[isalist] Re: SurfControl/Direct Access...

That does appear to be the situation I am experiencing, so I requested
the hotfix, installed it, modified the direct access list like
recommended, but see no difference yet.  I'll reboot the server tonight,
and test it again.  

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Wednesday, August 23, 2006 7:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

 

Cool!  Thanks!  I'll read this in a bit more detail later, the symptoms
sound very familiar...  Might just be the culprit!

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Tuesday, August 22, 2006 3:49 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

 

Hi Dan, 

 

check out
http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-acce
ss-these-servers-or-domains-issue-in-isa-server-2004-sp2/ in case you
are running SP2. 

 

HTH, 

Stefaan

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: dinsdag 22 augustus 2006 21:39
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

Okay, let's drop SurfControl from the list of possible suspects; it
appears to be a moot point in this issue, and is just clouding the
issue...  So, the next questions is "why is local traffic passing
through the ISA server?"...

 

To double-check my direct access settings, I went through these two
tutorials, and Tom's book...

http://www.isaserver.org/articles/2004directaccessp1.html

http://www.isaserver.org/articles/2004directaccessp2.html

 

Reviewing those articles reaffirms that direct access requires very
little setting changes, all of which have been present on my system all
along.  Going back through the thread that Gregory posted showed one
other thing that I didn't do before (per Jim's recommendation), and that
was to change the DHCP-based wpad settings to DNS-based settings.  I got
that up and running last night, and it appears to be working as
expected, but the problem still exists.  The ISA server is on 10.20.1.1,
the webserver is on 10.20.1.4, any traffic coming from that same subnet
destined for 10.20.1.4 passes through the ISA server instead of
bypassing it.

 

So, I guess my next step will be to go through the wpad and wspad files
and verify they are sending the right settings, check out the FWC
setting to see if there is anything in there that could be causing the
problem (although, I tested it on a computer w/o FWC, only proxy and it
still did it), and run through the rules again.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Roy Tsao
Sent: Tuesday, August 22, 2006 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...

 

Oh...

 

As said by Dr. Shinder, direct access is purely a client manner not ISA
nor SWF,

you may verift if you do set (deploy) a correct setting for direct
accesss at client side

or not.

 

The simplest way to verify if SWF monitors so called directed access is
to manually

set a WPC client by excluding address for direct access...

 

 

 

 

        ----- Original Message ----- 

        From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

        To: isalist@xxxxxxxxxxxxx 

        Sent: Tuesday, August 22, 2006 7:11 PM

        Subject: [isalist] Re: SurfControl/Direct Access...

         

        Exactly, that is the way it is "supposed" to work, but the
traffic still shows up on the ISA server when it isn't supposed to.

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
        Sent: Tuesday, August 22, 2006 5:17 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: SurfControl/Direct Access...

         

        > Hi Dan,
        > 
        > 1) If your client access the unwanted monitor site through ISA
        >   (ISA is a router between two subnet), you need to set
unmonitored
        >   site at SWF
        > 2) If your client can access the site by another route without
need
        >   to go thourgh ISA, then you shall deploy direct access for
        >   client depending on client type (WPC or FWC). It has nothing
to
        >   do with SWF setting.
        > ----- Original Message ----- 
        > From: "Ball, Dan" <DBall@xxxxxxxxxxx
<mailto:DBall@xxxxxxxxxxx> >
        > To: <isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >
        > Sent: Tuesday, August 22, 2006 10:44 AM
        > Subject: [isalist] Re: SurfControl/Direct Access...
        > 
        > 
        >> http://www.ISAserver.org <http://www.ISAserver.org> 
        >> -------------------------------------------------------
        >>  
        >> Yes they are.
        >> 
        >> -----Original Message-----
        >> From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>
[mailto:isalist-bounce@xxxxxxxxxxxxx]
        >> On Behalf Of Thomas W Shinder
        >> Sent: Monday, August 21, 2006 10:31 PM
        >> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> 
        >> Subject: [isalist] Re: SurfControl/Direct Access...
        >> 
        >> http://www.ISAserver.org <http://www.ISAserver.org> 
        >> -------------------------------------------------------
        >>  
        >> Are the Web proxy clients configured to use the
autoconfiguration
        >> script?
        >> 
        >> Thomas W Shinder, M.D.
        >> Site: www.isaserver.org <http://www.isaserver.org> 
        >> Blog: http://blogs.isaserver.org/shinder/
<http://blogs.isaserver.org/shinder/> 
        >> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        >> MVP -- ISA Firewalls
        >> 
        >> 
        >> 
        >>> -----Original Message-----
        >>> From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>  
        >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        >>> Sent: Monday, August 21, 2006 9:25 PM
        >>> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> 
        >>> Subject: [isalist] Re: SurfControl/Direct Access...
        >>> 
        >>> http://www.ISAserver.org <http://www.ISAserver.org> 
        >>> -------------------------------------------------------
        >>>   
        >>> I've been digging through my archives for the last hour, and

        >>> cannot find
        >>> what I remember... Maybe it's just my old-age kicking in,
and I'm
        >>> remembering things that didn't happen...
        >>> 
        >>> Anyways, I've gone through the Direct Access settings over 
        >>> and over, and
        >>> cannot find what might be wrong.  Only thing I can think of
is the
        >>> wpad/wspad settings...
        >>> 
        >>> 
        >>> -----Original Message-----
        >>> From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>  
        >>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
        >>> On Behalf Of Thomas W Shinder
        >>> Sent: Monday, August 21, 2006 10:00 PM
        >>> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> 
        >>> Subject: [isalist] Re: SurfControl/Direct Access...
        >>> 
        >>> http://www.ISAserver.org <http://www.ISAserver.org> 
        >>> -------------------------------------------------------
        >>>   
        >>> Hi Dan,
        >>> 
        >>> For internal connections, Direct Access is entirely a client
function.
        >>> ISA is never in the picture.
        >>> 
        >>> Tom
        >>> 
        >>> Thomas W Shinder, M.D.
        >>> Site: www.isaserver.org <http://www.isaserver.org> 
        >>> Blog: http://blogs.isaserver.org/shinder/
<http://blogs.isaserver.org/shinder/> 
        >>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        >>> MVP -- ISA Firewalls
        >>> 
        >>>  
        >>> 
        >>> > -----Original Message-----
        >>> > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>  
        >>> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball,
Dan
        >>> > Sent: Monday, August 21, 2006 8:36 PM
        >>> > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> 
        >>> > Subject: [isalist] Re: SurfControl/Direct Access...
        >>> > 
        >>> > http://www.ISAserver.org <http://www.ISAserver.org> 
        >>> > -------------------------------------------------------
        >>> >   
        >>> > That is what we were talking about, it IS configured for 
        >>> > direct access,
        >>> > but no matter what I do the traffic shows up as passing 
        >>> > through the ISA
        >>> > server.  I seem to recall discussing this with you before,

        >>> and it was
        >>> > determined that SurfControl had basically disabled the
Direct 
        >>> > Access.  
        >>> > 
        >>> > Geesh, now you got me wondering what was really said.
I'll 
        >>> > have to dig
        >>> > through my e-mail archives to find out what we talked
about 
        >>> > last time...
        >>> > 
        >>> > -----Original Message-----
        >>> > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>  
        >>> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
        >>> > On Behalf Of Thomas W Shinder
        >>> > Sent: Monday, August 21, 2006 8:12 PM
        >>> > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> 
        >>> > Subject: [isalist] Re: SurfControl/Direct Access...
        >>> > 
        >>> > http://www.ISAserver.org <http://www.ISAserver.org> 
        >>> > -------------------------------------------------------
        >>> >   
        >>> > Hi Dan,
        >>> > 
        >>> > To solve that problem you need to enable Direct Access to 
        >>> the internal
        >>> > sites.
        >>> > 
        >>> > Tom
        >>> > 
        >>> > Thomas W Shinder, M.D.
        >>> > Site: www.isaserver.org <http://www.isaserver.org> 
        >>> > Blog: http://blogs.isaserver.org/shinder/
<http://blogs.isaserver.org/shinder/> 
        >>> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        >>> > MVP -- ISA Firewalls
        >>> > 
        >>> >  
        >>> > 
        >>> > > -----Original Message-----
        >>> > > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>  
        >>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball,
Dan
        >>> > > Sent: Monday, August 21, 2006 6:56 PM
        >>> > > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>

        >>> > > Subject: [isalist] Re: SurfControl/Direct Access...
        >>> > > 
        >>> > > http://www.ISAserver.org <http://www.ISAserver.org> 
        >>> > > -------------------------------------------------------
        >>> > >   
        >>> > > Yes, that was the problem we were running into.
Surfcontrol was
        >>> > > "automatically" monitoring every user that browsed our
published
        >>> > > webserver from the Internet, making the saved history 
        >>> > > database useless.
        >>> > > I'd go in and deselect all the external hostnames, tell 
        >>> > > SurfControl not
        >>> > > to monitor them, and the next day I'd have a couple
hundred 
        >>> > more to do
        >>> > > it all over again.  It proved to be quite tedious since 
        >>> I'd have to
        >>> > > browse through that narrow list box to select all the 
        >>> > hostnames, stop
        >>> > > the database, save the changes, and start it again.
        >>> > > 
        >>> > > I finally fixed that by stopping it from monitoring port

        >>> 80, now it
        >>> > > monitors only port 8080, the proxy port.  That seems to
be 
        >>> > > working now,
        >>> > > the only ones "automatically" monitored are the users
using 
        >>> > the proxy,
        >>> > > which is who we want to monitor anyways.
        >>> > > 
        >>> > > But, that doesn't solve the problem I have now, the 
        >>> requests really
        >>> > > "shouldn't" be passing through the ISA server in the
first 
        >>> > > place if they
        >>> > > are going to the webserver on the same internal subnet.
        >>> > >   
        >>> > > 
        >>> > > -----Original Message-----
        >>> > > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>  
        >>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
        >>> > > On Behalf Of Crockett, Gregory
        >>> > > Sent: Monday, August 21, 2006 6:49 PM
        >>> > > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>

        >>> > > Subject: [isalist] Re: SurfControl/Direct Access...
        >>> > > 
        >>> > > http://www.ISAserver.org <http://www.ISAserver.org> 
        >>> > > -------------------------------------------------------
        >>> > >   
        >>> > > Add the sites to "unmonitored sites" found under the
monitor
        >>> > > application/monitored data tab.  There, you should list
all 
        >>> > > sites and ip
        >>> > > addresses of all host that you do not want monitored.
This 
        >>> > > includes web
        >>> > > enabled devices (switches, etc.) that are accessed 
        >>> through isa from
        >>> > > Internal to internal networks.  If not, they (users
either 
        >>> > > authenticated
        >>> > > or unauthenticated) will eat at your license count.
        >>> > > 
        >>> > > greg
        >>> > > 
        >>> > > Sent from mobile Outlook.
        >>> > > 
        >>> > > -----Original Message-----
        >>> > > From: "Ball, Dan" <DBall@xxxxxxxxxxx
<mailto:DBall@xxxxxxxxxxx> >
        >>> > > To: "isalist@xxxxxxxxxxxxx
<mailto:isalist@xxxxxxxxxxxxx> " <isalist@xxxxxxxxxxxxx
<mailto:isalist@xxxxxxxxxxxxx> >
        >>> > > Sent: 8/21/06 2:19 PM
        >>> > > Subject: [isalist] SurfControl/Direct Access...
        >>> > > 
        >>> > > Tom, what is the current status of Direct Access when
used in
        >>> > > conjunction with SurfControl?  I remember you saying 
        >>> > > something about it
        >>> > > before, but I can't find my e-mails on it.  I was
working with
        >>> > > SurfControl quite a bit last week, trying to work out
some of 
        >>> > > the bugs,
        >>> > > and thought it would be really nice if I can get the
local 
        >>> > web traffic
        >>> > > to stop going through the ISA server also.  
        >>> > > 
        >>> > >  
        >>> > > 
        >>> > > I finally figured out a way to get it to stop monitoring

        >>> > > users from the
        >>> > > Internet, so that helps.  SurfControl support seemed 
        >>> > surprised that it
        >>> > > was doing that...
        >>> > > 
        >>> > >  
        >>> > > 
        >>> > > ------------------------------------------------------
        >>> > > List Archives:
http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >>> > > ISA Server Newsletter: 
        >>> > http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >>> > > ISA Server Articles and Tutorials:
        >>> > > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >>> > > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >>> > > ------------------------------------------------------
        >>> > > Visit TechGenix.com for more information about our other
sites:
        >>> > > http://www.techgenix.com <http://www.techgenix.com>  
        >>> > > ------------------------------------------------------
        >>> > > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >>> > > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >>> > > 
        >>> > > ------------------------------------------------------
        >>> > > List Archives:
http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >>> > > ISA Server Newsletter: 
        >>> > http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >>> > > ISA Server Articles and Tutorials: 
        >>> > > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >>> > > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >>> > > ------------------------------------------------------
        >>> > > Visit TechGenix.com for more information about our other
sites:
        >>> > > http://www.techgenix.com <http://www.techgenix.com>  
        >>> > > ------------------------------------------------------
        >>> > > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >>> > > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >>> > > 
        >>> > > 
        >>> > > 
        >>> > ------------------------------------------------------
        >>> > List Archives: http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >>> > ISA Server Newsletter: 
        >>> http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >>> > ISA Server Articles and Tutorials:
        >>> > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >>> > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >>> > ------------------------------------------------------
        >>> > Visit TechGenix.com for more information about our other
sites:
        >>> > http://www.techgenix.com <http://www.techgenix.com>  
        >>> > ------------------------------------------------------
        >>> > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >>> > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >>> > 
        >>> > ------------------------------------------------------
        >>> > List Archives: http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >>> > ISA Server Newsletter: 
        >>> http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >>> > ISA Server Articles and Tutorials: 
        >>> > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >>> > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >>> > ------------------------------------------------------
        >>> > Visit TechGenix.com for more information about our other
sites:
        >>> > http://www.techgenix.com <http://www.techgenix.com>  
        >>> > ------------------------------------------------------
        >>> > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >>> > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >>> > 
        >>> > 
        >>> > 
        >>> ------------------------------------------------------
        >>> List Archives: http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >>> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >>> ISA Server Articles and Tutorials:
        >>> http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >>> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >>> ------------------------------------------------------
        >>> Visit TechGenix.com for more information about our other
sites:
        >>> http://www.techgenix.com <http://www.techgenix.com>  
        >>> ------------------------------------------------------
        >>> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >>> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >>> 
        >>> ------------------------------------------------------
        >>> List Archives: http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >>> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >>> ISA Server Articles and Tutorials: 
        >>> http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >>> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >>> ------------------------------------------------------
        >>> Visit TechGenix.com for more information about our other
sites:
        >>> http://www.techgenix.com <http://www.techgenix.com>  
        >>> ------------------------------------------------------
        >>> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >>> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >>> 
        >>> 
        >>> 
        >> ------------------------------------------------------
        >> List Archives: http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >> ISA Server Articles and Tutorials:
        >> http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >> ------------------------------------------------------
        >> Visit TechGenix.com for more information about our other
sites:
        >> http://www.techgenix.com <http://www.techgenix.com>  
        >> ------------------------------------------------------
        >> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >> 
        >> ------------------------------------------------------
        >> List Archives: http://www.freelists.org/archives/isalist/
<http://www.freelists.org/archives/isalist/>   
        >> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>  
        >> ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>  
        >> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>  
        >> ------------------------------------------------------
        >> Visit TechGenix.com for more information about our other
sites:
        >> http://www.techgenix.com <http://www.techgenix.com>  
        >> ------------------------------------------------------
        >> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>  
        >> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>  
        >> 
        >>

Other related posts: