RE: Web Client Requests
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Sun, 29 Jan 2006 18:17:17 -0800
Awwwww...
<blushes>
--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sunday, January 29, 2006 6:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests
http://www.ISAserver.org
*UPHAND*
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Sunday, January 29, 2006 7:45 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
>
> Hand up if you love Jim's work!
>
> *hand*
>
> Greg Mulholland
> 200gb should be enough for anyone!
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Monday, January 30, 2006 11:28 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> Part II - IE, 127/8 and Java apps...
>
> Let's break these down into their component parts.
>
> ** IE and the 127/8 problem:
> IPv4 address notation is referred to as "dotted-decimal"
> because of the
> periods separating the IP octet values. Another form of "dotted"
> address notation is "fully-qualified domain name", or FQDN, which also
> uses periods to separate the heirachical entites
> (host.subdomain.domain.tld).
> In the absence of specific instructions, IE will drop into "Rainman
> mode" and treat an IP address as a "FQDN" due to the the presence of a
> "." in the address. Note the caveat "in the absence of".
> This is where
> Stefaan and I were bouncing the ball around this morning. If
> your next
> question is "what the hell do you mean by 'specific instructions'?",
> then one example might be "go take a long walk on a short pier.", but
> what you're probably looking for is something more along the lines of:
> 1. configure the IE host machine with a proper domain suffix ..and 2.
> configure IE to use wpad (or config URL) and populate the web proxy
> local IPs list ..or 3. configure IE to "use a proxy" and populate the
> "bypass" list .. IE will be able to determine that 127/8 is
> indeed local
> and behave properly.
>
> All of the above will help IE sort out the difference between "remote"
> and "local" and form its connection properly. As Stefaan pointed out,
> IE needs to be instructed on the environment where it operates and the
> above options work toward this goal.
>
>
> ** Java apps:
> Of all things causing ISA admins to accelerate the depletion of their
> mind-altering substance stores, it has to be Java apps written by
> developers who either don't understand how to use the features of the
> host environment or just don't care to try. In nearly all cases, it
> boils down to three problems:
> - the app doesn't understand how to use a CERN proxy
> - the app doesn't understand how to authenticate to a CERN proxy
> - the app doesn't support the chosen auth methods of the CERN proxy
> admin
>
> This is where the fun begins, because the IE configuration absolutely
> affects how the "child apps" within it operate. If IE is not handling
> the applet request properly, all hell breaks loose. By the
> same token,
> if the Java applet can't authenticate using the auth set
> offered by the
> proxy, the ice cream melts away here, too.
>
> In general, the answer to the Java app failing to auth using anything
> but basic can be solved by applying the latest Sun JRE from
> http://java.sun.com/j2se/1.5.0/download.jsp.
>
> If this doesn't help, the app is effectively broken and needs
> a rewrite.
> In the interim, you *must either allow Basic auth or anonymous access
> for this app. Tom and others have handled both of these admirably
> (generally?) on isaserver.org articles...
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
>
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Sunday, January 29, 2006 1:54 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
> However, for the browser that is *not* the case and MS should
> be shamed
> about this!
>
> If you request the 'wpad.dat' file from the ISA server, you will see
> that:
> 1. the function MakeNames() contains what is defined in the network
> properties > Domains tab on ISA,
> + contains whatever domains or computers (FQDN's) you
> defined in the
> network properties > Web Browser tab on ISA.
> 2. the function MakeIPs() do NOT contains what is defined in
> the network
> properties > Addresses tab on ISA,
> + do NOT contains the localhost address range 127.0.0.0 -
> 127.255.255.255,
> + do contains whatever IP ranges you defined in the network
> properties > Web Browser tab on ISA.
>
> Why is the network properties > Addresses tab on ISA *and*
> the localhost
> address range 127.0.0.0 - 127.255.255.255 not included by
> default in the
> wpad.dat? That's not consistent with what we could expect! Grrrr.....
>
> In other words, you'll have to work around that issue yourself by
> defining some extra entries in the network properties > Web
> Browser tab
> on ISA
> ;-)
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
Other related posts:
