[isalist] Re: ISA server problem - connection refused.
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Wed, 19 Apr 2006 08:31:43 -0700
http://www.ISAserver.org
-------------------------------------------------------
I hate to see you waste your time with that.
Get a packet capture while you test.
If the upstream server is actually refusing the traffic, this is the only way
you can prove it conclusively.
Connection limits, wpad, monkeys & buckets are completely unrelated.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Stuart Tonge
Sent: Wednesday, April 19, 2006 08:09
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection refused.
Thanks for the info tom.
No im not using autoconf or discovery - but I will try them both.
Topology:
LAN - ISA server - Firewall - Router - ISP
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: 19 April 2006 15:04
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection refused.
Hi Stuart,
Are they configured to use the autoconfiguration script? If not, try that. You
can also use wpad autodiscovery which will have the same result.
Make sure to enable autodiscovery publishing on the ISA firewall.
Is the ISA firewall in parallel with the existing firewall solution? What does
the relevent network topology look like?
Thanks!
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stuart Tonge
Sent: Wednesday, April 19, 2006 8:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection refused.
Hi Tom
Nah its dual NIC - no need for the prozac just yet :-)
I have the clients setup to point to the proxy (which I've left to the
default of ip-address: 8080)
I have enabled 1.1 through proxies.
The problem persists however.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 19 April 2006 14:44
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection refused.
Hi Stuart,
OK, in that case, I won't jump out the window today (I always get
clinically depressed when I see a hork mode [single NIC] ISA firewall
deployment)
Configure the clients as Web proxy clients and enable HTTP 1.1 through
proxy connections in the browsers.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stuart Tonge
Sent: Wednesday, April 19, 2006 8:13 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection refused.
Yes it's paid for.
I didn't deploy it as the front line firewall since this is the
first isa 2004 server I've deployed out of test environments.
I was going to trial it as the primary, but with all the
problems it's caused thus far im not sure I trust it any longer.
When the existing problem is resolved, I will likely trial it.
But first I need to get the web working properly.
I will try sniffing the wire and removing the perimeter
firewall to see if that resolves any problems.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 19 April 2006 14:09
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection refused.
But the ISA firewall is surely more secure than what you're
using?
Why waste the security you paid for (I assume you paid for the
ISA software?)
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stuart Tonge
Sent: Wednesday, April 19, 2006 7:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection
refused.
Hi Amy.
Not connection limits - I've disabled any limits.
DNS works just fine for everything else, and lookups
work in general. Both simple and recursive.
It's not intended to protect - I have existing hardware
firewalls deployed which do the job just fine.
All I want it to do is proxy.
If I have time to reconfigure & learn ISA more fully
after the project then I'll reconfigure it.
Right now I just want it to not cause me problems.
Can you suggest any resolutions to the problem?
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: 19 April 2006 13:21
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA server problem - connection
refused.
Might be connection limits or a problem with your DNS
or workstation setup in general. Just from the brief description you gave of
your ISA configuration it sounds like it might not be set up properly at all.
Firewalls don't interfere, they protect.
Amy
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stuart Tonge
Sent: Wednesday, April 19, 2006 7:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA server problem - connection
refused.
Hi all.
I have an ISA server 2004 box deployed as a web proxy.
I have set an allow any-any rule to stop the firewall
interfering.
I have my users proxying through this box to the web.
It works 95% of the time. The rest of the time, i get a
10061 connection refused error.
If i refresh the page, it generally refreshes the first
time.
This happens on many sites & has been seen nmultiple
times on microsoft.com, bbc.co.uk, isaserver.org.
Sometimes images do not load on a page, but this is
fairly rare, and some of the images may load.
Some will load, some will not.
I have tried to isolate 'problem sites' but this has
not worked - the error seems totally random.
The only common occurance I have noted is that after
one error, some clients - not all - seem to have trouble
connecting to any site for the next 30-60 seconds,
instead receiving the error over and over.
I have only seen this on 2 of 40 clients.
I have tried disabling all web filter add-ins, caching,
ip routing, ip filtering, etc.
Basically i've tried every button i can find in ISA
2004! nothing makes the problem better.
It's also hard to test since it's intermittent.
The ISA server is directly connected to a firewall
which filters traffic, but this device works fine 100% of the time when
web traffic passed via it instead of ISA.
ISA is reporting no errors in the console. There are no
errors in the syslogs.
Does anyone have any ideas short of uninstalling ISA &
getting a refund?
Thanks,
Stuart Tonge
Pink Fish I.T. LTD
Network Architect
stuart.tonge@xxxxxxxxxxxx
http://www.pink-fish.tv
01302 365408
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
