Re: Internal access to a WSS 3.0 site
- From: v-mzhuan@xxxxxxxxxxxxxxxxxxxx (Manfred Zhuang [MSFT])
- Date: Fri, 22 Feb 2008 05:20:30 GMT
Hi Customer,
Appreciate your update and response. I am glad to hear that the problem has
been fixed. If you have any other questions or concerns, please do not
hesitate to contact us. It is always our pleasure to be of assistance.
Have a nice day!
Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Mesan <935main@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Internal access to a WSS 3.0 site
| Date: Thu, 21 Feb 2008 07:53:05 -0800 (PST)
|
| On Feb 21, 3:39 am, v-mzh...@xxxxxxxxxxxxxxxxxxxx (Manfred Zhuang
| [MSFT]) wrote:
| > Hello Customer,
| >
| > Thank you for posting here.
| >
| > From your post, I understand that when attempting to access an internal
| > website, ISA blocks the traffic.
| >
| > I suggest you check following steps:
| >
| > Step 1:
| > ======
| > 1. Open ISA management.
| > 2. Click ServerName/Configuration/Networks.
| > 3. Right click Internal in the right pane and click Properties.
| > 4. Click Addresses tab, please ensure the IP of the SharePoint server is
| > included.
| > 5. Click Domains tab, please ensure both the Alias and the FQDN are added.
| > 6. Click Web Browser tab, ensure all the options are checked.
| > 7. Click Add and add the IP address of the SharePoint server. (Input the
| > same IP for both From and To)
| > 8. Click Apply button.
| >
| > If it does not help, let's move on:
| >
| > Step 2:
| > =====
| > 1. On a client workstation, open IE.
| > 2. Click Tools-->Internet Options.
| > 3. Click Connections tab and then click LAN Settings...
| > 4. Uncheck the first two options and select Use a proxy server for your LAN.
| > 5. Input the address of your ISA server in Address box and input 8080 in
| > the Port box. Do not select Bypass proxy server for local addresses.
| > 6. Click Advanced button, add the address of the SharePoint server to the
| > Exceptions box.
| >
| > Please check if it helps. If yes, we can use Group Policy to change the
| > settings on all the client workstations:
| >
| > 1. Create a new GPO and link it to MyBusiness/Users/SBSUsers
| > 2. Edit following policy of the GPO:
| >
| > User Configuration/Windows Settings/Internet Explorer
| > Maintenance/Connection/Proxy Settings
| >
| > 3. Select Enable Proxy settings, input the address of the ISA server and
| > port 8080
| > 4. Uncheck Do not use proxy server for local addresses and add the address
| > of the SharePoint server to the Exceptions box.
| >
| > After that, please run gpupdate /force on the client and restart it to see
| > if the settings are changed.
| >
| > If the problem persists, please help me gather following information:
| >
| > 1. Please capture a screenshot of the error message received on the client
| > workstation when attempting to visit the SharePoint server:
| >
| > To capture the image, we can perform the steps below:
| >
| > (a) When the error message appears, press the Print Screen key several
| > times (this key is located to the right of the F12 key on the keyboard)
| > (b) Open Paint ['start' => 'All Programs' => 'Accessories' => 'Paint'].
| > (c) Click Edit (menu) -> Paste or press Ctrl + V.
| > (d) Click File (menu) -> Save. Save it as a .jpg or .gif file and send it
| > to me as an attachment.
| >
| > 2. Please help to gather the ISA Info:
| >
| > 1) Download the file from the following URL:
| >
| > http://www.isatools.org/isainfo/ISAInfo.zip
| >
| > 2) Extract all files to a folder on ISA server.
| > 3) Double click Isainfo.js. This will generate 2 files
| > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
| > current folder.
| > 4) Please send these files to me at v-mzh...@xxxxxxxxxxxxx
| >
| > 3. Please also help to gather the ISA logs:
| >
| > 1) Schedule a down time.
| >
| > 2) Open ISA 2004 management console.
| >
| > 3) Expand the server node and highlight 'Monitoring'.
| >
| > 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
| > Pane' is shown there.
| >
| > 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
| > Tasks', and then switch the 'log storage format' from 'MSDE database'
| > (default) to 'File'.
| >
| > 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >
| > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
| > Tasks', and then switch the 'log storage format' from 'MSDE database'
| > (default) to 'File'.
| >
| > 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >
| > 9) Click 'Apply' to save changes and update the configuration.
| >
| > 10) Temporarily disable the Firewall service. To do that, please click
| > Monitoring | Services tab, and then right click 'Microsoft Firewall' to
| > choose 'Stop'.
| >
| > 11) Clear the current existing W3C logs. To do that, go to the log saving
| > directory and clean any existing .W3C logs. By default, the logs will be
| > saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
| > be able to be deleted, that's normal.) You may back them up first and then
| > delete them.
| >
| > 12) Go back to the ISA 2004 management console, and then Start the stopped
| > 'Microsoft Firewall' service.
| >
| > 13) Reproduce the problem, stop the service, and then gather the resulting
| > W3C files to me for analysis.
| >
| > 14) Please also let me know the IP address of the testing clients so that I
| > can filter the data.
| >
| > Hope the above information helps. Please feel free to let me know if there
| > is anything I can do for you.
| >
| > Best regards,
| >
| > Manfred Zhuang(MSFT)
| > Microsoft Online Newsgroup Support
| >
| > --------------------
| > | From: Mesan <935m...@xxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | Subject: Internal access to a WSS 3.0 site
| > | Date: Tue, 19 Feb 2008 08:46:47 -0800 (PST)
| > |
| > | I'm running SBS2003 R2 Premium. I've got a member server (actually,
| > | it's an additional domain controller) that's hosting a WSS 3.0 site.
| > | Client computers cannot access the WSS 3.0 site.
| > |
| > | I've got an ALIAS set up in the DNS records redirecting "sharepoint"
| > | to otherserver.mydomain.local.
| > | All our clients are set up to use ISA's proxy server for internal
| > | access. If I make the clients bypass the proxy server for local
| > | addresses they can reach "http://sharepoint" but they can no longer
| > | reach companyweb or any of the other sites on the SBS server. If I
| > | disable "bypass proxy server for local addresses" then the clients can
| > | reach all the sites on the SBS server but not the WSS 3.0 site on the
| > | member server.
| > |
| > | The ISA logs show the following:
| > |
| > | ------------------------------------------------------------
| > | Denied Connection SBS 2/19/2008 9:36:41 AM
| > | Log type: Web Proxy (Forward)
| > | Status: 12202 The ISA Server denied the specified Uniform Resource
| > | Locator (URL).
| > | Rule: Block unauthorized web use
| > | Source: Internal ( 192.168.10.204:0)
| > | Destination: External ( 192.168.10.8:8080)
| > | Request: GET http://otherserver/default.aspx
| > | Filter information: Req ID: 0eabc2dc
| > | Protocol: http
| > | User: DOMAIN\User
| > |
| > | ------------------------------------------------------------
| > |
| > | The problem that I see is the "Destination" line - see how it's
| > | classifying the internal SBS IP as "External"? As far as I can tell,
| > | traffic from the client through ISA to the member server (to
| > | "http://sharepoint") _should_ be allowed through the SBS Protected Networks
| > | Access rule, but the error above comes from a rule after the protected
| > | networks rule.
| > |
| > | Why is ISA blocking traffic to my WSS 3.0 site hosted by a member
| > | server?
| > |
| Step 1 did it - you're amazing! Thank you! Thank you! Thank you!
| Hoorah! Hoorah! Hoorah! :-)
|
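
A diagnostic for the symptom discussed in this thread, added here as an example and not part of any poster's message: it parses a denied-connection record in the layout quoted above and reports endpoints that ISA labelled External although their address is private LAN space, along with whether a given set of Internal address ranges covers them. The sample record and the Internal ranges are constructed for illustration; the thread does not list the actual ranges.

```python
import ipaddress
import re

# Constructed sample, laid out like the denied-connection record quoted above.
SAMPLE_RECORD = """\
Denied Connection SBS 2/19/2008 9:36:41 AM
Log type: Web Proxy (Forward)
Rule: Block unauthorized web use
Source: Internal ( 192.168.10.204:0)
Destination: External ( 192.168.10.8:8080)
Request: GET http://otherserver/default.aspx
"""

# "Source: Internal ( 192.168.10.204:0)" -> field, network label, IP, port
ENDPOINT = re.compile(
    r"^(Source|Destination):\s*(.+?)\s*\(\s*([0-9.]+):(\d+)\s*\)\s*$", re.M)


def parse_endpoints(record):
    """Map 'Source'/'Destination' to (network_label, ip, port)."""
    return {field: (label, ipaddress.ip_address(ip), int(port))
            for field, label, ip, port in ENDPOINT.findall(record)}


def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (from, to) address pair."""
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def misclassified(record, internal_ranges):
    """Endpoints labelled External whose address is private (LAN) space.

    Returns (field, ip, covered) tuples; covered says whether the supplied
    Internal ranges already include the address.
    """
    findings = []
    for field, (label, ip, _port) in parse_endpoints(record).items():
        if label == "External" and ip.is_private:
            findings.append((field, str(ip), in_ranges(ip, internal_ranges)))
    return findings


if __name__ == "__main__":
    # Assumed Internal ranges (constructed; the thread does not list them).
    for finding in misclassified(SAMPLE_RECORD, [("192.168.10.100", "192.168.10.254")]):
        print(finding)
```

A result with `covered` set to False points at the Addresses tab of the Internal network (Step 1, item 4); a result with `covered` set to True means the address range is not the cause and the remaining items of Step 1 are the next place to look.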