Once your problem is fixed, it is advisable that you manually back up your ISA config weekly to a network drive. This will save you on countless troubleshooting hours. ________________________________ From: "Ball, Dan" <DBall@xxxxxxxxxxx> To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx> Sent: Wed, December 2, 2009 2:35:34 PM Subject: [isalist] Re: Uploads to Facebook don't work anymore... Thanks, that clears it up a bit, now I know what to look for. Yes, we are using authentication on outbound traffic and I have a strong suspicion that Websense has something to do with this issue. We are becoming less enamored with it daily, and I have spent countless hours with their tech support in the last few weeks. From:isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Wednesday, December 02, 2009 1:04 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Uploads to Facebook don't work anymore... No; there is no rule allowing the request as specified. Don’t worry about rules that disallow specific commands or headers; you would see those rules quoted. The protocol quoted is in lowercase, which indicates a CERN proxy request. Are you forcing authentication on the outbound traffic? The request is not coming from the browser, but the “image uploader”, which may have authentication issues (cant’ tell from a single log entry). A Netmon capture could tell you… From:isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Tuesday, December 01, 2009 11:52 AM To: 'isalist@xxxxxxxxxxxxx' Subject: [isalist] Re: Uploads to Facebook don't work anymore... I can see that… There is no rule allowing http from localhost to localhost so it fails (somehow I don’t think such a rule would resolve the issue though). Subsequent Googling on those topics didn’t shed any light on it either. Is this a Facebook App error or something on my end? From:isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, December 01, 2009 1:16 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Uploads to Facebook don't work anymore... The destination IP will be the ISA internal IP, because this is a CERN proxy request. Regardless, this request was denied because there is no firewall policy that would allow it (thus quoting the default rule). ________________________________ From:isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan [DBall@xxxxxxxxxxx] Sent: Tuesday, December 01, 2009 7:22 AM To: 'isalist@xxxxxxxxxxxxx' Subject: [isalist] Re: Uploads to Facebook don't work anymore... Hmmmmmm….. I don’t see anything changed on the Internal Network configuration (same it has been for months), and that destination IP is the ISA server itself. From:isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, December 01, 2009 10:16 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Uploads to Facebook don't work anymore... The request was denied by the default rule; indicating that you have no policy that allows this request. Interestingly enough, the request was identified as being destined for the “internal” network. This tells me that unless you deployed ISA in a single-net configuration you or someone you shouldn’t trust has been playing with the internal network definition. From:isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Tuesday, December 01, 2009 6:50 AM To: 'isalist@xxxxxxxxxxxxx' Subject: [isalist] Re: Uploads to Facebook don't work anymore... Oh, I agree, that is only the tip of that looming iceberg… But, like I said, my obvious answer to “do it from home” wasn’t acceptable, so I have to figure out how to get it working again… *sigh* From:isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR Sent: Tuesday, December 01, 2009 9:45 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Uploads to Facebook don't work anymore... The fact that ISA or something else is not allowing the upload don’t worry me too much, what is incredible here is: Do the taxpayer on your school district knows that the school district is using money for somebody to be able to upload pictures to facebook? amazing Regards Diego R. Pietruszka MIS - Shift Manager From:isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Tuesday, December 01, 2009 9:27 AM To: 'isalist@xxxxxxxxxxxxx' Subject: [isalist] Uploads to Facebook don't work anymore... In the last couple of weeks, something changed (no idea what), and now people inside our network can no longer upload pictures to Facebook. The upload application seems to be working, then crashes at the end. (Of course, the obvious solution of doing it from home is unacceptable… *grumble*) I looked on the ISA server (ISA 2006), and this is the error message where it dies: Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL 0.0.0.0 Image Uploader Yes Proxy SERVERNAME http://www.facebook.com/editalbum.php?&aid=349361&add=1&created=1# ; 10.20.1.10 TCP - - - Req ID: 0e8e449f - - - 12/1/2009 2:12:02 PM 0 1 4310 639014 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 0x4 0xa80 Web Proxy Filter 12/1/2009 9:12:02 AM 10.20.1.1 8080 http Denied Connection Default rule 10.20.6.117 DOMAIN\username Internal Internal POST http://upload.facebook.com/photos_upload.php?created_album=1&aid=349361&id=504175590 The traffic is hitting the default rule for some reason (which is why it is dying), but the protocol is http, which “should” be able to make it through. -------------------------------------------------- Dan Ball Network and Systems Technician Marquette Area Public Schools 1103 West College Avenue Marquette, MI 49855 E-Mail: dball@xxxxxxxxxxx Phone: (906)225-5779 Fax: (906)225-5377 --------------------------------------------------