Your asking "me" about routing questions... ;-) From what I understand there has been related issues with Websense and Pix. Which are both directly upstream and I have no access to or control over. Sites came up with no problems at the ISA 2004 or 2000 servers and any workstation on the switch between our router and the ISA servers. My question was "What is different between 2000 and 2004...?". I was reminded that ISA 2004, unlike 2000, protects both external and internal since a large percentage of attacks occur from the internal network. I didn't ask the important question of why the registry change after the review of a capture from an internal client. As Jim noted my skills at effectively ready through a capture are limited, so I implemented the suggestion without question. I have emailed a couple of questions since this case isn't closed. This email would have been sent earlier, but I was hoping for a complete answer to your question. Sorry. When I get the info I'll pass it on, but it maybe a week because I'm heading to Dallas for a another course. William -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Friday, April 08, 2005 09:26 To: [ISAserver.org Discussion List] Subject: [QUAR][isalist] RE: [isalist]RE: Blank pages in IE live log shows... http://www.ISAserver.org Hi William, Then that's REALLY interesting. Can you tell us the reasoning they used to determine it as a path MTU discovery issue and where the router was that created the problem? Thanks! Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx] Sent: Friday, April 08, 2005 9:20 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: [QUAR]RE: Blank pages in IE live log shows... http://www.ISAserver.org Hello Tom, No, we're using a single T1. William -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Friday, April 08, 2005 09:07 To: [ISAserver.org Discussion List] Subject: [QUAR][isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org Hi William, Interesting! Are you using a DSL connection to the Internet? Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx] Sent: Friday, April 08, 2005 8:51 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org Well I surrendered and called MS. With Byron Carter's help I think we have a solution, but I still need to do some more testing. I've asked other districts in our region (same ISP) that are having this same problem with ISA 2004 to give this a try. We changed the EnablePMTUDiscovery (http://tinyurl.com/66qhf) to 1 like it is in our ISA 2K. Can someone explain how this will affect security? I found some information in http://tinyurl.com/6av9n relating to DoS, but is there other problems created by changing this key? Jim, thank you for your help I appreciate your time and effort. William -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Wednesday, April 06, 2005 15:04 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org You could post the capture for a trusted soul to examine if it's Greek to you... ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx] Sent: Wednesday, April 06, 2005 12:59 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org By captures I'm assuming netmon. Looking down the capture I see get..., control bits, continuation..., status code = 200, and then a response to client: status code = 302 - found. On the LAN capture the internal DNS is quarried and return the correct address. The next frames on the external controller are a GET, continuation, and control. That is where IE dies (blank page). I would need guidance on what to look for and I thought would be to much to ask. So, suggestions? :-) William -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Wednesday, April 06, 2005 08:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org Ok - the point of this exercise so far isn't clear. Nothing you've shown from the logs indicates a "problem" as such. Grab some captures at the ISA and see what they show. -----Original Message----- From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx] Sent: Wednesday, April 06, 2005 6:17 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org Thank you for all your help. Our upstream provider has been pointing at ISA 2004 as the source of the problem since ISA 2000 doesn't have this problem. My suspicion has been with the upstream Websense server or Pix. The burden has fallen on me to prove the problem isn't with ISA 2004, but upstream. Thanks again, William -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Tuesday, April 05, 2005 19:48 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org Based on the cache-info data provided (0x40020004), I'm inclined to believe that the upstream server is closing the connection gracefully. This is based on that data resolving to (from the help): 0x40000000 == Response should not be cached 0x00020000 == Response includes the CACHE-CONTROL: PRIVATE header 0x00000004 == Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE. ..add them all up and you get 0x40020004. Any server that is trying that hard to control where the data is stored is also likely to make sure the connection is only open long enough to transfer said data. Unfortunately, only a packet capture can show this conclusively. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx] Sent: Tuesday, April 05, 2005 14:27 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org In addition to the directions I also cleared IE's cache. Then started the query and came up with the same results. Tried again with ISA caching turned off (restarted ISA Services). Same results. 0.0.0.0 No Proxy SRV01 www1.us.dell.com TCP Internet - - - - - - 0 375 401 1418 200 0x40020004 0x480 Web Proxy Filter 4/5/2005 16:19 143.166.83.38 80 http Allowed Connection All Open 10.10.11.2 anonymous Internal External GET http://www1.us.dell.com/content/public/bw.aspx?~bandwidth=Lan 0.0.0.0 No Proxy SRV01 www.dell.com TCP Internet - - - - - - 0 1547 1 1451 0 0x4 0xd80 Web Proxy Filter 4/5/2005 16:19 143.166.83.230 80 http Allowed Connection All Open 10.10.11.2 anonymous Internal External GET http://www.dell.com/metrics/DellHomePage.htm?c=us&l=en&s=gen&eiwatch=htt p:// www.dell.com/metrics/DellHomePage.htm 10.114.0.2 SRV01 - TCP - - 1642 0 5325 20563 0x80074e20 0x0 0x0 Firewall 4/5/2005 16:19 143.166.83.230 80 HTTP Closed Connection 10.114.0.2 Local Host External - - 10.10.11.2 SRV01 - TCP - - 2412 3000 6092 3614 0x80074e20 0x0 0x0 Firewall 4/5/2005 16:19 10.10.1.1 8080 Unidentified IP Traffic Closed Connection 10.10.11.2 Internal Local Host - - 10.114.0.1 SRV01 - Raw 88 - - 0 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 4/5/2005 16:19 224.0.0.10 0 Unidentified IP Traffic Denied Connection Default rule 10.114.0.1 External Local Host - - -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Tuesday, April 05, 2005 15:36 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org That's better... >From that log, it appears that your clients aren't taking advantage of HTTP 1.1 "keep-alive". Try this: In IE, go to "Tools", "Internet Options", "Advanced" and select "Use HTTP 1.1" and "Use HTTP 1.1 through proxy". Stop and restart all your IE sessions (yes, including the ISA MMC and OL2K3). ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx] Sent: Tuesday, April 05, 2005 12:09 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org Sorry about the partial... I'm probably going to overkill this, and I'm sure you'll let know. :-) The times were identical. 10.114.0.2 SRV01 - TCP - - 3457 0 0 0 0x0 0x0 0x0 Firewall 4/5/2005 09:47 143.166.83.38 80 HTTP Initiated Connection 10.114.0.2 Local Host External - - 10.10.11.2 SRV01 - TCP - - 1200 0 0 0 0x0 0x0 0x0 Firewall 4/5/2005 09:47 10.10.1.1 8080 Unidentified IP Traffic Initiated Connection 10.10.11.2 Internal Local Host - - 0.0.0.0 No Proxy SRV01 www1.us.dell.com TCP Internet - - - - - - 0 3297 1 1397 0 0x5 0x400 Web Proxy Filter 4/5/2005 09:47 143.166.83.38 80 http Allowed Connection All Open 10.10.11.2 anonymous Internal External GET http://www1.us.dell.com/content/default.aspx?c=us&cs=k12home&l=en&s=edu 10.114.0.2 SRV01 - TCP - - 3457 0 2024 129 0x80074e20 0x0 0x0 Firewall 4/5/2005 09:47 143.166.83.38 80 HTTP Closed Connection 10.114.0.2 Local Host External - - 10.10.11.2 SRV01 - TCP - - 1200 3000 1645 209 0x80074e20 0x0 0x0 Firewall 4/5/2005 09:47 10.10.1.1 8080 Unidentified IP Traffic Closed Connection 10.10.11.2 Internal Local Host - - -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Tuesday, April 05, 2005 12:21 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Blank pages in IE live log shows... http://www.ISAserver.org That code resolves to '20000', a normal disconnect. You really should refrain from sending "partial" log entries - the time between connect and disconnect will help you determine whether or not this entry indicates a problem. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: William Rascher [mailto:wrascher@xxxxxxxxxxxxxxxx] Sent: Tuesday, April 05, 2005 08:42 To: [ISAserver.org Discussion List] Subject: [isalist] Blank pages in IE live log shows... http://www.ISAserver.org In IE websites like Dell's system configuration pages are blank, but the previous page were displayed. The log query shows the following sequential line: 143.166.83.38 80 http Allowed All Open anonymous Internal External GET http:// 143.166.83.38 80 HTTP Closed Local Host External Why is ISA 2004 closing the connection after allowing? The Result Code was 0x80074e20 on the closed connection line. I looked at 284818 and this number exceeds all values described. Is there a newer article or am I heading in the wrong direction? William --- [This E-mail scanned for viruses by Declude Virus] ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: wrascher@xxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: wrascher@xxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: wrascher@xxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus]