Jim,

The ISA is 2004 Ent. Here is a part of the doc:

Scenario 4: Proxy Server, Gateway, and Firewall

In this scenario, direct communication to the Internet from client workstations is not allowed. In order to access the Internet, all communications are routed through a proxy server. A proxy server is a specialized server inside the corporate network that receives connections from internal clients and has special permission to communicate with the Internet through the firewall. This allows a centralized tracking, access, and caching mechanism to be configured for the entire corporate network. Typically, proxy servers are configured in the web browser. No gateway configuration is then necessary.

However, as noted in scenario 2, non-transparent proxy services will not work with ONLINE BANKER services clients since you cannot specify the server address and port numbers to match the proxy server. Fortunately, ONLINE BANKER services provides another method of communications that is proxy-server compatible: IIOP HTTP Tunneling (HIOP). This does two things: first, it determines the HTTP proxy settings from the current browser. Then, it wraps all of the IIOP traffic into an HTTP "wrapper" and attempts communication with the ONLINE BANKER services server using the HTTP protocol over port 8088. Note that the HIOP protocol still encrypts the data sent through the connection before it is "wrapped" in the HTTP headers, so the protocol is just as secure as the IIOP connection, even though it is transmitted using standard HTTP format (instead of HTTPS).

The benefit is that the client can then be used with machines that do not have a direct Internet connection, but can access web sites (HTTP traffic) via a configured proxy server in the web browser. However, there are drawbacks to this.

* First, HTTP traffic is usually stateless: the connection is made and then broken again for each request. This requires extra time to initiate this connection on every request to the server.
  Since IIOP is connection-based, there is no overhead.
* Second, encoding the IIOP packets and wrapping them in HTTP-like wrappers takes processor and bandwidth overhead. So, application response times are impacted.
* Finally, some older proxy servers may have difficulty with some of the HTTP POST sizes that ONLINE BANKER services transmits, while others may have difficulty with the HTTP 1.1 "Keep-Alive" and caching settings used by the HIOP communications protocol.

Note that fallback to HIOP tunneling is automatic: the client will first attempt to create a TCP/IP connection on port 15000 to the onlinebanker.usbank.com site. If that connection fails, the client will automatically fall back to HTTP tunneling. The client reads the browser's proxy settings, and then attempts communication with the proxy server at the IP address and port number specified in the browser's settings. The proxy server must then forward the HIOP requests to port 8088 on the onlinebanker.usbank.com site. The ONLINE BANKER services server then processes these requests normally and responds via the same port 8088 connection. At no time is a gateway or port 15000 access required in this method.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, February 02, 2006 6:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Unable to Access some web site over ISA proxy

http://www.ISAserver.org

Why don't you just summarize the document's claims?

ISA 2000 or 2004? Std or Ent edition?

"Error Code 10061: Connection refused" is exactly that; the *actual* server you spoke to isn't accepting connections on that IP/transport/Port. 99 times out of 10, this is a DNS resolution issue - IOW, you're not talking to the server you think you are.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Thursday, February 02, 2006 15:00
To: [ISAserver.org Discussion List]
Subject: [isalist] Unable to Access some web site over ISA proxy

http://www.ISAserver.org

Hi all

There is a bank web site that the accounting department accesses, and today after I enabled the proxy GPO for that dept they started having a problem accessing a bank web site. Well they can see the web site and after they log on it's taking them to a page from ISA Proxy that says:

===========================================================================
Error Code 10061: Connection refused
Background: The server you are attempting to access has refused the connection with the gateway. This usually results from trying to connect to a service that is inactive on the server.
Date: 2/2/2006 4:09:36 PM
Server: ISAServer.DomainName.com
Source: Remote server
===========================================================================

When I look at the logging I see that there is a denied result, but the rule that denied it is "-" which I am not sure what it means, this is only a dash or underscore either one.

I contacted the bank and they told me that it's a known issue and emailed me a document that's talking about so many things that in most part I don't know.

If somebody would like to help me, I will email you the document and you may see more than what I am seeing.

Please help me out; I am so tired of this problem.

Thanks in advance
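
Added example, not part of the thread or of the bank's document: a connectivity check for the two paths the quoted document describes (direct TCP on port 15000, HIOP on port 8088), meant to be run on the proxy host so the result reflects what the proxy itself sees. It reports the resolved address with each result, so a refused connection (Winsock error 10061) can be told apart from a DNS problem; the function names and status strings are this example's own.

```python
import socket

# Host and ports are the ones named in the bank document quoted in the thread.
BANK_HOST = "onlinebanker.usbank.com"
DIRECT_PORT = 15000   # native IIOP connection, tried first by the client
TUNNEL_PORT = 8088    # HIOP: IIOP wrapped in HTTP, forwarded by the proxy


def probe(host, port, timeout=3.0):
    """Try one TCP connect; return (status, detail) with the resolved IP in detail."""
    try:
        addrs = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns-failure", str(exc)
    ip = addrs[0][4][0]  # the address this machine would actually talk to
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open", ip
    except ConnectionRefusedError:   # ECONNREFUSED; WSAECONNREFUSED (10061) on Windows
        return "refused", ip
    except socket.timeout:
        return "timeout", ip
    except OSError as exc:
        return "error", f"{ip}: {exc}"


def interpret(status):
    """Map a probe status to the next thing to check (this example's reading)."""
    hints = {
        "open": "port accepts connections from this host",
        "refused": "host answered but nothing listens on that IP/port "
                   "(Winsock 10061); confirm the resolved IP is the bank's",
        "timeout": "no answer; traffic to this port is probably being dropped",
        "dns-failure": "name does not resolve here; fix DNS before looking at rules",
    }
    return hints.get(status, "unexpected socket error; see detail")


if __name__ == "__main__":
    # Run on the machine that makes the outbound connection (the proxy host).
    for port in (DIRECT_PORT, TUNNEL_PORT):
        status, detail = probe(BANK_HOST, port)
        print(f"{BANK_HOST}:{port} -> {status} ({detail}): {interpret(status)}")
```

Comparing the address printed here with the bank's published address is the quickest way to test the DNS explanation given in the reply above.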