RE: FW Client (ISA2004)

  • From: "Ruba Al Omari, Eng." <romari@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 3 Jan 2005 12:55:35 +0300

Hi,
The policy is on top.
Blocking access is no problem at all; and allowing all users is no
problem at all.
MSN Instant Messenger is version 6.2.
I have isa2004

Monitoring the logs shows me that everything works fine at first,
connection initiated with the correct username, everything is fine,
suddenly the connection is switched to anonymous and denied access.

I assume I can create a rule to allow All Users and then another rule
to Deny all users except for the users I want to allow, but this doesn't
seem right, because All Users includes anonymous.

Can you send me the exact details of the rule you have that allows a
specific group of users? I know it sounds easy but I am missing something.

My rule is:
Action: Allow; Protocols: MSN Messenger (and others); From: Internal;
To: Local Host, External; Users: Help Desk (For example); Schedule:
Always; Content Type: All content types.

Thanks
r.

-----Original Message-----
From: Ara [mailto:ara@xxxxxxxxxx] 
Sent: Saturday, January 01, 2005 12:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW Client (ISA2004)

http://www.ISAserver.org

Hello
Have you checked your policies order? Maybe it is getting caught in wrong
turn. I didn't get any problem creating an access rule for specified group
to be allowed and use MSN. Also you may want to use http signatures to block
people too.
http://www.microsoft.com/technet/prodtechnol/isa/2000/maintain/isaimsec.mspx
also
http://www.isaserver.org/articles/2004blockp2pim.html


> -----Original Message-----
> From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
> Sent: Monday, January 03, 2005 12:28 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> I could find http://www.isaserver.org/pages/article_p.asp?id=1247 which
> is about blocking, blocking is working great, am having trouble with
> allowing, allowing only works if I do the exact same rule as in the
> article and allow "All Users", my problem is I want to allow specific
> group of users and not All Users.
> Did any one try to allow MSN Instant Messenger for a specific group of
> users and it worked?
> 
> Thanks
> r.
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Monday, January 03, 2005 9:05 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> Take a search in www.isaserver.org.
> There are several articles there about blocking and allowing IM traffic.
> 
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> -----Original Message-----
> From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
> Sent: Sunday, January 02, 2005 9:42 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> MSN.. Instant Messenger.
> 
> Thanx
> r.
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Sunday, January 02, 2005 6:03 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> MSN.. what?
> Instant Messenger, Internet Exploder..?
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> -----Original Message-----
> From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
> Sent: Sunday, January 02, 2005 12:52 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> Wonderful, thank you
> I changed the port on the IIS and the FW Client can auto detect now,
> 
> Anything wrong with the authentication in the isainfo file? Because I
> still can't get msn to work without having to add the All Users to the
> rule that allows the msn traffic.
> 
> Thanks
> r.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Sunday, January 02, 2005 10:31 AM
> To: Ruba Al Omari, Eng.
> Subject: RE: [isalist] RE: FW Client (ISA2004)
> 
> You're still getting the old file.
> The version should be reporting as 1.0.2161.5.
> 
> Something I was able to see in the ISAInfo you sent before:
> The Web Proxy filter failed to bind its socket to 10.92.60.20 port 80.
> This may have been caused by another service that is already using the
> same port or by a network adapter that is not functional. To resolve
> this issue, restart the Microsoft Firewall service. The error code
> specified in the data area of the event properties indicates the cause
> of the failure. The failure is due to error: 0x80072740
> 
> ..this means that the web proxy is seeing an IP/protocol/port conflict
> for TCP:80.
> Are you also running IIS on this machine?
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Sunday, January 02, 2005 9:31 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> Now we need your ISAInfo.
> 
> http://isatools.org/isainfo/isainfo.zip.
> 
> 
> 
> Follow the instructions in the readme.
> 
> 
> 
>   Jim Harrison
> 
>   MCP(NT4, W2K), A+, Network+, PCG
> 
>   http://isaserver.org/Jim_Harrison/
> 
>   http://isatools.org
> 
>   Read the help / books / articles!
> 
> 
> 
> 
> 
> -----Original Message-----
> 
> From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
> 
> Sent: Saturday, January 01, 2005 10:05 PM
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> Do I open the browser at the server or the client? I opened it at both
> 
> and got the same results.
> 
> I followed the instructions exactly, the results are:
> 
> 
> 
> - The browser issues "The Page cannot be displayed" error for both links
> 
> http://wpad/wspad.dat and http://wpad/wspad.dat
> 
> 
> 
> So I couldn't find the files to answer the questions :(
> 
> 
> 
> Where do we go now?
> 
> 
> 
> Additional information:
> 
> When I try to browse to these links the logging shows me the traffic is
> 
> denied because of Allow_IT policy, I disabled the policy and tried
> 
> again, the logging says the traffic is denied because of the Blocked
> 
> Sites policy, I did the same, then it says traffic is denied because of
> 
> the default rule.
> 
> 
> 
> Auto discovery is listening on the default port 80, if I type
> 
> http://wpad:80/wpad.dat I still get the same results.
> 
> 
> 
> 
> 
> thanx
> 
> r.
> 
> 
> 
> 
> 
> -----Original Message-----
> 
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> 
> Sent: Saturday, January 01, 2005 7:36 PM
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> Ok; now we're going to use a browser to see what your wpad data
> 
> gets you...
> 
> Please follow the instructions exactly as written and respond to all
> 
> questions.
> 
> 
> 
> 1. Open your browser (IE, Firefox, whatever)
> 
> 2. In the address bar, type http://wpad/wpad.dat
> 
>    If you're prompted to "open or save", choose "save" and stash it on
> 
> your desktop as "wpad.js".
> 
>    If not, your automatic discovery listener isn't listening
> 
> 4. In the address bar, type http://wpad/wspad.dat
> 
>    If you're prompted to "open or save", choose "save" and stash it on
> 
> your desktop as "wspad.txt".
> 
>    If not, your automatic discovery listener isn't listening
> 
> 
> 
> ..now let's use the data in those files...
> 
> Use your favorite text editor (Notepad or equivalent; NOT Word or
> 
> WordPerfect, etc.) to open these files
> 
> 
> 
> 
> 
> - WPAD.JS - this file is used by browsers and the FW client, so we MUST
> 
> start here:
> 
> 
> 
> 1. Look for "function MakeProxies()".  You'll see one or more entries
> 
> listed as:
> 
>       "new Node( -hostname-,#,#.###### );"
> 
> 
> 
> Q1 - what is the name found in "-hostname-"?
> 
> Q2 - what is the result of ping -thatnameexactlyasseen-?
> 
> 
> 
> 
> 
> - WSPAD.TXT - this file is used only by the FW client:
> 
> 
> 
> Q1 - what is the name found as "WWW-Proxy=" under "[Common]"?
> 
> Q2 - what is the result of "ping -thatnameexactlyasseen-"?
> 
> Q3 - what is the name found as "Name=" under [Servers Ip Addresses]?
> 
> Q4 - what is the result of "ping -thatnameexactlyasseen-"?
> 
> 
> 
>   Jim Harrison
> 
>   MCP(NT4, W2K), A+, Network+, PCG
> 
>   http://isaserver.org/Jim_Harrison/
> 
>   http://isatools.org
> 
>   Read the help / books / articles!
> 
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> 
> From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
> 
> Sent: Friday, December 31, 2004 9:41 PM
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> The client can ping wpad.
> 
> 
> 
> C:\>ping wpad
> 
> 
> 
> Pinging 8000-srv.dac.edu [10.92.60.20] with 32 bytes of data:
> 
> 
> 
> Reply from 10.92.60.20: bytes=32 time<1ms TTL=126
> 
> Reply from 10.92.60.20: bytes=32 time<1ms TTL=126
> 
> Reply from 10.92.60.20: bytes=32 time<1ms TTL=126
> 
> Reply from 10.92.60.20: bytes=32 time<1ms TTL=126
> 
> 
> 
> ?
> 
> 
> 
> Thanx
> 
> r.
> 
> 
> 
> -----Original Message-----
> 
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> 
> Sent: Wednesday, December 29, 2004 7:31 PM
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> The good news is that it doesn't seem to be a problem between internal
> 
> and external names.
> 
> Forget using nslookup to troubleshoot client name resolution problems;
> 
> that's how DNS servers, not clients perform name lookups.
> 
> 
> 
> Use "ping wpad" and see what the result is.
> 
> If this fails, it's time for a network capture.
> 
> 
> 
> -------------------------------------------------------
> 
>    Jim Harrison
> 
>    MCP(NT4, W2K), A+, Network+, PCG
> 
>    http://isaserver.org/Jim_Harrison/
> 
>    http://isatools.org
> 
>    Read the help / books / articles!
> 
> -------------------------------------------------------
> 
> 
> 
> -----Original Message-----
> 
> From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
> 
> Sent: Wednesday, December 29, 2004 00:20
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> I have it cleared (the check box was cleared from before)
> 
> In the authentication method it is Integrated the one that is selected,
> 
> and the check box is cleared, but auto detection is not working.
> 
> ?
> 
> 
> 
> Note: the Auto Discovery is enabled, the FW Client auto detection is
> 
> enabled and uses automatic configuration script.
> 
> Thanks
> 
> r.
> 
> 
> 
> -----Original Message-----
> 
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> 
> Sent: Tuesday, December 28, 2004 7:09 PM
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> Make sure you have "Require all users to authenticate" unchecked in the
> 
> Internal network Web Proxy settings.
> 
> 
> 
> 
> 
> -------------------------------------------------------
> 
>    Jim Harrison
> 
>    MCP(NT4, W2K), A+, Network+, PCG
> 
>    http://isaserver.org/Jim_Harrison/
> 
>    http://isatools.org
> 
>    Read the help / books / articles!
> 
> -------------------------------------------------------
> 
> 
> 
> -----Original Message-----
> 
> From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
> 
> Sent: Tuesday, December 28, 2004 00:27
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> Hi,
> 
> I added the PTR to the reverse lookup zone and the wpad is ok now, the
> 
> FW Client still can't auto detect the ISA.
> 
> 
> 
> C:\>nslookup wpad
> 
> Server:  6k-srv.dac.edu
> 
> Address:  10.92.60.10
> 
> 
> 
> Name:    8000-srv.dac.edu
> 
> Address:  10.92.60.20
> 
> Aliases:  wpad.dac.edu
> 
> 
> 
> ?
> 
> 
> 
> thanks
> 
> r.
> 
> 
> 
> -----Original Message-----
> 
> From: Ruba Al Omari, Eng.
> 
> Sent: Wednesday, December 22, 2004 9:29 AM
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> Hi Mr. Tom,
> 
> 
> 
> It gives me this:
> 
> 
> 
> C:\>nslookup wpad
> 
> *** Can't find server name for address 10.92.60.10: Non-existent domain
> 
> *** Default servers are not available
> 
> Server:  UnKnown
> 
> Address:  10.92.60.10
> 
> 
> 
> Name:    8000-srv.dac.edu
> 
> Address:  10.92.60.20
> 
> Aliases:  wpad.dac.edu
> 
> 
> 
> 10.92.60.10 is our internal DNS, 10.92.60.20 is the ISA internal NIC,
> 
> the client is on 10.80.60.0 subnet, we have no PTR in the reverse lookup
> 
> zone.
> 
> 
> 
> Thanx
> 
> r.
> 
> 
> 
> -----Original Message-----
> 
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> 
> Sent: Tuesday, December 21, 2004 6:44 PM
> 
> To: [ISAserver.org Discussion List]
> 
> Subject: [isalist] RE: FW Client (ISA2004)
> 
> 
> 
> Hi Ruba,
> 
> 
> 
> When you do an nslookup for wpad what do you see? It should look
> 
> something like this (with different names, of course):
> 
> 
> 
> F:\>nslookup wpad
> 
> Server:  marsoutpost.tacteam.net
> 
> Address:  192.168.1.34
> 
> 
> 
> Name:    celestix-h5l4cs.tacteam.net
> 
> Address:  192.168.1.60
> 
> Aliases:  wpad.tacteam.net
> 
> F:\>
> 
> 
> 
> Thanks!
> 
> 
> 
> Tom
> 
> www.isaserver.org/shinder
> 
> Tom and Deb Shinder's Configuring ISA Server 2004
> 
> http://tinyurl.com/3xqb7
> 
> MVP -- ISA Firewalls
> 
> 
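
Added example (not part of the original thread and not ISA Server or list-member code): the wpad.dat / wspad.dat questions from Jim Harrison's January 01 message quoted above, automated in Python so the names that auto-discovery hands to clients can be checked against the expected ISA internal address. The sample file contents are constructed from only the fields the thread names, the function names are hypothetical, and the short name 8000-srv and address 10.92.60.99 used in testing are constructed values.

```python
import configparser
import re
import socket

# Constructed samples: they model only the fields named in the thread.
SAMPLE_WPAD = """
function MakeProxies(){
  this.list[0] = new Node("8000-srv.dac.edu",0,1.000000);
}
"""
SAMPLE_WSPAD = """
[Common]
WWW-Proxy=8000-srv
[Servers Ip Addresses]
Name=8000-srv.dac.edu
"""

NODE_RE = re.compile(r"""new\s+Node\(\s*["']?([^"',\s)]+)["']?\s*,""")

def wpad_hosts(text):
    """Hostnames in the new Node(...) entries that follow function MakeProxies()."""
    start = text.find("function MakeProxies")
    return NODE_RE.findall(text[start:]) if start != -1 else []

def wspad_names(text):
    """WWW-Proxy= under [Common] and Name= under [Servers Ip Addresses]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)
    return {"WWW-Proxy": cp.get("Common", "WWW-Proxy", fallback=None),
            "Name": cp.get("Servers Ip Addresses", "Name", fallback=None)}

def check_names(names, expected_ip, resolve=socket.gethostbyname):
    """Resolve each name through the OS resolver (as ping does) and compare
    the answer with the address the ISA internal NIC is expected to have."""
    results = {}
    for name in names:
        try:
            ip = resolve(name)
        except OSError:          # includes socket.gaierror: name did not resolve
            ip = None
        results[name] = "ok" if ip == expected_ip else f"MISMATCH ({ip})"
    return results

if __name__ == "__main__":
    found = wpad_hosts(SAMPLE_WPAD) + list(wspad_names(SAMPLE_WSPAD).values())
    print(check_names(dict.fromkeys(found), "10.92.60.20"))
```

A name that fails to resolve, or resolves to an address other than the ISA internal NIC, is reported as a mismatch; that is the condition the ping questions in the quoted procedure are meant to expose.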


