RE: Blank pages in IE live log shows...

  • From: "William Rascher" <wrascher@xxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 8 Apr 2005 15:29:52 -0500

Your asking "me" about routing questions... ;-)  From what I understand
there has been related issues with Websense and Pix.  Which are both
directly upstream and I have no access to or control over.  Sites came up
with no problems at the ISA 2004 or 2000 servers and any workstation on the
switch between our router and the ISA servers. My question was "What is
different between 2000 and 2004...?". I was reminded that ISA 2004, unlike
2000, protects both external and internal since a large percentage of
attacks occur from the internal network.  I didn't ask the important
question of why the registry change after the review of a capture from an
internal client. As Jim noted my skills at effectively ready through a
capture are limited, so I implemented the suggestion without question. I
have emailed a couple of questions since this case isn't closed.  This email
would have been sent earlier, but I was hoping for a complete answer to your
question.  Sorry.  When I get the info I'll pass it on, but it maybe a week
because I'm heading to Dallas for a another course.

William

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, April 08, 2005 09:26
To: [ISAserver.org Discussion List]
Subject: [QUAR][isalist] RE: [isalist]RE: Blank pages in IE live log
shows...

http://www.ISAserver.org

Hi William,

Then that's REALLY interesting. Can you tell us the reasoning they used to
determine it as a path MTU discovery issue and where the router was that
created the problem?

Thanks! 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx]
Sent: Friday, April 08, 2005 9:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: [QUAR]RE: Blank pages in IE live log shows...

http://www.ISAserver.org

Hello Tom,

No, we're using a single T1. 

William

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, April 08, 2005 09:07
To: [ISAserver.org Discussion List]
Subject: [QUAR][isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

Hi William,

Interesting! Are you using a DSL connection to the Internet? 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx]
Sent: Friday, April 08, 2005 8:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

Well I surrendered and called MS.  With Byron Carter's help I think we have
a solution, but I still need to do some more testing.  I've asked other
districts in our region (same ISP) that are having this same problem with
ISA 2004 to give this a try.  We changed the EnablePMTUDiscovery
(http://tinyurl.com/66qhf) to 1 like it is in our ISA 2K.  Can someone
explain how this will affect security?  I found some information in
http://tinyurl.com/6av9n relating to DoS, but is there other problems
created by changing this key?   Jim, thank you for your help I
appreciate
your time and effort.

William

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, April 06, 2005 15:04
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

You could post the capture for a trusted soul to examine if it's Greek to
you...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx]
Sent: Wednesday, April 06, 2005 12:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

 By captures I'm assuming netmon.  Looking down the capture I see get...,
control bits, continuation..., status code = 200, and then a response to
client: status code = 302 - found.  On the LAN capture the internal DNS is
quarried and return the correct address. The next frames on the external
controller are a GET, continuation, and control.  That is where IE dies
(blank page).  I would need guidance on what to look for and I thought would
be to much to ask.  So, suggestions?  :-)

William


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, April 06, 2005 08:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

Ok - the point of this exercise so far isn't clear.
Nothing you've shown from the logs indicates a "problem" as such.
Grab some captures at the ISA and see what they show.

-----Original Message-----
From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx]
Sent: Wednesday, April 06, 2005 6:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

Thank you for all your help.  Our upstream provider has been pointing at ISA
2004 as the source of the problem since ISA 2000 doesn't have this problem.
My suspicion has been with the upstream Websense server or Pix. The burden
has fallen on me to prove the problem isn't with ISA 2004, but upstream.


Thanks again,
William

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 19:48
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

Based on the cache-info data provided (0x40020004), I'm inclined to believe
that the upstream server is closing the connection gracefully.
This is based on that data resolving to (from the help):
0x40000000 == Response should not be cached 0x00020000 == Response includes
the CACHE-CONTROL: PRIVATE header
0x00000004 == Request includes one of these headers:
CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE.
..add them all up and you get 0x40020004.

Any server that is trying that hard to control where the data is stored is
also likely to make sure the connection is only open long enough to transfer
said data.

Unfortunately, only a packet capture can show this conclusively.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 14:27
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

In addition to the directions I also cleared IE's cache.  Then started the
query and came up with the same results.  Tried again with ISA caching
turned off (restarted ISA Services).  Same results. 

0.0.0.0         No      Proxy   SRV01           www1.us.dell.com
TCP
Internet        -       -               -               -       -
-
0       375     401     1418            200     0x40020004      0x480
Web
Proxy Filter    4/5/2005 16:19  143.166.83.38   80      http    Allowed
Connection      All Open        10.10.11.2      anonymous       Internal
External        GET
http://www1.us.dell.com/content/public/bw.aspx?~bandwidth=Lan
0.0.0.0         No      Proxy   SRV01           www.dell.com    TCP
Internet        -       -               -               -       -
-
0       1547    1       1451            0       0x4     0xd80   Web
Proxy
Filter  4/5/2005 16:19  143.166.83.230  80      http    Allowed
Connection
All Open        10.10.11.2      anonymous       Internal        External
GET
http://www.dell.com/metrics/DellHomePage.htm?c=us&l=en&s=gen&eiwatch=htt
p://
www.dell.com/metrics/DellHomePage.htm
10.114.0.2                              SRV01   -               TCP
-
-                               1642    0       5325    20563
0x80074e20
0x0     0x0     Firewall        4/5/2005 16:19  143.166.83.230  80
HTTP
Closed Connection               10.114.0.2              Local Host
External        -       -
10.10.11.2                              SRV01   -               TCP
-
-                               2412    3000    6092    3614
0x80074e20
0x0     0x0     Firewall        4/5/2005 16:19  10.10.1.1       8080
Unidentified IP Traffic Closed Connection               10.10.11.2
Internal        Local Host      -       -
10.114.0.1                              SRV01   -               Raw 88
-
-                               0       0       0       0
0xc004000d
FWX_E_POLICY_RULES_DENIED               0x0     0x0     Firewall
4/5/2005 16:19  224.0.0.10      0       Unidentified IP Traffic Denied
Connection      Default rule    10.114.0.1              External
Local Host      -       -

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 15:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

That's better...

>From that log, it appears that your clients aren't taking advantage of
HTTP 1.1 "keep-alive".

Try this:
In IE, go to "Tools", "Internet Options", "Advanced" and select "Use HTTP
1.1" and "Use HTTP 1.1 through proxy".

Stop and restart all your IE sessions (yes, including the ISA MMC and
OL2K3).

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 12:09
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

 
Sorry about the partial...  I'm probably going to overkill this, and I'm
sure you'll let know. :-) The times were identical.


10.114.0.2                              SRV01   -               TCP
-
-                               3457    0       0       0       0x0
0x0     0x0     Firewall        4/5/2005 09:47  143.166.83.38   80
HTTP
Initiated Connection            10.114.0.2              Local Host
External        -       -
10.10.11.2                              SRV01   -               TCP
-
-                               1200    0       0       0       0x0
0x0     0x0     Firewall        4/5/2005 09:47  10.10.1.1       8080
Unidentified IP Traffic Initiated Connection            10.10.11.2
Internal        Local Host      -       -
0.0.0.0         No      Proxy   SRV01           www1.us.dell.com
TCP
Internet        -       -               -               -       -
-
0       3297    1       1397            0       0x5     0x400   Web
Proxy
Filter  4/5/2005 09:47  143.166.83.38   80      http    Allowed
Connection
All Open        10.10.11.2      anonymous       Internal        External
GET
http://www1.us.dell.com/content/default.aspx?c=us&cs=k12home&l=en&s=edu
10.114.0.2                              SRV01   -               TCP
-
-                               3457    0       2024    129
0x80074e20
0x0     0x0     Firewall        4/5/2005 09:47  143.166.83.38   80
HTTP
Closed Connection               10.114.0.2              Local Host
External        -       -
10.10.11.2                              SRV01   -               TCP
-
-                               1200    3000    1645    209
0x80074e20
0x0     0x0     Firewall        4/5/2005 09:47  10.10.1.1       8080
Unidentified IP Traffic Closed Connection               10.10.11.2
Internal        Local Host      -       -



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 12:21
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Blank pages in IE live log shows...

http://www.ISAserver.org

That code resolves to '20000', a normal disconnect.
You really should refrain from sending "partial" log entries - the time
between connect and disconnect will help you determine whether or not this
entry indicates a problem.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 08:42
To: [ISAserver.org Discussion List]
Subject: [isalist] Blank pages in IE live log shows...

http://www.ISAserver.org

In IE websites like Dell's system configuration pages are blank, but the
previous page were displayed.  The log query shows the following sequential
line:

143.166.83.38 80 http Allowed All Open anonymous Internal   External GET
http://
143.166.83.38 80 HTTP Closed                     Local Host External

Why is ISA 2004 closing the connection after allowing?  The Result Code was
0x80074e20 on the closed connection line.  I looked at 284818 and this
number exceeds all values described.  Is there a newer article or am I
heading in the wrong direction?

William

---
[This E-mail scanned for viruses by Declude Virus]


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
wrascher@xxxxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
wrascher@xxxxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
wrascher@xxxxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
---
[This E-mail scanned for viruses by Declude Virus]


---
[This E-mail scanned for viruses by Declude Virus]



Other related posts: