[isalist] Re: Client Configuration Issues/Questions

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 16 Jan 2009 11:39:06 -0800

Some things you want to keep in mind:

1. *_NOTHING_* you set in ISA client configuration is of any value if the 
clients can't get the information.  ISA doesn't "push" anything to the clients; 
they *_MUST_* request it from ISA.
2. unless you can configure the client to use autodiscovery (and of course 
configure WPAD in your environment) or a configuration URL, the client will 
*_NOT_* request this data from ISA.
3. ISA will attempt to perform PTR lookups for IP-based requests, but since 
Internet-based PTR zones are as worthwhile as a teenager on a Sat morning, this 
frequently fails.

One of my fav examples for #3:

1. ISA has an allow rule for 'www.microsoft.com'
2. 'www.microsoft.com' resolves to (in my location):
C:\>nslookup www.microsoft.com 4.2.2.2
Server:  vnsc-bak.sys.gtei.net
Address:  4.2.2.2
Non-authoritative answer:
Name:    lb1.www.ms.akadns.net
Addresses:  65.55.12.249, 207.46.192.254, 207.46.193.254
Aliases:  www.microsoft.com, toggle.www.ms.akadns.net
          g.www.ms.akadns.net
3. client makes a connection to 207.46.192.254
4. ISA asks Windows to resolve the IP to a name
5. Windows queries DNS for a PTR record relative to 207.46.192.254.
C:\>nslookup -type=ptr 207.46.192.254 4.2.2.2
Server:  vnsc-bak.sys.gtei.net
Address:  4.2.2.2
Non-authoritative answer:
254.192.46.207.in-addr.arpa     name = wwwtk2test1.microsoft.com

Guess what; not only does 'wwwtk2test1.microsoft.com' not match 
'www.microsoft.com', it doesn't match any of the aliases also related to this 
IP address.  Therefore, there is no mapping from the IP to the names ISA has 
available to it and the request must fail.

'This stuff ain't magic...'
Jim
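
To make point #3 concrete, here is an added Python model (not ISA code and not part of the original post) that replays the post's lookups from embedded tables: a Web Proxy request carries the host name and matches the rule, while a Firewall Client request arrives by IP, so the rule can only be matched against the PTR name, which matches neither the rule nor any forward alias. The DNS tables and the matching logic are constructed assumptions that simplify ISA's real behaviour.

```python
"""Why a Firewall Client request for an allowed site fails ISA's domain-name rule.

Constructed lookup tables reproduce the nslookup output quoted in the post;
nothing here queries real DNS, and the matching logic is a simplified model
of ISA's behaviour, not ISA code.
"""

# Forward answer for www.microsoft.com (constructed from the post's nslookup output).
FORWARD = {
    "www.microsoft.com": {
        "canonical": "lb1.www.ms.akadns.net",
        "addresses": ["65.55.12.249", "207.46.192.254", "207.46.193.254"],
        "aliases": ["www.microsoft.com", "toggle.www.ms.akadns.net", "g.www.ms.akadns.net"],
    }
}
# Reverse (PTR) answers; only the address checked in the post has a record here.
PTR = {"207.46.192.254": "wwwtk2test1.microsoft.com"}

ALLOW_RULE = {"www.microsoft.com"}  # the allow rule's domain name set


def name_for_request(request):
    """Return the host name ISA can evaluate, and where it came from.

    A Web Proxy client sends the URL, so the host name is in the request.
    A Firewall Client resolves the name itself and connects by IP, so ISA
    must ask Windows for a PTR record and use whatever name comes back.
    """
    if "host" in request:
        return request["host"], "from request"
    name = PTR.get(request["ip"])
    return name, ("from PTR lookup" if name else "no PTR record")


def rule_matches(rule_names, request):
    """(matched, evaluated name, source): exact match against the name set."""
    name, source = name_for_request(request)
    return name is not None and name in rule_names, name, source


def forward_names_for_ip(ip):
    """Every name the forward lookup associated with ip (to explain the mismatch)."""
    names = set()
    for name, rec in FORWARD.items():
        if ip in rec["addresses"]:
            names.update([name, rec["canonical"], *rec["aliases"]])
    return names


if __name__ == "__main__":
    # Web Proxy client: the name travels with the request and matches.
    print(rule_matches(ALLOW_RULE, {"host": "www.microsoft.com"}))
    # Firewall Client: ISA sees only the IP; the PTR name matches nothing ISA knows.
    ok, name, source = rule_matches(ALLOW_RULE, {"ip": "207.46.192.254"})
    print(ok, name, source, name in forward_names_for_ip("207.46.192.254"))
```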


________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Mayo, Bill [bemayo@xxxxxxxxxxxxxxxx]
Sent: Thursday, January 15, 2009 12:43 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Client Configuration Issues/Questions


We are having a couple of issues related to client configuration/access for 
outbound traffic through ISA Server 2006 Enterprise Edition.  I realize that 
these issues may be somewhat off-topic, but I hope someone may have some 
insight.

The first issue is that we have some clients for whom browser traffic 
originates via the Firewall Client instead of the Web Proxy (to put it another 
way, ISA logging shows the Log Record Type to be Firewall, as opposed to Web 
Proxy Filter).  This is mainly problematic because we have some clients that 
have access to only specific web sites, that are defined in rules using domain 
name sets.  The problem is that the traffic hits ISA server by IP instead of 
DNS name and it doesn't match the rules.  Unless I am missing something, this 
is because the Firewall Client is doing the DNS lookup itself and just asking 
to access the IP.  Because the rules use the DNS name, ISA doesn't detect it as 
a match.  We are publishing the proxy server in both DHCP and DNS, in addition 
to pushing the value through group policy.  Nonetheless, some clients' browsers 
don't seem to be respecting the setting.  I have had some success in 
kick-starting the setting by hitting the "Configure Now" button on the web 
browser tab in the firewall client, but that does not work for everyone.  It 
sure seems to be a registry problem, but having to delete profiles and/or 
re-image the computers is a bit extreme for resolving this.  I can verify that, 
in at least one of these situations, Internet Explorer showed the correct proxy 
server address in LAN Settings, but the traffic continued to go through the 
firewall client.

The second issue has to do with local addresses going through the proxy server 
(this issue affects folks who are correctly going through the web proxy).  
Despite the way I believe it is configured, access to internal sites is going 
through the proxy server.  In most cases this doesn't cause a major issue, but 
there are some instances where it does (e.g. an internal dvr-appliance that 
tries to establish an SSL connection over port 8129).  On the Internal network 
properties dialog, I have the internal address range listed (Addresses tab) and 
I have the "Directly access computers specified in the Addresses tab" checkbox 
enabled on the Web Browser tab.  Nonetheless, the traffic is being sent 
through the ISA Server web proxy (and, in the case of the non-standard SSL 
port, is blowing up).  Is there something I am missing here?

If I can provide any further information about our configuration that would be 
helpful, I would be happy to provide it.

~~~~~~~~~~
Bill Mayo
Pitt County MIS