RE: OT: NOT Sonicwall Issue

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 16 Sep 2003 16:39:33 -0500

Hi John,

Someday I'm going to work on getting a better understanding of PMTU
determination through a firewall. I wonder if enabling IP Routing and
making the client a SecureNAT client fixes this problem, and that is the
reason why undoing the Web Proxy client config fixes things?

Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, September 16, 2003 1:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: NOT Sonicwall Issue


http://www.ISAserver.org


> I've read the article but it doesn't explain why I can get to the https sites by taking the firewall out of the picture.

"Information to, from and across the Internet are sent in what are called packets, or envelopes. These come in various sizes depending on the nature of the request and amount of information. For example, a ping is a very small packet size while a web page with lots of graphics and material will use many (possibly hundreds) of large packets to transport all the information to you. Think of it as a difference between a post card and an envelope that contains your tax returns."

"Sometimes, the packet size is restricted by either a firewall, a router on the Internet, or by one of the computers. Generally, the packet (MTU) size is negotiated between the two computers involved and generally less than 1500. If the MTU size is not negotiated properly, routers and firewalls have the ability to fragment the packets into smaller sizes that can then pass correctly."

"However, in the case of some secure websites, the security software installed sees that the packets have been fragmented or otherwise altered, and takes that as an indication that the information in the packet is possibly malicious, and silently drops it. In the meantime, the requesting computer is sitting there waiting and waiting, until it finally times itself out."

"This can also be caused by either a router, firewall or computer in the path which is blocking ICMP Code3 Type 4 packets, which blocks the sending computer or firewall from discovering the MTU path and/or size available."

I am sorry, but I do not have time to go in-depth for free on a public forum how packets are created and fragmented and recreated and changed and altered to satisfy the various elements including NICs and routers and firewalls and hubs and switches that make up the big communication link we call the Internet.

If you need detailed information, I would suggest picking up a good book on TCP/IP that explains about packets and routing and MTU sizes.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
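The quoted explanation above describes two things at once: Path MTU Discovery (a sender marks packets Don't Fragment and shrinks them when a hop replies with ICMP Fragmentation Needed, which is ICMP Type 3 Code 4) and the black hole that appears when a firewall in the path filters that reply, so that small packets such as pings get through while full-size HTTPS segments hang until the client times out. The following simulation is an added example written for this archive page, not code from either poster or from ISA Server; the hop names, MTU values and the `drops_icmp_frag_needed` flag are constructed to model a PPPoE-style 1492-byte link behind an ICMP-filtering firewall, and `largest_segment_with_clamp` models the usual mitigation of rewriting the TCP MSS option at the firewall so oversized segments are never generated in the first place.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER = 20   # bytes, IPv4 header without options
TCP_HEADER = 20  # bytes, TCP header without options


@dataclass
class Hop:
    """One device on the path. drops_icmp_frag_needed models a firewall
    that filters ICMP Type 3 Code 4 (Fragmentation Needed) replies."""
    name: str
    mtu: int
    drops_icmp_frag_needed: bool = False


@dataclass
class PmtudResult:
    delivered: bool
    final_size: int                   # packet size in use when the attempt ended
    attempts: List[Tuple[int, str]]   # (packet size tried, outcome) per probe


def forward_df_packet(path: List[Hop], size: int) -> Tuple[str, Optional[int]]:
    """Forward one packet with the Don't Fragment bit set, hop by hop.

    Returns ("delivered", None) if every hop can carry it,
            ("icmp", next_hop_mtu) if a hop discards it and its ICMP
                Fragmentation Needed reply reaches the sender, or
            ("blackhole", None) if that reply is filtered on the way back.
    """
    for i, hop in enumerate(path):
        if size > hop.mtu:
            # DF is set, so the hop may not fragment: it discards the packet and
            # answers with ICMP Type 3 Code 4 carrying its MTU. The reply has to
            # cross every earlier hop on its way back to the sender.
            if any(h.drops_icmp_frag_needed for h in path[:i]):
                return "blackhole", None
            return "icmp", hop.mtu
    return "delivered", None


def discover_path_mtu(path: List[Hop], initial_size: int = 1500,
                      max_probes: int = 8) -> PmtudResult:
    """Classic PMTUD: start at the local MTU and shrink on each ICMP reply.
    A filtered reply leaves the sender retransmitting the same oversized
    packet until it gives up, which is the hang the thread describes."""
    size = initial_size
    attempts: List[Tuple[int, str]] = []
    for _ in range(max_probes):
        outcome, next_mtu = forward_df_packet(path, size)
        attempts.append((size, outcome))
        if outcome == "delivered":
            return PmtudResult(True, size, attempts)
        if outcome == "blackhole":
            return PmtudResult(False, size, attempts)
        size = next_mtu
    return PmtudResult(False, size, attempts)


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits in one packet of the given MTU (IPv4, no options)."""
    return mtu - IP_HEADER - TCP_HEADER


def largest_segment_with_clamp(local_mtu: int, mss_clamp: int) -> int:
    """Largest full-size packet a sender emits when the firewall rewrites the
    TCP MSS option to mss_clamp during the handshake (MSS clamping, the usual
    workaround when ICMP filtering has broken PMTUD)."""
    return min(local_mtu, mss_clamp + IP_HEADER + TCP_HEADER)


# Constructed sample path: a PPPoE uplink with a 1492-byte MTU sits behind a
# firewall that filters all ICMP, including Fragmentation Needed.
SAMPLE_PATH = [
    Hop("client-lan", 1500),
    Hop("edge-firewall", 1500, drops_icmp_frag_needed=True),
    Hop("pppoe-uplink", 1492),
    Hop("isp-core", 1500),
    Hop("https-server", 1500),
]

# Same path with the firewall allowing Fragmentation Needed through.
FIXED_PATH = [Hop(h.name, h.mtu, False) for h in SAMPLE_PATH]


if __name__ == "__main__":
    print("ping-sized packet:        ", discover_path_mtu(SAMPLE_PATH, 84))
    print("full-size, ICMP filtered: ", discover_path_mtu(SAMPLE_PATH))
    print("full-size, ICMP allowed:  ", discover_path_mtu(FIXED_PATH))
    clamped = largest_segment_with_clamp(1500, mss_clamp=1400)
    print("MSS clamped to 1400:      ", discover_path_mtu(SAMPLE_PATH, clamped))
```

Running it shows the symptom from the thread directly: the 84-byte probe is delivered on the filtered path, the 1500-byte probe ends in `blackhole` on the first attempt, the same probe on the unfiltered path shrinks to 1492 after one ICMP reply and is delivered, and with the MSS clamped to 1400 the filtered path delivers a 1440-byte packet without ever needing the ICMP reply. On a real firewall the equivalent checks are whether ICMP Type 3 Code 4 is permitted inbound and whether MSS clamping is enabled on the interface facing the smaller-MTU link.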


