[isapros] Re: A Strange Possibly ISA issue

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 26 Jun 2008 09:43:11 -0700

I noticed there was no talk of an "allow DNS from client" rule.  Any
attempt to connect to a host name where the DNS was not allowed or not
"proxied" (as in root zones in AD) would do that.

But, we'll never know...
t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Thursday, June 26, 2008 6:53 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: A Strange Possibly ISA issue
> 
> There might well have been, but as Amy said, all ISA history was lost
> in the "support ignorance" flood.
> 
> <challenge>
> I think that to answer this problem, I challenge all members of the
> isapros list to keep a copy of isabpa in their favorite diskonkey, use
> it when the opportunity presents and include it when posting to
> isapros.  If there are NDA or security issues preventing your posting
> this data to the list, you can post it to appropriate individuals
> instead, but the point is; gather one when you have the chance to touch
> an ailing ISA server.  IMNSHO, familiarity with ISABPA tools is a
> requirement of anyone calling themselves an ISA Pro... :-)
> </challenge>
> 
> This way, when you are forced to call CSS, you can determine some
> measure of the engineer's ISA-awareness when you say "I have an ISABPA
> Repro package for you".  Their initial response will tell you all you
> need to know about their ISA skill set.  Every "real" ISA engineer's
> training begins and continues with the proper and advanced use of
> ISABPA.  Anyone who tells you that it's not relevant to a SBS-based ISA
> case is in need of "educational opportunities".
> 
> Maybe we can start some threads on the various options and how they map
> to certain scenarios..?
> 
> Jim
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Thursday, June 26, 2008 6:14 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: A Strange Possibly ISA issue
> 
> There's got to be something in the ISA firewall's log files that
> explains this.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Steve Moffat
> > Sent: Thursday, June 26, 2008 5:50 AM
> > To: ISAPros Mailing List
> > Subject: RE: [isapros] Re: A Strange Possibly ISA issue
> >
> > Yeah, I agree with you there Jimbo....fubarred rule no doubt.
> >
> >
> > S
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Wednesday, June 25, 2008 11:18 PM
> > To: ISAPros Mailing List
> > Subject: [isapros] Re: A Strange Possibly ISA issue
> >
> > I'm so sorry you had to experience that.
> > Few things tweak me harder than the "nuke it!!" method of troubleshooting.
> > If you have the name of the "engineer" that made this suggestion, then
> > I'll be happy to apply some educational assistance.
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Amy Babinchak
> > Sent: Wednesday, June 25, 2008 2:05 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: A Strange Possibly ISA issue
> >
> > POP email out. VPN out. For my tests I tried to Telnet to port 25 to my
> > server. Successful from the server. Not successful from the client PC
> > and the SMTP rule allows for SMTP out from any internal. The client
> > shows in Sessions as all 3 client types: SecureNat, Firewall and Web
> > Proxy.
> >
> > The client PC doesn't ever get anything back. Just withers on the vine
> > and Telnet responds that connection timed out. ISA log says the same
> > thing.
> >
> > Just got an update from the client. We brought PSS guy in and the
> > suggestion was to remove ISA, configure RRAS and see if the problem goes
> > away. It did. Client PCs are getting email. So tonight ISA will be
> > reinstalled and the custom rules re-created manually. As far as I can
> > tell something, somewhere in the ISA must have been corrupt.
> >
> > Before you ask, no SRX number. It was a private help call.
> >
> > thanks,
> >
> > Amy Babinchak
> >
> >
> > Harbor Computer Services |(248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> > Buy My House http://tinyurl.com/5gb5n8
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Wednesday, June 25, 2008 4:37 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: A Strange Possibly ISA issue
> >
> > I'm not clear; what other protocols are being tested and what is the
> > client state for these?
> > If it's not a web proxy request, you'll never see a "timeout packet"
> > (response) from ISA, since non-HTTP protocols don't generally provide
> > for such messaging.
> >
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Amy Babinchak
> > Sent: Wednesday, June 25, 2008 10:43 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] A Strange Possibly ISA issue
> >
> > I was on a call with a guy in Wyoming last night looking to see if ISA
> > could be the source of his problem. I concluded that it most likely
> > wasn't but couldn't be 100% certain.
> >
> > Here's the situation:
> >
> > ISA 2004 SP3. SBS with Windows SP2 installed. Client computers are all
> > running XP SP3, the Firewall client and are all members of the domain.
> > Checked for the chimney off-loading stuff on the server and it is all
> > set correctly. Ran the BPA and it comes back clean.
> >
> > Client computers are unable to access any service on the Internet except
> > http and https. The request for anything else results in a timeout
> > packet on ISA from the Internet access rule. The server does not have
> > this problem. The server can access any service on the Internet.
> >
> > Using NetMon I saw that the request from the client made it to the
> > external NIC on the server. The name of the service resolved correctly
> > in DNS. And then no response...it times out.
> >
> > Has me completely stumped. But since I didn't see anything wrong with
> > ISA, I decided it wasn't an ISA issue. What do you think?
> >
> > thanks,
> >
> > Amy Babinchak
> >
> >
> > Harbor Computer Services |(248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> > Buy My House http://tinyurl.com/5gb5n8
> >