[isalist] Re: Exclusions
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Fri, 18 May 2007 13:25:06 -0700
http://www.ISAserver.org
-------------------------------------------------------
Yeh - but at least it wasn't about upgrades & support...
:-p
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Friday, May 18, 2007 11:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
Car analogies! My eyes!
t
----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Friday, May 18, 2007 11:02 AM
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
Yes; let's blame the script for failing to work with the crapplication
that
doesn't know how to acquire or use it.
With this (il)logic, we should blame the car for not functioning for
someone
who can't locate; much less operate it?
As I stated, since these crapplications don't understand the wpad
process
(defined in 1999, BTW) or the script (defined in 1998, BTW) provided by
ISA,
then you have no choice but to use the static proxy / exclusions method.
This is not an ISA problem; ISA is operating in accordance with public
documents.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Friday, May 18, 2007 10:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
I believed citrix was using IE and IE was using WPAD to configure
itself!
Now, if we cannot use BHO, AX control, Java crapplet, citrix or other
"chained" crapplication, is there not chances that probably we are in
front
of crapWPAD system?
Regarding the IP address of the internal websites, here you have one:
10.100.113.27
The ISA server and the client resides in the same subnet (10.200.*.*),
the
internal site resides on a different subnet that is part of the internal
network (so no network relation here). Anyway the following is the worst
part: the page the users are trying to access is the control for an IP
KVM
which is a JavaScript application.
So, since I know what are you going to answer and my company needs
citrix,
java, and all the other "crappy" things around. Which alternative do I
have?
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of Jim Harrison
Sent: Friday, May 18, 2007 12:51 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
"..when he try to open a citrix application.." - it's these sort of
details
that make a world of difference to the questions you ask and the result
you
obtain.
Rule #1 for wpad-based configuration:
- you must NEVER assume that a BHO, AX control, Java crapplet or
"chained"
crapplication understands how to use the wpad script. If the
crapplication
only works when manual exceptions are defined, then the crapplication
doesn't know how to use the wpad script. End of story; nothing ISA can
do.
Rule #1 for wpad testing:
- because the browser caches the script for 1 hour, you *must* delete
previous versions on the test client after making changes at via ISA
manglement.
"..this is happening also on other internal websites accessed by IP and
not
residing on the same subnet of the ISA server.."
- any chance you can provide a description of:
+ the IP address of the "internal" sites?
+ the network relationship for ISA with respect to the client and
"internal"
site?
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Friday, May 18, 2007 9:39 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
OK, I already deleted what you mentioned down there.
Beside that: the user is accessing https://citrix.mscgva.ch Since I just
noticed that the domain wasn't in my list, I added it and tried again,
but
with the same result. Attached you have the new WPAD file for you to
take a
look.
The weird part is that the user can access the website and login to it,
the
problem is when he try to open a citrix application.
As a comment, this is happening also on other internal websites accessed
by
IP and not residing on the same subnet of the ISA server (in this case
no
citrix stuff).
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of Jim Harrison
Sent: Friday, May 18, 2007 12:16 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
Good stuff - now; what is the exact URL they're trying to access
directly?
I ask this because for two reasons:
1. you haven't stated this and it is important to how the wpad script
operates 2. you have some "interesting" entries in the "DirectNames"
list:
function MakeNames(){
this[0]="*.interlink-intranet.net";
this[1]="*/interlink-intranet.net/*";
this[2]="warren.interlink-intranet.net";
this[3]="us.interlink-intranet.net";
this[4]="*.usa.msc-intranet.net";
this[5]="lcs.interlink.bz";
this[6]="*.interlink-intranet.net";
}
DirectNames=new MakeNames();
Specifically:
- "*/interlink-intranet.net/*" - this is not valid, since "/" is not a
valid
host or FQDN character - make it disappear
- "warren.interlink-intranet.net", "us.interlink-intranet.net" - are
already included in the first entry
- "*.interlink-intranet.net" - is a duplicate of the first entry and
just
wastes processing time - make it disappear
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Friday, May 18, 2007 8:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
Clear the cached....
1- Did it
2- 1 file was deleted (but it was a copy I did on the desktop of the
WPAD.DAT). So you can take it as cero files deleted
3- 0
Test your WPAD.....
1- did it
2- yes
3- yes
4- yes
5- yes
6- did it
The file is attached.
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of Jim Harrison
Sent: Friday, May 18, 2007 11:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
No; you will not see changes to the browser manual exclusion list when
using
automatic browser configuration.
Clear the cached auto-configuration files:
1. open a cmd window on the failing client 2. type del \wpad*.dat /s
<enter> - how many files got wiped?
3. type del \wpad.dat /s <enter> - how many files got wiped?
Test your wpad mechanism:
1. open the browser on the failing client 2. enter http://wpad/wpad.dat
<enter> - do you get prompted to save a file?
3. enter http://wpad:8080/wpad.dat <enter> - do you get prompted to save
a
file?
4. enter http://IsaIpAddress/wpad.dat <enter> - do you get prompted to
save
a file?
5. enter http://IsaIpAddress:8080/wpad.dat <enter> - do you get prompted
to
save a file?
6. close the browser
Attach your wpad to your response
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Friday, May 18, 2007 8:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
The FC is configured to automatically detect ISA (WPAD) and it also has
the
"enable Web browser automatic configuration" option enabled, so I assume
this last one is telling IE what must do or not.
When I check the IE Lan Settings configuration, it have the right proxy,
and
the right port (according to what I configured on ISA) but there is no
exclusion list at all "I don't know if that is normal or not".
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of Jim Harrison
Sent: Friday, May 18, 2007 11:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
http://www.ISAserver.org
-------------------------------------------------------
IE needs to get this information from ISA - have you defined any
mechanism
where the browser gets it?
WPAD or "configuration URL" are the ONLY times the browser knows what
ISA
considers "internal".
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Friday, May 18, 2007 8:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
But there is a defined route on the Isa firewall. The server know
exactly
which one is the route to solve the requested address.
I guess the problem is the ISA firewall for some reason is not giving IE
the
right exclusion list, so IE no matter what will try to use the firewall.
Because if I leave the same proxy configured on IE but manually add the
exclusion it works.
But I have no idea how to fix this issue or where to search for the
error on
the configuration.
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, May 18, 2007 11:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
If the Firewall client machine sends to a destination that is not part
of
the defintion of the ISA Firewall Network on which the client is
located,
the Firewall client will remote the connection to the ISA Firewall to
send
to another ISA Firewall Network (such as the default External Network if
there is no defined route on the ISA Firewall for the destination
Network).
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN
INTERLINK INFRA ASST MGR
Sent: Friday, May 18, 2007 9:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
Ok, open my original email go to Edit/replace and replace "ISA client"
for
"Microsoft Firewall client for ISA server 2004" J
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, May 18, 2007 10:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Exclusions
What is the "ISA client"
There is a FIREWALL client, SecureNAT (SecureNET) client, and a Web
proxy
client.
THERE IS NO "ISA CLIENT".
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN
INTERLINK INFRA ASST MGR
Sent: Friday, May 18, 2007 9:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Exclusions
Good morning everybody (well, for most of you ;-) )
I have the following scenario:
Subnet 10.200.*.*(NY) and subnet 193.138.73.* (Geneva) both are
internals
and connected with a router no ISA in the middle.
For the NY users the Internet proxy (ISA 2004 array) is on the
10.200.*.*
subnet and they have the ISA 2004 client installed configuring IE
automatically.
The NY guys are trying to access a citrix server in Geneva with IE, the
Geneva range was included on the NY proxy array as part of the internal
network, also on the Web Browse TAB (internal network properties) so the
proxy is bypassed when accessing that subnet and the subnet was also
included on the routing table of both servers members of the array.
The point is citrix failed to open a desktop session.
They can reach the login page and even login, but session failed to
open.
Now, if I disable the ISA client and manually add on IE the Geneva
subnet
between the exclusions, everything works fine.
Any idea of what can be happening?
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
