RE: ISA 2004 SP2 and Direct Access

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Feb 2006 06:47:18 -0800

Eric has posted this to the internal ISA alias.
The results should be very interesting indeed...

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Friday, February 10, 2006 3:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 SP2 and Direct Access

http://www.ISAserver.org

Stefaan,

That's good point, I don't find a right answer from the list,
KB either!

> Hi Tom, 
> 
> Euh... It doesn't work in my case! Grrr....
> 
> Take the following case: 
> 1. we have to specify some IP ranges for direct access (VPN client
access
> passthrough). We can't use FQDN's or domain names for that.
> 2. we have to specify things such as '*.msn.com' and '*.hotmail.com'
for
> direct as well. 
> 
> In that case, the entries specified under 2. doesn't work anymore
unless you
> specify the IP ranges too. Needless to say that that is very often
> impossible and certainly not manageable.
> 
> Does any body have a solution for this one?  
> 
> Stefaan
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: vrijdag 10 februari 2006 4:18
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 SP2 and Direct Access
> 
> http://www.ISAserver.org
> 
> Ha Ha!
> 
> It worked!
> 
> Time to write up an article on this and provide some virtual tissue to
> handle the crying :)
> 
> Tom 
> 
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, February 09, 2006 9:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 SP2 and Direct Access
> 
> http://www.ISAserver.org
> 
> YIKES!!! That really suX0RS.
> 
> Now I need to take all the IP addresses out of my Direct Access List,
> because I have no idea how stable the addresses of Internet servers
are that
> have their FQDNs included in the Direct Access list.
> 
> BEGGING: is there a way to turn off this feature?
> 
> Thanks!
> Tom 
> 
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, February 09, 2006 1:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 SP2 and Direct Access
> 
> http://www.ISAserver.org
> 
> http://support.microsoft.com/kb/903746 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Thursday, February 09, 2006 06:45
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA 2004 SP2 and Direct Access
> 
> http://www.ISAserver.org
> 
> Can you re-send the KB link?  Or was it private?
> 
> t
> 
> -----
> "I don't want their respect, I want their obedience."
> Dr. Thomas W. Shinder, M.D.
> 
> 
> 
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, February 09, 2006 6:27 AM
> Subject: [isalist] RE: ISA 2004 SP2 and Direct Access
> 
> 
> > http://www.ISAserver.org
> >
> > I sent a link to the KB.
> > There are no changes to autodetection; just how the script it
provides
> > causes the browser to behave.
> >
> > Stefaan - lemme know your case #, will you?
> >
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > Sent: Thursday, February 09, 2006 12:38 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA 2004 SP2 and Direct Access
> >
> > http://www.ISAserver.org
> >
> > I feel strange answer from Jim already because he keeps saying the 
> > script to populate IP adress into direct access list but that IP 
> > address range is for protected network only, he has not answered 
> > anything about this new SP2 Autodection merchanism...
> >
> >
> >> Hi Tom,
> >>
> >> No comments from Jim? That's strange...
> >>
> >> Stefaan
> >>
> >> -----Original Message-----
> >> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> >> Sent: woensdag 8 februari 2006 18:21
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] RE: ISA 2004 SP2 and Direct Access
> >>
> >> http://www.ISAserver.org
> >>
> >> Hi Stefaan,
> >>
> >> Ha! I thought I was going crazy when I kept saying that SP2 broke
> > Direct
> >> Access. I'm glad you're seeing the same thing. I thought perhaps it
> > was
> >> something whack with my test bed.
> >>
> >> Tom
> >>
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >>
> >>
> >> -----Original Message-----
> >> From: Stefaan Pouseele [mailto:Stefaan.Pouseele@xxxxxxx]
> >> Sent: Wednesday, February 08, 2006 10:42 AM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] ISA 2004 SP2 and Direct Access
> >>
> >> http://www.ISAserver.org
> >>
> >> Hey guys,
> >>
> >> There is a change in behavior if you configure sites for direct
> access
> > (ISA
> >> Internal Network properties -> Web Browser). It doesn't work the
same
> > as in
> >> SP1!
> >>
> >> This is the configuration: a workstation with the Firewall client
> > installed
> >> and IE configured with the routing script.
> >>
> >> 1. If you configure only the IP range for direct access:
> >>    a) a request by FQDN in IE is sent as a Web Proxy client
request.
> >>    b) a request by IP in IE is sent as a Firewall client request.
> >>
> >> 2. If you configure only the domain for direct access:
> >>    a) a request by FQDN in IE is sent as a Web Proxy client
request.
> >>    b) a request by IP in IE is sent as a Web Proxy client request.
> >>
> >> 3. If you configure both the domain *and* the corresponding IP
range
> > for
> >> direct access:
> >>    a) a request by FQDN in IE is sent as a Firewall client request.
> >>    b) a request by IP in IE is sent as a Firewall client request.
> >>
> >>
> >> So, the question is obviously why is for case 2.a the request not
> sent
> > as a
> >> Firewall client request (this was the behavior in SP1)?
> >> Is this a bug and is there a workaround other than adding the
> > corresponding
> >> IP range?
> >>
> >>
> >> Thanks,
> >> Stefaan
> >>
> >> ----------------------------------------------------------------
> >>
> >> Disclaimer
> >>
> >> De informatie in dit bericht is uitsluitend bedoeld voor de
> > geadresseerde en
> >> kan vertrouwelijke en/of bevoorrechte gegevens en/of door 
> >> intellectuele-eigendomsrechten beschermde informatie bevatten.
> >> Als u niet de geadresseerde bent, gelieve dit bericht te
verwijderen
> > en de
> >> afzender te verwittigen. U mag dit bericht niet gebruiken,
wijzigen,
> >> dupliceren of verspreiden, noch de inhoud ervan bekendmaken aan een
> > derde.
> >> De veiligheid of juistheid van e-mailberichten kan niet
gegarandeerd
> > worden,
> >> vermits de informatie onderschept, verbasterd of vernietigd kan
> > worden, zoek
> >> kan raken, te laat of onvolledig kan aankomen of virussen kan
> > bevatten.
> >> Cevi NV aanvaardt geen enkele aansprakelijkheid voor verlies of
> schade
> > die
> >> op enigerlei wijze te wijten is aan het gebruik van het medium.
> >> Eventuele standpunten of meningen in dit bericht zijn die van de
> > auteur en
> >> geven niet noodzakelijk die van Cevi NV of zijn verbonden
> > ondernemingen
> >> weer.
> >> Bijgevolg bindt dit e-mailbericht Cevi NV niet, tenzij het een 
> >> uitdrukkelijke andersluidende verklaring van een gemachtigde 
> >> vertegenwoordiger bevat.
> >>
> >> Cevi NV, Bisdomplein 3, 9000 Gent - tel. 09 264 07 01 - Rek. nr.
> >> 091-0015991-15
> >>                            RPR Gent - BTW BE 0860.972.295 -
> > cevi@xxxxxxx
> >>
> >>
> >>
> >> ------------------------------------------------------
> >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> You are currently subscribed to this ISAserver.org Discussion List
> as:
> >> tshinder@xxxxxxxxxxxxxxxxxx
> >> To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> Report abuse to listadmin@xxxxxxxxxxxxx
> >>
> >>
> >>
> >> ------------------------------------------------------
> >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> You are currently subscribed to this ISAserver.org Discussion List
> as:
> >> stefaan.pouseele@xxxxxxxxx To unsubscribe visit 
> >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> 
> > thor@xxxxxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.



Other related posts: