Hi Ara,

Sounds like a typical vendor help desk, "We'll give you all the support you need, provided you run the application on whitebox clones, direct internet connection, and only if you call us on the 3rd Sunday after your grandmother's 50th birthday.........."

Is there anything else that could be coming into play here? e.g.

Internet Security from Symantec acting as either a firewall or pop-up blocker or both,
Is there a third-party free or commercial pop-up blocker installed,
Is there one of the free firewalls like ZoneAlarm installed on the PC,
Is Windows Defender or a similar spyware blocker installed,
Have you carefully viewed the logs on the ISA to make sure that the application is not trying to open a connection on a non-standard port.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ara Avvali
Sent: Tue 31/Oct/2006 16:03
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

Hi Mohamed,

Yes, it is pretty much the same situation. The problem is their tech support doesn't help with anything at all as soon as they see the proxy address in Internet Explorer. All they say is disable the IE pop-up blocker and increase the cache size to 2 GB in IE. Anyway, we are moving to the stand-alone version of payroll by January, so that would be the end of it.

Thanks anyway

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of mohamed saleh
Sent: Monday, October 30, 2006 8:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

Ara,

Let us think slowly. You said that the client can connect to the site successfully and log in correctly till he sees the icons of the payroll program, and it takes a long time if he presses any button further, right...

All right, it's somehow like connecting to hotmail....
you connect to the hotmail site and log in correctly and then you can do anything in your hotmail account and press any button you want, so I think that site is using some kind of scripting or programming language or authentication method, which you should enable to pass through ISA....

Hotmail, for example, checks the authentication and authorization on every page to ensure that this user account is the same user account and is not a man in the middle,...

So, I think you have to check with them how they do their online authentication and authorization, and I think this might help.

----- Original Message -----
From: Ara Avvali <mailto:Ara.Avvali@xxxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Friday, October 27, 2006 7:15 PM
Subject: [isalist] Re: proxy configuration

Hi Dan,

Would you mind keeping me posted if you find the help reference?

Thank you

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Friday, October 27, 2006 10:11 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

If you recall, a month or so ago I had problems with similar symptoms. I'll have to go back through my messages and see what the final result was, as I think it was a combination of things like DNS resolution, wpad retrieval, auto-configuration, etc...

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 11:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

Hi Jim,

Thanks for your response. The problem I have is that we are using a web-based ADP payroll by going to https://payex.adp.com. As you notice, it requires an assigned certificate to go to the site. The client is XP SP2 with the pop-up blocker disabled, and there is an allow rule on top going from internal to *.adp.com which allows all users access.
The problem is that behind ISA, pages load slowly (2-3 times slower) and sometimes they even time out. Checking on live monitoring I found that connections are going to njpod18.adp.com, which I think *.adp.com should cover. If I connect the client directly to the router in front of ISA then everything works as fast as expected. Yesterday there was a thread about speed and Tom mentioned increasing connections should help. Even that gave me no luck. I have convinced accounting that we should migrate to the installed version of the payroll program instead of the web-based one. But that could be done after January. For now I just connect one of the machines directly to the internet and let them do the payroll, but that is not a practical solution. Man, what a mess it would be if I deploy IE7 and the certificate check it has.

I was wondering if anyone has any experience with this problem. ADP support, as soon as they see a proxy server set in IE, then it is my side to figure out the problem. They have no documents about it. I found some instructions but that was no help either. That was why I tried the direct access solution.

http://isainsbs.blogspot.com/2006/01/allowing-adp-through-isa-2004.html
http://forums.isaserver.org/m_2002000597/mpage_1/key_/tm.htm#2002029215

Appreciated

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 6:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

You're shotgunning, Ara.

Creating an "allow all" rule has nothing to do with "speed".
Unless *.adp is part of the network structure that is "local" to the browser client, adding it to the web browser and domains data is inappropriate.
Proxycfg has nothing to do with IE settings or IE behavior.

Can you explain what you mean by "speed problems"?
________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ara Avvali
Sent: Thursday, October 26, 2006 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] proxy configuration

Hello everyone.

I added *.adp.com for direct access to the ADP site. Created a rule to allow all outbound traffic from internal to *.adp.com but I still have speed issues. So I ran proxycfg on the client, which is XP SP2 with the firewall client installed, and it is telling me nothing is set for direct access. Any idea why?

Appreciated

All mail to and from this domain is GFI-scanned.