--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Tue, 13 Dec 2005 09:52:44 -0500
http://www.ISAserver.org This sounds like a potentially extremely complex setup. (One could almost refer to it as a split-split DNS! *grin*) A little less than half of our network resides on that other subnet, so it is definitely not small. It is all part of one AD Domain, and I really hesitate to split it into multiple Domains. Due to the slow speed of our WAN, each of our outer buildings has their own Domain Controller, and each Domain Controller has a AD-Integrated DNS Server. Each DC/DNS is set to look back to the PDC (and DC1) for upstream resolution, and those servers are set to resolve names not in our local network, creating the Split DNS. Here is a rough diagram of the network structure Internet | | ISA--->10.20.1.1--->PDC | | | |--->DC2 | |---->10.6.254.90--->10.6.8.x--->DC3 | |--->10.6.9.x--->DC4 | |--->10.6.10.x--->DC5 | |--->10.6.12.x--->DC6 | |--->10.6.14.x--->DC7 | |--->10.6.15.x--->DC8 Right now it is configured as one big network, the Internal networks are in "route" mode between them, and there is a firewall policy that allows "All Protocols" to pass between those two subnets (come to think of it though, I should move that to a higher precedence). As it is currently configured, it works, for the most part. The only problem appears to be the Auto-Configure feature to configure sites for Direct Access. Without that feature working, all web browsing (including our local webserver, OWA, and Grading server) pass through the Web Proxy service. This isn't a "really" bad thing, but since SurfControl is thrown into the mix, it messes everything up. Since everything on the Internal Network is working with the DNS, the only issue really in question is the DNS resolution of the ISA server. If I forced a modified host file out to those workstations would that override the DNS server? -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Monday, December 12, 2005 11:10 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, The Web proxy configuration will work, if you fudge by creating a split DNS to support your second internal Network hosts. However, it can be tricky, depending on what you want the hosts on the second internal network to access on the other internal network, because the split DNS zone (which I usually put on the ISA firewall) won't be a secondary to the main zone -- it will need to be separate and distinct, because that array name must resolve to the local Web proxy listener for the other internal network. The firewall client will work fine, IF you allow the LDAP protocols from the second internal Network into the first internal Network (assuming that the first Internal Network hosts the DCs). If the second internal Network is small and doesn't have that many hosts that require authentication, you can always mirror the accounts, but I prefer not to do that, because I lose too many of the advantages that Active Directory provides. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Monday, December 12, 2005 9:55 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I queried the server to see what was actually being sent to the > workstations, and they "appear" to be correct. > > When I query http://10.20.1.1/wpad.dat (local subnet), I get a > configuration script matching the settings on the Network in the ISA > server. When I query http://10.20.1.1/wspad.dat I get the firewall > version of this file, with the appropriate settings for that Network > also. When I query > http://10.20.1.1:8080/array.dll?Get.Routing.Script, > I get a duplicate of the wpad.dat file, all seems good. > > When I query the same files using the 10.6.254.90 address instead > (Remote subnet), I get basically the same files, but the settings in > them match the settings for the remote subnet, which they > should, so I'm > at a loss for what is causing the troubles. I made some > changes in the > network properties, and when I re-queried the scripts, the changes > showed up on the appropriate network. > > Since I was having problems with the DNS wpad designation, I set > everything up to use IPs instead. The only place I see referencing a > hostname is the wpad.dat/getarray file, where it says: > > DirectNames=new MakeNames(); > cDirectNames=3; > HttpPort="8080"; > cNodes=1; > function MakeProxies(){ > this[0]=new Node("gateway.MAPSNET.ORG",0,1.000000); > } > > I'm not sure what this function does, but I'm wondering if it resolves > this hostname to the wrong subnet if that might be the cause. > > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Monday, December 12, 2005 9:58 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Indeed. The autoconfig script is going to be the pain point > for all but > one network, because there is only one autoconfig script maintained by > the ISA firewall, so if they try to connect to the Web proxy listener > that isn't local to their ISA firewall Network, then the connection > attempt will fail. I tried publishing the Web listener on the > non-local > Network to the local Network, but no workie. I might try it again just > for fun, though. > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Monday, December 12, 2005 2:26 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Stefaan, I went through your article quite thoroughly, and it > > clarified > > many things for me, thanks. I decided to put these > settings in place > > here, and have had mixed results. > > > > The difficulties seem to arise because I have multiple > > internal networks > > on my ISA server. I enabled the "Use automatic > configuration script" > > option on both of these internal networks, but only one seems to be > > working good. > > > > On one of the subnets, when I have that option enabled, I > watched the > > logs and saw that instead of using the web proxy, it is > > trying to access > > the external site directly using Port 80. When I disable > that option, > > it goes through the web proxy like it should. However, I > > tried another > > computer on that same subnet, and everything worked perfect, > > so it just > > doesn't make sense. > > > > I've retrieved all the wspad.dat and wspad.dat files from > > both internet > > networks, and they appear to be correct. Any ideas? > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 23:09:46 -0500
http://www.ISAserver.org Hi Dan, The Web proxy configuration will work, if you fudge by creating a split DNS to support your second internal Network hosts. However, it can be tricky, depending on what you want the hosts on the second internal network to access on the other internal network, because the split DNS zone (which I usually put on the ISA firewall) won't be a secondary to the main zone -- it will need to be separate and distinct, because that array name must resolve to the local Web proxy listener for the other internal network. The firewall client will work fine, IF you allow the LDAP protocols from the second internal Network into the first internal Network (assuming that the first Internal Network hosts the DCs). If the second internal Network is small and doesn't have that many hosts that require authentication, you can always mirror the accounts, but I prefer not to do that, because I lose too many of the advantages that Active Directory provides. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Monday, December 12, 2005 9:55 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I queried the server to see what was actually being sent to the > workstations, and they "appear" to be correct. > > When I query http://10.20.1.1/wpad.dat (local subnet), I get a > configuration script matching the settings on the Network in the ISA > server. When I query http://10.20.1.1/wspad.dat I get the firewall > version of this file, with the appropriate settings for that Network > also. When I query > http://10.20.1.1:8080/array.dll?Get.Routing.Script, > I get a duplicate of the wpad.dat file, all seems good. > > When I query the same files using the 10.6.254.90 address instead > (Remote subnet), I get basically the same files, but the settings in > them match the settings for the remote subnet, which they > should, so I'm > at a loss for what is causing the troubles. I made some > changes in the > network properties, and when I re-queried the scripts, the changes > showed up on the appropriate network. > > Since I was having problems with the DNS wpad designation, I set > everything up to use IPs instead. The only place I see referencing a > hostname is the wpad.dat/getarray file, where it says: > > DirectNames=new MakeNames(); > cDirectNames=3; > HttpPort="8080"; > cNodes=1; > function MakeProxies(){ > this[0]=new Node("gateway.MAPSNET.ORG",0,1.000000); > } > > I'm not sure what this function does, but I'm wondering if it resolves > this hostname to the wrong subnet if that might be the cause. > > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Monday, December 12, 2005 9:58 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Indeed. The autoconfig script is going to be the pain point > for all but > one network, because there is only one autoconfig script maintained by > the ISA firewall, so if they try to connect to the Web proxy listener > that isn't local to their ISA firewall Network, then the connection > attempt will fail. I tried publishing the Web listener on the > non-local > Network to the local Network, but no workie. I might try it again just > for fun, though. > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Monday, December 12, 2005 2:26 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Stefaan, I went through your article quite thoroughly, and it > > clarified > > many things for me, thanks. I decided to put these > settings in place > > here, and have had mixed results. > > > > The difficulties seem to arise because I have multiple > > internal networks > > on my ISA server. I enabled the "Use automatic > configuration script" > > option on both of these internal networks, but only one seems to be > > working good. > > > > On one of the subnets, when I have that option enabled, I > watched the > > logs and saw that instead of using the web proxy, it is > > trying to access > > the external site directly using Port 80. When I disable > that option, > > it goes through the web proxy like it should. However, I > > tried another > > computer on that same subnet, and everything worked perfect, > > so it just > > doesn't make sense. > > > > I've retrieved all the wspad.dat and wspad.dat files from > > both internet > > networks, and they appear to be correct. Any ideas? > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: Monday, December 05, 2005 4:42 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Jim, > > > > Didn't you got my mail with the SRZ0505266000674 case > history? I just > > resend > > the mail, just in case. ;-) > > > > After the usual first level blablabla the case was handled by Tommy > > Walker > > (second level) together with GTSC Matthew Rose and Christophe > > Despoges. > > > > Thereafter, Kristin Thomas (third level) was the owner: > > > > Kristin Thomas, MCSE, MCP > > Global Technical Support Center > > Platforms - Networking > > Microsoft Limited > > Tel: +44 118 909 4399 > > Email: kthomas@xxxxxxxxxxxxx > > > > Then the case was transfered to Pierre Louis Coll, an Escalation > > Engineer in > > the Internet Explorer support team. > > Tel: +33 1 69 86 66 90 > > Email: pierrelc@xxxxxxxxxxxxx > > > > That's all I have as contact information... > > > > Thanks, > > Stefaan > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: maandag 5 december 2005 22:06 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Are you sure that's not typo'd? > > Do you know what location took the case (US/CA, AP, Euro)? > > > > > > ------------------------------------------------------- > > Jim Harrison > > MCP(NT4, W2K), A+, Network+, PCG > > http://isaserver.org/Jim_Harrison/ > > http://isatools.org > > Read the help / books / articles! > > ------------------------------------------------------- > > > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: Monday, December 05, 2005 11:57 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Jim, > > > > I'm listening .... > > > > Stefaan > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: vrijdag 2 december 2005 20:59 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > I'll tell Stefaan, but no one else because I'm in a mood; so there, > > thpthpthp. > > > > > > ------------------------------------------------------- > > Jim Harrison > > MCP(NT4, W2K), A+, Network+, PCG > > http://isaserver.org/Jim_Harrison/ > > http://isatools.org > > Read the help / books / articles! > > ------------------------------------------------------- > > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Friday, December 02, 2005 11:54 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Please keep me informed of what you find out, that is a big problem > > here. > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: Friday, December 02, 2005 1:22 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Jim, > > > > Can you confirm what they (Microsoft PSS) have told me? > > > > Thanks, > > Stefaan > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: donderdag 1 december 2005 21:23 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Jim, > > > > I've mailed you the SRZ0505266000674 case history > concerning the DHCP > > issue > > with IE. > > > > Regards, > > Stefaan > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: donderdag 1 december 2005 21:16 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Jim, > > > > Will answer you offline... > > > > Stefaan > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: donderdag 1 december 2005 21:01 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Worse yet - that KB isn't listed internally either. > > Where did you get that #? > > > > > > ------------------------------------------------------- > > Jim Harrison > > MCP(NT4, W2K), A+, Network+, PCG > > http://isaserver.org/Jim_Harrison/ > > http://isatools.org > > Read the help / books / articles! > > ------------------------------------------------------- > > > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: Thursday, December 01, 2005 11:02 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Tom, > > > > unfortunately the KB906055 fix is not yet published. I've tested the > > official release of the patch and it solves the problem for > Windows XP > > SP2. > > Microsoft assured me that if you call PSS they will give > you the fix. > > > > Also, the WinInet fix Jim was talking about has not yet > been released. > > I've > > tested an interim version of the KB907455 fix but it didn't > solve the > > problem completely yet. However, this fix should be valid for > > Windows XP > > SP1 > > and SP2. > > > > HTH, > > Stefaan > > > > -----Original Message----- > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > > Sent: donderdag 1 december 2005 16:52 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Stefaan, > > > > Thank you very much for pointing out that information! I am really > > remiss > > for not remembering this fact that you mentioned in your article :( > > > > Tom > > > > Thomas W Shinder, M.D. > > Site: www.isaserver.org > > Blog: http://spaces.msn.com/members/drisa/ > > Book: http://tinyurl.com/3xqb7 > > MVP -- ISA Firewalls > > **Who is John Galt?** > > > > > > > > > -----Original Message----- > > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > > Sent: Thursday, December 01, 2005 9:08 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > Hi Jim, > > > > > > That's what described in my article > > > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > > > l and related > > > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > > > > > A fix for Windows XP SP2 is officialy released on November > > 11, 2005. > > > The related knowledge base article is KB906055 and should > > be available > > > > > soon on the web. IE uses an obsolete DHCP API but this > API has been > > > fixed (DHCPCSVC) for Windows XP SP2 only. > > > > > > HTH, > > > Stefaan > > > > > > -----Original Message----- > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > > Sent: donderdag 1 december 2005 15:54 > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > Don't use DHCP wpad - it's crap. > > > We've found that WinInet (what IE uses) can take up to 10 > > seconds to > > > "digest" the DHCP data it gets. > > > > > > Use only DNS or WINS (if you must). > > > > > > -----Original Message----- > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > > Sent: Thursday, December 01, 2005 6:20 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > I had to take those setting off again this morning, so > I'm not sure > > > what the heck is going on... > > > > > > When opening up IE, it would take 2-3 minutes for the > > "Detecting Proxy > > > > Settings" in the status bar to go away, and then things > would run > > sluggish. > > > By un-checking the "Automatically detect settings" and "Use > > automatic > > > configuration script" in IE things sped up dramatically, > so I took > > > them back off the ISA server. > > > > > > > > > -----Original Message----- > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > > Sent: Wednesday, November 30, 2005 11:06 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > I've been through those articles many-many times trying to > > work this > > > out, and just went through them again. My eyes must be > > getting old, > > > although I read the last paragraph on the last page many times, I > > > still missed it until this last re-reading... > > > > > > Your clue in the e-mail helped though, I had the > > "Automatically detect > > > > > settings" and "Use automatic configuration script" turned > > off on the > > > "Firewall Client" tab from when we had the SurfControl > proxy bypass > > > problem several months ago. With the solution you > thought up, that > > > might not be an issue anymore. In any case, I'll leave > > them enabled > > > and see if people start having troubles. > > > > > > I don't see where it updated the setting in IE on the > client, but I > > > also don't see it passing through the ISA server anymore, > > so it must > > > be using a different method. > > > > > > Thanks! > > > > > > -----Original Message----- > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > > > Sent: Wednesday, November 30, 2005 9:59 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > Hi Dan, > > > > > > Check the articles again. It'll show you how to configure > > the Direct > > > Access list on the ISA firewall and how to configure the > clients to > > > use the autoconfig script so that they can use the Direct > > Access list. > > > > > > Also, make sure the Direct Access clients are configured > with a DNS > > > server that allows them to resolve the name of the site to > > the site's > > > Internal address. > > > > > > HTH, > > > Tom > > > > > > Thomas W Shinder, M.D. > > > Site: www.isaserver.org > > > Blog: http://spaces.msn.com/members/drisa/ > > > Book: http://tinyurl.com/3xqb7 > > > MVP -- ISA Firewalls > > > **Who is John Galt?** > > > > > > > > > > > > > -----Original Message----- > > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > > > Sent: Wednesday, November 30, 2005 8:54 AM > > > > To: [ISAserver.org Discussion List] > > > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > > > > > http://www.ISAserver.org > > > > > > > > This Direct Access issue is rearing its ugly head again here. > > > > > > > > I'm running ISA2004, with the newest version of > > SurfControl. Or at > > > > least I "think" it's the newest version, as I cannot locate > > > any newer > > > > hotfixes for it... > > > > > > > > I've tried and tried to not loop the local webserver > > > through the ISA > > > > server, but have been unable to figure out a way to do it. Tom > > > > mentioned a couple of weeks ago that SurfControl > > basically disables > > > > the Direct Access abilities of the ISA server, so that > > > explains that > > > > part. > > > > > > > > Normally, I wouldn't mind the traffic passing through the > > > ISA server, > > > > as it has a 1Gbps network connect. But, the problem I'm > > > running into > > > > is that whenever we get a really heavy web traffic period, > > > accessing > > > > our local webserver is pathetically slow, i.e. it'll > take over a > > > > minute to display the first page. It probably has to do > > with 800+ > > > > people all clicking like mad at the same time... > > > > > > > > When I disable the Proxy settings in IE, I can browse our local > > > > webserver at full-speed, but cannot access the Internet. > > > If I go into > > > > the IE->Tools->Internet Options->LAN Settings->Advanced > > > menu and add > > > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > > > > > However, all the proxy settings are coming from the ISA > > > server, so any > > > > entries into that area are overwritten whenever the FWC > > > refreshes its > > > > info. I cannot push these settings out via GPO either, > > because the > > > > FWC would override them. > > > > > > > > Is there a way to get these settings pushed out from the > > ISA server? > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 22:54:32 -0500
http://www.ISAserver.org I queried the server to see what was actually being sent to the workstations, and they "appear" to be correct. When I query http://10.20.1.1/wpad.dat (local subnet), I get a configuration script matching the settings on the Network in the ISA server. When I query http://10.20.1.1/wspad.dat I get the firewall version of this file, with the appropriate settings for that Network also. When I query http://10.20.1.1:8080/array.dll?Get.Routing.Script, I get a duplicate of the wpad.dat file, all seems good. When I query the same files using the 10.6.254.90 address instead (Remote subnet), I get basically the same files, but the settings in them match the settings for the remote subnet, which they should, so I'm at a loss for what is causing the troubles. I made some changes in the network properties, and when I re-queried the scripts, the changes showed up on the appropriate network. Since I was having problems with the DNS wpad designation, I set everything up to use IPs instead. The only place I see referencing a hostname is the wpad.dat/getarray file, where it says: DirectNames=new MakeNames(); cDirectNames=3; HttpPort="8080"; cNodes=1; function MakeProxies(){ this[0]=new Node("gateway.MAPSNET.ORG",0,1.000000); } I'm not sure what this function does, but I'm wondering if it resolves this hostname to the wrong subnet if that might be the cause. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Monday, December 12, 2005 9:58 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, Indeed. The autoconfig script is going to be the pain point for all but one network, because there is only one autoconfig script maintained by the ISA firewall, so if they try to connect to the Web proxy listener that isn't local to their ISA firewall Network, then the connection attempt will fail. I tried publishing the Web listener on the non-local Network to the local Network, but no workie. I might try it again just for fun, though. Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Monday, December 12, 2005 2:26 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Stefaan, I went through your article quite thoroughly, and it > clarified > many things for me, thanks. I decided to put these settings in place > here, and have had mixed results. > > The difficulties seem to arise because I have multiple > internal networks > on my ISA server. I enabled the "Use automatic configuration script" > option on both of these internal networks, but only one seems to be > working good. > > On one of the subnets, when I have that option enabled, I watched the > logs and saw that instead of using the web proxy, it is > trying to access > the external site directly using Port 80. When I disable that option, > it goes through the web proxy like it should. However, I > tried another > computer on that same subnet, and everything worked perfect, > so it just > doesn't make sense. > > I've retrieved all the wspad.dat and wspad.dat files from > both internet > networks, and they appear to be correct. Any ideas? > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Monday, December 05, 2005 4:42 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > Didn't you got my mail with the SRZ0505266000674 case history? I just > resend > the mail, just in case. ;-) > > After the usual first level blablabla the case was handled by Tommy > Walker > (second level) together with GTSC Matthew Rose and Christophe > Despoges. > > Thereafter, Kristin Thomas (third level) was the owner: > > Kristin Thomas, MCSE, MCP > Global Technical Support Center > Platforms - Networking > Microsoft Limited > Tel: +44 118 909 4399 > Email: kthomas@xxxxxxxxxxxxx > > Then the case was transfered to Pierre Louis Coll, an Escalation > Engineer in > the Internet Explorer support team. > Tel: +33 1 69 86 66 90 > Email: pierrelc@xxxxxxxxxxxxx > > That's all I have as contact information... > > Thanks, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: maandag 5 december 2005 22:06 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Are you sure that's not typo'd? > Do you know what location took the case (US/CA, AP, Euro)? > > > ------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > ------------------------------------------------------- > > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Monday, December 05, 2005 11:57 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > I'm listening .... > > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: vrijdag 2 december 2005 20:59 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I'll tell Stefaan, but no one else because I'm in a mood; so there, > thpthpthp. > > > ------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > ------------------------------------------------------- > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Friday, December 02, 2005 11:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Please keep me informed of what you find out, that is a big problem > here. > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Friday, December 02, 2005 1:22 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > Can you confirm what they (Microsoft PSS) have told me? > > Thanks, > Stefaan > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: donderdag 1 december 2005 21:23 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > I've mailed you the SRZ0505266000674 case history concerning the DHCP > issue > with IE. > > Regards, > Stefaan > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: donderdag 1 december 2005 21:16 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > Will answer you offline... > > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 21:01 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Worse yet - that KB isn't listed internally either. > Where did you get that #? > > > ------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > ------------------------------------------------------- > > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 11:02 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Tom, > > unfortunately the KB906055 fix is not yet published. I've tested the > official release of the patch and it solves the problem for Windows XP > SP2. > Microsoft assured me that if you call PSS they will give you the fix. > > Also, the WinInet fix Jim was talking about has not yet been released. > I've > tested an interim version of the KB907455 fix but it didn't solve the > problem completely yet. However, this fix should be valid for > Windows XP > SP1 > and SP2. > > HTH, > Stefaan > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: donderdag 1 december 2005 16:52 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Stefaan, > > Thank you very much for pointing out that information! I am really > remiss > for not remembering this fact that you mentioned in your article :( > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: Thursday, December 01, 2005 9:08 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Jim, > > > > That's what described in my article > > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > > l and related > > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > > > A fix for Windows XP SP2 is officialy released on November > 11, 2005. > > The related knowledge base article is KB906055 and should > be available > > > soon on the web. IE uses an obsolete DHCP API but this API has been > > fixed (DHCPCSVC) for Windows XP SP2 only. > > > > HTH, > > Stefaan > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: donderdag 1 december 2005 15:54 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Don't use DHCP wpad - it's crap. > > We've found that WinInet (what IE uses) can take up to 10 > seconds to > > "digest" the DHCP data it gets. > > > > Use only DNS or WINS (if you must). > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Thursday, December 01, 2005 6:20 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > I had to take those setting off again this morning, so I'm not sure > > what the heck is going on... > > > > When opening up IE, it would take 2-3 minutes for the > "Detecting Proxy > > > Settings" in the status bar to go away, and then things would run > sluggish. > > By un-checking the "Automatically detect settings" and "Use > automatic > > configuration script" in IE things sped up dramatically, so I took > > them back off the ISA server. > > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 11:06 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > I've been through those articles many-many times trying to > work this > > out, and just went through them again. My eyes must be > getting old, > > although I read the last paragraph on the last page many times, I > > still missed it until this last re-reading... > > > > Your clue in the e-mail helped though, I had the > "Automatically detect > > > settings" and "Use automatic configuration script" turned > off on the > > "Firewall Client" tab from when we had the SurfControl proxy bypass > > problem several months ago. With the solution you thought up, that > > might not be an issue anymore. In any case, I'll leave > them enabled > > and see if people start having troubles. > > > > I don't see where it updated the setting in IE on the client, but I > > also don't see it passing through the ISA server anymore, > so it must > > be using a different method. > > > > Thanks! > > > > -----Original Message----- > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 9:59 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Dan, > > > > Check the articles again. It'll show you how to configure > the Direct > > Access list on the ISA firewall and how to configure the clients to > > use the autoconfig script so that they can use the Direct > Access list. > > > > Also, make sure the Direct Access clients are configured with a DNS > > server that allows them to resolve the name of the site to > the site's > > Internal address. > > > > HTH, > > Tom > > > > Thomas W Shinder, M.D. > > Site: www.isaserver.org > > Blog: http://spaces.msn.com/members/drisa/ > > Book: http://tinyurl.com/3xqb7 > > MVP -- ISA Firewalls > > **Who is John Galt?** > > > > > > > > > -----Original Message----- > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > > Sent: Wednesday, November 30, 2005 8:54 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > This Direct Access issue is rearing its ugly head again here. > > > > > > I'm running ISA2004, with the newest version of > SurfControl. Or at > > > least I "think" it's the newest version, as I cannot locate > > any newer > > > hotfixes for it... > > > > > > I've tried and tried to not loop the local webserver > > through the ISA > > > server, but have been unable to figure out a way to do it. Tom > > > mentioned a couple of weeks ago that SurfControl > basically disables > > > the Direct Access abilities of the ISA server, so that > > explains that > > > part. > > > > > > Normally, I wouldn't mind the traffic passing through the > > ISA server, > > > as it has a 1Gbps network connect. But, the problem I'm > > running into > > > is that whenever we get a really heavy web traffic period, > > accessing > > > our local webserver is pathetically slow, i.e. it'll take over a > > > minute to display the first page. It probably has to do > with 800+ > > > people all clicking like mad at the same time... > > > > > > When I disable the Proxy settings in IE, I can browse our local > > > webserver at full-speed, but cannot access the Internet. > > If I go into > > > the IE->Tools->Internet Options->LAN Settings->Advanced > > menu and add > > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > > > However, all the proxy settings are coming from the ISA > > server, so any > > > entries into that area are overwritten whenever the FWC > > refreshes its > > > info. I cannot push these settings out via GPO either, > because the > > > FWC would override them. > > > > > > Is there a way to get these settings pushed out from the > ISA server? ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 21:57:57 -0500
http://www.ISAserver.org Hi Dan, Indeed. The autoconfig script is going to be the pain point for all but one network, because there is only one autoconfig script maintained by the ISA firewall, so if they try to connect to the Web proxy listener that isn't local to their ISA firewall Network, then the connection attempt will fail. I tried publishing the Web listener on the non-local Network to the local Network, but no workie. I might try it again just for fun, though. Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Monday, December 12, 2005 2:26 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Stefaan, I went through your article quite thoroughly, and it > clarified > many things for me, thanks. I decided to put these settings in place > here, and have had mixed results. > > The difficulties seem to arise because I have multiple > internal networks > on my ISA server. I enabled the "Use automatic configuration script" > option on both of these internal networks, but only one seems to be > working good. > > On one of the subnets, when I have that option enabled, I watched the > logs and saw that instead of using the web proxy, it is > trying to access > the external site directly using Port 80. When I disable that option, > it goes through the web proxy like it should. However, I > tried another > computer on that same subnet, and everything worked perfect, > so it just > doesn't make sense. > > I've retrieved all the wspad.dat and wspad.dat files from > both internet > networks, and they appear to be correct. Any ideas? > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Monday, December 05, 2005 4:42 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > Didn't you got my mail with the SRZ0505266000674 case history? I just > resend > the mail, just in case. ;-) > > After the usual first level blablabla the case was handled by Tommy > Walker > (second level) together with GTSC Matthew Rose and Christophe > Despoges. > > Thereafter, Kristin Thomas (third level) was the owner: > > Kristin Thomas, MCSE, MCP > Global Technical Support Center > Platforms - Networking > Microsoft Limited > Tel: +44 118 909 4399 > Email: kthomas@xxxxxxxxxxxxx > > Then the case was transfered to Pierre Louis Coll, an Escalation > Engineer in > the Internet Explorer support team. > Tel: +33 1 69 86 66 90 > Email: pierrelc@xxxxxxxxxxxxx > > That's all I have as contact information... > > Thanks, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: maandag 5 december 2005 22:06 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Are you sure that's not typo'd? > Do you know what location took the case (US/CA, AP, Euro)? > > > ------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > ------------------------------------------------------- > > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Monday, December 05, 2005 11:57 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > I'm listening .... > > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: vrijdag 2 december 2005 20:59 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I'll tell Stefaan, but no one else because I'm in a mood; so there, > thpthpthp. > > > ------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > ------------------------------------------------------- > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Friday, December 02, 2005 11:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Please keep me informed of what you find out, that is a big problem > here. > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Friday, December 02, 2005 1:22 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > Can you confirm what they (Microsoft PSS) have told me? > > Thanks, > Stefaan > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: donderdag 1 december 2005 21:23 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > I've mailed you the SRZ0505266000674 case history concerning the DHCP > issue > with IE. > > Regards, > Stefaan > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: donderdag 1 december 2005 21:16 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > Will answer you offline... > > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 21:01 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Worse yet - that KB isn't listed internally either. > Where did you get that #? > > > ------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > ------------------------------------------------------- > > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 11:02 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Tom, > > unfortunately the KB906055 fix is not yet published. I've tested the > official release of the patch and it solves the problem for Windows XP > SP2. > Microsoft assured me that if you call PSS they will give you the fix. > > Also, the WinInet fix Jim was talking about has not yet been released. > I've > tested an interim version of the KB907455 fix but it didn't solve the > problem completely yet. However, this fix should be valid for > Windows XP > SP1 > and SP2. > > HTH, > Stefaan > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: donderdag 1 december 2005 16:52 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Stefaan, > > Thank you very much for pointing out that information! I am really > remiss > for not remembering this fact that you mentioned in your article :( > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > > Sent: Thursday, December 01, 2005 9:08 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Jim, > > > > That's what described in my article > > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > > l and related > > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > > > A fix for Windows XP SP2 is officialy released on November > 11, 2005. > > The related knowledge base article is KB906055 and should > be available > > > soon on the web. IE uses an obsolete DHCP API but this API has been > > fixed (DHCPCSVC) for Windows XP SP2 only. > > > > HTH, > > Stefaan > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: donderdag 1 december 2005 15:54 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Don't use DHCP wpad - it's crap. > > We've found that WinInet (what IE uses) can take up to 10 > seconds to > > "digest" the DHCP data it gets. > > > > Use only DNS or WINS (if you must). > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Thursday, December 01, 2005 6:20 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > I had to take those setting off again this morning, so I'm not sure > > what the heck is going on... > > > > When opening up IE, it would take 2-3 minutes for the > "Detecting Proxy > > > Settings" in the status bar to go away, and then things would run > sluggish. > > By un-checking the "Automatically detect settings" and "Use > automatic > > configuration script" in IE things sped up dramatically, so I took > > them back off the ISA server. > > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 11:06 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > I've been through those articles many-many times trying to > work this > > out, and just went through them again. My eyes must be > getting old, > > although I read the last paragraph on the last page many times, I > > still missed it until this last re-reading... > > > > Your clue in the e-mail helped though, I had the > "Automatically detect > > > settings" and "Use automatic configuration script" turned > off on the > > "Firewall Client" tab from when we had the SurfControl proxy bypass > > problem several months ago. With the solution you thought up, that > > might not be an issue anymore. In any case, I'll leave > them enabled > > and see if people start having troubles. > > > > I don't see where it updated the setting in IE on the client, but I > > also don't see it passing through the ISA server anymore, > so it must > > be using a different method. > > > > Thanks! > > > > -----Original Message----- > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 9:59 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Dan, > > > > Check the articles again. It'll show you how to configure > the Direct > > Access list on the ISA firewall and how to configure the clients to > > use the autoconfig script so that they can use the Direct > Access list. > > > > Also, make sure the Direct Access clients are configured with a DNS > > server that allows them to resolve the name of the site to > the site's > > Internal address. > > > > HTH, > > Tom > > > > Thomas W Shinder, M.D. > > Site: www.isaserver.org > > Blog: http://spaces.msn.com/members/drisa/ > > Book: http://tinyurl.com/3xqb7 > > MVP -- ISA Firewalls > > **Who is John Galt?** > > > > > > > > > -----Original Message----- > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > > Sent: Wednesday, November 30, 2005 8:54 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > This Direct Access issue is rearing its ugly head again here. > > > > > > I'm running ISA2004, with the newest version of > SurfControl. Or at > > > least I "think" it's the newest version, as I cannot locate > > any newer > > > hotfixes for it... > > > > > > I've tried and tried to not loop the local webserver > > through the ISA > > > server, but have been unable to figure out a way to do it. Tom > > > mentioned a couple of weeks ago that SurfControl > basically disables > > > the Direct Access abilities of the ISA server, so that > > explains that > > > part. > > > > > > Normally, I wouldn't mind the traffic passing through the > > ISA server, > > > as it has a 1Gbps network connect. But, the problem I'm > > running into > > > is that whenever we get a really heavy web traffic period, > > accessing > > > our local webserver is pathetically slow, i.e. it'll take over a > > > minute to display the first page. It probably has to do > with 800+ > > > people all clicking like mad at the same time... > > > > > > When I disable the Proxy settings in IE, I can browse our local > > > webserver at full-speed, but cannot access the Internet. > > If I go into > > > the IE->Tools->Internet Options->LAN Settings->Advanced > > menu and add > > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > > > However, all the proxy settings are coming from the ISA > > server, so any > > > entries into that area are overwritten whenever the FWC > > refreshes its > > > info. I cannot push these settings out via GPO either, > because the > > > FWC would override them. > > > > > > Is there a way to get these settings pushed out from the > ISA server? > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 15:26:12 -0500
http://www.ISAserver.org Stefaan, I went through your article quite thoroughly, and it clarified many things for me, thanks. I decided to put these settings in place here, and have had mixed results. The difficulties seem to arise because I have multiple internal networks on my ISA server. I enabled the "Use automatic configuration script" option on both of these internal networks, but only one seems to be working good. On one of the subnets, when I have that option enabled, I watched the logs and saw that instead of using the web proxy, it is trying to access the external site directly using Port 80. When I disable that option, it goes through the web proxy like it should. However, I tried another computer on that same subnet, and everything worked perfect, so it just doesn't make sense. I've retrieved all the wspad.dat and wspad.dat files from both internet networks, and they appear to be correct. Any ideas? -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Monday, December 05, 2005 4:42 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Didn't you got my mail with the SRZ0505266000674 case history? I just resend the mail, just in case. ;-) After the usual first level blablabla the case was handled by Tommy Walker (second level) together with GTSC Matthew Rose and Christophe Despoges. Thereafter, Kristin Thomas (third level) was the owner: Kristin Thomas, MCSE, MCP Global Technical Support Center Platforms - Networking Microsoft Limited Tel: +44 118 909 4399 Email: kthomas@xxxxxxxxxxxxx Then the case was transfered to Pierre Louis Coll, an Escalation Engineer in the Internet Explorer support team. Tel: +33 1 69 86 66 90 Email: pierrelc@xxxxxxxxxxxxx That's all I have as contact information... Thanks, Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: maandag 5 december 2005 22:06 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Are you sure that's not typo'd? Do you know what location took the case (US/CA, AP, Euro)? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Monday, December 05, 2005 11:57 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I'm listening .... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: vrijdag 2 december 2005 20:59 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Friday, December 02, 2005 11:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Please keep me informed of what you find out, that is a big problem here. -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Friday, December 02, 2005 1:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 16:41:37 -0500
http://www.ISAserver.org Hi Jim, Didn't you got my mail with the SRZ0505266000674 case history? I just resend the mail, just in case. ;-) After the usual first level blablabla the case was handled by Tommy Walker (second level) together with GTSC Matthew Rose and Christophe Despoges. Thereafter, Kristin Thomas (third level) was the owner: Kristin Thomas, MCSE, MCP Global Technical Support Center Platforms - Networking Microsoft Limited Tel: +44 118 909 4399 Email: kthomas@xxxxxxxxxxxxx Then the case was transfered to Pierre Louis Coll, an Escalation Engineer in the Internet Explorer support team. Tel: +33 1 69 86 66 90 Email: pierrelc@xxxxxxxxxxxxx That's all I have as contact information... Thanks, Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: maandag 5 december 2005 22:06 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Are you sure that's not typo'd? Do you know what location took the case (US/CA, AP, Euro)? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Monday, December 05, 2005 11:57 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I'm listening .... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: vrijdag 2 december 2005 20:59 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Friday, December 02, 2005 11:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Please keep me informed of what you find out, that is a big problem here. -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Friday, December 02, 2005 1:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 16:05:33 -0500
http://www.ISAserver.org Are you sure that's not typo'd? Do you know what location took the case (US/CA, AP, Euro)? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Monday, December 05, 2005 11:57 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I'm listening .... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: vrijdag 2 december 2005 20:59 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Friday, December 02, 2005 11:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Please keep me informed of what you find out, that is a big problem here. -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Friday, December 02, 2005 1:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 14:56:47 -0500
http://www.ISAserver.org Hi Jim, I'm listening .... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: vrijdag 2 december 2005 20:59 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Friday, December 02, 2005 11:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Please keep me informed of what you find out, that is a big problem here. -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Friday, December 02, 2005 1:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 15:13:49 -0500
http://www.ISAserver.org So, you're feeling normal then? -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Friday, December 02, 2005 2:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Friday, December 02, 2005 11:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Please keep me informed of what you find out, that is a big problem here. -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Friday, December 02, 2005 1:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 14:59:08 -0500
http://www.ISAserver.org I'll tell Stefaan, but no one else because I'm in a mood; so there, thpthpthp. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Friday, December 02, 2005 11:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Please keep me informed of what you find out, that is a big problem here. -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Friday, December 02, 2005 1:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 14:53:34 -0500
http://www.ISAserver.org Please keep me informed of what you find out, that is a big problem here. -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Friday, December 02, 2005 1:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 13:22:29 -0500
http://www.ISAserver.org Hi Jim, Can you confirm what they (Microsoft PSS) have told me? Thanks, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:23 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 15:23:18 -0500
http://www.ISAserver.org Hi Jim, I've mailed you the SRZ0505266000674 case history concerning the DHCP issue with IE. Regards, Stefaan -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: donderdag 1 december 2005 21:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > > Settings" in the status bar to go away, and then things would run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 15:15:49 -0500
http://www.ISAserver.org Hi Jim, Will answer you offline... Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 21:01 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > Settings" in the status bar to go away, and then things would run > sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 15:00:52 -0500
http://www.ISAserver.org Worse yet - that KB isn't listed internally either. Where did you get that #? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 11:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > Settings" in the status bar to go away, and then things would run > sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 14:01:50 -0500
http://www.ISAserver.org Hi Tom, unfortunately the KB906055 fix is not yet published. I've tested the official release of the patch and it solves the problem for Windows XP SP2. Microsoft assured me that if you call PSS they will give you the fix. Also, the WinInet fix Jim was talking about has not yet been released. I've tested an interim version of the KB907455 fix but it didn't solve the problem completely yet. However, this fix should be valid for Windows XP SP1 and SP2. HTH, Stefaan -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: donderdag 1 december 2005 16:52 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November 11, 2005. > The related knowledge base article is KB906055 and should be available > soon on the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm not sure > what the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > Settings" in the status bar to go away, and then things would run > sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I took > them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many times, I > still missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them enabled > and see if people start having troubles. > > I don't see where it updated the setting in IE on the client, but I > also don't see it passing through the ISA server anymore, so it must > be using a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the clients to > use the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:52:02 -0500
http://www.ISAserver.org Hi Stefaan, Thank you very much for pointing out that information! I am really remiss for not remembering this fact that you mentioned in your article :( Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] > Sent: Thursday, December 01, 2005 9:08 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Jim, > > That's what described in my article > http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.htm > l and related > topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. > > A fix for Windows XP SP2 is officialy released on November > 11, 2005. The > related knowledge base article is KB906055 and should be > available soon on > the web. IE uses an obsolete DHCP API but this API has been > fixed (DHCPCSVC) > for Windows XP SP2 only. > > HTH, > Stefaan > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: donderdag 1 december 2005 15:54 > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Don't use DHCP wpad - it's crap. > We've found that WinInet (what IE uses) can take up to 10 seconds to > "digest" the DHCP data it gets. > > Use only DNS or WINS (if you must). > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 6:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm > not sure what the > heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > Settings" in the status bar to go away, and then things would > run sluggish. > By un-checking the "Automatically detect settings" and "Use automatic > configuration script" in IE things sped up dramatically, so I > took them back > off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to > work this out, > and just went through them again. My eyes must be getting > old, although I > read the last paragraph on the last page many times, I still > missed it until > this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy > bypass problem > several months ago. With the solution you thought up, that > might not be an > issue anymore. In any case, I'll leave them enabled and see > if people start > having troubles. > > I don't see where it updated the setting in IE on the client, > but I also > don't see it passing through the ISA server anymore, so it > must be using a > different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the > Direct Access > list on the ISA firewall and how to configure the clients to use the > autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with > a DNS server > that allows them to resolve the name of the site to the > site's Internal > address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver > through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically disables > > the Direct Access abilities of the ISA server, so that > explains that > > part. > > > > Normally, I wouldn't mind the traffic passing through the > ISA server, > > as it has a 1Gbps network connect. But, the problem I'm > running into > > is that whenever we get a really heavy web traffic period, > accessing > > our local webserver is pathetically slow, i.e. it'll take over a > > minute to display the first page. It probably has to do with 800+ > > people all clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, because the > > FWC would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxxxx To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:14:34 -0500
http://www.ISAserver.org Cool! I'll have to spend more time reading that, but it looks like it might clear some of the confusion I've had about the two settings that seem to be causing me the most grief! -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] Sent: Thursday, December 01, 2005 10:08 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Jim, That's what described in my article http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html and related topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. A fix for Windows XP SP2 is officialy released on November 11, 2005. The related knowledge base article is KB906055 and should be available soon on the web. IE uses an obsolete DHCP API but this API has been fixed (DHCPCSVC) for Windows XP SP2 only. HTH, Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 15:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Don't use DHCP wpad - it's crap. We've found that WinInet (what IE uses) can take up to 10 seconds to "digest" the DHCP data it gets. Use only DNS or WINS (if you must). -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Thursday, December 01, 2005 6:20 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I had to take those setting off again this morning, so I'm not sure what the heck is going on... When opening up IE, it would take 2-3 minutes for the "Detecting Proxy Settings" in the status bar to go away, and then things would run sluggish. By un-checking the "Automatically detect settings" and "Use automatic configuration script" in IE things sped up dramatically, so I took them back off the ISA server. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 11:06 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I've been through those articles many-many times trying to work this out, and just went through them again. My eyes must be getting old, although I read the last paragraph on the last page many times, I still missed it until this last re-reading... Your clue in the e-mail helped though, I had the "Automatically detect settings" and "Use automatic configuration script" turned off on the "Firewall Client" tab from when we had the SurfControl proxy bypass problem several months ago. With the solution you thought up, that might not be an issue anymore. In any case, I'll leave them enabled and see if people start having troubles. I don't see where it updated the setting in IE on the client, but I also don't see it passing through the ISA server anymore, so it must be using a different method. Thanks! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 9:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, Check the articles again. It'll show you how to configure the Direct Access list on the ISA firewall and how to configure the clients to use the autoconfig script so that they can use the Direct Access list. Also, make sure the Direct Access clients are configured with a DNS server that allows them to resolve the name of the site to the site's Internal address. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 8:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > This Direct Access issue is rearing its ugly head again here. > > I'm running ISA2004, with the newest version of SurfControl. Or at > least I "think" it's the newest version, as I cannot locate any newer > hotfixes for it... > > I've tried and tried to not loop the local webserver through the ISA > server, but have been unable to figure out a way to do it. Tom > mentioned a couple of weeks ago that SurfControl basically disables > the Direct Access abilities of the ISA server, so that explains that > part. > > Normally, I wouldn't mind the traffic passing through the ISA server, > as it has a 1Gbps network connect. But, the problem I'm running into > is that whenever we get a really heavy web traffic period, accessing > our local webserver is pathetically slow, i.e. it'll take over a > minute to display the first page. It probably has to do with 800+ > people all clicking like mad at the same time... > > When I disable the Proxy settings in IE, I can browse our local > webserver at full-speed, but cannot access the Internet. If I go into > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > However, all the proxy settings are coming from the ISA server, so any > entries into that area are overwritten whenever the FWC refreshes its > info. I cannot push these settings out via GPO either, because the > FWC would override them. > > Is there a way to get these settings pushed out from the ISA server? > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:09:10 -0500
http://www.ISAserver.org Okay, if I remember right, the reason I went with DHCP for that is due to multiple internal networks. I.e., if the 10.20.x.x subnet pulls the wpad info from 10.20.1.1, while the 10.6.x.x subnet pulls the wpad info from 10.6.254.90. If they pull the wpad info from the wrong IP, they'll get the wrong connection information. When I tried using the DNS to push out the wpad info, it kept resolving to the wrong IP address, i.e. the 10.6.x.x subnet would try to pull the wpad info from 10.20.1.1 instead. All subnets use the same forward lookup zone, so even though there are several DNS servers on the 10.6.x.x subnet, they replicate the same information across all subnets. Someone mentioned that you can define multiple IP addresses in the DNS server for wpad, but I haven't quite fiqured out how that would work yet. So, do you think that would speed things up dramatically if I switched (provided I could figure out how to do it)? -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Thursday, December 01, 2005 9:54 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Don't use DHCP wpad - it's crap. We've found that WinInet (what IE uses) can take up to 10 seconds to "digest" the DHCP data it gets. Use only DNS or WINS (if you must). -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Thursday, December 01, 2005 6:20 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I had to take those setting off again this morning, so I'm not sure what the heck is going on... When opening up IE, it would take 2-3 minutes for the "Detecting Proxy Settings" in the status bar to go away, and then things would run sluggish. By un-checking the "Automatically detect settings" and "Use automatic configuration script" in IE things sped up dramatically, so I took them back off the ISA server. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 11:06 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I've been through those articles many-many times trying to work this out, and just went through them again. My eyes must be getting old, although I read the last paragraph on the last page many times, I still missed it until this last re-reading... Your clue in the e-mail helped though, I had the "Automatically detect settings" and "Use automatic configuration script" turned off on the "Firewall Client" tab from when we had the SurfControl proxy bypass problem several months ago. With the solution you thought up, that might not be an issue anymore. In any case, I'll leave them enabled and see if people start having troubles. I don't see where it updated the setting in IE on the client, but I also don't see it passing through the ISA server anymore, so it must be using a different method. Thanks! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 9:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, Check the articles again. It'll show you how to configure the Direct Access list on the ISA firewall and how to configure the clients to use the autoconfig script so that they can use the Direct Access list. Also, make sure the Direct Access clients are configured with a DNS server that allows them to resolve the name of the site to the site's Internal address. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 8:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > This Direct Access issue is rearing its ugly head again here. > > I'm running ISA2004, with the newest version of SurfControl. Or at > least I "think" it's the newest version, as I cannot locate any newer > hotfixes for it... > > I've tried and tried to not loop the local webserver through the ISA > server, but have been unable to figure out a way to do it. Tom > mentioned a couple of weeks ago that SurfControl basically > disables the > Direct Access abilities of the ISA server, so that explains that part. > > Normally, I wouldn't mind the traffic passing through the ISA > server, as > it has a 1Gbps network connect. But, the problem I'm running into is > that whenever we get a really heavy web traffic period, accessing our > local webserver is pathetically slow, i.e. it'll take over a minute to > display the first page. It probably has to do with 800+ people all > clicking like mad at the same time... > > When I disable the Proxy settings in IE, I can browse our local > webserver at full-speed, but cannot access the Internet. If I go into > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > However, all the proxy settings are coming from the ISA server, so any > entries into that area are overwritten whenever the FWC refreshes its > info. I cannot push these settings out via GPO either, > because the FWC > would override them. > > Is there a way to get these settings pushed out from the ISA server? > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 10:07:36 -0500
http://www.ISAserver.org Hi Jim, That's what described in my article http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html and related topic http://forums.isaserver.org/m_350016600/mpage_1/tm.htm. A fix for Windows XP SP2 is officialy released on November 11, 2005. The related knowledge base article is KB906055 and should be available soon on the web. IE uses an obsolete DHCP API but this API has been fixed (DHCPCSVC) for Windows XP SP2 only. HTH, Stefaan -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: donderdag 1 december 2005 15:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Don't use DHCP wpad - it's crap. We've found that WinInet (what IE uses) can take up to 10 seconds to "digest" the DHCP data it gets. Use only DNS or WINS (if you must). -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Thursday, December 01, 2005 6:20 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I had to take those setting off again this morning, so I'm not sure what the heck is going on... When opening up IE, it would take 2-3 minutes for the "Detecting Proxy Settings" in the status bar to go away, and then things would run sluggish. By un-checking the "Automatically detect settings" and "Use automatic configuration script" in IE things sped up dramatically, so I took them back off the ISA server. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 11:06 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I've been through those articles many-many times trying to work this out, and just went through them again. My eyes must be getting old, although I read the last paragraph on the last page many times, I still missed it until this last re-reading... Your clue in the e-mail helped though, I had the "Automatically detect settings" and "Use automatic configuration script" turned off on the "Firewall Client" tab from when we had the SurfControl proxy bypass problem several months ago. With the solution you thought up, that might not be an issue anymore. In any case, I'll leave them enabled and see if people start having troubles. I don't see where it updated the setting in IE on the client, but I also don't see it passing through the ISA server anymore, so it must be using a different method. Thanks! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 9:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, Check the articles again. It'll show you how to configure the Direct Access list on the ISA firewall and how to configure the clients to use the autoconfig script so that they can use the Direct Access list. Also, make sure the Direct Access clients are configured with a DNS server that allows them to resolve the name of the site to the site's Internal address. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 8:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > This Direct Access issue is rearing its ugly head again here. > > I'm running ISA2004, with the newest version of SurfControl. Or at > least I "think" it's the newest version, as I cannot locate any newer > hotfixes for it... > > I've tried and tried to not loop the local webserver through the ISA > server, but have been unable to figure out a way to do it. Tom > mentioned a couple of weeks ago that SurfControl basically disables > the Direct Access abilities of the ISA server, so that explains that > part. > > Normally, I wouldn't mind the traffic passing through the ISA server, > as it has a 1Gbps network connect. But, the problem I'm running into > is that whenever we get a really heavy web traffic period, accessing > our local webserver is pathetically slow, i.e. it'll take over a > minute to display the first page. It probably has to do with 800+ > people all clicking like mad at the same time... > > When I disable the Proxy settings in IE, I can browse our local > webserver at full-speed, but cannot access the Internet. If I go into > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > However, all the proxy settings are coming from the ISA server, so any > entries into that area are overwritten whenever the FWC refreshes its > info. I cannot push these settings out via GPO either, because the > FWC would override them. > > Is there a way to get these settings pushed out from the ISA server? > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:57:37 -0500
http://www.ISAserver.org Then confiugre the Firewall client to only deliver the autoconfig script. I said that in a message yesterday. Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 8:44 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > The configuration script is generated by ISA, right? Or is > there a way > to modify it manually? > > When I push it out via GPO, the FWC overrides any settings I > made, so I > can't use that method without disabling the configuration from FWC. > > You know, the more I try to explain it, the more I get confused! Time > to go back to bed... > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 9:38 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > That's what I always do as well, or configure the configuration script > via GPO or script. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Thursday, December 01, 2005 8:20 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > I had to take those setting off again this morning, so I'm > > not sure what > > the heck is going on... > > > > When opening up IE, it would take 2-3 minutes for the > "Detecting Proxy > > Settings" in the status bar to go away, and then things would run > > sluggish. By un-checking the "Automatically detect > settings" and "Use > > automatic configuration script" in IE things sped up > > dramatically, so I > > took them back off the ISA server. > > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 11:06 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > I've been through those articles many-many times trying to work this > > out, and just went through them again. My eyes must be getting old, > > although I read the last paragraph on the last page many > > times, I still > > missed it until this last re-reading... > > > > Your clue in the e-mail helped though, I had the > "Automatically detect > > settings" and "Use automatic configuration script" turned off on the > > "Firewall Client" tab from when we had the SurfControl proxy bypass > > problem several months ago. With the solution you thought up, that > > might not be an issue anymore. In any case, I'll leave them > > enabled and > > see if people start having troubles. > > > > I don't see where it updated the setting in IE on the client, > > but I also > > don't see it passing through the ISA server anymore, so it > > must be using > > a different method. > > > > Thanks! > > > > -----Original Message----- > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 9:59 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > Hi Dan, > > > > Check the articles again. It'll show you how to configure the Direct > > Access list on the ISA firewall and how to configure the > > clients to use > > the autoconfig script so that they can use the Direct Access list. > > > > Also, make sure the Direct Access clients are configured with a DNS > > server that allows them to resolve the name of the site to > the site's > > Internal address. > > > > HTH, > > Tom > > > > Thomas W Shinder, M.D. > > Site: www.isaserver.org > > Blog: http://spaces.msn.com/members/drisa/ > > Book: http://tinyurl.com/3xqb7 > > MVP -- ISA Firewalls > > **Who is John Galt?** > > > > > > > > > -----Original Message----- > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > > Sent: Wednesday, November 30, 2005 8:54 AM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > > > http://www.ISAserver.org > > > > > > This Direct Access issue is rearing its ugly head again here. > > > > > > I'm running ISA2004, with the newest version of > SurfControl. Or at > > > least I "think" it's the newest version, as I cannot locate > > any newer > > > hotfixes for it... > > > > > > I've tried and tried to not loop the local webserver > through the ISA > > > server, but have been unable to figure out a way to do it. Tom > > > mentioned a couple of weeks ago that SurfControl basically > > > disables the > > > Direct Access abilities of the ISA server, so that explains > > that part. > > > > > > Normally, I wouldn't mind the traffic passing through the ISA > > > server, as > > > it has a 1Gbps network connect. But, the problem I'm > > running into is > > > that whenever we get a really heavy web traffic period, > > accessing our > > > local webserver is pathetically slow, i.e. it'll take over > > a minute to > > > display the first page. It probably has to do with 800+ > people all > > > clicking like mad at the same time... > > > > > > When I disable the Proxy settings in IE, I can browse our local > > > webserver at full-speed, but cannot access the Internet. > > If I go into > > > the IE->Tools->Internet Options->LAN Settings->Advanced > menu and add > > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > > > However, all the proxy settings are coming from the ISA > > server, so any > > > entries into that area are overwritten whenever the FWC > > refreshes its > > > info. I cannot push these settings out via GPO either, > > > because the FWC > > > would override them. > > > > > > Is there a way to get these settings pushed out from the > ISA server? > > > > > > > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Visit TechGenix.com for more information about our other sites: > > http://www.techgenix.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org > Discussion List as: > > dball@xxxxxxxxxxx > > To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Visit TechGenix.com for more information about our other sites: > > http://www.techgenix.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion > > List as: tshinder@xxxxxxxxxxxxxxxxxx > > To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:54:17 -0500
http://www.ISAserver.org Don't use DHCP wpad - it's crap. We've found that WinInet (what IE uses) can take up to 10 seconds to "digest" the DHCP data it gets. Use only DNS or WINS (if you must). -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Thursday, December 01, 2005 6:20 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I had to take those setting off again this morning, so I'm not sure what the heck is going on... When opening up IE, it would take 2-3 minutes for the "Detecting Proxy Settings" in the status bar to go away, and then things would run sluggish. By un-checking the "Automatically detect settings" and "Use automatic configuration script" in IE things sped up dramatically, so I took them back off the ISA server. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 11:06 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I've been through those articles many-many times trying to work this out, and just went through them again. My eyes must be getting old, although I read the last paragraph on the last page many times, I still missed it until this last re-reading... Your clue in the e-mail helped though, I had the "Automatically detect settings" and "Use automatic configuration script" turned off on the "Firewall Client" tab from when we had the SurfControl proxy bypass problem several months ago. With the solution you thought up, that might not be an issue anymore. In any case, I'll leave them enabled and see if people start having troubles. I don't see where it updated the setting in IE on the client, but I also don't see it passing through the ISA server anymore, so it must be using a different method. Thanks! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 9:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, Check the articles again. It'll show you how to configure the Direct Access list on the ISA firewall and how to configure the clients to use the autoconfig script so that they can use the Direct Access list. Also, make sure the Direct Access clients are configured with a DNS server that allows them to resolve the name of the site to the site's Internal address. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 8:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > This Direct Access issue is rearing its ugly head again here. > > I'm running ISA2004, with the newest version of SurfControl. Or at > least I "think" it's the newest version, as I cannot locate any newer > hotfixes for it... > > I've tried and tried to not loop the local webserver through the ISA > server, but have been unable to figure out a way to do it. Tom > mentioned a couple of weeks ago that SurfControl basically > disables the > Direct Access abilities of the ISA server, so that explains that part. > > Normally, I wouldn't mind the traffic passing through the ISA > server, as > it has a 1Gbps network connect. But, the problem I'm running into is > that whenever we get a really heavy web traffic period, accessing our > local webserver is pathetically slow, i.e. it'll take over a minute to > display the first page. It probably has to do with 800+ people all > clicking like mad at the same time... > > When I disable the Proxy settings in IE, I can browse our local > webserver at full-speed, but cannot access the Internet. If I go into > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > However, all the proxy settings are coming from the ISA server, so any > entries into that area are overwritten whenever the FWC refreshes its > info. I cannot push these settings out via GPO either, > because the FWC > would override them. > > Is there a way to get these settings pushed out from the ISA server? > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:43:33 -0500
http://www.ISAserver.org The configuration script is generated by ISA, right? Or is there a way to modify it manually? When I push it out via GPO, the FWC overrides any settings I made, so I can't use that method without disabling the configuration from FWC. You know, the more I try to explain it, the more I get confused! Time to go back to bed... -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Thursday, December 01, 2005 9:38 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, That's what I always do as well, or configure the configuration script via GPO or script. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 8:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm > not sure what > the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > Settings" in the status bar to go away, and then things would run > sluggish. By un-checking the "Automatically detect settings" and "Use > automatic configuration script" in IE things sped up > dramatically, so I > took them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many > times, I still > missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them > enabled and > see if people start having troubles. > > I don't see where it updated the setting in IE on the client, > but I also > don't see it passing through the ISA server anymore, so it > must be using > a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the > clients to use > the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically > > disables the > > Direct Access abilities of the ISA server, so that explains > that part. > > > > Normally, I wouldn't mind the traffic passing through the ISA > > server, as > > it has a 1Gbps network connect. But, the problem I'm > running into is > > that whenever we get a really heavy web traffic period, > accessing our > > local webserver is pathetically slow, i.e. it'll take over > a minute to > > display the first page. It probably has to do with 800+ people all > > clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, > > because the FWC > > would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:38:02 -0500
http://www.ISAserver.org Hi Dan, That's what I always do as well, or configure the configuration script via GPO or script. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Thursday, December 01, 2005 8:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I had to take those setting off again this morning, so I'm > not sure what > the heck is going on... > > When opening up IE, it would take 2-3 minutes for the "Detecting Proxy > Settings" in the status bar to go away, and then things would run > sluggish. By un-checking the "Automatically detect settings" and "Use > automatic configuration script" in IE things sped up > dramatically, so I > took them back off the ISA server. > > > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 11:06 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > I've been through those articles many-many times trying to work this > out, and just went through them again. My eyes must be getting old, > although I read the last paragraph on the last page many > times, I still > missed it until this last re-reading... > > Your clue in the e-mail helped though, I had the "Automatically detect > settings" and "Use automatic configuration script" turned off on the > "Firewall Client" tab from when we had the SurfControl proxy bypass > problem several months ago. With the solution you thought up, that > might not be an issue anymore. In any case, I'll leave them > enabled and > see if people start having troubles. > > I don't see where it updated the setting in IE on the client, > but I also > don't see it passing through the ISA server anymore, so it > must be using > a different method. > > Thanks! > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 9:59 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > Hi Dan, > > Check the articles again. It'll show you how to configure the Direct > Access list on the ISA firewall and how to configure the > clients to use > the autoconfig script so that they can use the Direct Access list. > > Also, make sure the Direct Access clients are configured with a DNS > server that allows them to resolve the name of the site to the site's > Internal address. > > HTH, > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > > Sent: Wednesday, November 30, 2005 8:54 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] Direct Access Issues w/SurfControl > > > > http://www.ISAserver.org > > > > This Direct Access issue is rearing its ugly head again here. > > > > I'm running ISA2004, with the newest version of SurfControl. Or at > > least I "think" it's the newest version, as I cannot locate > any newer > > hotfixes for it... > > > > I've tried and tried to not loop the local webserver through the ISA > > server, but have been unable to figure out a way to do it. Tom > > mentioned a couple of weeks ago that SurfControl basically > > disables the > > Direct Access abilities of the ISA server, so that explains > that part. > > > > Normally, I wouldn't mind the traffic passing through the ISA > > server, as > > it has a 1Gbps network connect. But, the problem I'm > running into is > > that whenever we get a really heavy web traffic period, > accessing our > > local webserver is pathetically slow, i.e. it'll take over > a minute to > > display the first page. It probably has to do with 800+ people all > > clicking like mad at the same time... > > > > When I disable the Proxy settings in IE, I can browse our local > > webserver at full-speed, but cannot access the Internet. > If I go into > > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > > > However, all the proxy settings are coming from the ISA > server, so any > > entries into that area are overwritten whenever the FWC > refreshes its > > info. I cannot push these settings out via GPO either, > > because the FWC > > would override them. > > > > Is there a way to get these settings pushed out from the ISA server? > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > dball@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 09:20:12 -0500
http://www.ISAserver.org I had to take those setting off again this morning, so I'm not sure what the heck is going on... When opening up IE, it would take 2-3 minutes for the "Detecting Proxy Settings" in the status bar to go away, and then things would run sluggish. By un-checking the "Automatically detect settings" and "Use automatic configuration script" in IE things sped up dramatically, so I took them back off the ISA server. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 11:06 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org I've been through those articles many-many times trying to work this out, and just went through them again. My eyes must be getting old, although I read the last paragraph on the last page many times, I still missed it until this last re-reading... Your clue in the e-mail helped though, I had the "Automatically detect settings" and "Use automatic configuration script" turned off on the "Firewall Client" tab from when we had the SurfControl proxy bypass problem several months ago. With the solution you thought up, that might not be an issue anymore. In any case, I'll leave them enabled and see if people start having troubles. I don't see where it updated the setting in IE on the client, but I also don't see it passing through the ISA server anymore, so it must be using a different method. Thanks! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 9:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, Check the articles again. It'll show you how to configure the Direct Access list on the ISA firewall and how to configure the clients to use the autoconfig script so that they can use the Direct Access list. Also, make sure the Direct Access clients are configured with a DNS server that allows them to resolve the name of the site to the site's Internal address. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 8:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > This Direct Access issue is rearing its ugly head again here. > > I'm running ISA2004, with the newest version of SurfControl. Or at > least I "think" it's the newest version, as I cannot locate any newer > hotfixes for it... > > I've tried and tried to not loop the local webserver through the ISA > server, but have been unable to figure out a way to do it. Tom > mentioned a couple of weeks ago that SurfControl basically > disables the > Direct Access abilities of the ISA server, so that explains that part. > > Normally, I wouldn't mind the traffic passing through the ISA > server, as > it has a 1Gbps network connect. But, the problem I'm running into is > that whenever we get a really heavy web traffic period, accessing our > local webserver is pathetically slow, i.e. it'll take over a minute to > display the first page. It probably has to do with 800+ people all > clicking like mad at the same time... > > When I disable the Proxy settings in IE, I can browse our local > webserver at full-speed, but cannot access the Internet. If I go into > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > However, all the proxy settings are coming from the ISA server, so any > entries into that area are overwritten whenever the FWC refreshes its > info. I cannot push these settings out via GPO either, > because the FWC > would override them. > > Is there a way to get these settings pushed out from the ISA server? > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 11:05:44 -0500
http://www.ISAserver.org I've been through those articles many-many times trying to work this out, and just went through them again. My eyes must be getting old, although I read the last paragraph on the last page many times, I still missed it until this last re-reading... Your clue in the e-mail helped though, I had the "Automatically detect settings" and "Use automatic configuration script" turned off on the "Firewall Client" tab from when we had the SurfControl proxy bypass problem several months ago. With the solution you thought up, that might not be an issue anymore. In any case, I'll leave them enabled and see if people start having troubles. I don't see where it updated the setting in IE on the client, but I also don't see it passing through the ISA server anymore, so it must be using a different method. Thanks! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, November 30, 2005 9:59 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Direct Access Issues w/SurfControl http://www.ISAserver.org Hi Dan, Check the articles again. It'll show you how to configure the Direct Access list on the ISA firewall and how to configure the clients to use the autoconfig script so that they can use the Direct Access list. Also, make sure the Direct Access clients are configured with a DNS server that allows them to resolve the name of the site to the site's Internal address. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 8:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > This Direct Access issue is rearing its ugly head again here. > > I'm running ISA2004, with the newest version of SurfControl. Or at > least I "think" it's the newest version, as I cannot locate any newer > hotfixes for it... > > I've tried and tried to not loop the local webserver through the ISA > server, but have been unable to figure out a way to do it. Tom > mentioned a couple of weeks ago that SurfControl basically > disables the > Direct Access abilities of the ISA server, so that explains that part. > > Normally, I wouldn't mind the traffic passing through the ISA > server, as > it has a 1Gbps network connect. But, the problem I'm running into is > that whenever we get a really heavy web traffic period, accessing our > local webserver is pathetically slow, i.e. it'll take over a minute to > display the first page. It probably has to do with 800+ people all > clicking like mad at the same time... > > When I disable the Proxy settings in IE, I can browse our local > webserver at full-speed, but cannot access the Internet. If I go into > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > However, all the proxy settings are coming from the ISA server, so any > entries into that area are overwritten whenever the FWC refreshes its > info. I cannot push these settings out via GPO either, > because the FWC > would override them. > > Is there a way to get these settings pushed out from the ISA server? > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 09:58:39 -0500
http://www.ISAserver.org Hi Dan, Check the articles again. It'll show you how to configure the Direct Access list on the ISA firewall and how to configure the clients to use the autoconfig script so that they can use the Direct Access list. Also, make sure the Direct Access clients are configured with a DNS server that allows them to resolve the name of the site to the site's Internal address. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > Sent: Wednesday, November 30, 2005 8:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Direct Access Issues w/SurfControl > > http://www.ISAserver.org > > This Direct Access issue is rearing its ugly head again here. > > I'm running ISA2004, with the newest version of SurfControl. Or at > least I "think" it's the newest version, as I cannot locate any newer > hotfixes for it... > > I've tried and tried to not loop the local webserver through the ISA > server, but have been unable to figure out a way to do it. Tom > mentioned a couple of weeks ago that SurfControl basically > disables the > Direct Access abilities of the ISA server, so that explains that part. > > Normally, I wouldn't mind the traffic passing through the ISA > server, as > it has a 1Gbps network connect. But, the problem I'm running into is > that whenever we get a really heavy web traffic period, accessing our > local webserver is pathetically slow, i.e. it'll take over a minute to > display the first page. It probably has to do with 800+ people all > clicking like mad at the same time... > > When I disable the Proxy settings in IE, I can browse our local > webserver at full-speed, but cannot access the Internet. If I go into > the IE->Tools->Internet Options->LAN Settings->Advanced menu and add > "*.mapsnet.org" as addresses to bypass proxy, this also works. > > However, all the proxy settings are coming from the ISA server, so any > entries into that area are overwritten whenever the FWC refreshes its > info. I cannot push these settings out via GPO either, > because the FWC > would override them. > > Is there a way to get these settings pushed out from the ISA server? > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---
--- Begin Message ---
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 09:53:45 -0500
http://www.ISAserver.org This Direct Access issue is rearing its ugly head again here. I'm running ISA2004, with the newest version of SurfControl. Or at least I "think" it's the newest version, as I cannot locate any newer hotfixes for it... I've tried and tried to not loop the local webserver through the ISA server, but have been unable to figure out a way to do it. Tom mentioned a couple of weeks ago that SurfControl basically disables the Direct Access abilities of the ISA server, so that explains that part. Normally, I wouldn't mind the traffic passing through the ISA server, as it has a 1Gbps network connect. But, the problem I'm running into is that whenever we get a really heavy web traffic period, accessing our local webserver is pathetically slow, i.e. it'll take over a minute to display the first page. It probably has to do with 800+ people all clicking like mad at the same time... When I disable the Proxy settings in IE, I can browse our local webserver at full-speed, but cannot access the Internet. If I go into the IE->Tools->Internet Options->LAN Settings->Advanced menu and add "*.mapsnet.org" as addresses to bypass proxy, this also works. However, all the proxy settings are coming from the ISA server, so any entries into that area are overwritten whenever the FWC refreshes its info. I cannot push these settings out via GPO either, because the FWC would override them. Is there a way to get these settings pushed out from the ISA server? ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gregory.crockett@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
--- End Message ---