Re: Possible problem with Jim's Client Article #1

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 13 Oct 2003 06:18:57 -0700

Sorry; I don't know where "John" came from...
This is what happens when I try to think and type at the same time...

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 13 Oct 2003 07:50:28 +0200
 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org


Thanks for the feedback Jim. Although the downside to this config change is
as you say: I need to define rules based on IP as well as FQDN, but in my
case that's not a huge trainsmash as I have a WEB Filter (SurfControl) which
I use to do most of my serious ALLOW/DENY rules based on websites.

Thanks for your help, as always, it is much appreciated.

Cheers
William R.

PS. I know that in the States Bill is a shortform of William, but is John
also "aliased" to William? Sorry, just trying to broaden my social
engineering skills... :)

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: 12 October 2003 15:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Possible problem with Jim's Client Article #1



...and here's the answer...

John has MANY destination sets used to limit access to various inappropriate
sites.  This is a good thing, but it also brings one of ISA's "features" to
the forefront of a deployment.

When validating destination set data against user requests, ISA will attempt
to resolve names to IPs and vice-versa.  The idea here is to ensure that the
user can't circumvent FQDN-based destination sets by using IP addresses.
Unfortunately, it also means that ISA is dependent not only on how well YOU
configure name resolution, but also how well other folks on the Internet
maintain their own namespace.

John's DNS and IP structures were just fine, but the blocked sites were
causing his ISA to go into timeout waiting for the name queries to return (I
didn't ask, but I'll bet there were BUNCHES of NetBIOS name queries in the
IP logs).  

Many folks (yes, even in this list) are guilty of not maintaining a proper
DNS structure for their domains and this causes a lot of H&D for those of us
trying to double-check Internet names.

The answer in his case was to keep the FW and Web Proxy DNS caches disabled,
but to also add another registry entry as spelled out in
http://support.microsoft.com/default.aspx?scid=819128.

The overall effect is that ISA will apply the rules without the name
resolving double-checking technique.  This provides a much faster decision
process for ISA requests, but it also means that you may need to apply IP
addresses as well as names in your destination sets.

HTH,

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
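The trade-off Jim describes (ISA's name/IP double-check versus applying rules on the literal destination only) can be modelled in a few lines. The following is an added example, not ISA Server code and not from Jim's article: it uses a constructed resolver table and made-up destination-set names. `matches` shows which requests a set catches with the double-check on and off, and `ip_gaps`/`harden` implement the follow-up Jim recommends, listing the FQDN entries whose addresses are not also in the set so they can be added once the double-check is switched off.

```python
"""Toy model of destination-set matching with and without the name/IP
double-check described in the thread.  Constructed example: the resolver
table, set names and addresses below are made up, not ISA Server internals."""
from dataclasses import dataclass, field


class ResolutionTimeout(Exception):
    """Raised by the toy resolver for zones that never answer (models the
    name-query timeouts that stalled the deployment in the thread)."""


@dataclass
class DestinationSet:
    name: str
    fqdns: set = field(default_factory=set)
    ips: set = field(default_factory=set)


# Constructed forward/reverse table.  None marks a zone whose lookups hang.
RESOLVER = {
    "blocked.example": {"203.0.113.10"},
    "203.0.113.10": {"blocked.example"},
    "slow.example": None,       # forward lookup never returns
    "198.51.100.5": None,       # reverse lookup never returns
}


def resolve(name_or_ip):
    """Return the names/IPs the toy DNS maps to, or raise on a hung zone."""
    answer = RESOLVER.get(name_or_ip, set())
    if answer is None:
        raise ResolutionTimeout(name_or_ip)
    return answer


def matches(dest, dset, double_check):
    """Does the request destination `dest` hit destination set `dset`?

    double_check=False: compare the literal destination only (rules applied
    "without the name resolving double-checking technique").
    double_check=True: also resolve `dest` and compare the answers, which
    catches an IP typed in place of a listed FQDN but blocks on hung zones.
    """
    literal = dest in dset.fqdns or dest in dset.ips
    if literal or not double_check:
        return literal
    resolved = resolve(dest)            # may raise ResolutionTimeout
    return bool(resolved & (dset.fqdns | dset.ips))


def ip_gaps(dset):
    """FQDN entries whose addresses are not also listed in the set.

    These are the entries to add by IP when the double-check is disabled.
    An FQDN whose zone cannot be resolved maps to an empty set, meaning
    'address unknown, enter it by hand'.
    """
    gaps = {}
    for fqdn in sorted(dset.fqdns):
        try:
            addrs = resolve(fqdn)
        except ResolutionTimeout:
            addrs = set()
        missing = addrs - dset.ips
        if not addrs or missing:
            gaps[fqdn] = missing
    return gaps


def harden(dset):
    """Copy of `dset` with every resolvable IP gap filled in."""
    fixed = DestinationSet(dset.name, set(dset.fqdns), set(dset.ips))
    for missing in ip_gaps(dset).values():
        fixed.ips |= missing
    return fixed


if __name__ == "__main__":
    deny = DestinationSet("deny-sites", {"blocked.example", "slow.example"})
    print("double-check off, IP request caught:",
          matches("203.0.113.10", deny, double_check=False))
    print("gaps to fill by IP:", ip_gaps(deny))
    print("after harden:", harden(deny).ips)
```

With the double-check on, the request for `203.0.113.10` is caught through the reverse lookup but a request for `198.51.100.5` raises `ResolutionTimeout`, which is the stall the thread is about; with it off, the same set misses the IP until `harden` adds it, which is why the IP entries have to be maintained alongside the names.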


On Thu, 2 Oct 2003 07:56:30 -0700
 "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:


I'd be very interested in your ISAInfo.
Changing those settings should actually improve ISA performance.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 02, 2003 05:30
Subject: [isalist] Possible problem with Jim's Client Article #1




Hi Jim

Forgive the subject heading as I don't mean to be accusatory, I simply meant
to try and explain my problem.

In another thread "How do IE & ISA use DNS.?" I raised the question of how
to change ISA's method of using DNS, at which point you referred me to your
article
(http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html)
which I duly followed with particular reference to the "Web Proxy and
Firewall DNS cache" section.

After disabling the WEB Proxy and Firewall DNS Cache (by setting the
msFPCDnsCacheSize=0), I now had problems accessing websites (by IP Address)
over a private WAN link. The problems were that I would get timeouts to the
one site (which uses IIS Integrated authentication) and ***REALLY*** slow
performance to another (not sure what auth is used on this one.) While
testing workarounds etc I found that by creating an ANY-ANY Site&Content
Rule (I already have a protocol rule allowing EVERYBODY access to the FTP,
HTTP & HTTPS protocols), ***AS WELL AS*** disabling my DENY S&C Rule for the
Real Media Player site (207.188.7.85), the problem would be resolved. Go
figure!!!

Anyway, if I tried to disable the ANY-ANY S&C rule, or enable the RealMedia
rule, or any other combined form of enabled/disabled between these 2, the
problem would reappear.

As a last resort I reversed the registry changes as described in your
article and Eureka!!! I then disabled my ANY-ANY S&C Rule, enabled my
RealMedia DENY rule, and now everything is back to normal.

I know it sounds confusing, deluded and probably a whole lot wacky, but do
you believe you may be able to interpret some logic out of the above
dilemma?

Thanks for your time,

Thanks

William R.

_____

William Robertson
AST Mpumalanga
Systems House / Consultant: Software
Tel: 013-2472703 / 083 638 0354
Fax: 013-2462236


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*

All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*




---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official 
business of Columbus Stainless is proprietary to the company. It is 
confidential, legally privileged and protected by law. Columbus 
Stainless does not own and endorse any other content. Views and 
opinions are those of the sender unless clearly stated as being that 
of Columbus Stainless. The person addressed in the e-mail is the sole 
authorised recipient.  Please notify the sender immediately if it has 
unintentionally reached you and do not read, disclose or use the 
content in any way. Whilst all reasonable steps are taken to ensure 
the accuracy and integrity of information and data transmitted 
electronically and to preserve the confidentiality thereof, no 
liability or responsibility whatsoever is accepted if information or 
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------
