[isalist] Re: ISA Intra Array Authentification

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 13 Feb 2007 11:30:50 -0600

Seems like a "hork mode" issue to me. I never heard about an external
interface, just an "internal" and "intra-array" interface.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Tuesday, February 13, 2007 8:15 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        

        Your question is very good!

        What does it mean for you if the ARRAY is working?

        Everything is perfect: the servers synchronize with Storage, same
settings, no errors... But when one server wants to use the CACHE of the
OTHER, the problem appears, and the end user sees the error message:

         

Network Access Message: The page cannot be displayed

Explanation: There is a problem with the page you are trying to reach
and it cannot be displayed.

Try the following:

*       Refresh page: Search for the page again by clicking the Refresh
button. The timeout may have occurred due to Internet congestion.
*       Check spelling: Check that you typed the Web page address
correctly. The address may have been mistyped.
*       Access from a link: If there is a link to the page you are
looking for, try accessing the page from that link.

If you are still not able to view the requested page, try contacting
your administrator or Helpdesk.

Technical Information (for support personnel)

*       Error Code: 502 Proxy Error. Logon failure: unknown user name or
bad password. (1326)
*       IP Address: 192.168.254.1
*       Date: 2/13/2007 2:13:44 PM
*       Server: proxy-zorilor2.bizarnet.ro
*       Source: proxy
         

        The conclusion is simple: the servers do not exchange cache
between them! This looks like an Intra Array Authentication problem!

        Except for this, everything is normal, OK!

         

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN
INTERLINK INFRA ASST MGR
        Sent: Tuesday, February 13, 2007 2:17 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification

         

        Is your array working?

        I have 2 years of using ISA2004, and I received those crappy
messages since the beginning. I also have 8 arrays and all are working
perfectly even when those messages keep appearing. On the arrays I have
things like VPN, Citrix, websites published, 2 are just to browse the
web with redundancy, etc, etc.

         

        So again, if you want to fix them, go ahead. But is the array
working?

         

        Regards

        Diego R. Pietruszka

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Monday, February 12, 2007 5:26 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification

         

        More info.

         

        The Internal network has the following modules configured:

        -          Autodiscovery
        -          Web proxy
        -          CARP
        -          Web browsers
        -          Domain
        -          Addresses

        The IntraArray network, created with the IPs of the second NICs,
which were placed for ARRAY only:

        -          Autodiscovery
        -          Web proxy
        -          CARP
        -          Web browsers
        -          Domain
        -          Addresses

        Are you sure that all these enabled modules are OK for these
networks, please?

         

         

         

        Yours sincerely,

         

        Bogdan Florin
        CEO
        InterNetCon - Satellite Internet Services
        www.internetcon.ro www.powersat.ro
        Phone: +40-264-452383
        Cell: +40-740-074031
        Cell: +40-788-074031
        Fax: +40-264-452207

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Monday, February 12, 2007 11:33 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification

         

        Any idea in my case will be welcome.

        I checked 1000 times and everything is the same as in the
documentation.

        There are two ISA servers, each of them with two NICs: one for
Internet connectivity and another one for ARRAY only.

        Do you have any real ideas or questions?

         

         

         

        Yours sincerely,

         

        Bogdan Florin

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, February 12, 2007 10:44 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification

         

        What's sad is that I actually know that song ;)
        
        t
        
        
        On 2/12/07 11:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh
to all:

        ..and dey swam and dey swam all over de dam..."
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, February 12, 2007 10:23 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Zinged right by ya ;)
        
        t
        
        
        On 2/12/07 8:36 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        As a rule, it's not a problem unless you have one of several web
content filters that were never tested in this scenario.
        Unfortunately, that's a common problem.
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, February 12, 2007 7:34 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I always thought there was something fishy about Server-side
CARP.
        
        t
        
        
        On 2/12/07 6:12 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to
all:
        No.
        You still haven't answered this question: "Are these servers in
a workgroup or domain environment?"
        If you send anything, send ISAInfo; not screen captures.
        
        There are three cases where this error might occur:
        1.      Intra-array traffic, where each server queries the
others for their interpretation of the array membership (uses machine
account by default)
        
        2.      Server-side CARP (uses machine account by default)
        
        3.      Web Chaining (uses the account specified in the rule)
        
        
        Quit playing with hardware settings - they have nothing to do
with this.
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 10:29 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I have an idea:
        The security setup on the D:\URLCACHE is the following:
         
        Administrators - full
        Network Service - full
        System - full
         
        Does this have something to do with the Authentication error?
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
           

        
________________________________


        
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, February 12, 2007 2:39 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Good - that's been answered.
        Are these servers in a workgroup or domain environment?
        Are you chaining between ISA servers?
        Have you configured any web chaining rules?
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 2:28 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I'm sorry to see you upset.
         
        Array properties / IntraArray credentials ... is set to
"Authenticate using the computer account of the Array member"

        It is normal for them to be the same because these properties are
automatically synchronized by the array itself, as far as I know.

        Do you have any other idea?
         
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Sunday, February 11, 2007 11:38 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Stop
        Playing
        With
        Your
        Network
        Configuration
         
        Stop
        Playing
        With
        NLB
        Settings
         
        Check the intra-array authentication settings for each server in
the array.
        Make sure that they are *THE SAME* for each server.
         
        What; I donn tawk Engrish gud?!?
         
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 1:17 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        ISA1, original ip: xxx.xxx.xxx.187
        ISA2, original ip: xxx.xxx.xxx.189
         
        I followed the documentation, enabling NLB on Internal networks,
and I specified the virtual IP as: xxx.xxx.xxx.190 (same subnet)

        The intra-array authentication shows problems!

        Then I added a second interface on both servers (192.168.254.1
and 192.168.254.2) and I specified that this new one should be for intra
array; I also disabled the firewall as described in the documentation:

        http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx

        result > same problems!

        I noticed that in Networks I receive this message: You have
changed the network topology. The network diagram does not reflect these
changes. All networks in the network topology are listed in the networks
tab.
        And I changed the topology to Edge Firewall with FULL FULL access >
same result > intra array problems!

        I really have no idea what can be done.

        And after every change... I wait peacefully till a correct,
total and complete synchronization.

        Any idea is very warmly welcome.
         
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Sunday, February 11, 2007 5:23 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        It's only a "best practice" if you operate NLB on Windows prior
to 2003 SP1.
        There is no valid "traffic" or "functionality" requirement to
have a separate intra-array NIC if you're running non-NLB or Windows
2003 SP1 or later.
         
        The fact is; changing your network or NLB configuration will not
affect the authentication used to communicate between array members.
        Check the authentication selection & IP address defined for each
member in the array - they *MUST AGREE*.
        
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
        Sent: Sunday, February 11, 2007 7:05 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Well, technically, not exactly, although it is a best practice.
         
        There are two ways to work around this. These are:
         
        1.     Run NLB in Multicast mode - not something I consider a
good idea because you will most likely end up having to hard code a
bunch of network devices' ARP tables.
        
        2.     Use the UnicastInterHostCommSupport Registry key
(assuming Windows 2003 SP1).
        
        
        The link for 2., above is
http://support.microsoft.com/kb/898867.
         
        
        Cordially yours,
        Jerry G. Young II
        Application Engineer, Platform Engineering and Architecture
        NTT America, an NTT Communications Company
         
        22451 Shaw Rd.
        Sterling, VA 20166
         
        Office: 571-434-1319
        Fax: 703-333-6749
        Email: g.young@xxxxxxxx
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Sunday, February 11, 2007 6:50 AM
        To: ISA Mailing List
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Intra-Array Communication
        When you use ISA Server integrated NLB, each computer running
ISA Server services requires an additional network adapter, for
intra-array communication. We recommend that these network adapters be
physically connected to each other (for example, through a single
switch), and not to other network segments, to ensure that they receive
only intra-array communication. You should then configure intra-array
communication to use the IP address of the new adapter on each server.
The configuration procedures are described in the topic Configuring and
Securing Intra-Array Communication in this document.
        
        Therefore it needs at least 2 nics
         
        S
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Sunday, February 11, 2007 3:00 AM
        To: ISA Mailing List
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        I did this and I found interesting documentation.
         
        
        http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx

        Please be kind and confirm if my understanding was right:

        -       to have ISA with only one Ethernet card working in an
ARRAY, it is also required to configure Network Load Balancing.

        Or... will TWO Ethernet cards be a MUST?

        Thank you.

        PS: on ISA 2000 it was simple to create the array: just add a
second server, same settings, and it works; but in 2004 it seems they
changed something more.
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
        CEO
        InterNetCon - Satellite Internet Services
        www.internetcon.ro www.powersat.ro
        Phone: +40-264-452383
        Cell: +40-740-074031
        Cell: +40-788-074031
        Fax: +40-264-452207
         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Saturday, February 10, 2007 10:21 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: ISA Intra Array Authentification
        
        Search the help for "intra-array account".
        Make sure that it's set the same for all servers in the array.
         
        
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin
        Sent: Monday, February 05, 2007 11:30 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] ISA Intra Array Authentification
        
        Dear Colleagues,
         
        I come to you with a simple question, and I thought that you can
help me faster than any other documentation.

        We have an ISA Server 2004 connected to our main domain, with
only one interface and used purely for caching. The settings are all OK,
everything works all right. Into this environment we added another server,
with the intention of having 2 servers in an array. We would like to do
failover at the DNS level with the same record and two IPs.

        After this array was created successfully, there is one error on
each ISA machine:
        Description: ISA Server cannot connect to xxx.xxx.xxx.xxx proxy
server because the server requires authentication, either when chaining
or for intra-array communication. However authentication failed because
the specified credentials were incorrect. Check authentication
credentials and try again.

        Here XXX.XXX.XXX.XXX is the address of the OTHER server. In this
spirit I reached the conclusion that there is a problem in INTRA ARRAY
communication.

        The second server has its CARP Load factor set to 1 and the old
server has its CARP Load factor set to 100. In this environment... when an
end user connects to the second server, they get the following error:

        *      Error Code: 502 Proxy Error. Logon failure: unknown user
name or bad password. (1326)
        *      IP Address: server isa old
        *      Date: 2/6/2007 7:18:37 AM
        *      Server: server isa new
        *      Source: proxy

        I can only conclude that Intra-Array authentication is the
problem.

        If you can provide me some fast advice, I would appreciate it very
much.
         
         
         
        
        Yours sincerely,
         
        
        Bogdan Florin
        CEO
        InterNetCon - Satellite Internet Services
        www.internetcon.ro www.powersat.ro
        Phone: +40-264-452383
        Cell: +40-740-074031
        Cell: +40-788-074031
        Fax: +40-264-452207 

        All mail to and from this domain is GFI-scanned. 
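
Added example, not part of any list member's message: a Python triage sketch for the "Technical Information" block quoted in this thread. It assumes, as the first post describes, that `IP Address` is the upstream that rejected the logon and `Server` is the member reporting it; treating an upstream inside the array as the machine-account cases and anything else as web chaining is a heuristic, and the function names are hypothetical.

```python
import ipaddress
import re

# The error block quoted in the thread, with its mail line-wrapping kept.
SAMPLE = """\
*       Error Code: 502 Proxy Error. Logon failure: unknown user name or
bad password. (1326)
*       IP Address: 192.168.254.1
*       Date: 2/13/2007 2:13:44 PM
*       Server: proxy-zorilor2.bizarnet.ro
*       Source: proxy
"""

# Intra-array addresses named in the thread (the second NIC on each server).
ARRAY_IPS = {"192.168.254.1", "192.168.254.2"}
LOGON_FAILURE = 1326  # Win32 ERROR_LOGON_FAILURE, the "(1326)" in the error
BULLET = re.compile(r"^[*?•-]\s+")  # "?" covers mis-encoded bullets


def parse_error_block(text):
    """Return the 'Key: value' fields of the technical block as a dict."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if BULLET.match(line):
            items.append(BULLET.sub("", line))
        elif items:
            items[-1] += " " + line  # continuation of a wrapped bullet
    fields = {}
    for item in items:
        key, _, value = item.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify(fields, array_ips=ARRAY_IPS):
    """Map a 502/1326 error to the credential that was probably rejected."""
    code = fields.get("Error Code", "")
    status = re.match(r"(\d{3})\b", code)
    win32 = re.search(r"\((\d+)\)\s*$", code)
    if not (status and win32 and status.group(1) == "502"
            and int(win32.group(1)) == LOGON_FAILURE):
        return "other"
    try:
        upstream = str(ipaddress.ip_address(fields.get("IP Address", "")))
    except ValueError:
        return "upstream-unknown"  # redacted or missing address
    if upstream in array_ips:
        # Intra-array traffic or server-side CARP: machine account by default.
        return "array-member"
    return "web-chaining"  # uses the account specified in the chaining rule


if __name__ == "__main__":
    parsed = parse_error_block(SAMPLE)
    print(parsed["Server"], "->", parsed["IP Address"], classify(parsed))
```

An `array-member` result points at the intra-array credentials setting and the IP address defined for each member, which the thread says must agree across the array.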
