[isalist] Re: ISA Intra Array Authentification

  • From: "Bogdan Florin" <florinb@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 Feb 2007 08:33:32 +0200

1. Your network definitions are broken - just plain broken.
You're operating with the Edge Template, have no addresses assigned to
the Internal network and the only hosts using the "Intra-array" net are
the ISA servers.

B> I would like to receive your opinion about network template keeping
in mind my intentions: purely two ISA servers for CACHE. I accept any
suggestion about network template as long as I can have two ISA in
Array used for cache. The end users set up proxy manually. This is my
wish, so suggest me what network template should I use and how many
network adapters and I will jump for it instantly. Before having Edge ..
I was using Single Network Adapter Template and I have EXACTLY the same
error having of course only one single network interface on that
computer.

2. You have GFI WebMonitor installed, but ISAInfo doesn't know how
to read this configuration (yet; David?). Have you tried to disable or
remove the filter?

B> I did not yet try to disable the WebMonitor. I will try this too
today.

GFI WebMonitor3 filter: Enabled
  Description:      GFI WebMonitor3 filter for ISA server
  Filter Direction: Forward
  Priority:         Medium
  Relative Path:    WebMonPlg.dll
  Vendor:           GFi Software Ltd.
  Version:          3.1.421

I can't speak to the version displayed (David again?), but you should
check to ensure you have the latest bits.

In the intra-array capture, Proxy2 (192.168.254.2) is attempting to
authenticate with Proxy1 (192.168.254.1) via a "GET
http://ms_proxy_intra_array_auth_query/" request and receives a "400"
response from Proxy1.

Under normal circumstances, this response should never happen.  The
destination ISA would respond with a "407" if authentication actually
failed.

B> I do not know this behavior so deeply, that's why I came here.

Because this request is strictly for authentication to the upstream,
ISA interprets any non-200 response as "failed authentication" and
reports it back down the chain as such.

Repeat the test with isabpapack +repro on both servers and respond with
a link to both packages.
 

B> OK, I will do this today after I stop the WebMonitor as well.

One change - log on as a domain admin - the bizranet\florin account
failed to authenticate to MSDE and so we have no logs.

B> bizarnet\florinb is a domain account!!!!!

This way, we can see what both servers thought of the communication.

B> No problem, you will have both reports today. I will work on 2
clients, each one connected to a different ISA, but only one client will
show the error because the Load is 1 % on PROXY2 and 100 % on PROXY1.
