Re: Possible problem with Jim's Client Article #1

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 12 Oct 2003 06:47:15 -0700

..and here's the answer...

John has MANY destination sets used to limit access to various inappropriate 
sites.  This is a good thing, but it also brings one of ISA's "features" to the 
forefront of a deployment.

When validating destination set data against user requests, ISA will attempt to 
resolve names to IPs and vice-versa.  The idea here is to ensure that the user 
can't circumvent FQDN-based destination sets by using IP addresses.  
Unfortunately, it also means that ISA is dependent not only on how well YOU 
configure name resolution, but also how well other folks on the Internet 
maintain their own namespace.

John's DNS and IP structures were just fine, but the blocked sites were causing 
his ISA to go into timeout waiting for the name queries to return (I didn't 
ask, but I'll bet there were BUNCHES of NetBIOS name queries in the IP logs).  

Many folks (yes, even in this list) are guilty of not maintaining a proper DNS 
structure for their domains and this causes a lot of H&D for those of us trying 
to double-check Internet names.

The answer in his case was to keep the FW and Web Proxy DNS caches disabled, 
but to also add another registry entry as spelled out in 
http://support.microsoft.com/default.aspx?scid=819128.

The overall effect is that ISA will apply the rules without the name resolving 
double-checking technique.  This provides a much faster decision process for 
ISA requests, but it also means that you may need to apply IP addresses as well 
as names in your destination sets.

HTH,

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
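
An added illustration of the trade-off described in the message above, not code from the thread or from ISA Server: a simplified Python model of destination-set matching with and without the name-resolution double-check. The resolver tables, host names, addresses and the 5-second timeout are constructed assumptions.

```python
import ipaddress

TIMEOUT_S = 5.0  # assumed cost of one unanswered name query (constructed value)

# Constructed resolver data; None models a query that is never answered.
FORWARD = {"media.example.test": "192.0.2.10"}
REVERSE = {"192.0.2.10": "media.example.test", "10.1.1.5": None}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lookup(table, key):
    """Return (answer, seconds spent); a missing or None answer costs a timeout."""
    answer = table.get(key)
    return answer, (0.0 if answer else TIMEOUT_S)

def matches(request_host, dest_set, double_check):
    """Return (matched, seconds spent waiting on name queries)."""
    names = {request_host.lower()}
    waited = 0.0
    if double_check:
        # Resolve the requested host "the other way" so that a request by IP
        # is also compared against FQDN entries, and vice versa.
        table = REVERSE if is_ip(request_host) else FORWARD
        answer, cost = lookup(table, request_host.lower())
        waited += cost
        if answer:
            names.add(answer)
    entries = {e.lower() for e in dest_set}
    return bool(names & entries), waited

def missing_ip_entries(dest_set):
    """FQDN entries whose IP (or an unknown IP) is not also in the set.

    These are the entries a request by IP would slip past once the
    double-check is turned off."""
    entries = {e.lower() for e in dest_set}
    return sorted(n for n in entries
                  if not is_ip(n) and FORWARD.get(n) not in entries)
```

With the double-check on, a request for an address that has no answering reverse zone pays the timeout on every evaluation; with it off, the rule only matches what is literally listed, so `missing_ip_entries` shows which names still need their addresses added.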


On Thu, 2 Oct 2003 07:56:30 -0700
 "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

I'd be very interested in your ISAInfo.
Changing those settings should actually improve ISA performance.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 02, 2003 05:30
Subject: [isalist] Possible problem with Jim's Client Article #1



Hi Jim

Forgive the subject heading as I don't mean to be accusatory, I simply meant
to try and explain my problem.

In another thread "How do IE & ISA use DNS.?" I raised the question of how
to change ISA's method of using DNS, at which point you referred me to your
article
(http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html)
which I duly followed with particular reference to the
"Web Proxy and Firewall DNS cache" section.

After disabling the WEB Proxy and Firewall DNS Cache (by setting the
msFPCDnsCacheSize=0), I now had problems accessing websites (by IP Address)
over a private WAN link. The problems were that I would get timeouts to the
one site (which uses IIS Integrated authentication) and ***REALLY*** slow
performance to another (not sure what auth is used on this one.) While
testing workarounds etc I found that by creating an ANY-ANY Site&Content
Rule (I already have a protocol rule allowing EVERYBODY access to the FTP,
HTTP & HTTPS protocols), ***AS WELL AS*** disabling my DENY S&C Rule for the
Real Media Player site (207.188.7.85), the problem would be resolved. Go
figure!!!

Anyway, if I tried to disable the ANY-ANY S&C rule, or enable the RealMedia
rule, or any other combined form of enabled/disabled between these 2, the
problem would reappear.

As a last resort I reversed the registry changes as described in your
article and Eureka!!! I then disabled my ANY-ANY S&C Rule, enabled my
RealMedia DENY rule, and now everything is back to normal.

I know it sounds confusing, deluded and probably a whole lot wacky, but do
you believe you may be able to interpret some logic out of the above
dilemma?

Thanks for your time,

Thanks

William R.


William Robertson
AST Mpumalanga
Systems House / Consultant: Software
Tel: 013-2472703 / 083 638 0354
Fax: 013-2462236


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*

All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*

