Re: [isalist] Web Proxy and other woes

  • From: "Mark Strangways" <strangconst@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 9 Sep 2001 15:12:30 -0400

I had some DNS issues when I was setting up my ISA, but the set-up was different.
I eventually started a DNS server on the ISA box, which just forwarded to the ISP DNS server for client resolutions.
My AD DNS server forwards its requests to this server on the ISA server.

You might actually want to create a zone on the ISA box that will define the ISA Server name, just in case you refer to it by name not IP.

How is your LAT, any problems there?

Some suggestions anyways.

regards,

Mark
----- Original Message -----
From: "Perry H. Sweetser" <perryhs@online.no>
To: "[ISAserver.org Discussion List]" <isalist@webelists.com>
Sent: Sunday, September 09, 2001 2:01 PM
Subject: [isalist] Web Proxy and other woes


> http://www.ISAserver.org
>
>
> We are using BackOffice servers in native mode with only
> w2k clients. I thought I was doing the right thing by reading
> Dr. Shindler's excellent book BEFORE installing and
> configuring ISA 2000, but now I don't know. I have a problem
> to be sure, and there is probably a simple reason for it,
> but for the life of me I can't figure it out.
>
> Back Office installs ISA in integrated mode, which was what
> I wanted. I configured what I considered to be the necessary
> rules for the domain using secure NAT clients with a standalone
> ISA server:
>
> client sets
> destination sets
> protocol rules
> routing rules
>
> I then tested this configuration by setting the client's
> default gateway to point to the ISA server, thus making it a
> secure NAT client.
>
> The client worked just fine. However, to be on the safe
> side, as Dr. Shindler points out in his book and in the
> article published in the learning zone, I set the client's
> IE5 settings to use the Web proxy service at the default 8080
> port on the ISA server. IE6 hung. I also tried this with
> Opera 5.12 and Netscape 6.1. They hung too. (I noticed that
> Manfred Fink reported something similar and was advised to
> check his DNS settings. I will come back to this point.)
>
> So I've spent the last 5 days configuring and reconfiguring
> ISA, as well as uninstalling and reinstalling. These 5 days
> produced meager, if interesting results, which I will sum
> up as follows:
>
> I turned on all of the logging options first to see if I could
> uncover any errors in this manner. Fortunately (or unfortunately?),
> the event log reports no errors or alerts, and the report
> files produced by ISA show that there has been no activity.
>
> At this point I got suspicious, as I recalled that I had
> never seen any client reported in the \monitoring\sessions
> window. I don't recall reading anywhere about what I should
> see in this window, but when I am "successfully" running a
> secure NAT client without the Web Proxy setting activated, I
> don't see anything in this window. Dr. Shindler mentions that
> NAT clients are "transparent" to ISA but I was wondering if
> this transparency includes not showing up in the session
> window...
>
> So I used performance monitor to monitor disk activity on
> the separate disk that I am using for the cache. I figured that
> if the NAT client is getting through, there must be some
> caching going on, but performance monitor reported no disk
> activity for the cache disk whatsoever.
>
> At this point I tried using the scheduled download option
> to see if that would affect anything, and it did - it gave
> me the first and only warning message in the event log -
> event ID 13107, which reported that the download was stopped
> with 0 pages visited - without giving me a reason for why it
> was stopped.
>
> I rechecked my routing options - yes, HTTP was being routed
> to the ISA proxy, so I figured I had configured one of the
> rules incorrectly. I tried several changes to the rules,
> stopping and restarting the server, but nothing helped.
>
> I checked the DNS configuration (we use an internal DNS
> which is integrated with AD) and this was ok, as well as
> our DHCP server and option settings. I tried using one
> client with static settings (without DHCP delivery) on the
> NIC, but that did no good either.
>
> So I completely uninstalled ISA and reinstalled it in caching
> only mode only to see if any of the protocols were misconfigured.
> This made configuration much simpler since there were so few
> options to configure.
>
> My client still did not work, so I did the only thing left to
> do - I configured all of the rules to allow everything for
> everybody at all times and everywhere. Guess what? My client
> with the static NIC information now worked and showed up in
> the sessions window.
>
> At this point I had thought I had solved part of the problem,
> so I closed IE6 on the client and went upstairs for a cup of
> coffee. When I came back, I thought I would test the client against
> ISA again for speed - to see if the pages that I had visited
> when I first had connected came back at super something speeds
> or whatever...
>
> Guess what? The client hung again. In fact, I was never able
> to get the client to talk to ISA again despite rebooting both
> client and server. The logs show that the client was successfully
> logged in the first time, but there is no subsequent report, no
> errors, no nothing....
>
> So my question to all of you who know ISA real well is WHAT
> THE HECK IS GOING ON HERE? Is there something so simple I have
> forgotten that rates for 2000 ISA demerit points or what?
>
> I would appreciate any advice, hints or reprimands on this one.
> Otherwise I will have to go back to Iplanet's Proxy Server, which
> we were using before we upgraded to BackOffice.
>
> By the way, you have a very nice and informative site here!
>
> phs


