Sorry; I don't know where "John" came from...
This is what happens when I try to think and type at the same time...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Mon, 13 Oct 2003 07:50:28 +0200
"William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:

http://www.ISAserver.org

Thanks for the feedback Jim.

Although the downside to this config change is as you say: I need to define rules based on IP as well as FQDN, but in my case that's not a huge trainsmash as I have a WEB Filter (SurfControl) which I use to do most of my serious ALLOW/DENY rules based on websites.

Thanks for your help, as always, it is much appreciated.

Cheers
William R.

PS. I know that in the States Bill is a short form of William, but is John also "aliased" to William? Sorry, just trying to broaden my social engineering skills... :)

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 12 October 2003 15:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Possible problem with Jim's Client Article #1

..and here's the answer...

John has MANY destination sets used to limit access to various inappropriate sites. This is a good thing, but it also brings one of ISA's "features" to the forefront of a deployment.

When validating destination set data against user requests, ISA will attempt to resolve names to IPs and vice-versa. The idea here is to ensure that the user can't circumvent FQDN-based destination sets by using IP addresses. Unfortunately, it also means that ISA is dependent not only on how well YOU configure name resolution, but also how well other folks on the Internet maintain their own namespace.

John's DNS and IP structures were just fine, but the blocked sites were causing his ISA to go into timeout waiting for the name queries to return (I didn't ask, but I'll bet there were BUNCHES of NetBIOS name queries in the IP logs).
Many folks (yes, even in this list) are guilty of not maintaining a proper DNS structure for their domains and this causes a lot of H&D for those of us trying to double-check Internet names.

The answer in his case was to keep the FW and Web Proxy DNS caches disabled, but to also add another registry entry as spelled out in http://support.microsoft.com/default.aspx?scid=819128. The overall effect is that ISA will apply the rules without the name resolving double-checking technique. This provides a much faster decision process for ISA requests, but it also means that you may need to apply IP addresses as well as names in your destination sets.

HTH,

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Thu, 2 Oct 2003 07:56:30 -0700
"Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

I'd be very interested in your ISAInfo.
Changing those settings should actually improve ISA performance.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 02, 2003 05:30
Subject: [isalist] Possible problem with Jim's Client Article #1

Hi Jim

Forgive the subject heading as I don't mean to be accusatory, I simply meant to try and explain my problem.

In another thread "How do IE & ISA use DNS.?" I raised the question of how to change ISA's method of using DNS, at which point you referred me to your article (http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html) which I duly followed with particular reference to the "Web Proxy and Firewall DNS cache" section.
After disabling the WEB Proxy and Firewall DNS Cache (by setting the msFPCDnsCacheSize=0), I now had problems accessing websites (by IP Address) over a private WAN link. The problems were that I would get timeouts to the one site (which uses IIS Integrated authentication) and ***REALLY*** slow performance to another (not sure what auth is used on this one.)

While testing workarounds etc I found that by creating an ANY-ANY Site&Content Rule (I already have a protocol rule allowing EVERYBODY access to the FTP, HTTP & HTTPS protocols), ***AS WELL AS*** disabling my DENY S&C Rule for the Real Media Player site (207.188.7.85), the problem would be resolved. Go figure!!!

Anyway, if I tried to disable the ANY-ANY S&C rule, or enable the RealMedia rule, or any other combined form of enabled/disabled between these 2, the problem would reappear.

As a last resort I reversed the registry changes as described in your article and Eureka!!! I then disabled my ANY-ANY S&C Rule, enabled my RealMedia DENY rule, and now everything is back to normal.

I know it sounds confusing, deluded and probably a whole lot wacky, but do you believe you may be able to interpret some logic out of the above dilemma?

Thanks for your time,

Thanks
William R.
_____
William Robertson
AST Mpumalanga Systems House / Consultant: Software
Tel: 013-2472703 / 083 638 0354
Fax: 013-2462236

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

All mail from this domain is virus-scanned with RAV.
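Added example, not part of the original thread and not ISA Server code: a simplified Python model of the destination-set check Jim describes, showing why an FQDN-only set stops matching IP-literal requests once the name-resolution double-check is turned off, and listing the IP entries that would then need adding. The function names, lookup tables, host names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample data: hypothetical hosts, documentation-range addresses.
DNS_A = {                      # forward lookups: name -> addresses
    "media.example.com": ["192.0.2.10"],
    "intranet.example.net": ["198.51.100.7"],
}
DNS_PTR = {                    # reverse lookups; 192.0.2.10 has no PTR record
    "198.51.100.7": "intranet.example.net",
}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def matches(dest_set, requested, double_check):
    """True if the requested host (FQDN or IP literal) hits the destination set."""
    entries = {e.lower() for e in dest_set}
    req = requested.lower()
    if req in entries:                      # literal match, no DNS involved
        return True
    if not double_check:                    # resolution double-check disabled
        return False
    if is_ip(req):                          # IP requested: try its reverse name
        other_forms = [DNS_PTR[req]] if req in DNS_PTR else []
    else:                                   # name requested: try its addresses
        other_forms = DNS_A.get(req, [])
    return any(form in entries for form in other_forms)

def missing_ip_entries(dest_set):
    """For each FQDN entry, the resolved addresses the set does not list yet."""
    entries = {e.lower() for e in dest_set}
    gaps = {}
    for name in sorted(e for e in entries if not is_ip(e)):
        absent = [ip for ip in DNS_A.get(name, []) if ip not in entries]
        if absent:
            gaps[name] = absent
    return gaps

if __name__ == "__main__":
    deny = ["intranet.example.net", "media.example.com"]
    for host in ("intranet.example.net", "198.51.100.7", "192.0.2.10"):
        print(host, matches(deny, host, True), matches(deny, host, False))
    print(missing_ip_entries(deny))
```

The 192.0.2.10 case misses even with the double-check enabled because its owner publishes no reverse record, which is the dependence on other people's namespaces that the thread points out.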