Hi John,

Someday I'm going to work on getting a better understanding of PMTU determination through a firewall. I wonder if enabling IP Routing and making the client a SecureNAT client fixes this problem, and that is the reason why undoing the Web Proxy client config fixes things?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, September 16, 2003 1:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: NOT Sonicwall Issue

> I've read the article but it doesn't explain why I can get to the https
> sites by taking the firewall out of the picture.

"Information to, from and across the Internet is sent in what are called packets, or envelopes. These come in various sizes depending on the nature of the request and amount of information. For example, a ping is a very small packet size while a web page with lots of graphics and material will use many (possibly hundreds) of large packets to transport all the information to you. Think of it as a difference between a post card and an envelope that contains your tax returns."

"Sometimes, the packet size is restricted by either a firewall, a router on the Internet, or by one of the computers. Generally, the packet (MTU) size is negotiated between the two computers involved and generally less than 1500. If the MTU size is not negotiated properly, routers and firewalls have the ability to fragment the packets into smaller sizes that can then pass correctly."

"However, in the case of some secure websites, the security software installed sees that the packets have been fragmented or otherwise altered, and takes that as an indication that the information in the packet is possibly malicious, and silently drops it.
In the meantime, the requesting computer is sitting there waiting and waiting, until it finally times itself out."

"This can also be caused by either a router, firewall or computer in the path which is blocking ICMP Code3 Type 4 packets, which blocks the sending computer or firewall from discovering the MTU path and/or size available."

I am sorry, but I do not have time to go in-depth for free on a public forum how packets are created and fragmented and recreated and changed and altered to satisfy the various elements including NICs and routers and firewalls and hubs and switches that make up the big communication link we call the Internet. If you need detailed information, I would suggest picking up a good book on TCP/IP that explains about packets and routing and MTU sizes.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
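
The stall described in this thread can be reproduced in a small simulation. This is an added example, not part of the original messages: it models path MTU discovery with the don't-fragment (DF) bit set and shows that when the ICMP "fragmentation needed" reply (Destination Unreachable, type 3 code 4) is filtered, small packets such as a ping still pass while full-size packets time out. The hop names, MTU values and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    mtu: int  # largest IP packet this link will forward

# Constructed sample path: LAN, a PPPoE WAN link, then a tunnel with a smaller MTU.
PATH = [Hop("lan", 1500), Hop("pppoe-wan", 1492), Hop("tunnel", 1400)]

def send_df(path, size, icmp_filtered=False):
    """Send one DF-flagged packet of `size` bytes along `path`.

    Returns ("delivered", None), ("frag_needed", mtu) or ("timeout", None).
    """
    for hop in path:
        if size > hop.mtu:
            if not icmp_filtered:
                return ("frag_needed", hop.mtu)  # ICMP type 3 code 4 reaches sender
            return ("timeout", None)             # error filtered: silent drop
    return ("delivered", None)

def discover_pmtu(path, start=1500, icmp_filtered=False, max_tries=8):
    """Normal PMTU discovery: shrink to the MTU reported in each ICMP error."""
    size = start
    for _ in range(max_tries):
        status, mtu = send_df(path, size, icmp_filtered)
        if status == "delivered":
            return size
        if status == "timeout":
            return None  # sender never learns the MTU, so the connection stalls
        size = mtu
    return None

def probe_pmtu(path, lo=68, hi=1500, icmp_filtered=True):
    """Diagnostic that needs no ICMP: binary-search the largest DF packet that passes."""
    if send_df(path, lo, icmp_filtered)[0] != "delivered":
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if send_df(path, mid, icmp_filtered)[0] == "delivered":
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    print("ICMP allowed :", discover_pmtu(PATH))
    print("ICMP filtered:", discover_pmtu(PATH, icmp_filtered=True))
    print("manual probe :", probe_pmtu(PATH))
```

The value found by the manual probe is the figure to use when lowering the MTU on the client or firewall interface, or when clamping TCP MSS, if the ICMP filtering cannot be removed.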