[isalist] Re: proxy configuration

Hi Jim,

I managed to get a log posted on site in excel format. Take a look at it
when you have a chance please. Any other comments are welcome. Thank you

http://bossaudio.com/ara/adplog.xls

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 2:39 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

 

Get a simultaneous capture and ISA log.

Between the two of them, we may be able to sort it out.

You have to remember that you're 2nd in line behind John's cap analysis,
though...

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 12:21 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

 

Status code I have to check on next time. I didn't pay attention to it. 

Because this is the only https site which again I might be totally wrong

User logs in, icons come up. Then clicking on any icon to go next step
takes forever and eventually fails

There is no other application installed. We are using IE6 to go to the
site

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 11:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

 

 "failed connection" - with what status code?

Why do you think it has anything at all to do with the user cert?

What is the behavior right up to the failure?

Does the application use the browser or just the browser settings?

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 11:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

 

Hi Jim,

This is the only site that we have problem with. By slow I mean "page
time outs". I removed the direct access setting as you said it was no
good anyway. 

Checking on logs I can see "failed connection" to njpod18.adp.com. Since
this is the only https site that is facing this, I think maybe it got
something to do with SSL certificate assigned to client. 

Anyway I just don't know where else to look. Maybe Dan and Tom can send
me to a good reference.

Thanks again

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 11:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

 

First of all, you need to quantify "slow access".

At which point in the process is the connection determined to be "slow"?

What do you find in the ISA logs for this process?

 

The fact that your application can reach the site without the direct
access rules means that you are on the wrong track with that attempt.

Remove those from your settings unless you *really* want to screw things
up..

 

If you followed Amy's blog steps, then you've done what you can to allow
access to the site.

 

Maybe Tom can dig up the "slow ISA" blog he posted some months ago...

He outlined some really good troubleshooting steps in there.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 8:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

 

Hi Jim,

Thanks for your response. The problem I have we are using a web based
ADP payroll by going to https://payex.adp.com. As you notice it requires
an assigned certificate to go to site. Client is a xp sp2 with pop up
blocker disabled and there is an allow rule on top going from internal
to *.adp.com which allows all users access.

Problem is behind ISA pages load slowly (2-3 times slower) and sometimes
they even time out. Checking on live monitoring I found that connections
are going to njpod18.adp.com which I think *.adp.com should cover it. If
I connect the client directly to the router in front of ISA then
everything works as fast as expected. Yesterday there was a threat about
speed and Tom mentioned increasing connections should help. Even that
gave me no luck.

I have convinced the accounting that we should migrate to installed
version of payroll program instead of web based. But that could be done
after January. For now on I just connect one of machines directly to
internet and let them do the payroll but that is not the practical
solution. Man what a mess it would be if I deploy IE7 and the
certificate check it has.

I was wondering if anyone has any experience with this problem. ADP
support as soon as they see a proxy server set in IE, then it is my side
to figure out the problem. They have no documents about it. I found some
instructions but that was no help either. That was why I tried the
direct access solution.

http://isainsbs.blogspot.com/2006/01/allowing-adp-through-isa-2004.html 

http://forums.isaserver.org/m_2002000597/mpage_1/key_/tm.htm#2002029215 

Appreciated 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 6:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration

 

You're shotgunning, Ara.

Creating an "allow all" rule has nothing to do with "speed".

Unless *.adp is part of the network structure that it "local" to the
browser client, adding it to the web browser and domains data is
inappropritate.

Proxycfg has nothing to do with IE settings or IE behavior.

Can you explain what you mean by "speed problems"?

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ara Avvali
Sent: Thursday, October 26, 2006 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] proxy configuration

 

Hello everyone.

 

I added *.adp.com for direct access to adp site. Created a rule to allow
all outbound traffic from internal to *.adp.com but I still have speed
issues. So I ran the proxycfg on the client which is xp sp2 with
firewall client installed and it is telling me nothing is set for direct
access. Any idea why? Appreciated 

 

 

All mail to and from this domain is GFI-scanned.

All mail to and from this domain is GFI-scanned.

All mail to and from this domain is GFI-scanned.

All mail to and from this domain is GFI-scanned.

Other related posts: