter as defined in the routing
| > | table. Otherwise valid packets may be dropped as spoofed. (This alert may
| > | occur momentarily when you create a remote site network. You may safely
| > | ignore this message if it does not reoccur.) The address ranges in conflict
| > | are: 172.xxx.xxx.101-172.xxx.xxx.101;192.168.16.0-192.168.16.0;. "
| > |
| > | 3. I have not set a static route on the LAN clients, for I did not have to
| > | do so with the previous firewall. One of the applications is a telnet client
| > | that points to an address in the 172 range shown above.
| > |
| > | Thank you for your response. I will try your recommendations and report back.
| > | Jim
| > |
| > | "Crina Li" wrote:
| > |
| > | > Hi Jim,
| > | >
| > | > Thank you for posting in SBS newsgroup.
| > | >
| > | > To narrow down the problem, would you please help me collect the detailed
| > | > network diagram? Do you mean you want to access these resources from
| > | > internal client of SBS with ISA 2004?
| > | >
| > | > Do you mean you have added PersistentRoute on the SBS via
| > | > Route Add *.*.*.* MASK 255.0.0.0 *.*.*.* -p? If the issue still occurs,
| > | > please try the following information:
| > | >
| > | > 1. Create static route on each of the client computers.
| > | > 2. On the LAN client, disable Firewall client, disable Web Proxy client,
| > | > enable SecureNAT client. (The default gateway is pointing to the ISA
| > | > Server's internal interface).
| > | >
| > | > I appreciate your time and look forward to hearing from you.
| > | >
| > | > Best regards,
| > | >
| > | > Crina Li (MSFT)
| > | >
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > --------------------
| > | > | From: Jim Mussulman <JimMussulman@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | > | Subject: ISA 2004 help please
| > | > | Date: Thu, 14 Sep 2006 07:31:01 -0700
| > | > |
| > | > | We have been using SBS 2000 with ISA firewall to connect to some hospital
| > | > | assets (Xray images, etc.) from SBS. We are a doctor's office in a medical
| > | > | office complex that has our own internet access and network. I recently
| > | > | replaced the server and OS to SBS 2003 Premium and cannot reach those assets.
| > | > | I created a new domain and added the users rather than migrating.
| > | > |
| > | > | Here is the scenario:
| > | > | The hospital is using 192.168.16.1 as the gateway from our network to the
| > | > | assets that are set up on a VLAN. On the old server, I set up a persistent
| > | > | route to the IPs of those assets, and was able to connect with no problem.
| > | > | The internal IP range for my server was 192.168.16.0 through 192.168.16.255.
| > | > |
| > | > | When I set up the new server, I applied the persistent routing to the server
| > | > | using the route add command and configured networks and policies to access
| > | > | those assets as I had done on the old machine. I began to get messages that
| > | > | there was a route that was not valid and the ISA server would treat it as
| > | > | possible spoofing. Originally I used an edge template, for that was the
| > | > | configuration used on the old server. I could not connect, so I changed the
| > | > | template to a perimeter and identified the IP of 192.168.16.1 as the
| > | > | perimeter IP. I also changed the IP range for the SBS to 192.168.16.2 and
| > | > | above (thinking that the 16.1 address would be outside the internal network
| > | > | range). I set up policies and I still cannot connect to those assets. I
| > | > | would really appreciate any configuration help so the doctors can see the
| > | > | Xrays.
| > | > |
| > | > | Thanks in advance.
| > | > | Jim Mussulman
| > | > |
| > | > |
| > | > |
| > | >
| > | >
| > |
| >
| >
|
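The comparison that the event 14147 text quoted in this thread describes (ISA network ranges versus the ranges routable through the adapter), as an added example that is not part of the original posts and is a simplified model, not ISA Server's own logic. The function names and all sample addresses are constructed; 172.30.0.101 stands in for the masked 172.xxx.xxx.101.

```python
import ipaddress

def span(text):
    """'a.b.c.d/len' or 'first-last' -> (first, last) as integers."""
    if "-" in text:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in text.split("-"))
        return lo, hi
    net = ipaddress.ip_network(text, strict=True)
    return int(net.network_address), int(net.broadcast_address)

def merge(spans):
    """Sort spans and join the ones that overlap or touch."""
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def subtract(a, b):
    """Addresses covered by merged spans a but not by merged spans b."""
    left = []
    for lo, hi in a:
        cur = lo
        for blo, bhi in b:
            if bhi < cur or blo > hi:
                continue          # no overlap with what remains of this span
            if blo > cur:
                left.append((cur, blo - 1))
            cur = bhi + 1
        if cur <= hi:
            left.append((cur, hi))
    return left

def conflicts(adapter_routes, isa_network_ranges):
    """Ranges on one side only, formatted like the event's conflict list."""
    routable = merge(span(r) for r in adapter_routes)
    defined = merge(span(r) for r in isa_network_ranges)
    diff = merge(subtract(routable, defined) + subtract(defined, routable))
    return [f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}" for lo, hi in diff]

# Constructed sample: connected subnet plus a persistent host route on the internal adapter
ROUTES = ["192.168.16.0/24", "172.30.0.101/32"]
INTERNAL_BEFORE = ["192.168.16.1-192.168.16.255"]    # ISA network as first defined
INTERNAL_AFTER = ["192.168.16.0-192.168.16.255", "172.30.0.101-172.30.0.101"]

if __name__ == "__main__":
    print(conflicts(ROUTES, INTERNAL_BEFORE))   # two ranges in conflict
    print(conflicts(ROUTES, INTERNAL_AFTER))    # ranges match, nothing reported
```

With the constructed "before" definition the output has the same shape as the conflict list in the quoted event text: the host route and the subnet's .0 address are routable through the adapter but missing from the network element.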