That does appear to be the situation I am experiencing, so I requested the hotfix, installed it, modified the direct access list like recommended, but see no difference yet. I'll reboot the server tonight, and test it again. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Wednesday, August 23, 2006 7:50 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: SurfControl/Direct Access... Cool! Thanks! I'll read this in a bit more detail later, the symptoms sound very familiar... Might just be the culprit! ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele Sent: Tuesday, August 22, 2006 3:49 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: SurfControl/Direct Access... Hi Dan, check out http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-acce ss-these-servers-or-domains-issue-in-isa-server-2004-sp2/ in case you are running SP2. HTH, Stefaan ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: dinsdag 22 augustus 2006 21:39 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: SurfControl/Direct Access... Okay, let's drop SurfControl from the list of possible suspects; it appears to be a moot point in this issue, and is just clouding the issue... So, the next questions is "why is local traffic passing through the ISA server?"... To double-check my direct access settings, I went through these two tutorials, and Tom's book... http://www.isaserver.org/articles/2004directaccessp1.html http://www.isaserver.org/articles/2004directaccessp2.html Reviewing those articles reaffirms that direct access requires very little setting changes, all of which have been present on my system all along. Going back through the thread that Gregory posted showed one other thing that I didn't do before (per Jim's recommendation), and that was to change the DHCP-based wpad settings to DNS-based settings. I got that up and running last night, and it appears to be working as expected, but the problem still exists. The ISA server is on 10.20.1.1, the webserver is on 10.20.1.4, any traffic coming from that same subnet destined for 10.20.1.4 passes through the ISA server instead of bypassing it. So, I guess my next step will be to go through the wpad and wspad files and verify they are sending the right settings, check out the FWC setting to see if there is anything in there that could be causing the problem (although, I tested it on a computer w/o FWC, only proxy and it still did it), and run through the rules again. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao Sent: Tuesday, August 22, 2006 10:06 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: SurfControl/Direct Access... Oh... As said by Dr. Shinder, direct access is purely a client manner not ISA nor SWF, you may verift if you do set (deploy) a correct setting for direct accesss at client side or not. The simplest way to verify if SWF monitors so called directed access is to manually set a WPC client by excluding address for direct access... ----- Original Message ----- From: Ball, Dan <mailto:DBall@xxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx Sent: Tuesday, August 22, 2006 7:11 PM Subject: [isalist] Re: SurfControl/Direct Access... Exactly, that is the way it is "supposed" to work, but the traffic still shows up on the ISA server when it isn't supposed to. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao Sent: Tuesday, August 22, 2006 5:17 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: SurfControl/Direct Access... > Hi Dan, > > 1) If your client access the unwanted monitor site through ISA > (ISA is a router between two subnet), you need to set unmonitored > site at SWF > 2) If your client can access the site by another route without need > to go thourgh ISA, then you shall deploy direct access for > client depending on client type (WPC or FWC). It has nothing to > do with SWF setting. > ----- Original Message ----- > From: "Ball, Dan" <DBall@xxxxxxxxxxx <mailto:DBall@xxxxxxxxxxx> > > To: <isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> > > Sent: Tuesday, August 22, 2006 10:44 AM > Subject: [isalist] Re: SurfControl/Direct Access... > > >> http://www.ISAserver.org <http://www.ISAserver.org> >> ------------------------------------------------------- >> >> Yes they are. >> >> -----Original Message----- >> From: isalist-bounce@xxxxxxxxxxxxx <mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx] >> On Behalf Of Thomas W Shinder >> Sent: Monday, August 21, 2006 10:31 PM >> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >> Subject: [isalist] Re: SurfControl/Direct Access... >> >> http://www.ISAserver.org <http://www.ISAserver.org> >> ------------------------------------------------------- >> >> Are the Web proxy clients configured to use the autoconfiguration >> script? >> >> Thomas W Shinder, M.D. >> Site: www.isaserver.org <http://www.isaserver.org> >> Blog: http://blogs.isaserver.org/shinder/ <http://blogs.isaserver.org/shinder/> >> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> >> MVP -- ISA Firewalls >> >> >> >>> -----Original Message----- >>> From: isalist-bounce@xxxxxxxxxxxxx <mailto:isalist-bounce@xxxxxxxxxxxxx> >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan >>> Sent: Monday, August 21, 2006 9:25 PM >>> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >>> Subject: [isalist] Re: SurfControl/Direct Access... >>> >>> http://www.ISAserver.org <http://www.ISAserver.org> >>> ------------------------------------------------------- >>> >>> I've been digging through my archives for the last hour, and >>> cannot find >>> what I remember... Maybe it's just my old-age kicking in, and I'm >>> remembering things that didn't happen... >>> >>> Anyways, I've gone through the Direct Access settings over >>> and over, and >>> cannot find what might be wrong. Only thing I can think of is the >>> wpad/wspad settings... >>> >>> >>> -----Original Message----- >>> From: isalist-bounce@xxxxxxxxxxxxx <mailto:isalist-bounce@xxxxxxxxxxxxx> >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] >>> On Behalf Of Thomas W Shinder >>> Sent: Monday, August 21, 2006 10:00 PM >>> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >>> Subject: [isalist] Re: SurfControl/Direct Access... >>> >>> http://www.ISAserver.org <http://www.ISAserver.org> >>> ------------------------------------------------------- >>> >>> Hi Dan, >>> >>> For internal connections, Direct Access is entirely a client function. >>> ISA is never in the picture. >>> >>> Tom >>> >>> Thomas W Shinder, M.D. >>> Site: www.isaserver.org <http://www.isaserver.org> >>> Blog: http://blogs.isaserver.org/shinder/ <http://blogs.isaserver.org/shinder/> >>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> >>> MVP -- ISA Firewalls >>> >>> >>> >>> > -----Original Message----- >>> > From: isalist-bounce@xxxxxxxxxxxxx <mailto:isalist-bounce@xxxxxxxxxxxxx> >>> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan >>> > Sent: Monday, August 21, 2006 8:36 PM >>> > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >>> > Subject: [isalist] Re: SurfControl/Direct Access... >>> > >>> > http://www.ISAserver.org <http://www.ISAserver.org> >>> > ------------------------------------------------------- >>> > >>> > That is what we were talking about, it IS configured for >>> > direct access, >>> > but no matter what I do the traffic shows up as passing >>> > through the ISA >>> > server. I seem to recall discussing this with you before, >>> and it was >>> > determined that SurfControl had basically disabled the Direct >>> > Access. >>> > >>> > Geesh, now you got me wondering what was really said. I'll >>> > have to dig >>> > through my e-mail archives to find out what we talked about >>> > last time... >>> > >>> > -----Original Message----- >>> > From: isalist-bounce@xxxxxxxxxxxxx <mailto:isalist-bounce@xxxxxxxxxxxxx> >>> > [mailto:isalist-bounce@xxxxxxxxxxxxx] >>> > On Behalf Of Thomas W Shinder >>> > Sent: Monday, August 21, 2006 8:12 PM >>> > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >>> > Subject: [isalist] Re: SurfControl/Direct Access... >>> > >>> > http://www.ISAserver.org <http://www.ISAserver.org> >>> > ------------------------------------------------------- >>> > >>> > Hi Dan, >>> > >>> > To solve that problem you need to enable Direct Access to >>> the internal >>> > sites. >>> > >>> > Tom >>> > >>> > Thomas W Shinder, M.D. >>> > Site: www.isaserver.org <http://www.isaserver.org> >>> > Blog: http://blogs.isaserver.org/shinder/ <http://blogs.isaserver.org/shinder/> >>> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> >>> > MVP -- ISA Firewalls >>> > >>> > >>> > >>> > > -----Original Message----- >>> > > From: isalist-bounce@xxxxxxxxxxxxx <mailto:isalist-bounce@xxxxxxxxxxxxx> >>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan >>> > > Sent: Monday, August 21, 2006 6:56 PM >>> > > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >>> > > Subject: [isalist] Re: SurfControl/Direct Access... >>> > > >>> > > http://www.ISAserver.org <http://www.ISAserver.org> >>> > > ------------------------------------------------------- >>> > > >>> > > Yes, that was the problem we were running into. Surfcontrol was >>> > > "automatically" monitoring every user that browsed our published >>> > > webserver from the Internet, making the saved history >>> > > database useless. >>> > > I'd go in and deselect all the external hostnames, tell >>> > > SurfControl not >>> > > to monitor them, and the next day I'd have a couple hundred >>> > more to do >>> > > it all over again. It proved to be quite tedious since >>> I'd have to >>> > > browse through that narrow list box to select all the >>> > hostnames, stop >>> > > the database, save the changes, and start it again. >>> > > >>> > > I finally fixed that by stopping it from monitoring port >>> 80, now it >>> > > monitors only port 8080, the proxy port. That seems to be >>> > > working now, >>> > > the only ones "automatically" monitored are the users using >>> > the proxy, >>> > > which is who we want to monitor anyways. >>> > > >>> > > But, that doesn't solve the problem I have now, the >>> requests really >>> > > "shouldn't" be passing through the ISA server in the first >>> > > place if they >>> > > are going to the webserver on the same internal subnet. >>> > > >>> > > >>> > > -----Original Message----- >>> > > From: isalist-bounce@xxxxxxxxxxxxx <mailto:isalist-bounce@xxxxxxxxxxxxx> >>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] >>> > > On Behalf Of Crockett, Gregory >>> > > Sent: Monday, August 21, 2006 6:49 PM >>> > > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >>> > > Subject: [isalist] Re: SurfControl/Direct Access... >>> > > >>> > > http://www.ISAserver.org <http://www.ISAserver.org> >>> > > ------------------------------------------------------- >>> > > >>> > > Add the sites to "unmonitored sites" found under the monitor >>> > > application/monitored data tab. There, you should list all >>> > > sites and ip >>> > > addresses of all host that you do not want monitored. This >>> > > includes web >>> > > enabled devices (switches, etc.) that are accessed >>> through isa from >>> > > Internal to internal networks. If not, they (users either >>> > > authenticated >>> > > or unauthenticated) will eat at your license count. >>> > > >>> > > greg >>> > > >>> > > Sent from mobile Outlook. >>> > > >>> > > -----Original Message----- >>> > > From: "Ball, Dan" <DBall@xxxxxxxxxxx <mailto:DBall@xxxxxxxxxxx> > >>> > > To: "isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> " <isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> > >>> > > Sent: 8/21/06 2:19 PM >>> > > Subject: [isalist] SurfControl/Direct Access... >>> > > >>> > > Tom, what is the current status of Direct Access when used in >>> > > conjunction with SurfControl? I remember you saying >>> > > something about it >>> > > before, but I can't find my e-mails on it. I was working with >>> > > SurfControl quite a bit last week, trying to work out some of >>> > > the bugs, >>> > > and thought it would be really nice if I can get the local >>> > web traffic >>> > > to stop going through the ISA server also. >>> > > >>> > > >>> > > >>> > > I finally figured out a way to get it to stop monitoring >>> > > users from the >>> > > Internet, so that helps. SurfControl support seemed >>> > surprised that it >>> > > was doing that... >>> > > >>> > > >>> > > >>> > > ------------------------------------------------------ >>> > > List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >>> > > ISA Server Newsletter: >>> > http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >>> > > ISA Server Articles and Tutorials: >>> > > http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >>> > > ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >>> > > ------------------------------------------------------ >>> > > Visit TechGenix.com for more information about our other sites: >>> > > http://www.techgenix.com <http://www.techgenix.com> >>> > > ------------------------------------------------------ >>> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >>> > > Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >>> > > >>> > > ------------------------------------------------------ >>> > > List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >>> > > ISA Server Newsletter: >>> > http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >>> > > ISA Server Articles and Tutorials: >>> > > http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >>> > > ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >>> > > ------------------------------------------------------ >>> > > Visit TechGenix.com for more information about our other sites: >>> > > http://www.techgenix.com <http://www.techgenix.com> >>> > > ------------------------------------------------------ >>> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >>> > > Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >>> > > >>> > > >>> > > >>> > ------------------------------------------------------ >>> > List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >>> > ISA Server Newsletter: >>> http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >>> > ISA Server Articles and Tutorials: >>> > http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >>> > ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >>> > ------------------------------------------------------ >>> > Visit TechGenix.com for more information about our other sites: >>> > http://www.techgenix.com <http://www.techgenix.com> >>> > ------------------------------------------------------ >>> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >>> > Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >>> > >>> > ------------------------------------------------------ >>> > List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >>> > ISA Server Newsletter: >>> http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >>> > ISA Server Articles and Tutorials: >>> > http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >>> > ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >>> > ------------------------------------------------------ >>> > Visit TechGenix.com for more information about our other sites: >>> > http://www.techgenix.com <http://www.techgenix.com> >>> > ------------------------------------------------------ >>> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >>> > Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >>> > >>> > >>> > >>> ------------------------------------------------------ >>> List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >>> ISA Server Articles and Tutorials: >>> http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >>> ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >>> ------------------------------------------------------ >>> Visit TechGenix.com for more information about our other sites: >>> http://www.techgenix.com <http://www.techgenix.com> >>> ------------------------------------------------------ >>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >>> Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >>> >>> ------------------------------------------------------ >>> List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >>> ISA Server Articles and Tutorials: >>> http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >>> ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >>> ------------------------------------------------------ >>> Visit TechGenix.com for more information about our other sites: >>> http://www.techgenix.com <http://www.techgenix.com> >>> ------------------------------------------------------ >>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >>> Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >>> >>> >>> >> ------------------------------------------------------ >> List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >> ISA Server Articles and Tutorials: >> http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >> ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >> ------------------------------------------------------ >> Visit TechGenix.com for more information about our other sites: >> http://www.techgenix.com <http://www.techgenix.com> >> ------------------------------------------------------ >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >> Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >> >> ------------------------------------------------------ >> List Archives: //www.freelists.org/archives/isalist/ <//www.freelists.org/archives/isalist/> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp <http://www.isaserver.org/pages/newsletter.asp> >> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ <http://www.isaserver.org/articles_tutorials/> >> ISA Server Blogs: http://blogs.isaserver.org/ <http://blogs.isaserver.org/> >> ------------------------------------------------------ >> Visit TechGenix.com for more information about our other sites: >> http://www.techgenix.com <http://www.techgenix.com> >> ------------------------------------------------------ >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp <http://www.isaserver.org/pages/isalist.asp> >> Report abuse to listadmin@xxxxxxxxxxxxx <mailto:listadmin@xxxxxxxxxxxxx> >> >>