[isalist] Dan, Here is the thread you were seeking: Direct Access Issues...
- From: "Crockett, Gregory" <Gregory.Crockett@xxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 22 Aug 2006 06:21:01 -0500
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Tue, 13 Dec 2005 09:52:44 -0500
http://www.ISAserver.org
This sounds like a potentially extremely complex setup. (One could
almost refer to it as a split-split DNS! *grin*)
A little less than half of our network resides on that other subnet, so
it is definitely not small. It is all part of one AD Domain, and I
really hesitate to split it into multiple Domains. Due to the slow
speed of our WAN, each of our outer buildings has their own Domain
Controller, and each Domain Controller has a AD-Integrated DNS Server.
Each DC/DNS is set to look back to the PDC (and DC1) for upstream
resolution, and those servers are set to resolve names not in our local
network, creating the Split DNS.
Here is a rough diagram of the network structure
Internet
|
|
ISA--->10.20.1.1--->PDC
| |
| |--->DC2
|
|---->10.6.254.90--->10.6.8.x--->DC3
|
|--->10.6.9.x--->DC4
|
|--->10.6.10.x--->DC5
|
|--->10.6.12.x--->DC6
|
|--->10.6.14.x--->DC7
|
|--->10.6.15.x--->DC8
Right now it is configured as one big network, the Internal networks are
in "route" mode between them, and there is a firewall policy that allows
"All Protocols" to pass between those two subnets (come to think of it
though, I should move that to a higher precedence).
As it is currently configured, it works, for the most part. The only
problem appears to be the Auto-Configure feature to configure sites for
Direct Access. Without that feature working, all web browsing
(including our local webserver, OWA, and Grading server) pass through
the Web Proxy service. This isn't a "really" bad thing, but since
SurfControl is thrown into the mix, it messes everything up.
Since everything on the Internal Network is working with the DNS, the
only issue really in question is the DNS resolution of the ISA server.
If I forced a modified host file out to those workstations would that
override the DNS server?
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, December 12, 2005 11:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
The Web proxy configuration will work, if you fudge by creating a split
DNS to support your second internal Network hosts. However, it can be
tricky, depending on what you want the hosts on the second internal
network to access on the other internal network, because the split DNS
zone (which I usually put on the ISA firewall) won't be a secondary to
the main zone -- it will need to be separate and distinct, because that
array name must resolve to the local Web proxy listener for the other
internal network. The firewall client will work fine, IF you allow the
LDAP protocols from the second internal Network into the first internal
Network (assuming that the first Internal Network hosts the DCs).
If the second internal Network is small and doesn't have that many hosts
that require authentication, you can always mirror the accounts, but I
prefer not to do that, because I lose too many of the advantages that
Active Directory provides.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Monday, December 12, 2005 9:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I queried the server to see what was actually being sent to the
> workstations, and they "appear" to be correct.
>
> When I query http://10.20.1.1/wpad.dat (local subnet), I get a
> configuration script matching the settings on the Network in the ISA
> server. When I query http://10.20.1.1/wspad.dat I get the firewall
> version of this file, with the appropriate settings for that Network
> also. When I query
> http://10.20.1.1:8080/array.dll?Get.Routing.Script,
> I get a duplicate of the wpad.dat file, all seems good.
>
> When I query the same files using the 10.6.254.90 address instead
> (Remote subnet), I get basically the same files, but the settings in
> them match the settings for the remote subnet, which they
> should, so I'm
> at a loss for what is causing the troubles. I made some
> changes in the
> network properties, and when I re-queried the scripts, the changes
> showed up on the appropriate network.
>
> Since I was having problems with the DNS wpad designation, I set
> everything up to use IPs instead. The only place I see referencing a
> hostname is the wpad.dat/getarray file, where it says:
>
> DirectNames=new MakeNames();
> cDirectNames=3;
> HttpPort="8080";
> cNodes=1;
> function MakeProxies(){
> this[0]=new Node("gateway.MAPSNET.ORG",0,1.000000);
> }
>
> I'm not sure what this function does, but I'm wondering if it resolves
> this hostname to the wrong subnet if that might be the cause.
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, December 12, 2005 9:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Indeed. The autoconfig script is going to be the pain point
> for all but
> one network, because there is only one autoconfig script maintained by
> the ISA firewall, so if they try to connect to the Web proxy listener
> that isn't local to their ISA firewall Network, then the connection
> attempt will fail. I tried publishing the Web listener on the
> non-local
> Network to the local Network, but no workie. I might try it again just
> for fun, though.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Monday, December 12, 2005 2:26 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Stefaan, I went through your article quite thoroughly, and it
> > clarified
> > many things for me, thanks. I decided to put these
> settings in place
> > here, and have had mixed results.
> >
> > The difficulties seem to arise because I have multiple
> > internal networks
> > on my ISA server. I enabled the "Use automatic
> configuration script"
> > option on both of these internal networks, but only one seems to be
> > working good.
> >
> > On one of the subnets, when I have that option enabled, I
> watched the
> > logs and saw that instead of using the web proxy, it is
> > trying to access
> > the external site directly using Port 80. When I disable
> that option,
> > it goes through the web proxy like it should. However, I
> > tried another
> > computer on that same subnet, and everything worked perfect,
> > so it just
> > doesn't make sense.
> >
> > I've retrieved all the wspad.dat and wspad.dat files from
> > both internet
> > networks, and they appear to be correct. Any ideas?
> >
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 23:09:46 -0500
http://www.ISAserver.org
Hi Dan,
The Web proxy configuration will work, if you fudge by creating a split
DNS to support your second internal Network hosts. However, it can be
tricky, depending on what you want the hosts on the second internal
network to access on the other internal network, because the split DNS
zone (which I usually put on the ISA firewall) won't be a secondary to
the main zone -- it will need to be separate and distinct, because that
array name must resolve to the local Web proxy listener for the other
internal network. The firewall client will work fine, IF you allow the
LDAP protocols from the second internal Network into the first internal
Network (assuming that the first Internal Network hosts the DCs).
If the second internal Network is small and doesn't have that many hosts
that require authentication, you can always mirror the accounts, but I
prefer not to do that, because I lose too many of the advantages that
Active Directory provides.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Monday, December 12, 2005 9:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I queried the server to see what was actually being sent to the
> workstations, and they "appear" to be correct.
>
> When I query http://10.20.1.1/wpad.dat (local subnet), I get a
> configuration script matching the settings on the Network in the ISA
> server. When I query http://10.20.1.1/wspad.dat I get the firewall
> version of this file, with the appropriate settings for that Network
> also. When I query
> http://10.20.1.1:8080/array.dll?Get.Routing.Script,
> I get a duplicate of the wpad.dat file, all seems good.
>
> When I query the same files using the 10.6.254.90 address instead
> (Remote subnet), I get basically the same files, but the settings in
> them match the settings for the remote subnet, which they
> should, so I'm
> at a loss for what is causing the troubles. I made some
> changes in the
> network properties, and when I re-queried the scripts, the changes
> showed up on the appropriate network.
>
> Since I was having problems with the DNS wpad designation, I set
> everything up to use IPs instead. The only place I see referencing a
> hostname is the wpad.dat/getarray file, where it says:
>
> DirectNames=new MakeNames();
> cDirectNames=3;
> HttpPort="8080";
> cNodes=1;
> function MakeProxies(){
> this[0]=new Node("gateway.MAPSNET.ORG",0,1.000000);
> }
>
> I'm not sure what this function does, but I'm wondering if it resolves
> this hostname to the wrong subnet if that might be the cause.
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, December 12, 2005 9:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Indeed. The autoconfig script is going to be the pain point
> for all but
> one network, because there is only one autoconfig script maintained by
> the ISA firewall, so if they try to connect to the Web proxy listener
> that isn't local to their ISA firewall Network, then the connection
> attempt will fail. I tried publishing the Web listener on the
> non-local
> Network to the local Network, but no workie. I might try it again just
> for fun, though.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Monday, December 12, 2005 2:26 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Stefaan, I went through your article quite thoroughly, and it
> > clarified
> > many things for me, thanks. I decided to put these
> settings in place
> > here, and have had mixed results.
> >
> > The difficulties seem to arise because I have multiple
> > internal networks
> > on my ISA server. I enabled the "Use automatic
> configuration script"
> > option on both of these internal networks, but only one seems to be
> > working good.
> >
> > On one of the subnets, when I have that option enabled, I
> watched the
> > logs and saw that instead of using the web proxy, it is
> > trying to access
> > the external site directly using Port 80. When I disable
> that option,
> > it goes through the web proxy like it should. However, I
> > tried another
> > computer on that same subnet, and everything worked perfect,
> > so it just
> > doesn't make sense.
> >
> > I've retrieved all the wspad.dat and wspad.dat files from
> > both internet
> > networks, and they appear to be correct. Any ideas?
> >
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Monday, December 05, 2005 4:42 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > Didn't you got my mail with the SRZ0505266000674 case
> history? I just
> > resend
> > the mail, just in case. ;-)
> >
> > After the usual first level blablabla the case was handled by Tommy
> > Walker
> > (second level) together with GTSC Matthew Rose and Christophe
> > Despoges.
> >
> > Thereafter, Kristin Thomas (third level) was the owner:
> >
> > Kristin Thomas, MCSE, MCP
> > Global Technical Support Center
> > Platforms - Networking
> > Microsoft Limited
> > Tel: +44 118 909 4399
> > Email: kthomas@xxxxxxxxxxxxx
> >
> > Then the case was transfered to Pierre Louis Coll, an Escalation
> > Engineer in
> > the Internet Explorer support team.
> > Tel: +33 1 69 86 66 90
> > Email: pierrelc@xxxxxxxxxxxxx
> >
> > That's all I have as contact information...
> >
> > Thanks,
> > Stefaan
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: maandag 5 december 2005 22:06
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Are you sure that's not typo'd?
> > Do you know what location took the case (US/CA, AP, Euro)?
> >
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Monday, December 05, 2005 11:57
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > I'm listening ....
> >
> > Stefaan
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: vrijdag 2 december 2005 20:59
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > I'll tell Stefaan, but no one else because I'm in a mood; so there,
> > thpthpthp.
> >
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Friday, December 02, 2005 11:54
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Please keep me informed of what you find out, that is a big problem
> > here.
> >
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Friday, December 02, 2005 1:22 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > Can you confirm what they (Microsoft PSS) have told me?
> >
> > Thanks,
> > Stefaan
> >
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: donderdag 1 december 2005 21:23
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > I've mailed you the SRZ0505266000674 case history
> concerning the DHCP
> > issue
> > with IE.
> >
> > Regards,
> > Stefaan
> >
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: donderdag 1 december 2005 21:16
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > Will answer you offline...
> >
> > Stefaan
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: donderdag 1 december 2005 21:01
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Worse yet - that KB isn't listed internally either.
> > Where did you get that #?
> >
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Thursday, December 01, 2005 11:02
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Tom,
> >
> > unfortunately the KB906055 fix is not yet published. I've tested the
> > official release of the patch and it solves the problem for
> Windows XP
> > SP2.
> > Microsoft assured me that if you call PSS they will give
> you the fix.
> >
> > Also, the WinInet fix Jim was talking about has not yet
> been released.
> > I've
> > tested an interim version of the KB907455 fix but it didn't
> solve the
> > problem completely yet. However, this fix should be valid for
> > Windows XP
> > SP1
> > and SP2.
> >
> > HTH,
> > Stefaan
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: donderdag 1 december 2005 16:52
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Stefaan,
> >
> > Thank you very much for pointing out that information! I am really
> > remiss
> > for not remembering this fact that you mentioned in your article :(
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Thursday, December 01, 2005 9:08 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Jim,
> > >
> > > That's what described in my article
> > > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> > > l and related
> > > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
> > >
> > > A fix for Windows XP SP2 is officialy released on November
> > 11, 2005.
> > > The related knowledge base article is KB906055 and should
> > be available
> >
> > > soon on the web. IE uses an obsolete DHCP API but this
> API has been
> > > fixed (DHCPCSVC) for Windows XP SP2 only.
> > >
> > > HTH,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: donderdag 1 december 2005 15:54
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > Don't use DHCP wpad - it's crap.
> > > We've found that WinInet (what IE uses) can take up to 10
> > seconds to
> > > "digest" the DHCP data it gets.
> > >
> > > Use only DNS or WINS (if you must).
> > >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Thursday, December 01, 2005 6:20 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > I had to take those setting off again this morning, so
> I'm not sure
> > > what the heck is going on...
> > >
> > > When opening up IE, it would take 2-3 minutes for the
> > "Detecting Proxy
> > > > Settings" in the status bar to go away, and then things
> would run
> > sluggish.
> > > By un-checking the "Automatically detect settings" and "Use
> > automatic
> > > configuration script" in IE things sped up dramatically,
> so I took
> > > them back off the ISA server.
> > >
> > >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Wednesday, November 30, 2005 11:06 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > I've been through those articles many-many times trying to
> > work this
> > > out, and just went through them again. My eyes must be
> > getting old,
> > > although I read the last paragraph on the last page many times, I
> > > still missed it until this last re-reading...
> > >
> > > Your clue in the e-mail helped though, I had the
> > "Automatically detect
> >
> > > settings" and "Use automatic configuration script" turned
> > off on the
> > > "Firewall Client" tab from when we had the SurfControl
> proxy bypass
> > > problem several months ago. With the solution you
> thought up, that
> > > might not be an issue anymore. In any case, I'll leave
> > them enabled
> > > and see if people start having troubles.
> > >
> > > I don't see where it updated the setting in IE on the
> client, but I
> > > also don't see it passing through the ISA server anymore,
> > so it must
> > > be using a different method.
> > >
> > > Thanks!
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Wednesday, November 30, 2005 9:59 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Dan,
> > >
> > > Check the articles again. It'll show you how to configure
> > the Direct
> > > Access list on the ISA firewall and how to configure the
> clients to
> > > use the autoconfig script so that they can use the Direct
> > Access list.
> > >
> > > Also, make sure the Direct Access clients are configured
> with a DNS
> > > server that allows them to resolve the name of the site to
> > the site's
> > > Internal address.
> > >
> > > HTH,
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > > Sent: Wednesday, November 30, 2005 8:54 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Direct Access Issues w/SurfControl
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > This Direct Access issue is rearing its ugly head again here.
> > > >
> > > > I'm running ISA2004, with the newest version of
> > SurfControl. Or at
> > > > least I "think" it's the newest version, as I cannot locate
> > > any newer
> > > > hotfixes for it...
> > > >
> > > > I've tried and tried to not loop the local webserver
> > > through the ISA
> > > > server, but have been unable to figure out a way to do it. Tom
> > > > mentioned a couple of weeks ago that SurfControl
> > basically disables
> > > > the Direct Access abilities of the ISA server, so that
> > > explains that
> > > > part.
> > > >
> > > > Normally, I wouldn't mind the traffic passing through the
> > > ISA server,
> > > > as it has a 1Gbps network connect. But, the problem I'm
> > > running into
> > > > is that whenever we get a really heavy web traffic period,
> > > accessing
> > > > our local webserver is pathetically slow, i.e. it'll
> take over a
> > > > minute to display the first page. It probably has to do
> > with 800+
> > > > people all clicking like mad at the same time...
> > > >
> > > > When I disable the Proxy settings in IE, I can browse our local
> > > > webserver at full-speed, but cannot access the Internet.
> > > If I go into
> > > > the IE->Tools->Internet Options->LAN Settings->Advanced
> > > menu and add
> > > > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> > > >
> > > > However, all the proxy settings are coming from the ISA
> > > server, so any
> > > > entries into that area are overwritten whenever the FWC
> > > refreshes its
> > > > info. I cannot push these settings out via GPO either,
> > because the
> > > > FWC would override them.
> > > >
> > > > Is there a way to get these settings pushed out from the
> > ISA server?
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 22:54:32 -0500
http://www.ISAserver.org
I queried the server to see what was actually being sent to the
workstations, and they "appear" to be correct.
When I query http://10.20.1.1/wpad.dat (local subnet), I get a
configuration script matching the settings on the Network in the ISA
server. When I query http://10.20.1.1/wspad.dat I get the firewall
version of this file, with the appropriate settings for that Network
also. When I query http://10.20.1.1:8080/array.dll?Get.Routing.Script,
I get a duplicate of the wpad.dat file, all seems good.
When I query the same files using the 10.6.254.90 address instead
(Remote subnet), I get basically the same files, but the settings in
them match the settings for the remote subnet, which they should, so I'm
at a loss for what is causing the troubles. I made some changes in the
network properties, and when I re-queried the scripts, the changes
showed up on the appropriate network.
Since I was having problems with the DNS wpad designation, I set
everything up to use IPs instead. The only place I see referencing a
hostname is the wpad.dat/getarray file, where it says:
DirectNames=new MakeNames();
cDirectNames=3;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("gateway.MAPSNET.ORG",0,1.000000);
}
I'm not sure what this function does, but I'm wondering if it resolves
this hostname to the wrong subnet if that might be the cause.
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, December 12, 2005 9:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
Indeed. The autoconfig script is going to be the pain point for all but
one network, because there is only one autoconfig script maintained by
the ISA firewall, so if they try to connect to the Web proxy listener
that isn't local to their ISA firewall Network, then the connection
attempt will fail. I tried publishing the Web listener on the non-local
Network to the local Network, but no workie. I might try it again just
for fun, though.
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Monday, December 12, 2005 2:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Stefaan, I went through your article quite thoroughly, and it
> clarified
> many things for me, thanks. I decided to put these settings in place
> here, and have had mixed results.
>
> The difficulties seem to arise because I have multiple
> internal networks
> on my ISA server. I enabled the "Use automatic configuration script"
> option on both of these internal networks, but only one seems to be
> working good.
>
> On one of the subnets, when I have that option enabled, I watched the
> logs and saw that instead of using the web proxy, it is
> trying to access
> the external site directly using Port 80. When I disable that option,
> it goes through the web proxy like it should. However, I
> tried another
> computer on that same subnet, and everything worked perfect,
> so it just
> doesn't make sense.
>
> I've retrieved all the wspad.dat and wspad.dat files from
> both internet
> networks, and they appear to be correct. Any ideas?
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Monday, December 05, 2005 4:42 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Didn't you got my mail with the SRZ0505266000674 case history? I just
> resend
> the mail, just in case. ;-)
>
> After the usual first level blablabla the case was handled by Tommy
> Walker
> (second level) together with GTSC Matthew Rose and Christophe
> Despoges.
>
> Thereafter, Kristin Thomas (third level) was the owner:
>
> Kristin Thomas, MCSE, MCP
> Global Technical Support Center
> Platforms - Networking
> Microsoft Limited
> Tel: +44 118 909 4399
> Email: kthomas@xxxxxxxxxxxxx
>
> Then the case was transfered to Pierre Louis Coll, an Escalation
> Engineer in
> the Internet Explorer support team.
> Tel: +33 1 69 86 66 90
> Email: pierrelc@xxxxxxxxxxxxx
>
> That's all I have as contact information...
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: maandag 5 december 2005 22:06
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Are you sure that's not typo'd?
> Do you know what location took the case (US/CA, AP, Euro)?
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Monday, December 05, 2005 11:57
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> I'm listening ....
>
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: vrijdag 2 december 2005 20:59
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I'll tell Stefaan, but no one else because I'm in a mood; so there,
> thpthpthp.
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Friday, December 02, 2005 11:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Please keep me informed of what you find out, that is a big problem
> here.
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Friday, December 02, 2005 1:22 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Can you confirm what they (Microsoft PSS) have told me?
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: donderdag 1 december 2005 21:23
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> I've mailed you the SRZ0505266000674 case history concerning the DHCP
> issue
> with IE.
>
> Regards,
> Stefaan
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: donderdag 1 december 2005 21:16
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Will answer you offline...
>
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 21:01
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Worse yet - that KB isn't listed internally either.
> Where did you get that #?
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 11:02
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Tom,
>
> unfortunately the KB906055 fix is not yet published. I've tested the
> official release of the patch and it solves the problem for Windows XP
> SP2.
> Microsoft assured me that if you call PSS they will give you the fix.
>
> Also, the WinInet fix Jim was talking about has not yet been released.
> I've
> tested an interim version of the KB907455 fix but it didn't solve the
> problem completely yet. However, this fix should be valid for
> Windows XP
> SP1
> and SP2.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: donderdag 1 december 2005 16:52
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Stefaan,
>
> Thank you very much for pointing out that information! I am really
> remiss
> for not remembering this fact that you mentioned in your article :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Thursday, December 01, 2005 9:08 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > That's what described in my article
> > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> > l and related
> > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
> >
> > A fix for Windows XP SP2 is officialy released on November
> 11, 2005.
> > The related knowledge base article is KB906055 and should
> be available
>
> > soon on the web. IE uses an obsolete DHCP API but this API has been
> > fixed (DHCPCSVC) for Windows XP SP2 only.
> >
> > HTH,
> > Stefaan
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: donderdag 1 december 2005 15:54
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Don't use DHCP wpad - it's crap.
> > We've found that WinInet (what IE uses) can take up to 10
> seconds to
> > "digest" the DHCP data it gets.
> >
> > Use only DNS or WINS (if you must).
> >
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Thursday, December 01, 2005 6:20 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > I had to take those setting off again this morning, so I'm not sure
> > what the heck is going on...
> >
> > When opening up IE, it would take 2-3 minutes for the
> "Detecting Proxy
> > > Settings" in the status bar to go away, and then things would run
> sluggish.
> > By un-checking the "Automatically detect settings" and "Use
> automatic
> > configuration script" in IE things sped up dramatically, so I took
> > them back off the ISA server.
> >
> >
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 11:06 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > I've been through those articles many-many times trying to
> work this
> > out, and just went through them again. My eyes must be
> getting old,
> > although I read the last paragraph on the last page many times, I
> > still missed it until this last re-reading...
> >
> > Your clue in the e-mail helped though, I had the
> "Automatically detect
>
> > settings" and "Use automatic configuration script" turned
> off on the
> > "Firewall Client" tab from when we had the SurfControl proxy bypass
> > problem several months ago. With the solution you thought up, that
> > might not be an issue anymore. In any case, I'll leave
> them enabled
> > and see if people start having troubles.
> >
> > I don't see where it updated the setting in IE on the client, but I
> > also don't see it passing through the ISA server anymore,
> so it must
> > be using a different method.
> >
> > Thanks!
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 9:59 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Dan,
> >
> > Check the articles again. It'll show you how to configure
> the Direct
> > Access list on the ISA firewall and how to configure the clients to
> > use the autoconfig script so that they can use the Direct
> Access list.
> >
> > Also, make sure the Direct Access clients are configured with a DNS
> > server that allows them to resolve the name of the site to
> the site's
> > Internal address.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Wednesday, November 30, 2005 8:54 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > This Direct Access issue is rearing its ugly head again here.
> > >
> > > I'm running ISA2004, with the newest version of
> SurfControl. Or at
> > > least I "think" it's the newest version, as I cannot locate
> > any newer
> > > hotfixes for it...
> > >
> > > I've tried and tried to not loop the local webserver
> > through the ISA
> > > server, but have been unable to figure out a way to do it. Tom
> > > mentioned a couple of weeks ago that SurfControl
> basically disables
> > > the Direct Access abilities of the ISA server, so that
> > explains that
> > > part.
> > >
> > > Normally, I wouldn't mind the traffic passing through the
> > ISA server,
> > > as it has a 1Gbps network connect. But, the problem I'm
> > running into
> > > is that whenever we get a really heavy web traffic period,
> > accessing
> > > our local webserver is pathetically slow, i.e. it'll take over a
> > > minute to display the first page. It probably has to do
> with 800+
> > > people all clicking like mad at the same time...
> > >
> > > When I disable the Proxy settings in IE, I can browse our local
> > > webserver at full-speed, but cannot access the Internet.
> > If I go into
> > > the IE->Tools->Internet Options->LAN Settings->Advanced
> > menu and add
> > > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> > >
> > > However, all the proxy settings are coming from the ISA
> > server, so any
> > > entries into that area are overwritten whenever the FWC
> > refreshes its
> > > info. I cannot push these settings out via GPO either,
> because the
> > > FWC would override them.
> > >
> > > Is there a way to get these settings pushed out from the
> ISA server?
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 21:57:57 -0500
http://www.ISAserver.org
Hi Dan,
Indeed. The autoconfig script is going to be the pain point for all but
one network, because there is only one autoconfig script maintained by
the ISA firewall, so if they try to connect to the Web proxy listener
that isn't local to their ISA firewall Network, then the connection
attempt will fail. I tried publishing the Web listener on the non-local
Network to the local Network, but no workie. I might try it again just
for fun, though.
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Monday, December 12, 2005 2:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Stefaan, I went through your article quite thoroughly, and it
> clarified
> many things for me, thanks. I decided to put these settings in place
> here, and have had mixed results.
>
> The difficulties seem to arise because I have multiple
> internal networks
> on my ISA server. I enabled the "Use automatic configuration script"
> option on both of these internal networks, but only one seems to be
> working good.
>
> On one of the subnets, when I have that option enabled, I watched the
> logs and saw that instead of using the web proxy, it is
> trying to access
> the external site directly using Port 80. When I disable that option,
> it goes through the web proxy like it should. However, I
> tried another
> computer on that same subnet, and everything worked perfect,
> so it just
> doesn't make sense.
>
> I've retrieved all the wspad.dat and wspad.dat files from
> both internet
> networks, and they appear to be correct. Any ideas?
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Monday, December 05, 2005 4:42 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Didn't you got my mail with the SRZ0505266000674 case history? I just
> resend
> the mail, just in case. ;-)
>
> After the usual first level blablabla the case was handled by Tommy
> Walker
> (second level) together with GTSC Matthew Rose and Christophe
> Despoges.
>
> Thereafter, Kristin Thomas (third level) was the owner:
>
> Kristin Thomas, MCSE, MCP
> Global Technical Support Center
> Platforms - Networking
> Microsoft Limited
> Tel: +44 118 909 4399
> Email: kthomas@xxxxxxxxxxxxx
>
> Then the case was transfered to Pierre Louis Coll, an Escalation
> Engineer in
> the Internet Explorer support team.
> Tel: +33 1 69 86 66 90
> Email: pierrelc@xxxxxxxxxxxxx
>
> That's all I have as contact information...
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: maandag 5 december 2005 22:06
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Are you sure that's not typo'd?
> Do you know what location took the case (US/CA, AP, Euro)?
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Monday, December 05, 2005 11:57
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> I'm listening ....
>
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: vrijdag 2 december 2005 20:59
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I'll tell Stefaan, but no one else because I'm in a mood; so there,
> thpthpthp.
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Friday, December 02, 2005 11:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Please keep me informed of what you find out, that is a big problem
> here.
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Friday, December 02, 2005 1:22 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Can you confirm what they (Microsoft PSS) have told me?
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: donderdag 1 december 2005 21:23
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> I've mailed you the SRZ0505266000674 case history concerning the DHCP
> issue
> with IE.
>
> Regards,
> Stefaan
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: donderdag 1 december 2005 21:16
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Will answer you offline...
>
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 21:01
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Worse yet - that KB isn't listed internally either.
> Where did you get that #?
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 11:02
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Tom,
>
> unfortunately the KB906055 fix is not yet published. I've tested the
> official release of the patch and it solves the problem for Windows XP
> SP2.
> Microsoft assured me that if you call PSS they will give you the fix.
>
> Also, the WinInet fix Jim was talking about has not yet been released.
> I've
> tested an interim version of the KB907455 fix but it didn't solve the
> problem completely yet. However, this fix should be valid for
> Windows XP
> SP1
> and SP2.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: donderdag 1 december 2005 16:52
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Stefaan,
>
> Thank you very much for pointing out that information! I am really
> remiss
> for not remembering this fact that you mentioned in your article :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Thursday, December 01, 2005 9:08 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > That's what described in my article
> > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> > l and related
> > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
> >
> > A fix for Windows XP SP2 is officialy released on November
> 11, 2005.
> > The related knowledge base article is KB906055 and should
> be available
>
> > soon on the web. IE uses an obsolete DHCP API but this API has been
> > fixed (DHCPCSVC) for Windows XP SP2 only.
> >
> > HTH,
> > Stefaan
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: donderdag 1 december 2005 15:54
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Don't use DHCP wpad - it's crap.
> > We've found that WinInet (what IE uses) can take up to 10
> seconds to
> > "digest" the DHCP data it gets.
> >
> > Use only DNS or WINS (if you must).
> >
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Thursday, December 01, 2005 6:20 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > I had to take those setting off again this morning, so I'm not sure
> > what the heck is going on...
> >
> > When opening up IE, it would take 2-3 minutes for the
> "Detecting Proxy
> > > Settings" in the status bar to go away, and then things would run
> sluggish.
> > By un-checking the "Automatically detect settings" and "Use
> automatic
> > configuration script" in IE things sped up dramatically, so I took
> > them back off the ISA server.
> >
> >
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 11:06 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > I've been through those articles many-many times trying to
> work this
> > out, and just went through them again. My eyes must be
> getting old,
> > although I read the last paragraph on the last page many times, I
> > still missed it until this last re-reading...
> >
> > Your clue in the e-mail helped though, I had the
> "Automatically detect
>
> > settings" and "Use automatic configuration script" turned
> off on the
> > "Firewall Client" tab from when we had the SurfControl proxy bypass
> > problem several months ago. With the solution you thought up, that
> > might not be an issue anymore. In any case, I'll leave
> them enabled
> > and see if people start having troubles.
> >
> > I don't see where it updated the setting in IE on the client, but I
> > also don't see it passing through the ISA server anymore,
> so it must
> > be using a different method.
> >
> > Thanks!
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 9:59 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Dan,
> >
> > Check the articles again. It'll show you how to configure
> the Direct
> > Access list on the ISA firewall and how to configure the clients to
> > use the autoconfig script so that they can use the Direct
> Access list.
> >
> > Also, make sure the Direct Access clients are configured with a DNS
> > server that allows them to resolve the name of the site to
> the site's
> > Internal address.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Wednesday, November 30, 2005 8:54 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > This Direct Access issue is rearing its ugly head again here.
> > >
> > > I'm running ISA2004, with the newest version of
> SurfControl. Or at
> > > least I "think" it's the newest version, as I cannot locate
> > any newer
> > > hotfixes for it...
> > >
> > > I've tried and tried to not loop the local webserver
> > through the ISA
> > > server, but have been unable to figure out a way to do it. Tom
> > > mentioned a couple of weeks ago that SurfControl
> basically disables
> > > the Direct Access abilities of the ISA server, so that
> > explains that
> > > part.
> > >
> > > Normally, I wouldn't mind the traffic passing through the
> > ISA server,
> > > as it has a 1Gbps network connect. But, the problem I'm
> > running into
> > > is that whenever we get a really heavy web traffic period,
> > accessing
> > > our local webserver is pathetically slow, i.e. it'll take over a
> > > minute to display the first page. It probably has to do
> with 800+
> > > people all clicking like mad at the same time...
> > >
> > > When I disable the Proxy settings in IE, I can browse our local
> > > webserver at full-speed, but cannot access the Internet.
> > If I go into
> > > the IE->Tools->Internet Options->LAN Settings->Advanced
> > menu and add
> > > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> > >
> > > However, all the proxy settings are coming from the ISA
> > server, so any
> > > entries into that area are overwritten whenever the FWC
> > refreshes its
> > > info. I cannot push these settings out via GPO either,
> because the
> > > FWC would override them.
> > >
> > > Is there a way to get these settings pushed out from the
> ISA server?
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 15:26:12 -0500
http://www.ISAserver.org
Stefaan, I went through your article quite thoroughly, and it clarified
many things for me, thanks. I decided to put these settings in place
here, and have had mixed results.
The difficulties seem to arise because I have multiple internal networks
on my ISA server. I enabled the "Use automatic configuration script"
option on both of these internal networks, but only one seems to be
working good.
On one of the subnets, when I have that option enabled, I watched the
logs and saw that instead of using the web proxy, it is trying to access
the external site directly using Port 80. When I disable that option,
it goes through the web proxy like it should. However, I tried another
computer on that same subnet, and everything worked perfect, so it just
doesn't make sense.
I've retrieved all the wspad.dat and wspad.dat files from both internet
networks, and they appear to be correct. Any ideas?
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Monday, December 05, 2005 4:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Didn't you got my mail with the SRZ0505266000674 case history? I just
resend
the mail, just in case. ;-)
After the usual first level blablabla the case was handled by Tommy
Walker
(second level) together with GTSC Matthew Rose and Christophe Despoges.
Thereafter, Kristin Thomas (third level) was the owner:
Kristin Thomas, MCSE, MCP
Global Technical Support Center
Platforms - Networking
Microsoft Limited
Tel: +44 118 909 4399
Email: kthomas@xxxxxxxxxxxxx
Then the case was transfered to Pierre Louis Coll, an Escalation
Engineer in
the Internet Explorer support team.
Tel: +33 1 69 86 66 90
Email: pierrelc@xxxxxxxxxxxxx
That's all I have as contact information...
Thanks,
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: maandag 5 december 2005 22:06
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Are you sure that's not typo'd?
Do you know what location took the case (US/CA, AP, Euro)?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Monday, December 05, 2005 11:57
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I'm listening ....
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: vrijdag 2 december 2005 20:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I'll tell Stefaan, but no one else because I'm in a mood; so there,
thpthpthp.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, December 02, 2005 11:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Please keep me informed of what you find out, that is a big problem
here.
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Friday, December 02, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP
issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP
SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released.
I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP
SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really
remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 16:41:37 -0500
http://www.ISAserver.org
Hi Jim,
Didn't you got my mail with the SRZ0505266000674 case history? I just resend
the mail, just in case. ;-)
After the usual first level blablabla the case was handled by Tommy Walker
(second level) together with GTSC Matthew Rose and Christophe Despoges.
Thereafter, Kristin Thomas (third level) was the owner:
Kristin Thomas, MCSE, MCP
Global Technical Support Center
Platforms - Networking
Microsoft Limited
Tel: +44 118 909 4399
Email: kthomas@xxxxxxxxxxxxx
Then the case was transfered to Pierre Louis Coll, an Escalation Engineer in
the Internet Explorer support team.
Tel: +33 1 69 86 66 90
Email: pierrelc@xxxxxxxxxxxxx
That's all I have as contact information...
Thanks,
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: maandag 5 december 2005 22:06
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Are you sure that's not typo'd?
Do you know what location took the case (US/CA, AP, Euro)?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Monday, December 05, 2005 11:57
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I'm listening ....
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: vrijdag 2 december 2005 20:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I'll tell Stefaan, but no one else because I'm in a mood; so there,
thpthpthp.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, December 02, 2005 11:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Please keep me informed of what you find out, that is a big problem here.
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Friday, December 02, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released.
I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP
SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 16:05:33 -0500
http://www.ISAserver.org
Are you sure that's not typo'd?
Do you know what location took the case (US/CA, AP, Euro)?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Monday, December 05, 2005 11:57
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I'm listening ....
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: vrijdag 2 december 2005 20:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, December 02, 2005 11:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Please keep me informed of what you find out, that is a big problem here.
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Friday, December 02, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the official
release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released.
I've
tested an interim version of the KB907455 fix but it didn't solve the problem
completely yet. However, this fix should be valid for Windows XP
SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss for
not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 14:56:47 -0500
http://www.ISAserver.org
Hi Jim,
I'm listening ....
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: vrijdag 2 december 2005 20:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I'll tell Stefaan, but no one else because I'm in a mood; so there,
thpthpthp.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, December 02, 2005 11:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Please keep me informed of what you find out, that is a big problem here.
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Friday, December 02, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released.
I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP
SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 15:13:49 -0500
http://www.ISAserver.org
So, you're feeling normal then?
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, December 02, 2005 2:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I'll tell Stefaan, but no one else because I'm in a mood; so there,
thpthpthp.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, December 02, 2005 11:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Please keep me informed of what you find out, that is a big problem
here.
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Friday, December 02, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP
issue with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP
SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released.
I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP
SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really
remiss for not remembering this fact that you mentioned in your article
:(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 14:59:08 -0500
http://www.ISAserver.org
I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Friday, December 02, 2005 11:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Please keep me informed of what you find out, that is a big problem here.
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Friday, December 02, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the official
release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released.
I've
tested an interim version of the KB907455 fix but it didn't solve the problem
completely yet. However, this fix should be valid for Windows XP
SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss for
not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 14:53:34 -0500
http://www.ISAserver.org
Please keep me informed of what you find out, that is a big problem
here.
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Friday, December 02, 2005 1:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP
issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP
SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released.
I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP
SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really
remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 13:22:29 -0500
http://www.ISAserver.org
Hi Jim,
Can you confirm what they (Microsoft PSS) have told me?
Thanks,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released. I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 15:23:18 -0500
http://www.ISAserver.org
Hi Jim,
I've mailed you the SRZ0505266000674 case history concerning the DHCP issue
with IE.
Regards,
Stefaan
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: donderdag 1 december 2005 21:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released. I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 15:15:49 -0500
http://www.ISAserver.org
Hi Jim,
Will answer you offline...
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 21:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released. I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> Settings" in the status bar to go away, and then things would run
> sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 15:00:52 -0500
http://www.ISAserver.org
Worse yet - that KB isn't listed internally either.
Where did you get that #?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 11:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the official
release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released. I've
tested an interim version of the KB907455 fix but it didn't solve the problem
completely yet. However, this fix should be valid for Windows XP SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss for
not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> Settings" in the status bar to go away, and then things would run
> sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 14:01:50 -0500
http://www.ISAserver.org
Hi Tom,
unfortunately the KB906055 fix is not yet published. I've tested the
official release of the patch and it solves the problem for Windows XP SP2.
Microsoft assured me that if you call PSS they will give you the fix.
Also, the WinInet fix Jim was talking about has not yet been released. I've
tested an interim version of the KB907455 fix but it didn't solve the
problem completely yet. However, this fix should be valid for Windows XP SP1
and SP2.
HTH,
Stefaan
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: donderdag 1 december 2005 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really remiss
for not remembering this fact that you mentioned in your article :(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November 11, 2005.
> The related knowledge base article is KB906055 and should be available
> soon on the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC) for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm not sure
> what the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> Settings" in the status bar to go away, and then things would run
> sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I took
> them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many times, I
> still missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them enabled
> and see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client, but I
> also don't see it passing through the ISA server anymore, so it must
> be using a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the clients to
> use the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:52:02 -0500
http://www.ISAserver.org
Hi Stefaan,
Thank you very much for pointing out that information! I am really
remiss for not remembering this fact that you mentioned in your article
:(
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> That's what described in my article
> http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm
> l and related
> topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
>
> A fix for Windows XP SP2 is officialy released on November
> 11, 2005. The
> related knowledge base article is KB906055 and should be
> available soon on
> the web. IE uses an obsolete DHCP API but this API has been
> fixed (DHCPCSVC)
> for Windows XP SP2 only.
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: donderdag 1 december 2005 15:54
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Don't use DHCP wpad - it's crap.
> We've found that WinInet (what IE uses) can take up to 10 seconds to
> "digest" the DHCP data it gets.
>
> Use only DNS or WINS (if you must).
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 6:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm
> not sure what the
> heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> Settings" in the status bar to go away, and then things would
> run sluggish.
> By un-checking the "Automatically detect settings" and "Use automatic
> configuration script" in IE things sped up dramatically, so I
> took them back
> off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to
> work this out,
> and just went through them again. My eyes must be getting
> old, although I
> read the last paragraph on the last page many times, I still
> missed it until
> this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy
> bypass problem
> several months ago. With the solution you thought up, that
> might not be an
> issue anymore. In any case, I'll leave them enabled and see
> if people start
> having troubles.
>
> I don't see where it updated the setting in IE on the client,
> but I also
> don't see it passing through the ISA server anymore, so it
> must be using a
> different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the
> Direct Access
> list on the ISA firewall and how to configure the clients to use the
> autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with
> a DNS server
> that allows them to resolve the name of the site to the
> site's Internal
> address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver
> through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically disables
> > the Direct Access abilities of the ISA server, so that
> explains that
> > part.
> >
> > Normally, I wouldn't mind the traffic passing through the
> ISA server,
> > as it has a 1Gbps network connect. But, the problem I'm
> running into
> > is that whenever we get a really heavy web traffic period,
> accessing
> > our local webserver is pathetically slow, i.e. it'll take over a
> > minute to display the first page. It probably has to do with 800+
> > people all clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either, because the
> > FWC would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:14:34 -0500
http://www.ISAserver.org
Cool! I'll have to spend more time reading that, but it looks like it
might clear some of the confusion I've had about the two settings that
seem to be causing me the most grief!
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Thursday, December 01, 2005 10:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Jim,
That's what described in my article
http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html and
related
topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
A fix for Windows XP SP2 is officialy released on November 11, 2005. The
related knowledge base article is KB906055 and should be available soon
on
the web. IE uses an obsolete DHCP API but this API has been fixed
(DHCPCSVC)
for Windows XP SP2 only.
HTH,
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 15:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Don't use DHCP wpad - it's crap.
We've found that WinInet (what IE uses) can take up to 10 seconds to
"digest" the DHCP data it gets.
Use only DNS or WINS (if you must).
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Thursday, December 01, 2005 6:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I had to take those setting off again this morning, so I'm not sure what
the
heck is going on...
When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
Settings" in the status bar to go away, and then things would run
sluggish.
By un-checking the "Automatically detect settings" and "Use automatic
configuration script" in IE things sped up dramatically, so I took them
back
off the ISA server.
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 11:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I've been through those articles many-many times trying to work this
out,
and just went through them again. My eyes must be getting old, although
I
read the last paragraph on the last page many times, I still missed it
until
this last re-reading...
Your clue in the e-mail helped though, I had the "Automatically detect
settings" and "Use automatic configuration script" turned off on the
"Firewall Client" tab from when we had the SurfControl proxy bypass
problem
several months ago. With the solution you thought up, that might not be
an
issue anymore. In any case, I'll leave them enabled and see if people
start
having troubles.
I don't see where it updated the setting in IE on the client, but I also
don't see it passing through the ISA server anymore, so it must be using
a
different method.
Thanks!
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
Check the articles again. It'll show you how to configure the Direct
Access
list on the ISA firewall and how to configure the clients to use the
autoconfig script so that they can use the Direct Access list.
Also, make sure the Direct Access clients are configured with a DNS
server
that allows them to resolve the name of the site to the site's Internal
address.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> This Direct Access issue is rearing its ugly head again here.
>
> I'm running ISA2004, with the newest version of SurfControl. Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
>
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it. Tom
> mentioned a couple of weeks ago that SurfControl basically disables
> the Direct Access abilities of the ISA server, so that explains that
> part.
>
> Normally, I wouldn't mind the traffic passing through the ISA server,
> as it has a 1Gbps network connect. But, the problem I'm running into
> is that whenever we get a really heavy web traffic period, accessing
> our local webserver is pathetically slow, i.e. it'll take over a
> minute to display the first page. It probably has to do with 800+
> people all clicking like mad at the same time...
>
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet. If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
>
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info. I cannot push these settings out via GPO either, because the
> FWC would override them.
>
> Is there a way to get these settings pushed out from the ISA server?
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:09:10 -0500
http://www.ISAserver.org
Okay, if I remember right, the reason I went with DHCP for that is due
to multiple internal networks. I.e., if the 10.20.x.x subnet pulls the
wpad info from 10.20.1.1, while the 10.6.x.x subnet pulls the wpad info
from 10.6.254.90. If they pull the wpad info from the wrong IP, they'll
get the wrong connection information.
When I tried using the DNS to push out the wpad info, it kept resolving
to the wrong IP address, i.e. the 10.6.x.x subnet would try to pull the
wpad info from 10.20.1.1 instead. All subnets use the same forward
lookup zone, so even though there are several DNS servers on the
10.6.x.x subnet, they replicate the same information across all subnets.
Someone mentioned that you can define multiple IP addresses in the DNS
server for wpad, but I haven't quite fiqured out how that would work
yet. So, do you think that would speed things up dramatically if I
switched (provided I could figure out how to do it)?
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, December 01, 2005 9:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Don't use DHCP wpad - it's crap.
We've found that WinInet (what IE uses) can take up to 10 seconds to
"digest" the DHCP data it gets.
Use only DNS or WINS (if you must).
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Thursday, December 01, 2005 6:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I had to take those setting off again this morning, so I'm not sure what
the heck is going on...
When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
Settings" in the status bar to go away, and then things would run
sluggish. By un-checking the "Automatically detect settings" and "Use
automatic configuration script" in IE things sped up dramatically, so I
took them back off the ISA server.
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 11:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I've been through those articles many-many times trying to work this
out, and just went through them again. My eyes must be getting old,
although I read the last paragraph on the last page many times, I still
missed it until this last re-reading...
Your clue in the e-mail helped though, I had the "Automatically detect
settings" and "Use automatic configuration script" turned off on the
"Firewall Client" tab from when we had the SurfControl proxy bypass
problem several months ago. With the solution you thought up, that
might not be an issue anymore. In any case, I'll leave them enabled and
see if people start having troubles.
I don't see where it updated the setting in IE on the client, but I also
don't see it passing through the ISA server anymore, so it must be using
a different method.
Thanks!
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
Check the articles again. It'll show you how to configure the Direct
Access list on the ISA firewall and how to configure the clients to use
the autoconfig script so that they can use the Direct Access list.
Also, make sure the Direct Access clients are configured with a DNS
server that allows them to resolve the name of the site to the site's
Internal address.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> This Direct Access issue is rearing its ugly head again here.
>
> I'm running ISA2004, with the newest version of SurfControl. Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
>
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it. Tom
> mentioned a couple of weeks ago that SurfControl basically
> disables the
> Direct Access abilities of the ISA server, so that explains that part.
>
> Normally, I wouldn't mind the traffic passing through the ISA
> server, as
> it has a 1Gbps network connect. But, the problem I'm running into is
> that whenever we get a really heavy web traffic period, accessing our
> local webserver is pathetically slow, i.e. it'll take over a minute to
> display the first page. It probably has to do with 800+ people all
> clicking like mad at the same time...
>
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet. If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
>
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info. I cannot push these settings out via GPO either,
> because the FWC
> would override them.
>
> Is there a way to get these settings pushed out from the ISA server?
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:07:36 -0500
http://www.ISAserver.org
Hi Jim,
That's what described in my article
http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html and related
topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm.
A fix for Windows XP SP2 is officialy released on November 11, 2005. The
related knowledge base article is KB906055 and should be available soon on
the web. IE uses an obsolete DHCP API but this API has been fixed (DHCPCSVC)
for Windows XP SP2 only.
HTH,
Stefaan
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: donderdag 1 december 2005 15:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Don't use DHCP wpad - it's crap.
We've found that WinInet (what IE uses) can take up to 10 seconds to
"digest" the DHCP data it gets.
Use only DNS or WINS (if you must).
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Thursday, December 01, 2005 6:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I had to take those setting off again this morning, so I'm not sure what the
heck is going on...
When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
Settings" in the status bar to go away, and then things would run sluggish.
By un-checking the "Automatically detect settings" and "Use automatic
configuration script" in IE things sped up dramatically, so I took them back
off the ISA server.
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 11:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I've been through those articles many-many times trying to work this out,
and just went through them again. My eyes must be getting old, although I
read the last paragraph on the last page many times, I still missed it until
this last re-reading...
Your clue in the e-mail helped though, I had the "Automatically detect
settings" and "Use automatic configuration script" turned off on the
"Firewall Client" tab from when we had the SurfControl proxy bypass problem
several months ago. With the solution you thought up, that might not be an
issue anymore. In any case, I'll leave them enabled and see if people start
having troubles.
I don't see where it updated the setting in IE on the client, but I also
don't see it passing through the ISA server anymore, so it must be using a
different method.
Thanks!
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
Check the articles again. It'll show you how to configure the Direct Access
list on the ISA firewall and how to configure the clients to use the
autoconfig script so that they can use the Direct Access list.
Also, make sure the Direct Access clients are configured with a DNS server
that allows them to resolve the name of the site to the site's Internal
address.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> This Direct Access issue is rearing its ugly head again here.
>
> I'm running ISA2004, with the newest version of SurfControl. Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
>
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it. Tom
> mentioned a couple of weeks ago that SurfControl basically disables
> the Direct Access abilities of the ISA server, so that explains that
> part.
>
> Normally, I wouldn't mind the traffic passing through the ISA server,
> as it has a 1Gbps network connect. But, the problem I'm running into
> is that whenever we get a really heavy web traffic period, accessing
> our local webserver is pathetically slow, i.e. it'll take over a
> minute to display the first page. It probably has to do with 800+
> people all clicking like mad at the same time...
>
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet. If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
>
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info. I cannot push these settings out via GPO either, because the
> FWC would override them.
>
> Is there a way to get these settings pushed out from the ISA server?
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:57:37 -0500
http://www.ISAserver.org
Then confiugre the Firewall client to only deliver the autoconfig
script. I said that in a message yesterday.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 8:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> The configuration script is generated by ISA, right? Or is
> there a way
> to modify it manually?
>
> When I push it out via GPO, the FWC overrides any settings I
> made, so I
> can't use that method without disabling the configuration from FWC.
>
> You know, the more I try to explain it, the more I get confused! Time
> to go back to bed...
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:38 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> That's what I always do as well, or configure the configuration script
> via GPO or script.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Thursday, December 01, 2005 8:20 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > I had to take those setting off again this morning, so I'm
> > not sure what
> > the heck is going on...
> >
> > When opening up IE, it would take 2-3 minutes for the
> "Detecting Proxy
> > Settings" in the status bar to go away, and then things would run
> > sluggish. By un-checking the "Automatically detect
> settings" and "Use
> > automatic configuration script" in IE things sped up
> > dramatically, so I
> > took them back off the ISA server.
> >
> >
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 11:06 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > I've been through those articles many-many times trying to work this
> > out, and just went through them again. My eyes must be getting old,
> > although I read the last paragraph on the last page many
> > times, I still
> > missed it until this last re-reading...
> >
> > Your clue in the e-mail helped though, I had the
> "Automatically detect
> > settings" and "Use automatic configuration script" turned off on the
> > "Firewall Client" tab from when we had the SurfControl proxy bypass
> > problem several months ago. With the solution you thought up, that
> > might not be an issue anymore. In any case, I'll leave them
> > enabled and
> > see if people start having troubles.
> >
> > I don't see where it updated the setting in IE on the client,
> > but I also
> > don't see it passing through the ISA server anymore, so it
> > must be using
> > a different method.
> >
> > Thanks!
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 9:59 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > Hi Dan,
> >
> > Check the articles again. It'll show you how to configure the Direct
> > Access list on the ISA firewall and how to configure the
> > clients to use
> > the autoconfig script so that they can use the Direct Access list.
> >
> > Also, make sure the Direct Access clients are configured with a DNS
> > server that allows them to resolve the name of the site to
> the site's
> > Internal address.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Wednesday, November 30, 2005 8:54 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Direct Access Issues w/SurfControl
> > >
> > > http://www.ISAserver.org
> > >
> > > This Direct Access issue is rearing its ugly head again here.
> > >
> > > I'm running ISA2004, with the newest version of
> SurfControl. Or at
> > > least I "think" it's the newest version, as I cannot locate
> > any newer
> > > hotfixes for it...
> > >
> > > I've tried and tried to not loop the local webserver
> through the ISA
> > > server, but have been unable to figure out a way to do it. Tom
> > > mentioned a couple of weeks ago that SurfControl basically
> > > disables the
> > > Direct Access abilities of the ISA server, so that explains
> > that part.
> > >
> > > Normally, I wouldn't mind the traffic passing through the ISA
> > > server, as
> > > it has a 1Gbps network connect. But, the problem I'm
> > running into is
> > > that whenever we get a really heavy web traffic period,
> > accessing our
> > > local webserver is pathetically slow, i.e. it'll take over
> > a minute to
> > > display the first page. It probably has to do with 800+
> people all
> > > clicking like mad at the same time...
> > >
> > > When I disable the Proxy settings in IE, I can browse our local
> > > webserver at full-speed, but cannot access the Internet.
> > If I go into
> > > the IE->Tools->Internet Options->LAN Settings->Advanced
> menu and add
> > > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> > >
> > > However, all the proxy settings are coming from the ISA
> > server, so any
> > > entries into that area are overwritten whenever the FWC
> > refreshes its
> > > info. I cannot push these settings out via GPO either,
> > > because the FWC
> > > would override them.
> > >
> > > Is there a way to get these settings pushed out from the
> ISA server?
> > >
> > >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > dball@xxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:54:17 -0500
http://www.ISAserver.org
Don't use DHCP wpad - it's crap.
We've found that WinInet (what IE uses) can take up to 10 seconds to
"digest" the DHCP data it gets.
Use only DNS or WINS (if you must).
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Thursday, December 01, 2005 6:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I had to take those setting off again this morning, so I'm not sure what
the heck is going on...
When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
Settings" in the status bar to go away, and then things would run
sluggish. By un-checking the "Automatically detect settings" and "Use
automatic configuration script" in IE things sped up dramatically, so I
took them back off the ISA server.
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 11:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I've been through those articles many-many times trying to work this
out, and just went through them again. My eyes must be getting old,
although I read the last paragraph on the last page many times, I still
missed it until this last re-reading...
Your clue in the e-mail helped though, I had the "Automatically detect
settings" and "Use automatic configuration script" turned off on the
"Firewall Client" tab from when we had the SurfControl proxy bypass
problem several months ago. With the solution you thought up, that
might not be an issue anymore. In any case, I'll leave them enabled and
see if people start having troubles.
I don't see where it updated the setting in IE on the client, but I also
don't see it passing through the ISA server anymore, so it must be using
a different method.
Thanks!
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
Check the articles again. It'll show you how to configure the Direct
Access list on the ISA firewall and how to configure the clients to use
the autoconfig script so that they can use the Direct Access list.
Also, make sure the Direct Access clients are configured with a DNS
server that allows them to resolve the name of the site to the site's
Internal address.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> This Direct Access issue is rearing its ugly head again here.
>
> I'm running ISA2004, with the newest version of SurfControl. Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
>
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it. Tom
> mentioned a couple of weeks ago that SurfControl basically
> disables the
> Direct Access abilities of the ISA server, so that explains that part.
>
> Normally, I wouldn't mind the traffic passing through the ISA
> server, as
> it has a 1Gbps network connect. But, the problem I'm running into is
> that whenever we get a really heavy web traffic period, accessing our
> local webserver is pathetically slow, i.e. it'll take over a minute to
> display the first page. It probably has to do with 800+ people all
> clicking like mad at the same time...
>
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet. If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
>
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info. I cannot push these settings out via GPO either,
> because the FWC
> would override them.
>
> Is there a way to get these settings pushed out from the ISA server?
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:43:33 -0500
http://www.ISAserver.org
The configuration script is generated by ISA, right? Or is there a way
to modify it manually?
When I push it out via GPO, the FWC overrides any settings I made, so I
can't use that method without disabling the configuration from FWC.
You know, the more I try to explain it, the more I get confused! Time
to go back to bed...
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, December 01, 2005 9:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
That's what I always do as well, or configure the configuration script
via GPO or script.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 8:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm
> not sure what
> the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> Settings" in the status bar to go away, and then things would run
> sluggish. By un-checking the "Automatically detect settings" and "Use
> automatic configuration script" in IE things sped up
> dramatically, so I
> took them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many
> times, I still
> missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them
> enabled and
> see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client,
> but I also
> don't see it passing through the ISA server anymore, so it
> must be using
> a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the
> clients to use
> the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically
> > disables the
> > Direct Access abilities of the ISA server, so that explains
> that part.
> >
> > Normally, I wouldn't mind the traffic passing through the ISA
> > server, as
> > it has a 1Gbps network connect. But, the problem I'm
> running into is
> > that whenever we get a really heavy web traffic period,
> accessing our
> > local webserver is pathetically slow, i.e. it'll take over
> a minute to
> > display the first page. It probably has to do with 800+ people all
> > clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either,
> > because the FWC
> > would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:38:02 -0500
http://www.ISAserver.org
Hi Dan,
That's what I always do as well, or configure the configuration script
via GPO or script.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 8:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I had to take those setting off again this morning, so I'm
> not sure what
> the heck is going on...
>
> When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
> Settings" in the status bar to go away, and then things would run
> sluggish. By un-checking the "Automatically detect settings" and "Use
> automatic configuration script" in IE things sped up
> dramatically, so I
> took them back off the ISA server.
>
>
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 11:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> I've been through those articles many-many times trying to work this
> out, and just went through them again. My eyes must be getting old,
> although I read the last paragraph on the last page many
> times, I still
> missed it until this last re-reading...
>
> Your clue in the e-mail helped though, I had the "Automatically detect
> settings" and "Use automatic configuration script" turned off on the
> "Firewall Client" tab from when we had the SurfControl proxy bypass
> problem several months ago. With the solution you thought up, that
> might not be an issue anymore. In any case, I'll leave them
> enabled and
> see if people start having troubles.
>
> I don't see where it updated the setting in IE on the client,
> but I also
> don't see it passing through the ISA server anymore, so it
> must be using
> a different method.
>
> Thanks!
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 9:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> Check the articles again. It'll show you how to configure the Direct
> Access list on the ISA firewall and how to configure the
> clients to use
> the autoconfig script so that they can use the Direct Access list.
>
> Also, make sure the Direct Access clients are configured with a DNS
> server that allows them to resolve the name of the site to the site's
> Internal address.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, November 30, 2005 8:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Direct Access Issues w/SurfControl
> >
> > http://www.ISAserver.org
> >
> > This Direct Access issue is rearing its ugly head again here.
> >
> > I'm running ISA2004, with the newest version of SurfControl. Or at
> > least I "think" it's the newest version, as I cannot locate
> any newer
> > hotfixes for it...
> >
> > I've tried and tried to not loop the local webserver through the ISA
> > server, but have been unable to figure out a way to do it. Tom
> > mentioned a couple of weeks ago that SurfControl basically
> > disables the
> > Direct Access abilities of the ISA server, so that explains
> that part.
> >
> > Normally, I wouldn't mind the traffic passing through the ISA
> > server, as
> > it has a 1Gbps network connect. But, the problem I'm
> running into is
> > that whenever we get a really heavy web traffic period,
> accessing our
> > local webserver is pathetically slow, i.e. it'll take over
> a minute to
> > display the first page. It probably has to do with 800+ people all
> > clicking like mad at the same time...
> >
> > When I disable the Proxy settings in IE, I can browse our local
> > webserver at full-speed, but cannot access the Internet.
> If I go into
> > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> > "*.mapsnet.org" as addresses to bypass proxy, this also works.
> >
> > However, all the proxy settings are coming from the ISA
> server, so any
> > entries into that area are overwritten whenever the FWC
> refreshes its
> > info. I cannot push these settings out via GPO either,
> > because the FWC
> > would override them.
> >
> > Is there a way to get these settings pushed out from the ISA server?
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> dball@xxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:20:12 -0500
http://www.ISAserver.org
I had to take those setting off again this morning, so I'm not sure what
the heck is going on...
When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
Settings" in the status bar to go away, and then things would run
sluggish. By un-checking the "Automatically detect settings" and "Use
automatic configuration script" in IE things sped up dramatically, so I
took them back off the ISA server.
-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 11:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
I've been through those articles many-many times trying to work this
out, and just went through them again. My eyes must be getting old,
although I read the last paragraph on the last page many times, I still
missed it until this last re-reading...
Your clue in the e-mail helped though, I had the "Automatically detect
settings" and "Use automatic configuration script" turned off on the
"Firewall Client" tab from when we had the SurfControl proxy bypass
problem several months ago. With the solution you thought up, that
might not be an issue anymore. In any case, I'll leave them enabled and
see if people start having troubles.
I don't see where it updated the setting in IE on the client, but I also
don't see it passing through the ISA server anymore, so it must be using
a different method.
Thanks!
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
Check the articles again. It'll show you how to configure the Direct
Access list on the ISA firewall and how to configure the clients to use
the autoconfig script so that they can use the Direct Access list.
Also, make sure the Direct Access clients are configured with a DNS
server that allows them to resolve the name of the site to the site's
Internal address.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> This Direct Access issue is rearing its ugly head again here.
>
> I'm running ISA2004, with the newest version of SurfControl. Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
>
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it. Tom
> mentioned a couple of weeks ago that SurfControl basically
> disables the
> Direct Access abilities of the ISA server, so that explains that part.
>
> Normally, I wouldn't mind the traffic passing through the ISA
> server, as
> it has a 1Gbps network connect. But, the problem I'm running into is
> that whenever we get a really heavy web traffic period, accessing our
> local webserver is pathetically slow, i.e. it'll take over a minute to
> display the first page. It probably has to do with 800+ people all
> clicking like mad at the same time...
>
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet. If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
>
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info. I cannot push these settings out via GPO either,
> because the FWC
> would override them.
>
> Is there a way to get these settings pushed out from the ISA server?
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 11:05:44 -0500
http://www.ISAserver.org
I've been through those articles many-many times trying to work this
out, and just went through them again. My eyes must be getting old,
although I read the last paragraph on the last page many times, I still
missed it until this last re-reading...
Your clue in the e-mail helped though, I had the "Automatically detect
settings" and "Use automatic configuration script" turned off on the
"Firewall Client" tab from when we had the SurfControl proxy bypass
problem several months ago. With the solution you thought up, that
might not be an issue anymore. In any case, I'll leave them enabled and
see if people start having troubles.
I don't see where it updated the setting in IE on the client, but I also
don't see it passing through the ISA server anymore, so it must be using
a different method.
Thanks!
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 30, 2005 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl
http://www.ISAserver.org
Hi Dan,
Check the articles again. It'll show you how to configure the Direct
Access list on the ISA firewall and how to configure the clients to use
the autoconfig script so that they can use the Direct Access list.
Also, make sure the Direct Access clients are configured with a DNS
server that allows them to resolve the name of the site to the site's
Internal address.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> This Direct Access issue is rearing its ugly head again here.
>
> I'm running ISA2004, with the newest version of SurfControl. Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
>
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it. Tom
> mentioned a couple of weeks ago that SurfControl basically
> disables the
> Direct Access abilities of the ISA server, so that explains that part.
>
> Normally, I wouldn't mind the traffic passing through the ISA
> server, as
> it has a 1Gbps network connect. But, the problem I'm running into is
> that whenever we get a really heavy web traffic period, accessing our
> local webserver is pathetically slow, i.e. it'll take over a minute to
> display the first page. It probably has to do with 800+ people all
> clicking like mad at the same time...
>
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet. If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
>
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info. I cannot push these settings out via GPO either,
> because the FWC
> would override them.
>
> Is there a way to get these settings pushed out from the ISA server?
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 09:58:39 -0500
http://www.ISAserver.org
Hi Dan,
Check the articles again. It'll show you how to configure the Direct
Access list on the ISA firewall and how to configure the clients to use
the autoconfig script so that they can use the Direct Access list.
Also, make sure the Direct Access clients are configured with a DNS
server that allows them to resolve the name of the site to the site's
Internal address.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
>
> http://www.ISAserver.org
>
> This Direct Access issue is rearing its ugly head again here.
>
> I'm running ISA2004, with the newest version of SurfControl. Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
>
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it. Tom
> mentioned a couple of weeks ago that SurfControl basically
> disables the
> Direct Access abilities of the ISA server, so that explains that part.
>
> Normally, I wouldn't mind the traffic passing through the ISA
> server, as
> it has a 1Gbps network connect. But, the problem I'm running into is
> that whenever we get a really heavy web traffic period, accessing our
> local webserver is pathetically slow, i.e. it'll take over a minute to
> display the first page. It probably has to do with 800+ people all
> clicking like mad at the same time...
>
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet. If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
>
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info. I cannot push these settings out via GPO either,
> because the FWC
> would override them.
>
> Is there a way to get these settings pushed out from the ISA server?
>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 09:53:45 -0500
http://www.ISAserver.org
This Direct Access issue is rearing its ugly head again here.
I'm running ISA2004, with the newest version of SurfControl. Or at
least I "think" it's the newest version, as I cannot locate any newer
hotfixes for it...
I've tried and tried to not loop the local webserver through the ISA
server, but have been unable to figure out a way to do it. Tom
mentioned a couple of weeks ago that SurfControl basically disables the
Direct Access abilities of the ISA server, so that explains that part.
Normally, I wouldn't mind the traffic passing through the ISA server, as
it has a 1Gbps network connect. But, the problem I'm running into is
that whenever we get a really heavy web traffic period, accessing our
local webserver is pathetically slow, i.e. it'll take over a minute to
display the first page. It probably has to do with 800+ people all
clicking like mad at the same time...
When I disable the Proxy settings in IE, I can browse our local
webserver at full-speed, but cannot access the Internet. If I go into
the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
"*.mapsnet.org" as addresses to bypass proxy, this also works.
However, all the proxy settings are coming from the ISA server, so any
entries into that area are overwritten whenever the FWC refreshes its
info. I cannot push these settings out via GPO either, because the FWC
would override them.
Is there a way to get these settings pushed out from the ISA server?
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
Other related posts:
