RE: Unable to Access some web site over ISA proxy

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 2 Feb 2006 21:21:49 -0800

How many servers in the array?

Oh, these people are freakin' clueless.
"First, HTTP traffic is usually stateless:" is a truly TSu 1d10t statement.
This statement, "the client will first attempt to create a TCP/IP connection on port 15000" is important.
It appears that their client wants to use a custom protocol (TCP:15000) and HTTP is the fallback mechanism.
Create a custom protocol as "idiotbankerswithservers" using a primary connection of TCP:15000 outbound and no secondary connections.
Create a new access rule that allows this protocol *only* from those machines where the users operate.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx] 
Sent: Thursday, February 02, 2006 8:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Unable to Access some web site over ISA proxy

http://www.ISAserver.org

Jim,

The ISA is 2004 Ent.

Here is a part of the doc:

Scenario 4: Proxy Server, Gateway, and Firewall
In this scenario, direct communication to the Internet from client workstations is not allowed. In order to access the Internet, all communications are routed through a proxy server. A proxy server is a specialized server inside the corporate network that receives connections from internal clients and has special permission to communicate with the Internet through the firewall. This allows a centralized tracking, access, and caching mechanism to be configured for the entire corporate network. Typically, proxy servers are configured in the web browser. No gateway configuration is then necessary.

However, as noted in scenario 2, non-transparent proxy services will not work with ONLINE BANKER services clients since you cannot specify the server address and port numbers to match the proxy server. Fortunately, ONLINE BANKER services provides another method of communications that is proxy-server compatible: IIOP HTTP Tunneling (HIOP). This does two things: first, it determines the HTTP proxy settings from the current browser. Then, it wraps all of the IIOP traffic into an HTTP "wrapper" and attempts communication with the ONLINE BANKER services server using the HTTP protocol over port 8088.

Note that the HIOP protocol still encrypts the data sent through the connection before it is "wrapped" in the HTTP headers, so the protocol is just as secure as the IIOP connection, even though it is transmitted using standard HTTP format (instead of HTTPS).

The benefit is that the client can then be used with machines that do not have a direct Internet connection, but can access web sites (HTTP traffic) via a configured proxy server in the web browser.
However, there are drawbacks to this.
* First, HTTP traffic is usually stateless: the connection is made and then broken again for each request. This requires extra time to initiate this connection on every request to the server. Since IIOP is connection-based, there is no overhead.
* Second, encoding the IIOP packets and wrapping them in HTTP-like wrappers takes processor and bandwidth overhead. So, application response times are impacted.
* Finally, some older proxy servers may have difficulty with some of the HTTP POST sizes that ONLINE BANKER services transmits, while others may have difficulty with the HTTP 1.1 "Keep-Alive" and caching settings used by the HIOP communications protocol.
Note that fallback to HIOP tunneling is automatic: the client will first attempt to create a TCP/IP connection on port 15000 to the onlinebanker.usbank.com site. If that connection fails, the client will automatically fall back to HTTP tunneling. The client reads the browser's proxy settings, and then attempts communication with the proxy server at the IP address and port number specified in the browser's settings. The proxy server must then forward the HIOP requests to port 8088 on the onlinebanker.usbank.com site. The ONLINE BANKER services server then processes these requests normally and responds via the same port 8088 connection. At no time is a gateway or port 15000 access required in this method.




-----Original Message-----
From:   Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent:   Thursday, February 02, 2006 6:55 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: Unable to Access some web site over ISA proxy

http://www.ISAserver.org

Why don't you just summarize the document's claims?
ISA 2000 or 2004?
Std or Ent edition?

"Error Code 10061: Connection refused" is exactly that; the *actual* server you spoke to isn't accepting connections on that IP/transport/Port.
99 times out of 10, this is a DNS resolution issue - IOW, you're not talking to the server you think you are.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Thursday, February 02, 2006 15:00
To: [ISAserver.org Discussion List]
Subject: [isalist] Unable to Access some web site over ISA proxy

http://www.ISAserver.org

Hi all

There is a bank web site that the accounting department accesses, and today after I enabled the proxy GPO for that dept they started having a problem accessing a bank web site.
Well they can see the web site and after they logon it's taking them to a page from ISA Proxy that says:
===========================================================================

Error Code 10061: Connection refused
Background: The server you are attempting to access has refused the connection with the gateway. This usually results from trying to connect to a service that is inactive on the server.
Date: 2/2/2006 4:09:36 PM
Server: ISAServer.DomainName.com
Source: Remote server
===========================================================================

When I look at the logging I see that there is a denied result, but the rule that denied it is "-" which I am not sure what it means, this is only a dash or underscore either one.

I contacted the bank and they told me that it's a known issue and emailed me a document that's talking about so many things that in most part I don't know.
If somebody would like to help me, I will email you the document and you may see more than what I am seeing.

Please help me out; I am so tired of this problem.

Thanks in advance


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
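The bank document quoted in this thread describes a two-step client: a direct TCP connection to port 15000, and on failure an HTTP POST to port 8088 sent through whatever proxy the browser is configured with. Jim's reply adds that a 10061 from ISA means the box ISA actually reached refused the connection, often because of name resolution. The script below is an added diagnostic written for this thread; it is not the bank's client, the ISA product, or anything posted by the participants. It reproduces that fallback order from a workstation so you can see which leg the proxy rules actually allow, and it includes constructed local stand-ins (a dummy listener and a tiny fake forward proxy) so it runs offline. Host names, the proxy address and the response codes of the fake proxy are assumptions; the ports 15000 and 8088 are the ones the quoted document names.

```python
"""Walk the bank client's fallback order (direct TCP 15000, then HTTP via the
browser proxy to port 8088) and report each leg.  Added diagnostic for this
thread, not the bank's or ISA's code.  Hosts/ports/proxy are assumptions."""
import http.client
import http.server
import socket
import threading
import urllib.parse

DIRECT_PORT = 15000   # IIOP, tried first (per the quoted document)
TUNNEL_PORT = 8088    # HIOP over HTTP via the browser's proxy (the fallback)


def resolve(host):
    """Addresses the local resolver returns for host.  Compare with what the
    proxy resolves: a 10061 often means the proxy reached the wrong box."""
    try:
        return sorted({ai[4][0] for ai in
                       socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)})
    except socket.gaierror:
        return []


def direct_tcp(host, port, timeout=3.0):
    """Step 1 of the client: plain TCP to host:port.  Returns 'ok', 'refused'
    (the condition ISA reports as error 10061), 'timeout' or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"


def tunnel_via_proxy(proxy_host, proxy_port, host, port, body=b"", timeout=5.0):
    """Step 2 of the client: POST the wrapped payload to the proxy using an
    absolute URI (how a browser-configured proxy is addressed), so the proxy
    opens the connection to host:port.  Returns the HTTP status or None."""
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
    try:
        conn.request("POST", f"http://{host}:{port}/", body=body,
                     headers={"Host": f"{host}:{port}",
                              "Content-Length": str(len(body))})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def probe(host, proxy_host, proxy_port):
    """Run the client's fallback order and report every leg."""
    return {"resolved": resolve(host),
            "direct_15000": direct_tcp(host, DIRECT_PORT),
            "proxy_8088": tunnel_via_proxy(proxy_host, proxy_port, host, TUNNEL_PORT)}


# --- Constructed stand-ins so the script runs offline (not real servers) ---

def start_tcp_listener():
    """Accept-and-close listener on 127.0.0.1:<ephemeral>; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                client, _ = srv.accept()
                client.close()
            except OSError:
                return
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


class FakeProxy(http.server.BaseHTTPRequestHandler):
    """Minimal forward proxy: records the absolute URI and answers 200 only for
    the tunnel port, 502 otherwise (a proxy whose upstream refused)."""
    seen = []

    def do_POST(self):
        FakeProxy.seen.append(self.path)
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        target = urllib.parse.urlsplit(self.path)
        self.send_response(200 if target.port == TUNNEL_PORT else 502)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_proxy():
    httpd = http.server.HTTPServer(("127.0.0.1", 0), FakeProxy)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]


def closed_port():
    """A port nothing listens on, so a connect yields 'refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    pp, lp = start_fake_proxy(), start_tcp_listener()
    print("direct to live listener:", direct_tcp("127.0.0.1", lp))
    print("direct to closed port:  ", direct_tcp("127.0.0.1", closed_port()))
    print("tunnel via fake proxy:  ",
          tunnel_via_proxy("127.0.0.1", pp, "onlinebanker.example", TUNNEL_PORT))
```

Against a real ISA deployment you would call `probe("onlinebanker.usbank.com", "<isa-host>", 8080)` from one of the accounting workstations: a 'refused' on the first leg is expected once the proxy GPO blocks direct egress, and the interesting result is the status the proxy returns on the second leg, compared with the rule name ISA logs for that request.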
