Your question is very good ! What means for you if the ARRAY is working ? Everything is perfect, servers sincronize with Stogage, same settings, no errors .... But when one server want to use CACHE of the OTHER ... the problem apear ... and the end user see the error message: X Network Access Message: The page cannot be displayed Explanation: There is a problem with the page you are trying to reach and it cannot be displayed. Try the following: * Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion. * Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped. * Access from a link: If there is a link to the page you are looking for, try accessing the page from that link. If you are still not able to view the requested page, try contacting your administrator or Helpdesk. Technical Information (for support personnel) * Error Code: 502 Proxy Error. Logon failure: unknown user name or bad password. (1326) * IP Address: 192.168.254.1 * Date: 2/13/2007 2:13:44 PM * Server: proxy-zorilor2.bizarnet.ro * Source: proxy The conclusion are simple: the servers do not exchange cache betweeen ! this looks like Intra Array Authentification problem ! Exepting this everything is normal ok ! ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR Sent: Tuesday, February 13, 2007 2:17 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification Is it your array working? I have 2 years of using ISA2004, and I received those crappy messages since the beginning. I also have 8 arrays and all are working perfectly even when those messages keep appearing. On the arrays I have things like VPN, Citrix, websites published, 2 are just to browse the web with redundancy, etc, etc. So again, you want to fix them go ahead. But are the array working? Regards Diego R. Pietruszka From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin Sent: Monday, February 12, 2007 5:26 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification More info. The Internal network have following modules configured: - Autudiscovery - Web proxy - Carp - Web browsers - Domain - Adreses The IntraArray network created with the IP of the Second NICS who was placed for ARRAY only: - Autudiscovery - Web proxy - Carp - Web browsers - Domain - Adreses Are you sure that all this Enabled modules are Ok for these networks please ? Yours sincerely, Bogdan Florin CEO InterNetCon - Satellite Internet Services www.internetcon.ro www.powersat.ro Phone: +40-264-452383 Cell: +40-740-074031 Cell: +40-788-074031 Fax: +40-264-452207 ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin Sent: Monday, February 12, 2007 11:33 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification Any ideea in my case will be welcome. I check 1000 times and everything is the same like documentation. There is two ISA servers, each of them with two NICs. One as Internet conectivity and another one for ARRAY only. Do you have any reall ideeas or questions ? Yours sincerely, Bogdan Florin ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Monday, February 12, 2007 10:44 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification What's sad is that I actually know that song ;) t On 2/12/07 11:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all: ..and dey swam and dey swam all over de dam..." From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thor (Hammer of God) Sent: Monday, February 12, 2007 10:23 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification Zinged right by ya ;) t On 2/12/07 8:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all: As a rule, it's not a problem unless you have one of several web content filters that were never tested in this scenario. Unfortunately, that's a common problem. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thor (Hammer of God) Sent: Monday, February 12, 2007 7:34 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification I always thought there was something fishy about Server-side CARP. t On 2/12/07 6:12 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all: No. You still haven't answered this question: "Are these servers in a workgroup or domain environment?" If you send anything, send ISAInfo; not screen captures. There are three cases where this error might occur: 1. Intra-array traffic, where each server queries the others for their interpretation of the array membership (uses machine account by default) 2. Server-side CARP (uses machine account by default) 3. Web Chaining (uses the account specified in the rule) Quit playing with hardware settings - they have nothing to do with this. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Bogdan Florin Sent: Sunday, February 11, 2007 10:29 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification I have an idea: The security setup on the D:\URLCACHE is the following: Administrators - full Network Service - full System - full Does this have something to do with the Authentication error? Yours sincerely, Bogdan Florin ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Jim Harrison Sent: Monday, February 12, 2007 2:39 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification Good - that's been answered. Are these servers in a workgroup or domain environment? Are you chaining between ISA servers? Have you configured any web chaining rules? From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Bogdan Florin Sent: Sunday, February 11, 2007 2:28 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification I'm sorry to see you upset. Array properties / IntraArray credentials ... is setup "Authenticate using the computer account of the Array member" It is normal to be the same because this proporites are auotmaticaly sincronized by the array himself as far as I know. Do you have any other ideea ? Yours sincerely, Bogdan Florin ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Jim Harrison Sent: Sunday, February 11, 2007 11:38 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification Stop Playing With Your Network Configuration Stop Playing With NLB Settings Check the intra-array authentication settings for each server in the array. Make sure that they are *THE SAME* for each server. What; I donn tawk Engrish gud?!? From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Bogdan Florin Sent: Sunday, February 11, 2007 1:17 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification ISA1, original ip: xxx.xxx.xxx.187 ISA2, original ip: xxx.xxx.xxx.189 I follow the documentation enabling NLB on Internal networks and I specify the virtual ip as: xxx.xxx.xxx.190 (same subnet) The intra array authentification show problems ! Than I add a second interface on both servers (192.168.254.1 and 192.168.254.2) and I specify that this new one should be for intra array, I also disabled the firewall as described in documentation: http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee .mspx result > same problems ! I notice that in Networks I receive this message: You have changed the network topology. The network diagram does not reflect these changes. All networks in the network topology are listed in the networks tab. And I change topology to Edge Firewall with FULL FULL acces > same result > intra array problems ! I really have no ideea what can be done. And after every change ..... I wait peacefully till a corect total and complete sincronization. Any ideea is very warm welcome. Yours sincerely, Bogdan Florin ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Jim Harrison Sent: Sunday, February 11, 2007 5:23 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification It's only a "best practice" if you operate NLB on Windows prior to 2003 SP1. There is no valid "traffic" or "functionality" requirement to have a separate intra-array NIC if you're running non-NLB or Windows 2003 SP1 or later. The fact is; changing your network or NLB configuration will not affect the authentication used to communicate between array members. Check the authentication selection & IP address defined for each member in the array - they *MUST AGREE*. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Gerald G. Young Sent: Sunday, February 11, 2007 7:05 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification Well, technically, not exactly, although it is a best practice. There are two ways to work around this. These are: 1. Run NLB in Multicast mode - not something I consider a good idea because you will most likely end up having to hard code a bunch of network devices' ARP tables. 2. Use the UnicastInterHostCommSupport Registry key (assuming Windows 2003 SP1). The link for 2., above is http://support.microsoft.com/kb/898867. Cordially yours, Jerry G. Young II Application Engineer, Platform Engineering and Architecture NTT America, an NTT Communications Company 22451 Shaw Rd. Sterling, VA 20166 Office: 571-434-1319 Fax: 703-333-6749 Email: g.young@xxxxxxxx From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Steve Moffat Sent: Sunday, February 11, 2007 6:50 AM To: ISA Mailing List Subject: [isalist] Re: ISA Intra Array Authentification Intra-Array Communication When you use ISA Server integrated NLB, each computer running ISA Server services requires an additional network adapter, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication. You should then configure intra-array communication to use the IP address of the new adapter on each server. The configuration procedures are described in the topic Configuring and Securing Intra-Array Communication in this document. Therefore it needs at least 2 nics S From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Bogdan Florin Sent: Sunday, February 11, 2007 3:00 AM To: ISA Mailing List Subject: [isalist] Re: ISA Intra Array Authentification I did this and I found interesting documentation. http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee .mspx please be kind and confirm if my understanding was right: - to have ISA with one Ethernet card only working in ARRAY there is also required to configure Network Load Balancing. Or ... TWO Ethernet will be a MUST ? Thank you. PS: on Isa 2000 it was simple creating the array, joust add second server, same settings and work but in 2004 it seems they change something more. Yours sincerely, Bogdan Florin CEO InterNetCon - Satellite Internet Services www.internetcon.ro <http://www.internetcon.ro> <http://www.internetcon.ro> www.powersat.ro <http://www.powersat.ro> <http://www.powersat.ro> Phone: +40-264-452383 Cell: +40-740-074031 Cell: +40-788-074031 Fax: +40-264-452207 ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Jim Harrison Sent: Saturday, February 10, 2007 10:21 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification Search the help for "intra-array account". Make sure that it's set the same for al servers in the array. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Bogdan Florin Sent: Monday, February 05, 2007 11:30 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] ISA Intra Array Authentification Dear Colleagues, I come to you with a simple question and I trough that you can help me faster than any other documentation. We have an ISA Server 2004 connected to our main domain, with only one interface and used purely for caching. The settings are all ok, everything works all right. In this enviroments we add another server with intentions to have 2 servers in array. We would like to make a fail over at DNS level with same record and two IP. After this array created successfully, there is one error on each ISA machine: Description: ISA Server cannot connect to xxx.xxx.xxx.xxx proxy server because the server requires authentication, either when chaining or for intra-array communication. However authentication failed because the specified credentials were incorrect. Check authentication credentials and try again. While XXX.XXX.XXX.XXX is the address of OTHER server. In this spirit I reach the conclusion that there is a problem in INTRA ARRAY communication. The second server it have CARP Load factor to 1 and the old server have CARP Load factor to 100. In this enviroments .... When an end user connects to the second server it got the following error: ? Error Code: 502 Proxy Error. Logon failure: unknown user name or bad password. (1326) ? IP Address: server isa old ? Date: 2/6/2007 7:18:37 AM ? Server: server isa new ? Source: proxy I can only conclude that Intra-Array authentification is the problem. If you can provide me a fast advice I would appreciate very much. Yours sincerely, Bogdan Florin CEO InterNetCon - Satellite Internet Services www.internetcon.ro <http://www.internetcon.ro> <http://www.internetcon.ro> www.powersat.ro <http://www.powersat.ro> <http://www.powersat.ro> Phone: +40-264-452383 Cell: +40-740-074031 Cell: +40-788-074031 Fax: +40-264-452207 All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned.