RE: Unable to Access some web site over ISA proxy

  • From: "MJ" <mjtech@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 2 Feb 2006 23:32:42 -0500

Jim,

The ISA is 2004 Ent.

Here is a part of the doc:

Scenario 4: Proxy Server, Gateway, and Firewall
In this scenario, direct communication to the Internet from client
workstations is not allowed. In order to access the Internet, all
communications are routed through a proxy server. A proxy server is a
specialized server inside the corporate network that receives connections
from internal clients and has special permission to communicate with the
Internet through the firewall. This allows a centralized tracking, access,
and caching mechanism to be configured for the entire corporate network.
Typically, proxy servers are configured in the web browser. No gateway
configuration is then necessary.

However, as noted in scenario 2, non-transparent proxy services will not
work with ONLINE BANKER services clients since you cannot specify the server
address and port numbers to match the proxy server. Fortunately, ONLINE
BANKER services provides another method of communications that is
proxy-server compatible: IIOP HTTP Tunneling (HIOP). This does two things:
first, it determines the HTTP proxy settings from the current browser. Then,
it wraps all of the IIOP traffic into an HTTP "wrapper" and attempts
communication with the ONLINE BANKER services server using the HTTP protocol
over port 8088.

Note that the HIOP protocol still encrypts the data sent through the
connection before it is "wrapped" in the HTTP headers, so the protocol is
just as secure as the IIOP connection, even though it is transmitted using
standard HTTP format (instead of HTTPS).

The benefit is that the client can then be used with machines that do not
have a direct Internet connection, but can access web sites (HTTP traffic)
via a configured proxy server in the web browser.
However, there are drawbacks to this.
* First, HTTP traffic is usually stateless: the connection is made and then
broken again for each request. This requires extra time to initiate this
connection on every request to the server. Since IIOP is connection-based,
there is no overhead.
* Second, encoding the IIOP packets and wrapping them in HTTP-like wrappers
takes processor and bandwidth overhead. So, application response times are
impacted.
* Finally, some older proxy servers may have difficulty with some of the
HTTP POST sizes that ONLINE BANKER services transmits, while others may have
difficulty with the HTTP 1.1 "Keep-Alive" and caching settings used by the
HIOP communications protocol.
Note that fallback to HIOP tunneling is automatic: the client will first
attempt to create a TCP/IP connection on port 15000 to the
onlinebanker.usbank.com site. If that connection fails, the client will
automatically fall back to HTTP tunneling. The client reads the browser's
proxy settings, and then attempts communication with the proxy server at the
IP address and port number specified in the browser's settings. The proxy
server must then forward the HIOP requests to port 8088 on the
onlinebanker.usbank.com site. The ONLINE BANKER services server then
processes these requests normally and responds via the same port 8088
connection. At no time is a gateway or port 15000 access required in this
method.




 -----Original Message-----
From:   Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent:   Thursday, February 02, 2006 6:55 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: Unable to Access some web site over ISA proxy

http://www.ISAserver.org

Why don't you just summarize the document's claims?
ISA 2000 or 2004?
Std or Ent edition?

"Error Code 10061: Connection refused" is exactly that; the *actual* server
you spoke to isn't accepting connections on that IP/transport/Port.
99 times out of 10, this is a DNS resolution issue - IOW, you're not talking
to the server you think you are.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Thursday, February 02, 2006 15:00
To: [ISAserver.org Discussion List]
Subject: [isalist] Unable to Access some web site over ISA proxy

Hi all

There is a bank web site that the accounting department accesses, and today
after I enabled the proxy GPO for that dept they started having a
problem accessing a bank web site.
Well they can see the web site and after they logon it's taking them to a
page from ISA Proxy that says:
===========================================================================
Error Code 10061: Connection refused
Background: The server you are attempting to access has refused the
connection with the gateway. This usually results from trying to connect to
a service that is inactive on the server.
Date: 2/2/2006 4:09:36 PM
Server: ISAServer.DomainName.com
Source: Remote server
===========================================================================

When I look at the logging I see that there is a denied result, but the rule
that denied it is "-" which I am not sure what it means, this is only a dash
or underscore either one.

I contacted the bank and they told me that it's a known issue and
emailed me a document that's talking about so many things that in most part
I don't know.
If somebody would like to help me, I will email you the document and you may
see more than what I am seeing.

Please help me out; I am so tired of this problem.

Thanks in advance
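
The fallback order described in the quoted document (direct TCP on port 15000, then HTTP through the browser's proxy to port 8088) can be probed step by step to see which leg fails. The following is an added example, not part of the thread or of the bank's document; the function names are hypothetical, and the plain GET stands in for the real HIOP requests, which the page does not show.

```python
import socket
import sys

TARGET = "onlinebanker.usbank.com"  # host named in the bank's document
IIOP_PORT, HIOP_PORT = 15000, 8088  # direct port and HTTP-tunnel port from the document

def classify_connect(host, port, timeout=5.0):
    """Return 'open', 'refused', 'timeout', 'dns_failure' or 'error:<errno>'."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    family, socktype, proto, _, sockaddr = addrs[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:  # Winsock reports this as error 10061
            return "refused"
        except OSError as exc:
            return f"error:{exc.errno}"
    return "open"

def proxy_status(proxy_host, proxy_port, host=TARGET, port=HIOP_PORT, timeout=10.0):
    """Send one absolute-URI GET through the proxy; return the HTTP status or None."""
    req = (f"GET http://{host}:{port}/ HTTP/1.1\r\n"
           f"Host: {host}:{port}\r\nConnection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(req)
            parts = s.makefile("rb").readline().decode("latin-1").split()
    except OSError:
        return None
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None

def diagnose(direct, proxy_code):
    """Map the two probe results onto the fallback order the document describes."""
    if direct == "open":
        return "direct IIOP on 15000 works; no HIOP fallback needed"
    if proxy_code is None:
        return "proxy gave no HTTP response; check the browser's proxy settings"
    if proxy_code in (502, 503, 504):
        return "proxy cannot reach port 8088 upstream; check DNS and rules on the proxy"
    return "proxy forwards to port 8088; HIOP fallback path is usable"

if __name__ == "__main__":  # usage: script.py <proxy_host> <proxy_port>
    direct = classify_connect(TARGET, IIOP_PORT)
    print(direct, diagnose(direct, proxy_status(sys.argv[1], int(sys.argv[2]))))
```

Running it from a client workstation and again from the proxy server itself shows whether the two machines resolve and reach the same upstream host.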


