[isalist] Re: proxy configuration
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 31 Oct 2006 16:23:27 -0800
http://www.ISAserver.org
-------------------------------------------------------
No capture?
I said we'd need "simultaneous capture and ISA log".
The ISA logging shows connection closures from either the remote server or
local client (status = 995; "The I/O operation has been aborted because of
either a thread exit or an application request"). Without the capture, it's
impossible to say why the connection was terminated or who terminated it.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ara Avvali
Sent: Tuesday, October 31, 2006 15:01
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Hi Jim,
I managed to get a log posted on site in excel format. Take a look at it when
you have a chance please. Any other comments are welcome. Thank you
http://bossaudio.com/ara/adplog.xls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 2:39 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Get a simultaneous capture and ISA log.
Between the two of them, we may be able to sort it out.
You have to remember that you're 2nd in line behind John's cap analysis,
though...
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 12:21 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Status code I have to check on next time. I didn't pay attention to it.
Because this is the only https site which again I might be totally wrong
User logs in, icons come up. Then clicking on any icon to go next step takes
forever and eventually fails
There is no other application installed. We are using IE6 to go to the site
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 11:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
"failed connection" - with what status code?
Why do you think it has anything at all to do with the user cert?
What is the behavior right up to the failure?
Does the application use the browser or just the browser settings?
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 11:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Hi Jim,
This is the only site that we have problem with. By slow I mean "page time
outs". I removed the direct access setting as you said it was no good anyway.
Checking on logs I can see "failed connection" to njpod18.adp.com. Since this
is the only https site that is facing this, I think maybe it got something to
do with SSL certificate assigned to client.
Anyway I just don't know where else to look. Maybe Dan and Tom can send me to a
good reference.
Thanks again
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday, October 27, 2006 11:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
First of all, you need to quantify "slow access".
At which point in the process is the connection determined to be "slow"?
What do you find in the ISA logs for this process?
The fact that your application can reach the site without the direct access
rules means that you are on the wrong track with that attempt.
Remove those from your settings unless you *really* want to screw things up..
If you followed Amy's blog steps, then you've done what you can to allow access
to the site.
Maybe Tom can dig up the "slow ISA" blog he posted some months ago...
He outlined some really good troubleshooting steps in there.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ara Avvali
Sent: Friday, October 27, 2006 8:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
Hi Jim,
Thanks for your response. The problem I have we are using a web based ADP
payroll by going to https://payex.adp.com. As you notice it requires an
assigned certificate to go to site. Client is a xp sp2 with pop up blocker
disabled and there is an allow rule on top going from internal to *.adp.com
which allows all users access.
Problem is behind ISA pages load slowly (2-3 times slower) and sometimes they
even time out. Checking on live monitoring I found that connections are going
to njpod18.adp.com which I think *.adp.com should cover it. If I connect the
client directly to the router in front of ISA then everything works as fast as
expected. Yesterday there was a threat about speed and Tom mentioned increasing
connections should help. Even that gave me no luck.
I have convinced the accounting that we should migrate to installed version of
payroll program instead of web based. But that could be done after January. For
now on I just connect one of machines directly to internet and let them do the
payroll but that is not the practical solution. Man what a mess it would be if
I deploy IE7 and the certificate check it has.
I was wondering if anyone has any experience with this problem. ADP support as
soon as they see a proxy server set in IE, then it is my side to figure out the
problem. They have no documents about it. I found some instructions but that
was no help either. That was why I tried the direct access solution.
http://isainsbs.blogspot.com/2006/01/allowing-adp-through-isa-2004.html
http://forums.isaserver.org/m_2002000597/mpage_1/key_/tm.htm#2002029215
Appreciated
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Thursday, October 26, 2006 6:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: proxy configuration
You're shotgunning, Ara.
Creating an "allow all" rule has nothing to do with "speed".
Unless *.adp is part of the network structure that it "local" to the browser
client, adding it to the web browser and domains data is inappropritate.
Proxycfg has nothing to do with IE settings or IE behavior.
Can you explain what you mean by "speed problems"?
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ara Avvali
Sent: Thursday, October 26, 2006 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] proxy configuration
Hello everyone.
I added *.adp.com for direct access to adp site. Created a rule to allow all
outbound traffic from internal to *.adp.com but I still have speed issues. So I
ran the proxycfg on the client which is xp sp2 with firewall client installed
and it is telling me nothing is set for direct access. Any idea why?
Appreciated
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
