[isalist] Re: Serious Problems Now

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 10 Apr 2006 10:04:35 -0700

http://www.ISAserver.org
-------------------------------------------------------

Resending part of a previous response:

The ISA 2000 "Destination set" has been expanded to allow you more granular 
control via "URL sets" and "Domain Sets".
Which you choose to use is your choice, but there are some concepts to bear in 
mind:
- both URL Sets & Domain Sets apply *only* to traffic handled by the web proxy
- URL sets can be applied to *only* HTTP (*not* HTTPS) or FTP traffic
- Domain sets can be applied to HTTP, FTP, or HTTPS traffic

"Add Site" allows you to choose which technique applies best to your scenario. 


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
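A worked illustration of the distinction above, added here as an example rather than code from Jim's post or from ISA Server itself: a simplified Python model of what the web proxy filter can see for each request and, from that, why a URL set can only match HTTP or FTP while a Domain set also covers HTTPS. The `proxy_view` helper, the sample host names and the wildcard handling are simplifying assumptions, not ISA's exact matching rules.

```python
"""Simplified model of ISA 2004 URL sets vs Domain sets (added example).

Assumption: for an HTTPS request the web proxy filter only sees the
CONNECT host:port, never the path, so only a host-based (Domain set)
match is possible; for HTTP/FTP it sees the full URL.  Wildcard handling
is deliberately simple and is not ISA's exact matching logic.
"""
from fnmatch import fnmatchcase
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


def proxy_view(url: str) -> Tuple[str, str, Optional[str]]:
    """Return (scheme, host, path) as the web proxy filter can observe it.

    For HTTPS the path travels inside the TLS tunnel, so it is reported as None.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "https":
        return scheme, host, None
    return scheme, host, parts.path or "/"


def domain_set_match(patterns: Iterable[str], url: str) -> bool:
    """Domain set: host-name match; applies to HTTP, FTP and HTTPS."""
    scheme, host, _ = proxy_view(url)
    if scheme not in ("http", "https", "ftp"):
        return False  # not web-proxy traffic, so the set never applies
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def url_set_match(patterns: Iterable[str], url: str) -> bool:
    """URL set: full-URL match; only possible where the path is visible (HTTP/FTP)."""
    scheme, host, path = proxy_view(url)
    if scheme not in ("http", "ftp") or path is None:
        return False  # HTTPS: the path is unknown, so a URL set cannot match
    return any(fnmatchcase(f"{scheme}://{host}{path}", p.lower()) for p in patterns)


if __name__ == "__main__":
    # Constructed sample patterns; the podcast host is a placeholder, not a real ISA entry.
    domain_set = ["*.example-podcasts.test"]
    url_set = ["http://*.example-podcasts.test/*"]
    for u in ("http://media.example-podcasts.test/feed.xml",
              "https://media.example-podcasts.test/feed.xml"):
        print(u, "domain set:", domain_set_match(domain_set, u),
              "url set:", url_set_match(url_set, u))
```

The HTTPS feed URL is matched by the Domain set but never by the URL set, which is the behaviour the list above describes.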
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ray Dzek
Sent: Monday, April 10, 2006 09:52
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Serious Problems Now

For those of you keeping score at home...

The issue that caused my "Andrew" day was actually a bad supervisor card on a 
T3 at our ISP's ISP.  Why that would cause http redirects to fail, I have no 
idea.  So other than the HTTPS failure, and the hiccup with the iTunes web site 
compression, the rest of the week with ISA was a wild goose chase.

But regarding the iTunes compression solution, I don't think I got an answer 
regarding the use of a Network or Computer set for the "Add Site" reference to 
getting iTunes to work with ISA 2004 vs using a Destination set.  
Why would MS require the use of a static object defined by IP for something 
that is potentially very dynamic, as in this case the delivery of multimedia 
content?  So now I have to wait for a helpdesk ticket from a user complaining 
that iTunes is broken again and then manually update the IP addresses.

Can anybody clarify this for me?


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Saturday, April 08, 2006 7:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Serious Problems Now

That's "web proxy filter". 
I agree that ISA is a favorite target; it's the nature of the "MS==broken" 
mentality that we still have to fight...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ray Dzek
Sent: Saturday, April 08, 2006 13:31
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: Serious Problems Now

Sorry .. Win Proxy Filter.  Under Protocols, HTTP/HTTPS, Properties, 
Parameters, Application Filters.
 
The HTTPS problem is what kicked off the whole chain of events, which is why 
ISA was suspect.
 
You are correct though in that I rarely start tearing into ISA just because 
somebody starts pointing fingers at the firewall for something they can't do on 
the internet.  ISA has been very stable in our environment.  Even after 
replacing/upgrading the Cisco firewalls for the e-commerce sites, I insisted on 
keeping ISA for our back office traffic and to support VPN and our OWA site.  
This was just one of those "perfect storm" type scenarios where all fingers were 
pointing at ISA.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
Sent: Sat 4/8/2006 12:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Serious Problems Now


Hi Ray,
 
You need to remember that 99.987587% of the time, it's not an ISA firewall 
problem, it's something else. While it's common to make the ISA firewall the 'sin 
eater' for everyone else's problems, it just ain't the case.
 
That's why you need to do some troubleshooting to figure out what's going on. I 
have the same problems with network connectivity from time to time, but I don't 
start with the ISA firewall, I start with the problem. Then I use tools like:
 
* nslookup (in interactive mode)
* ping
* pathping
* tracert with and without -d switch
* ISA firewall logs
* Network Monitor (or any other packet tracer)
* ISA Alerts
* Event Viewer
* ISA firewall BPA
* Telnet
 
First step is to try to replicate the problem. Then check the ISA firewall logs 
to see what they report regarding the problem. Make sure you're logging for all 
fields in the Web proxy and Firewall logs
 
If the ISA firewall logs show that the ISA firewall isn't blocking the 
connection, then you need to figure out where in the request/response path the 
connections are being blocked. 
 
Is it a name resolution problem?
Is it a black hole router?
Is it a router loop somewhere in the path?
Is it a link failure at the ISP?
Is it a link failure of your CPE?
Is it a bad switch or switch port?
Is it a bad internal router?
Is it a hardware problem on the ISA firewall device?
Is it a bad cable to a network switch, router or ISA firewall?
Is it a network at 100% network utilization problem? (and if so, why? Worms? Warez?)
Is it a problem with the ISP's Web proxy (if they're using one)?
Is it a link failure for a major provider (akamai, etc)?
Is it a client problem?
Is it an authentication problem?
Is it a Group Policy problem?
 
That's just a short list of things to consider before considering a problem 
with the ISA firewall software/configuration. It's one thing if something never 
worked, but when things have worked fine before, and then they stop working, 
 
BTW -- what's "winproxy"? Is it this? http://www.winproxy.com/
 
HTH,
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Dzek
        Sent: Saturday, April 08, 2006 12:50 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: RE: [isalist] Re: Serious Problems Now
        
        
I may be a little "Andrew-ish" at this point.  Last week I had a 
perfectly functional ISA server.  This week, I don't know what I have.
First, we lost HTTPS connections.  We still have no idea why.  We previously 
did not have winproxy applied to https.  The fix was to apply winproxy, restart 
the services, and then un-apply it again and restart services.  The failure was 
such that SecureNAT would not accept HTTPS at all.  You would simply get a 
time out.  No error was being generated in the logs, other than a "failure".  
No error codes, no nothing.  This wasted 2 days of my time.

So since we were tearing into ISA anyway, it seemed like a good time to 
catch up on service packs for the OS and ISA.  I had not seen anything on the 
list to make me think this would be a bad thing.  And in most cases it makes 
little problems go away.  I was wrong.

As explained earlier, Marketing was launching a new series of podcasts. 
When we applied SP2, that broke iTunes which generated another post to the 
list.

Next on the list was a series of stupid user tricks for which ISA was 
blamed because after the first and second problem nobody trusted ISA to be 
working properly any longer.  This wasted another 2 days.  

So that brings me to my "Andrew" day.  I claimed 1/2 the internet was 
not working.  I was actually pretty close.  The issue was, and still is for 
some sites, that you can go to site www.some.site with no problems.  But if you 
click on a link on that site, it breaks and goes nowhere.  So my.yahoo.com with 
all the news feeds, for instance.
The page would load fine, but if you clicked on one of the new items, it would 
just time out.  You can't log into Yahoo mail, msn mail etc.  The links from my 
RSS feeds would not work.  All other protocols seem to work fine.  Skype, IM, 
streaming radio, email, etc.  It appears to be directly related to http 
redirects, but I am not sure.

I have a pretty good relationship with our upstream ISP's.  I use IM 
with the NOC on a regular basis with some of the techs there.  As it turns out, 
one of the ISP's had started getting customer complaints about the same issue. 
So the issue on my "Andrew" day is probably not ISA related.  But after the 
week I have already had, ISA was about to be replaced with a Linux iptables 
script.  I am working with both ISP's right now to see if we can isolate the 
trouble.  One of the ISP's is reporting errors on one of the T3's, but I can't 
see how a T3 transmission error could only block http redirects.  But who 
knows...

BTW... did you hear the joke about the user that wrote to a firewall 
support list and asked how to open a port?

I hope you all are enjoying your Saturday.

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
        Sent: Fri 4/7/2006 5:12 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Serious Problems Now
        
        

        C'mon, Ray - you're starting to sound like Andrew now.
        "Half the Internet"?
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
        On Behalf Of Ray Dzek
        Sent: Friday, April 07, 2006 5:07 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Serious Problems Now
        
        So .. SP2.. What the hell am I supposed to do now?
        
        Half the internet does not work.
        
        I can go to www.yahoo.com, but if you try to open Yahoo mail from your
        My Yahoo page, it just hangs.
        
        In the logs I see Initiated Connection then Closed Connection over and
        over.  The traffic is not being denied.  Error is  0x0
        
        I can't get to slashdot rss feeds, etc
        
        I can seem to get to a standard www page, but anything with extended
        cookies or redirects or whatever seems to die. 
        
        Any suggestions besides spend the weekend rebuilding this thing?  I
        noticed that SP2 has no uninstall.  How nice.
        
        
        
        
        Ray Dzek
        Net Ops / Helpdesk Supervisor
        Specialized Bicycle Components
        
        
        
        All mail to and from this domain is GFI-scanned.
        
        ------------------------------------------------------
        List Archives: //www.freelists.org/archives/isalist/ 
        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
        ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
        ISA Server Blogs: http://blogs.isaserver.org/
        ------------------------------------------------------
        Visit TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------
        To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
        Report abuse to listadmin@xxxxxxxxxxxxx
        
        

