[isalist] Re: ISA Intra Array Authentification

  • From: "Bogdan Florin" <florinb@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 13 Feb 2007 16:14:32 +0200

Your question is very good!

What does it mean for you if the ARRAY is working?

Everything is perfect, the servers synchronize with Storage, same settings,
no errors ... But when one server wants to use the CACHE of the OTHER ...
the problem appears ... and the end user sees the error message:

Network Access Message: The page cannot be displayed

Explanation: There is a problem with the page you are trying to reach
and it cannot be displayed. 

Try the following: 

*       Refresh page: Search for the page again by clicking the Refresh
button. The timeout may have occurred due to Internet congestion. 
*       Check spelling: Check that you typed the Web page address
correctly. The address may have been mistyped. 
*       Access from a link: If there is a link to the page you are
looking for, try accessing the page from that link. 

If you are still not able to view the requested page, try contacting
your administrator or Helpdesk. 

Technical Information (for support personnel) 

*       Error Code: 502 Proxy Error. Logon failure: unknown user name or
bad password. (1326) 
*       IP Address: 192.168.254.1 
*       Date: 2/13/2007 2:13:44 PM 
*       Server: proxy-zorilor2.bizarnet.ro 
*       Source: proxy 

 

The conclusion is simple: the servers do not exchange cache between them!
This looks like an Intra Array Authentication problem!

Except for this, everything is normal, OK!

 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Tuesday, February 13, 2007 2:17 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

 

Is your array working?

I have 2 years of using ISA2004, and I received those crappy messages
since the beginning. I also have 8 arrays and all are working perfectly
even when those messages keep appearing. On the arrays I have things
like VPN, Citrix, websites published, 2 are just to browse the web with
redundancy, etc, etc.

 

So again, if you want to fix them, go ahead. But is the array working?

 

Regards

Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Monday, February 12, 2007 5:26 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

 

More info.

 

The Internal network has the following modules configured:

- Autodiscovery

- Web proxy

- CARP

- Web browsers

- Domain

- Addresses

The IntraArray network, created with the IP of the second NICs, which were
placed for ARRAY only:

- Autodiscovery

- Web proxy

- CARP

- Web browsers

- Domain

- Addresses

Are you sure that all these enabled modules are OK for these networks,
please?

 

 

 

Yours sincerely,

 

Bogdan Florin
CEO
InterNetCon - Satellite Internet Services
www.internetcon.ro www.powersat.ro
Phone: +40-264-452383
Cell: +40-740-074031
Cell: +40-788-074031
Fax: +40-264-452207

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Monday, February 12, 2007 11:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

 

Any idea in my case will be welcome.

I checked 1000 times and everything is the same as in the documentation.

There are two ISA servers, each of them with two NICs: one for Internet
connectivity and another one for ARRAY only.

Do you have any real ideas or questions?

 

 

 

Yours sincerely,

 

Bogdan Florin

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, February 12, 2007 10:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

 

What's sad is that I actually know that song ;)

t


On 2/12/07 11:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

..and dey swam and dey swam all over de dam..."
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, February 12, 2007 10:23 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

Zinged right by ya ;)

t


On 2/12/07 8:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
As a rule, it's not a problem unless you have one of several web content
filters that were never tested in this scenario.
Unfortunately, that's a common problem.
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, February 12, 2007 7:34 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

I always thought there was something fishy about Server-side CARP.

t


On 2/12/07 6:12 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
No.
You still haven't answered this question: "Are these servers in a
workgroup or domain environment?"
If you send anything, send ISAInfo; not screen captures.

There are three cases where this error might occur:
1.      Intra-array traffic, where each server queries the others for
their interpretation of the array membership (uses machine account by
default)

2.      Server-side CARP (uses machine account by default)

3.      Web Chaining (uses the account specified in the rule)


Quit playing with hardware settings - they have nothing to do with this.
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Sunday, February 11, 2007 10:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

I have an idea:
The security setup on the D:\URLCACHE is the following:
 
Administrators - full
Network Service - full
System - full
 
Does this have something to do with the Authentication error?
 
 

Yours sincerely,
 

Bogdan Florin
   

________________________________



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, February 12, 2007 2:39 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

Good - that's been answered.
Are these servers in a workgroup or domain environment?
Are you chaining between ISA servers?
Have you configured any web chaining rules?
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Sunday, February 11, 2007 2:28 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

I'm sorry to see you upset.
 
Array properties / IntraArray credentials ... is set up as "Authenticate
using the computer account of the Array member"

It is normal for them to be the same, because these properties are
automatically synchronized by the array itself, as far as I know.

Do you have any other idea?
 
 
 

Yours sincerely,
 

Bogdan Florin
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, February 11, 2007 11:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

Stop
Playing
With
Your
Network
Configuration
 
Stop
Playing
With
NLB
Settings
 
Check the intra-array authentication settings for each server in the
array.
Make sure that they are *THE SAME* for each server.
 
What; I donn tawk Engrish gud?!?
 
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Sunday, February 11, 2007 1:17 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

ISA1, original IP: xxx.xxx.xxx.187
ISA2, original IP: xxx.xxx.xxx.189

I followed the documentation, enabling NLB on Internal networks, and I
specified the virtual IP as: xxx.xxx.xxx.190 (same subnet)

The intra-array authentication shows problems!

Then I added a second interface on both servers (192.168.254.1 and
192.168.254.2) and I specified that this new one should be for intra-array.
I also disabled the firewall as described in the documentation:
http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx

Result > same problems!

I noticed that in Networks I receive this message: You have changed the
network topology. The network diagram does not reflect these changes.
All networks in the network topology are listed in the networks tab.
And I changed the topology to Edge Firewall with FULL FULL access > same
result > intra-array problems!

I really have no idea what can be done.

And after every change ... I wait peacefully until a correct, total and
complete synchronization.

Any idea is very warmly welcome.
 
 
 

Yours sincerely,
 

Bogdan Florin
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, February 11, 2007 5:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

It's only a "best practice" if you operate NLB on Windows prior to 2003
SP1.
There is no valid "traffic" or "functionality" requirement to have a
separate intra-array NIC if you're running non-NLB or Windows 2003 SP1
or later.
 
The fact is; changing your network or NLB configuration will not affect
the authentication used to communicate between array members.
Check the authentication selection & IP address defined for each member
in the array - they *MUST AGREE*.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Gerald G. Young
Sent: Sunday, February 11, 2007 7:05 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

Well, technically, not exactly, although it is a best practice.
 
There are two ways to work around this. These are:
 
1.     Run NLB in Multicast mode - not something I consider a good idea
because you will most likely end up having to hard code a bunch of
network devices' ARP tables.

2.     Use the UnicastInterHostCommSupport Registry key (assuming
Windows 2003 SP1).


The link for 2., above is http://support.microsoft.com/kb/898867.
 

Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company
 
22451 Shaw Rd.
Sterling, VA 20166
 
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Sunday, February 11, 2007 6:50 AM
To: ISA Mailing List
Subject: [isalist] Re: ISA Intra Array Authentification

Intra-Array Communication
When you use ISA Server integrated NLB, each computer running ISA Server
services requires an additional network adapter, for intra-array
communication. We recommend that these network adapters be physically
connected to each other (for example, through a single switch), and not
to other network segments, to ensure that they receive only intra-array
communication. You should then configure intra-array communication to
use the IP address of the new adapter on each server. The configuration
procedures are described in the topic Configuring and Securing
Intra-Array Communication in this document.

Therefore it needs at least 2 NICs
 
S
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Sunday, February 11, 2007 3:00 AM
To: ISA Mailing List
Subject: [isalist] Re: ISA Intra Array Authentification

I did this and I found interesting documentation.

http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx

Please be kind and confirm if my understanding was right:

- To have ISA with only one Ethernet card working in an ARRAY, it is
also required to configure Network Load Balancing.

Or ... will TWO Ethernet cards be a MUST?

Thank you.

PS: On ISA 2000 it was simple to create the array: just add the second
server, same settings, and it worked, but in 2004 it seems they changed
something more.
 
 

Yours sincerely,
 

Bogdan Florin
CEO
InterNetCon - Satellite Internet Services
www.internetcon.ro www.powersat.ro
Phone: +40-264-452383
Cell: +40-740-074031
Cell: +40-788-074031
Fax: +40-264-452207
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Saturday, February 10, 2007 10:21 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

Search the help for "intra-array account".
Make sure that it's set the same for all servers in the array.
 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Monday, February 05, 2007 11:30 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA Intra Array Authentification

Dear Colleagues,
 
I come to you with a simple question and I thought that you could help me
faster than any other documentation.

We have an ISA Server 2004 connected to our main domain, with only one
interface and used purely for caching. The settings are all OK,
everything works all right. In this environment we added another server
with the intention of having 2 servers in an array. We would like to do
failover at the DNS level with the same record and two IPs.

After this array was created successfully, there is one error on each ISA
machine:
Description: ISA Server cannot connect to xxx.xxx.xxx.xxx proxy server
because the server requires authentication, either when chaining or for
intra-array communication. However authentication failed because the
specified credentials were incorrect. Check authentication credentials
and try again.

XXX.XXX.XXX.XXX is the address of the OTHER server. From this I
reached the conclusion that there is a problem in INTRA ARRAY
communication.

The second server has a CARP load factor of 1 and the old server has a
CARP load factor of 100. In this environment, when an end user
connects to the second server, they get the following error:

*       Error Code: 502 Proxy Error. Logon failure: unknown user name or
bad password. (1326) 
*       IP Address: server isa old
*       Date: 2/6/2007 7:18:37 AM 
*       Server: server isa new
*       Source: proxy 

I can only conclude that Intra-Array authentication is the problem.

If you can provide me with some fast advice, I would appreciate it very much.
 
 
 

Yours sincerely,
 

Bogdan Florin
CEO
InterNetCon - Satellite Internet Services
www.internetcon.ro www.powersat.ro
Phone: +40-264-452383
Cell: +40-740-074031
Cell: +40-788-074031
Fax: +40-264-452207 

All mail to and from this domain is GFI-scanned. 
