[isalist] Re: proxy configuration
- From: "Ara Avvali" <Ara.Avvali@xxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Mon, 30 Oct 2006 21:48:01 -0800
Hi Glenn
No there is nothing else installed beside trend micro ofiice scan client
edition (no pop up blocker) and firewall client . I also chekd the log
and it is making attamepts through regular tcp 443 for SSL. Increased
the maximum TCP connection to 320 instead of standard default 160 and no
luck. Created a rule that allows all outbound traffic from internal to
*.adp.com for all user with no authentication required. Tried to set it
up for direct access which I am not sure if I done it right or not
because when I run proxycfg in command line it sets no site is set for
direct access.
Last thing I do is I am asking her to spend some time with me trying so
I can get the log and copy to excel and find the error code of failed
attemps as Jim instructed. That might light up some lead.
Thanks for the advise.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Glenn P. JOHNSTON
Sent: Monday, October 30, 2006 9:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: proxy configuration
Hi Ara,
Sounds like a typical vendor help desk,
"We'll give you all the support you need, provided you run the
application on whitebox clones, direct internet connection, and only if
you call us on the 3rd sunday after your Grandmothers 50th
birthday.........."
Is there anything else that could be coming in to play here ?
e.g. Internet Security from Symantec acting as either a firewall /or pop
up blocker or both, is there a third party free or commercial pop up
blocker installed, Is there one of the free firewall walls like zone
alarms installed on the PC, Is windows defender or a similar Spyware
blocker installed,
Have you carefully viewed the logs on the ISA to make sure that the
applicatrion is not trying to open a connection on a non standard port.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ara Avvali
Sent: Tue 31/Oct/2006 16:03
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Hi Mohamed,
Yes it is pretty much the same situation. The problem is their tech
support doesn't help anything at all as soon as they see the proxy
address in internet explorer. All they say is disable the IE pop up
blocker and increase the cache size to 2 GB in IE. Anyway we are moving
to stand alone version of payroll by January so that would be the end of
it.
Thanks anyway
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of mohamed saleh
Sent: Monday, October 30, 2006 8:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Ara,
Let we think slowly,
you said that the client can connect to the site successfully and login
correctly till he see the icons of the payroll program, and it takes
long time if he press any button further, right...
Allright, it's some how like Connecting to hotmail....
you connect to hotmail site and login correctly and then you can do
anything in ur hotmail acount and press any button you want,
so I think that site is using a some kind of scripting or programing
language or authentication method, which you should enable it to pass
through ISA....
The hotmail, for example, check for the authentication and authorization
to every page to ensure that this user account is the same user account
and is not man in the middle,...
So, I think you have to check with them how they make thier online
authentication and authorization, and I think this might be help
----- Original Message -----
From: Ara Avvali <mailto:Ara.Avvali@xxxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Friday, October 27, 2006 7:15 PM
Subject: [isalist] Re: proxy configuration
Hi Dan,
Would you mind keeping me posted if you find the help reference?
Thank you
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Friday, October 27, 2006 10:11 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
If you recall, a month or so ago I had problems with similar
symptoms. I'll have to go back through my messages and see what the
final result was, as I think it was a combination of things like DNS
resolution, wpad retrieval, auto-configuration, etc...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 11:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Hi Jim,
Thanks for your response. The problem I have we are using a web
based ADP payroll by going to https://payex.adp.com. As you notice it
requires an assigned certificate to go to site. Client is a xp sp2 with
pop up blocker disabled and there is an allow rule on top going from
internal to *.adp.com which allows all users access.
Problem is behind ISA pages load slowly (2-3 times slower) and
sometimes they even time out. Checking on live monitoring I found that
connections are going to njpod18.adp.com which I think *.adp.com should
cover it. If I connect the client directly to the router in front of ISA
then everything works as fast as expected. Yesterday there was a threat
about speed and Tom mentioned increasing connections should help. Even
that gave me no luck.
I have convinced the accounting that we should migrate to
installed version of payroll program instead of web based. But that
could be done after January. For now on I just connect one of machines
directly to internet and let them do the payroll but that is not the
practical solution. Man what a mess it would be if I deploy IE7 and the
certificate check it has.
I was wondering if anyone has any experience with this problem.
ADP support as soon as they see a proxy server set in IE, then it is my
side to figure out the problem. They have no documents about it. I found
some instructions but that was no help either. That was why I tried the
direct access solution.
http://isainsbs.blogspot.com/2006/01/allowing-adp-through-isa-2004.html
http://forums.isaserver.org/m_2002000597/mpage_1/key_/tm.htm#2002029215
Appreciated
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 6:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
You're shotgunning, Ara.
Creating an "allow all" rule has nothing to do with "speed".
Unless *.adp is part of the network structure that it "local" to
the browser client, adding it to the web browser and domains data is
inappropritate.
Proxycfg has nothing to do with IE settings or IE behavior.
Can you explain what you mean by "speed problems"?
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ara Avvali
Sent: Thursday, October 26, 2006 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] proxy configuration
Hello everyone.
I added *.adp.com for direct access to adp site. Created a rule
to allow all outbound traffic from internal to *.adp.com but I still
have speed issues. So I ran the proxycfg on the client which is xp sp2
with firewall client installed and it is telling me nothing is set for
direct access. Any idea why? Appreciated
All mail to and from this domain is GFI-scanned.
Other related posts:
