*UPHAND* Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx] > Sent: Sunday, January 29, 2006 7:45 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Web Client Requests > > http://www.ISAserver.org > > > Hand up if you love Jim's work! > > *hand* > > Greg Mulholland > 200gb should be enough for anyone! > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: Monday, January 30, 2006 11:28 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Web Client Requests > > http://www.ISAserver.org > > Part II - IE, 127/8 and Java apps... > > Let's break these down into their component parts. > > ** IE and the 127/8 problem: > IPv4 address notation is referred to as "dotted-decimal" > because of the > periods separating the IP octet values. Another form of "dotted" > address notation is "fully-qualified domain name", or FQDN, which also > uses periods to separate the heirachical entites > (host.subdomain.domain.tld). > In the absence of specific instructions, IE will drop into "Rainman > mode" and treat an IP address as a "FQDN" due to the the presence of a > "." in the address. Note the caveat "in the absence of". > This is where > Stefaan and I were bouncing the ball around this morning. If > your next > question is "what the hell do you mean by 'specific instructions'?", > then one example might be "go take a long walk on a short pier.", but > what you're probably looking for is something more along the lines of: > 1. configure the IE host machine with a proper domain suffix ..and 2. > configure IE to use wpad (or config URL) and populate the web proxy > local IPs list ..or 3. configure IE to "use a proxy" and populate the > "bypass" list .. IE will be able to determine that 127/8 is > indeed local > and behave properly. > > All of the above will help IE sort out the difference between "remote" > and "local" and form its connection properly. As Stefaan pointed out, > IE needs to be instructed on the environment where it operates and the > above options work toward this goal. > > > ** Java apps: > Of all things causing ISA admins to accelerate the depletion of their > mind-altering substance stores, it has to be Java apps written by > developers who either don't understand how to use the features of the > host environment or just don't care to try. In nearly all cases, it > boils down to three problems: > - the app doesn't understand how to use a CERN proxy > - the app doesn't understand how to authenticate to a CERN proxy > - the app doesn't support the chosen auth methods of the CERN proxy > admin > > This is where the fun begins, because the IE configuration absolutely > affects how the "child apps" within it operate. If IE is not handling > the applet request properly, all hell breaks loose. By the > same token, > if the Java applet can't authenticate using the auth set > offered by the > proxy, the ice cream melts away here, too. > > In general, the answer to the Java app failing to auth using anything > but basic can be solved by applying the latest Sun JRE from > http://java.sun.com/j2se/1.5.0/download.jsp. > > If this doesn't help, the app is effectively broken and needs > a rewrite. > In the interim, you *must either allow Basic auth or anonymous access > for this app. Tom and others have handled both of these admirably > (generally?) on isaserver.org articles... > > -------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > -------------------------------------------- > > -----Original Message----- > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] > Sent: Sunday, January 29, 2006 1:54 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Web Client Requests > > http://www.ISAserver.org > However, for the browser that is *not* the case and MS should > be shamed > about this! > > If you request the 'wpad.dat' file from the ISA server, you will see > that: > 1. the function MakeNames() contains what is defined in the network > properties > Domains tab on ISA, > + contains whatever domains or computers (FQDN's) you > defined in the > network properties > Web Browser tab on ISA. > 2. the function MakeIPs() do NOT contains what is defined in > the network > properties > Addresses tab on ISA, > + do NOT contains the localhost address range 127.0.0.0 - > 127.255.255.255, > + do contains whatever IP ranges you defined in the network > properties > Web Browser tab on ISA. > > Why is the network properties > Addresses tab on ISA *and* > the localhost > address range 127.0.0.0 - 127.255.255.255 not included by > default in the > wpad.dat? That's not consistent with what we could expect! Grrrr..... > > In other words, you'll have to work around that issue yourself by > defining some extra entries in the network properties > Web > Browser tab > on ISA > ;-) > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > >