RE: Direct Access Issues w/SurfControl

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 1 Dec 2005 10:09:10 -0500

Okay, if I remember right, the reason I went with DHCP for that is due
to multiple internal networks.  I.e., if the 10.20.x.x subnet pulls the
wpad info from 10.20.1.1, while the 10.6.x.x subnet pulls the wpad info
from 10.6.254.90.  If they pull the wpad info from the wrong IP, they'll
get the wrong connection information.  

When I tried using the DNS to push out the wpad info, it kept resolving
to the wrong IP address, i.e. the 10.6.x.x subnet would try to pull the
wpad info from 10.20.1.1 instead.  All subnets use the same forward
lookup zone, so even though there are several DNS servers on the
10.6.x.x subnet, they replicate the same information across all subnets.

Someone mentioned that you can define multiple IP addresses in the DNS
server for wpad, but I haven't quite figured out how that would work
yet.  So, do you think that would speed things up dramatically if I
switched (provided I could figure out how to do it)?


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, December 01, 2005 9:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl

http://www.ISAserver.org

Don't use DHCP wpad - it's crap.
We've found that WinInet (what IE uses) can take up to 10 seconds to
"digest" the DHCP data it gets.

Use only DNS or WINS (if you must).

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Thursday, December 01, 2005 6:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl

I had to take those settings off again this morning, so I'm not sure what
the heck is going on...  

When opening up IE, it would take 2-3 minutes for the "Detecting Proxy
Settings" in the status bar to go away, and then things would run
sluggish.  By un-checking the "Automatically detect settings" and "Use
automatic configuration script" in IE things sped up dramatically, so I
took them back off the ISA server.


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, November 30, 2005 11:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl

I've been through those articles many-many times trying to work this
out, and just went through them again.  My eyes must be getting old,
although I read the last paragraph on the last page many times, I still
missed it until this last re-reading...

Your clue in the e-mail helped though, I had the "Automatically detect
settings" and "Use automatic configuration script" turned off on the
"Firewall Client" tab from when we had the SurfControl proxy bypass
problem several months ago.  With the solution you thought up, that
might not be an issue anymore.  In any case, I'll leave them enabled and
see if people start having troubles.

I don't see where it updated the setting in IE on the client, but I also
don't see it passing through the ISA server anymore, so it must be using
a different method.

Thanks!

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, November 30, 2005 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl

Hi Dan,

Check the articles again. It'll show you how to configure the Direct
Access list on the ISA firewall and how to configure the clients to use
the autoconfig script so that they can use the Direct Access list.

Also, make sure the Direct Access clients are configured with a DNS
server that allows them to resolve the name of the site to the site's
Internal address.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Wednesday, November 30, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Direct Access Issues w/SurfControl
> 
> This Direct Access issue is rearing its ugly head again here.  
> 
> I'm running ISA2004, with the newest version of SurfControl.  Or at
> least I "think" it's the newest version, as I cannot locate any newer
> hotfixes for it...
> 
> I've tried and tried to not loop the local webserver through the ISA
> server, but have been unable to figure out a way to do it.  Tom
> mentioned a couple of weeks ago that SurfControl basically disables the
> Direct Access abilities of the ISA server, so that explains that part.
> 
> Normally, I wouldn't mind the traffic passing through the ISA server, as
> it has a 1Gbps network connect.  But, the problem I'm running into is
> that whenever we get a really heavy web traffic period, accessing our
> local webserver is pathetically slow, i.e. it'll take over a minute to
> display the first page.  It probably has to do with 800+ people all
> clicking like mad at the same time...
> 
> When I disable the Proxy settings in IE, I can browse our local
> webserver at full-speed, but cannot access the Internet.  If I go into
> the IE->Tools->Internet Options->LAN Settings->Advanced menu and add
> "*.mapsnet.org" as addresses to bypass proxy, this also works.
> 
> However, all the proxy settings are coming from the ISA server, so any
> entries into that area are overwritten whenever the FWC refreshes its
> info.  I cannot push these settings out via GPO either, because the FWC
> would override them.
> 
> Is there a way to get these settings pushed out from the ISA server?
> 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
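
The question at the top of the thread, how a single DNS wpad name can serve both the 10.20.x.x and 10.6.x.x subnets, can be answered in the auto-configuration script rather than in DNS. The following is an added example, not code from the thread or generated by ISA Server: a hand-written PAC decision function that picks the proxy by client subnet and sends *.mapsnet.org direct. The port 8080, the name `findProxyFor` and the Node shims for the PAC helpers are assumptions; the IP addresses and the bypass domain are the ones quoted in the thread.

```javascript
// Added example, not from the thread. Port 8080 is an assumed proxy port.
const SUBNET_PROXIES = [
  { net: "10.20.0.0", mask: "255.255.0.0", proxy: "PROXY 10.20.1.1:8080" },
  { net: "10.6.0.0",  mask: "255.255.0.0", proxy: "PROXY 10.6.254.90:8080" },
];

// Shims so the file runs under Node; a browser's PAC engine provides
// isInNet() and shExpMatch() natively.
function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// The PAC logic. clientIp is a parameter so it can be tested here; in a
// deployed wpad.dat the browser calls FindProxyForURL(url, host) and the
// script would use myIpAddress(), which can return the wrong interface on
// multi-homed clients.
function findProxyFor(url, host, clientIp) {
  // Local web server goes direct instead of looping through the proxy.
  // The explicit dot in the pattern keeps look-alike names on the proxy.
  if (host.toLowerCase() === "mapsnet.org" || shExpMatch(host, "*.mapsnet.org")) {
    return "DIRECT";
  }
  for (const s of SUBNET_PROXIES) {
    if (isInNet(clientIp, s.net, s.mask)) return s.proxy;
  }
  // Unknown subnet: fall back to a proxy rather than DIRECT so that
  // unfiltered Internet access is never the default.
  return SUBNET_PROXIES[0].proxy;
}
```
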


All mail to and from this domain is GFI-scanned.

