[isalist] Re: SurfControl/Direct Access...

From: "John T \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Date: Tue, 22 Aug 2006 14:47:06 -0700
OK, this is very annoying. I have been following this thread as I have
client with similar problems. I call PSS for the 920716 HF and 3 times she
asked what version of ISA 2004 and 3 times I said standard. I get the hot
fix and it says the product for the hot fix is not installed. I go back and
look at it and it is ISA2004EE-KB920716-x86-ENU.msp. Does this mean there is
a different file for Standard edition and the one she sent me to is for
Enterprise edition, or do I need to use something to install the msp with?

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Stefaan Pouseele
Sent: Tuesday, August 22, 2006 12:49 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

 

Hi Dan, 

 

check out
http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-access-t
hese-servers-or-domains-issue-in-isa-server-2004-sp2/ in case you are
running SP2. 

 

HTH, 

Stefaan

 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: dinsdag 22 augustus 2006 21:39
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

Okay, let's drop SurfControl from the list of possible suspects; it appears
to be a moot point in this issue, and is just clouding the issue.  So, the
next questions is "why is local traffic passing through the ISA server?".

 

To double-check my direct access settings, I went through these two
tutorials, and Tom's book.

http://www.isaserver.org/articles/2004directaccessp1.html

http://www.isaserver.org/articles/2004directaccessp2.html

 

Reviewing those articles reaffirms that direct access requires very little
setting changes, all of which have been present on my system all along.
Going back through the thread that Gregory posted showed one other thing
that I didn't do before (per Jim's recommendation), and that was to change
the DHCP-based wpad settings to DNS-based settings.  I got that up and
running last night, and it appears to be working as expected, but the
problem still exists.  The ISA server is on 10.20.1.1, the webserver is on
10.20.1.4, any traffic coming from that same subnet destined for 10.20.1.4
passes through the ISA server instead of bypassing it.

 

So, I guess my next step will be to go through the wpad and wspad files and
verify they are sending the right settings, check out the FWC setting to see
if there is anything in there that could be causing the problem (although, I
tested it on a computer w/o FWC, only proxy and it still did it), and run
through the rules again.

 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Roy Tsao
Sent: Tuesday, August 22, 2006 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

 

Oh...

 

As said by Dr. Shinder, direct access is purely a client manner not ISA nor
SWF,

you may verift if you do set (deploy) a correct setting for direct accesss
at client side

or not.

 

The simplest way to verify if SWF monitors so called directed access is to
manually

set a WPC client by excluding address for direct access...

 

 

 

 

----- Original Message ----- 

From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

To: isalist@xxxxxxxxxxxxx 

Sent: Tuesday, August 22, 2006 7:11 PM

Subject: [isalist] Re: SurfControl/Direct Access...

 

Exactly, that is the way it is "supposed" to work, but the traffic still
shows up on the ISA server when it isn't supposed to.

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Roy Tsao
Sent: Tuesday, August 22, 2006 5:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

 

> Hi Dan,
> 
> 1) If your client access the unwanted monitor site through ISA
>   (ISA is a router between two subnet), you need to set unmonitored
>   site at SWF
> 2) If your client can access the site by another route without need
>   to go thourgh ISA, then you shall deploy direct access for
>   client depending on client type (WPC or FWC). It has nothing to
>   do with SWF setting.
> ----- Original Message ----- 
> From: "Ball, Dan" < <mailto:DBall@xxxxxxxxxxx> DBall@xxxxxxxxxxx>
> To: < <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, August 22, 2006 10:44 AM
> Subject: [isalist] Re: SurfControl/Direct Access...
> 
> 
>>  <http://www.ISAserver.org> http://www.ISAserver.org
>> -------------------------------------------------------
>>  
>> Yes they are.
>> 
>> -----Original Message-----
>> From:  <mailto:isalist-bounce@xxxxxxxxxxxxx> isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thomas W Shinder
>> Sent: Monday, August 21, 2006 10:31 PM
>> To:  <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: SurfControl/Direct Access...
>> 
>>  <http://www.ISAserver.org> http://www.ISAserver.org
>> -------------------------------------------------------
>>  
>> Are the Web proxy clients configured to use the autoconfiguration
>> script?
>> 
>> Thomas W Shinder, M.D.
>> Site:  <http://www.isaserver.org> www.isaserver.org
>> Blog:  <http://blogs.isaserver.org/shinder/>
http://blogs.isaserver.org/shinder/
>> Book:  <http://tinyurl.com/3xqb7> http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> 
>> 
>> 
>>> -----Original Message-----
>>> From:  <mailto:isalist-bounce@xxxxxxxxxxxxx>
isalist-bounce@xxxxxxxxxxxxx 
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> Sent: Monday, August 21, 2006 9:25 PM
>>> To:  <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: SurfControl/Direct Access...
>>> 
>>>  <http://www.ISAserver.org> http://www.ISAserver.org
>>> -------------------------------------------------------
>>>   
>>> I've been digging through my archives for the last hour, and 
>>> cannot find
>>> what I remember... Maybe it's just my old-age kicking in, and I'm
>>> remembering things that didn't happen...
>>> 
>>> Anyways, I've gone through the Direct Access settings over 
>>> and over, and
>>> cannot find what might be wrong.  Only thing I can think of is the
>>> wpad/wspad settings...
>>> 
>>> 
>>> -----Original Message-----
>>> From:  <mailto:isalist-bounce@xxxxxxxxxxxxx>
isalist-bounce@xxxxxxxxxxxxx 
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Thomas W Shinder
>>> Sent: Monday, August 21, 2006 10:00 PM
>>> To:  <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: SurfControl/Direct Access...
>>> 
>>>  <http://www.ISAserver.org> http://www.ISAserver.org
>>> -------------------------------------------------------
>>>   
>>> Hi Dan,
>>> 
>>> For internal connections, Direct Access is entirely a client function.
>>> ISA is never in the picture.
>>> 
>>> Tom
>>> 
>>> Thomas W Shinder, M.D.
>>> Site:  <http://www.isaserver.org> www.isaserver.org
>>> Blog:  <http://blogs.isaserver.org/shinder/>
http://blogs.isaserver.org/shinder/
>>> Book:  <http://tinyurl.com/3xqb7> http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>>  
>>> 
>>> > -----Original Message-----
>>> > From:  <mailto:isalist-bounce@xxxxxxxxxxxxx>
isalist-bounce@xxxxxxxxxxxxx 
>>> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> > Sent: Monday, August 21, 2006 8:36 PM
>>> > To:  <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx
>>> > Subject: [isalist] Re: SurfControl/Direct Access...
>>> > 
>>> >  <http://www.ISAserver.org> http://www.ISAserver.org
>>> > -------------------------------------------------------
>>> >   
>>> > That is what we were talking about, it IS configured for 
>>> > direct access,
>>> > but no matter what I do the traffic shows up as passing 
>>> > through the ISA
>>> > server.  I seem to recall discussing this with you before, 
>>> and it was
>>> > determined that SurfControl had basically disabled the Direct 
>>> > Access.  
>>> > 
>>> > Geesh, now you got me wondering what was really said.  I'll 
>>> > have to dig
>>> > through my e-mail archives to find out what we talked about 
>>> > last time...
>>> > 
>>> > -----Original Message-----
>>> > From:  <mailto:isalist-bounce@xxxxxxxxxxxxx>
isalist-bounce@xxxxxxxxxxxxx 
>>> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> > On Behalf Of Thomas W Shinder
>>> > Sent: Monday, August 21, 2006 8:12 PM
>>> > To:  <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx
>>> > Subject: [isalist] Re: SurfControl/Direct Access...
>>> > 
>>> >  <http://www.ISAserver.org> http://www.ISAserver.org
>>> > -------------------------------------------------------
>>> >   
>>> > Hi Dan,
>>> > 
>>> > To solve that problem you need to enable Direct Access to 
>>> the internal
>>> > sites.
>>> > 
>>> > Tom
>>> > 
>>> > Thomas W Shinder, M.D.
>>> > Site:  <http://www.isaserver.org> www.isaserver.org
>>> > Blog:  <http://blogs.isaserver.org/shinder/>
http://blogs.isaserver.org/shinder/
>>> > Book:  <http://tinyurl.com/3xqb7> http://tinyurl.com/3xqb7
>>> > MVP -- ISA Firewalls
>>> > 
>>> >  
>>> > 
>>> > > -----Original Message-----
>>> > > From:  <mailto:isalist-bounce@xxxxxxxxxxxxx>
isalist-bounce@xxxxxxxxxxxxx 
>>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> > > Sent: Monday, August 21, 2006 6:56 PM
>>> > > To:  <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx
>>> > > Subject: [isalist] Re: SurfControl/Direct Access...
>>> > > 
>>> > >  <http://www.ISAserver.org> http://www.ISAserver.org
>>> > > -------------------------------------------------------
>>> > >   
>>> > > Yes, that was the problem we were running into.  Surfcontrol was
>>> > > "automatically" monitoring every user that browsed our published
>>> > > webserver from the Internet, making the saved history 
>>> > > database useless.
>>> > > I'd go in and deselect all the external hostnames, tell 
>>> > > SurfControl not
>>> > > to monitor them, and the next day I'd have a couple hundred 
>>> > more to do
>>> > > it all over again.  It proved to be quite tedious since 
>>> I'd have to
>>> > > browse through that narrow list box to select all the 
>>> > hostnames, stop
>>> > > the database, save the changes, and start it again.
>>> > > 
>>> > > I finally fixed that by stopping it from monitoring port 
>>> 80, now it
>>> > > monitors only port 8080, the proxy port.  That seems to be 
>>> > > working now,
>>> > > the only ones "automatically" monitored are the users using 
>>> > the proxy,
>>> > > which is who we want to monitor anyways.
>>> > > 
>>> > > But, that doesn't solve the problem I have now, the 
>>> requests really
>>> > > "shouldn't" be passing through the ISA server in the first 
>>> > > place if they
>>> > > are going to the webserver on the same internal subnet.
>>> > >   
>>> > > 
>>> > > -----Original Message-----
>>> > > From:  <mailto:isalist-bounce@xxxxxxxxxxxxx>
isalist-bounce@xxxxxxxxxxxxx 
>>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> > > On Behalf Of Crockett, Gregory
>>> > > Sent: Monday, August 21, 2006 6:49 PM
>>> > > To:  <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx
>>> > > Subject: [isalist] Re: SurfControl/Direct Access...
>>> > > 
>>> > >  <http://www.ISAserver.org> http://www.ISAserver.org
>>> > > -------------------------------------------------------
>>> > >   
>>> > > Add the sites to "unmonitored sites" found under the monitor
>>> > > application/monitored data tab.  There, you should list all 
>>> > > sites and ip
>>> > > addresses of all host that you do not want monitored.  This 
>>> > > includes web
>>> > > enabled devices (switches, etc.) that are accessed 
>>> through isa from
>>> > > Internal to internal networks.  If not, they (users either 
>>> > > authenticated
>>> > > or unauthenticated) will eat at your license count.
>>> > > 
>>> > > greg
>>> > > 
>>> > > Sent from mobile Outlook.
>>> > > 
>>> > > -----Original Message-----
>>> > > From: "Ball, Dan" < <mailto:DBall@xxxxxxxxxxx> DBall@xxxxxxxxxxx>
>>> > > To: " <mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx" <
<mailto:isalist@xxxxxxxxxxxxx> isalist@xxxxxxxxxxxxx>
>>> > > Sent: 8/21/06 2:19 PM
>>> > > Subject: [isalist] SurfControl/Direct Access...
>>> > > 
>>> > > Tom, what is the current status of Direct Access when used in
>>> > > conjunction with SurfControl?  I remember you saying 
>>> > > something about it
>>> > > before, but I can't find my e-mails on it.  I was working with
>>> > > SurfControl quite a bit last week, trying to work out some of 
>>> > > the bugs,
>>> > > and thought it would be really nice if I can get the local 
>>> > web traffic
>>> > > to stop going through the ISA server also.  
>>> > > 
>>> > >  
>>> > > 
>>> > > I finally figured out a way to get it to stop monitoring 
>>> > > users from the
>>> > > Internet, so that helps.  SurfControl support seemed 
>>> > surprised that it
>>> > > was doing that...
>>> > > 
>>> > >  
>>> > > 
>>> > > ------------------------------------------------------
>>> > > List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>>> > > ISA Server Newsletter: 
>>> >  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>>> > > ISA Server Articles and Tutorials:
>>> > >  <http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>>> > > ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>>> > > ------------------------------------------------------
>>> > > Visit TechGenix.com for more information about our other sites:
>>> > >  <http://www.techgenix.com> http://www.techgenix.com 
>>> > > ------------------------------------------------------
>>> > > To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>>> > > Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx>
listadmin@xxxxxxxxxxxxx 
>>> > > 
>>> > > ------------------------------------------------------
>>> > > List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>>> > > ISA Server Newsletter: 
>>> >  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>>> > > ISA Server Articles and Tutorials: 
>>> > >  <http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>>> > > ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>>> > > ------------------------------------------------------
>>> > > Visit TechGenix.com for more information about our other sites:
>>> > >  <http://www.techgenix.com> http://www.techgenix.com 
>>> > > ------------------------------------------------------
>>> > > To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>>> > > Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx>
listadmin@xxxxxxxxxxxxx 
>>> > > 
>>> > > 
>>> > > 
>>> > ------------------------------------------------------
>>> > List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>>> > ISA Server Newsletter: 
>>>  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>>> > ISA Server Articles and Tutorials:
>>> >  <http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>>> > ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>>> > ------------------------------------------------------
>>> > Visit TechGenix.com for more information about our other sites:
>>> >  <http://www.techgenix.com> http://www.techgenix.com 
>>> > ------------------------------------------------------
>>> > To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>>> > Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx>
listadmin@xxxxxxxxxxxxx 
>>> > 
>>> > ------------------------------------------------------
>>> > List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>>> > ISA Server Newsletter: 
>>>  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>>> > ISA Server Articles and Tutorials: 
>>> >  <http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>>> > ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>>> > ------------------------------------------------------
>>> > Visit TechGenix.com for more information about our other sites:
>>> >  <http://www.techgenix.com> http://www.techgenix.com 
>>> > ------------------------------------------------------
>>> > To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>>> > Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx>
listadmin@xxxxxxxxxxxxx 
>>> > 
>>> > 
>>> > 
>>> ------------------------------------------------------
>>> List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>>> ISA Server Newsletter:  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>>> ISA Server Articles and Tutorials:
>>>  <http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>>> ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>>> ------------------------------------------------------
>>> Visit TechGenix.com for more information about our other sites:
>>>  <http://www.techgenix.com> http://www.techgenix.com 
>>> ------------------------------------------------------
>>> To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>>> Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx>
listadmin@xxxxxxxxxxxxx 
>>> 
>>> ------------------------------------------------------
>>> List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>>> ISA Server Newsletter:  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>>> ISA Server Articles and Tutorials: 
>>>  <http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>>> ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>>> ------------------------------------------------------
>>> Visit TechGenix.com for more information about our other sites:
>>>  <http://www.techgenix.com> http://www.techgenix.com 
>>> ------------------------------------------------------
>>> To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>>> Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx>
listadmin@xxxxxxxxxxxxx 
>>> 
>>> 
>>> 
>> ------------------------------------------------------
>> List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>> ISA Server Newsletter:  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>> ISA Server Articles and Tutorials:
>>  <http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>> ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>>  <http://www.techgenix.com> http://www.techgenix.com 
>> ------------------------------------------------------
>> To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>> Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx> listadmin@xxxxxxxxxxxxx

>> 
>> ------------------------------------------------------
>> List Archives:  <//www.freelists.org/archives/isalist/>
//www.freelists.org/archives/isalist/  
>> ISA Server Newsletter:  <http://www.isaserver.org/pages/newsletter.asp>
http://www.isaserver.org/pages/newsletter.asp 
>> ISA Server Articles and Tutorials:
<http://www.isaserver.org/articles_tutorials/>
http://www.isaserver.org/articles_tutorials/ 
>> ISA Server Blogs:  <http://blogs.isaserver.org/>
http://blogs.isaserver.org/ 
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>>  <http://www.techgenix.com> http://www.techgenix.com 
>> ------------------------------------------------------
>> To unsubscribe visit  <http://www.isaserver.org/pages/isalist.asp>
http://www.isaserver.org/pages/isalist.asp 
>> Report abuse to  <mailto:listadmin@xxxxxxxxxxxxx> listadmin@xxxxxxxxxxxxx

>> 
>>
Follow-Ups:
- [isalist] Re: SurfControl/Direct Access...
  - From: Stefaan Pouseele
References:
- [isalist] Re: SurfControl/Direct Access...
  - From: Stefaan Pouseele
[isalist] Re: SurfControl/Direct Access...

Other related posts:
