[isalist] Re: Client Configuration Issues/Questions

  • From: "Mayo, Bill" <bemayo@xxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Jan 2009 16:29:00 -0500

Thanks much for the reply, Jim.  When I set it up, I used the info at
http://www.shijaz.com/isaserver/isa2004_nlb.htm to configure it.  I
realize that it is for 2004 and I am using 2006, but that was the best
thing I could find at the time.  I have made that change.  In some quick
testing, it does appear to have resolved some of my issues.  At least
some of the things that weren't directly accessing before are now, but
some seem to still be handled by the web proxy filter.
 
A big THANKS, Jim, on what is clearly an improvement in my situation.
Can I be so brazen as to ask if you can shed any light on my 1 and 2
questions below?
 
Bill Mayo

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, January 28, 2009 3:43 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Client Configuration Issues/Questions



The correct solution (as opposed to the "tribal knowledge") is to set
the Intra-array address properly.

If the wpad includes IP addresses which the clients cannot reach, it's
because the server "Communication" tab includes the wrong address.

Fix this first; it's also blocking intra-array communication.

 

 

 

JimmyJoeBob Alooba

Office 2007 on Win7 Beta

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Mayo, Bill
Sent: Wednesday, January 28, 2009 10:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Client Configuration Issues/Questions

 

I have (somewhat) answered my own question on the "makeproxies"
question.  I found other references to this issue and the solution being
roll your own wpad, which I have done.  Proxy access works with my
tweaked wpad, but I still have some challenges related to my original
message.  Because my descriptions tend to ramble, I offer the
consolidated list of questions below, in the hopes that some of you fine
folks might be able to help without having to take a No-Doze.

 

1) I am seeing inconsistent results with bypassing local domains,
address ranges, et al.  My "Web Browser" tab in ISA configuration is
populated according to the info at KB920715 (e.g. *.site.com/*), as I
have to have an IP address in there.  I note that the interface doesn't
dictate this and the article is for ISA 2004 SP-2 (I am running ISA
2006).  Can anyone confirm/deny that the information in this article is
applicable to ISA 2006?

 

2) I have (temporarily) configured my browser to use the modified
configuration script and cleared the proxy server info in IE's
configuration.  When configured like this, my traffic is logged in ISA
as going through the web proxy filter (as desired).  However, the
"destination host name" and "url" fields show the IP of the site instead
of the DNS name.  If I clear the configuration script (and all auto
detect checkboxes) and manually enter the proxy server info, I see the
FQDN in those fields.  My question is, "Is this normal?"

 

Thanks,

Bill Mayo

 

________________________________

From: Mayo, Bill 
Sent: Wednesday, January 28, 2009 10:45 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: [isalist] Re: Client Configuration Issues/Questions

Problems sprung back up with this while I was out last week, and I have
spent the entire morning researching how exactly all of this works and
trying to figure out where my problem is.  Resultingly, I understand
some things better and am thoroughly confused on others (what I am
reading does not match what I am hearing).

 

In trying to figure out what might not be working with the
auto-discovery, I have downloaded and reviewed the WPAD file
(automatically generated).  I note something in there that I *think* may
be the issue, but am hoping that someone can confirm (or set me
straight).

 

Our ISA servers are in an NLB.  To that end, I have 3 NICs on each
server.  NIC-1 is the internal connection.  It has an IP address to
which our internal clients can connect.  It also shows that the
NLB-specific IP is bound to it.  NIC-2 faces the internet.  The IP
address is technically reachable by clients, but shouldn't be.  This
adapter has the default gateway.  NIC-3 is the NLB adapter.  This NIC
uses a private network address and is on a private network that is not
routable.  The IP address here is 192.168.1.x.

 

The (not currently enabled) autodiscovery information pointed to the
NLB-specific IP (which is bound to NIC-1).  This is the NIC/IP to which
I would expect traffic to be routed.  At this point, I get to what I
think may be the problem.  When I examine the "wpad.dat" file in
notepad, I see:

function MakeProxies(){
this[0]=new Node("192.168.1.12",1965764837,1.000000);
this[1]=new Node("192.168.1.7",3977323674,1.000000);

 

This looks to me like the WPAD file is telling the clients to use
192.168.1.12 and 192.168.1.7 as the proxy addresses.  These are not
addresses the client can reach and are (intentionally) sitting on a
private network, as I believed was supposed to be the case.  In every
respect that I can measure, NLB seems to be working properly so I am
assuming I have it configured correctly.

 

Am I interpreting this correctly?  If so, is this indicative that I have
a configuration problem with NLB, or is there some other reason why
those addresses are showing up?  Most importantly, what can I do about
it?

 

Thanks,

Bill Mayo

 

________________________________

 ...

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Mayo, Bill [bemayo@xxxxxxxxxxxxxxxx]
Sent: Thursday, January 15, 2009 12:43 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Client Configuration Issues/Questions

We are having a couple of issues related to client configuration/access
for outbound traffic through ISA Server 2006 Enterprise Edition.  I
realize that these issues may be somewhat off-topic, but I hope someone
may have some insight.

The first issue is that we have some clients for whom browser traffic
originates via the Firewall Client instead of the Web Proxy (to put it
another way, ISA logging shows the Log Record Type to be Firewall, as
opposed to Web Proxy Filter).  This is mainly problematic because we
have some clients that have access to only specific web sites, that are
defined in rules using domain name sets.  The problem is that the
traffic hits ISA server by IP instead of DNS name and it doesn't match
the rules.  Unless I am missing something, this is because the Firewall
Client is doing the DNS lookup itself and just asking to access the IP.
Because the rules use the DNS name, ISA doesn't detect it as a match.
We are publishing the proxy server in both DHCP and DNS, in addition to
pushing the value through group policy.  Nonetheless, some clients'
browsers don't seem to be respecting the setting.  I have had some
success in kick-starting the setting by hitting the "Configure Now"
button on the web browser tab in the firewall client, but that does not
work for everyone.  It sure seems to be a registry problem, but having
to delete profiles and/or re-image the computers is a bit extreme for
resolving this.  I can verify that, in at least one of these situations,
Internet Explorer showed the correct proxy server address in LAN
Settings, but the traffic continued to go through the firewall client.

The second issue has to do with local addresses going through the proxy
server (this issue affects folks who are correctly going through the web
proxy).  Despite the way I believe it is configured, access to internal
sites is going through the proxy server.  In most cases this doesn't
cause a major issue, but there are some instances where it does (e.g. an
internal dvr-appliance that tries to establish an SSL connection over
port 8129).  On the Internal network properties dialog, I have the
internal address range listed (Addresses tab) and I have the "Directly
access computers specified in the Addresses tab" checkbox enabled on the
Web Browser tab.  Nonetheless, the traffic is being sent through the
ISA Server web proxy (and, in the case of the non-standard SSL port, is
blowing up).  Is there something I am missing here?

If I can provide any further information about our configuration that
would be helpful, I would be happy to provide it. 

~~~~~~~~~~ 
Bill Mayo 
Pitt County MIS 
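
An added example (not part of the original thread, and not ISA Server's own code): a Node.js check that lists the addresses in a wpad.dat MakeProxies() block and flags any that fall outside the networks clients can reach, the symptom discussed in this thread. The CLIENT_NETS range and the third Node line are constructed assumptions; the first two Node lines are the ones quoted in the thread.

```javascript
// Assumed client-routable networks; replace with the real internal ranges.
const CLIENT_NETS = ["10.20.0.0/16"];

// Constructed sample: the two Node lines quoted in the thread plus one
// constructed entry inside the assumed client network.
const SAMPLE_WPAD = `
function MakeProxies(){
this[0]=new Node("192.168.1.12",1965764837,1.000000);
this[1]=new Node("192.168.1.7",3977323674,1.000000);
this[2]=new Node("10.20.0.15",1234567890,1.000000);
}
`;

// Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    return null;
  }
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

// True when ip falls inside cidr (for example "10.20.0.0/16").
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipToInt(ip);
  const netInt = ipToInt(net);
  if (ipInt === null || netInt === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Classify every Node("...") entry: "ok", "unreachable", or "hostname".
function auditWpad(text, clientNets) {
  const findings = [];
  for (const m of text.matchAll(/new\s+Node\(\s*"([^"]+)"/g)) {
    const addr = m[1];
    const isIp = ipToInt(addr) !== null;
    const reachable = isIp && clientNets.some(c => inCidr(addr, c));
    findings.push({ addr, status: !isIp ? "hostname" : reachable ? "ok" : "unreachable" });
  }
  return findings;
}

for (const f of auditWpad(SAMPLE_WPAD, CLIENT_NETS)) {
  console.log(`${f.status.padEnd(11)} ${f.addr}`);
}
```

Entries reported as "unreachable" are the ones to compare against the array's intra-array address setting; "hostname" entries need a DNS check from a client instead.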
