I noticed there was no talk of an "allow DNS from client" rule. Any attempt to connect to a host name where the DNS was not allowed or not "proxied" (as in root zones in AD) would do that. But, we'll never know...

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Thursday, June 26, 2008 6:53 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: A Strange Possibly ISA issue
>
> There might well have been, but as Amy said, all ISA history was lost in the "support ignorance" flood.
>
> <challenge>
> I think that to answer this problem, I challenge all members of the isapros list to keep a copy of isabpa in their favorite diskonkey, use it when the opportunity presents and include it when posting to isapros. If there are NDA or security issues preventing your posting this data to the list, you can post it to appropriate individuals instead, but the point is; gather one when you have the chance to touch an ailing ISA server. IMNSHO, familiarity with ISABPA tools is a requirement of anyone calling themselves an ISA Pro... :-)
> </challenge>
>
> This way, when you are forced to call CSS, you can determine some measure of the engineer's ISA-awareness when you say "I have an ISABPA Repro package for you". Their initial response will tell you all you need to know about their ISA skill set. Every "real" ISA engineer's training begins and continues with the proper and advanced use of ISABPA. Anyone who tells you that it's not relevant to a SBS-based ISA case is in need of "educational opportunities".
>
> Maybe we can start some threads on the various options and how they map to certain scenarios..?
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Thursday, June 26, 2008 6:14 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: A Strange Possibly ISA issue
>
> There's got to be something in the ISA firewall's log files that explains this.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Thursday, June 26, 2008 5:50 AM
> > To: ISAPros Mailing List
> > Subject: RE: [isapros] Re: A Strange Possibly ISA issue
> >
> > Yeah, I agree with you there Jimbo....fubarred rule no doubt.
> >
> > S
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, June 25, 2008 11:18 PM
> > To: ISAPros Mailing List
> > Subject: [isapros] Re: A Strange Possibly ISA issue
> >
> > I'm so sorry you had to experience that.
> > Few things tweak me harder than the "nuke it!!" method of troubleshooting.
> > If you have the name of the "engineer" that made this suggestion, then I'll be happy to apply some educational assistance.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Wednesday, June 25, 2008 2:05 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: A Strange Possibly ISA issue
> >
> > POP email out. VPN out. For my tests I tried to Telnet to port 25 to my server. Successful from the server. Not successful from the client PC and the SMTP rule allows for SMTP out from any internal. The client shows in Sessions as all 3 client types: SecureNat, Firewall and Web Proxy.
> >
> > The client PC doesn't ever get anything back. Just withers on the vine and Telnet responds that connection timed out. ISA log says the same thing.
> >
> > Just got an update from the client. We brought PSS guy in and the suggestion was to remove ISA, configure RRAS and see if the problem goes away. It did. Client PCs are getting email. So tonight ISA will be reinstalled and the custom rules re-created manually. As far as I can tell something, somewhere in the ISA must have been corrupt.
> >
> > Before you ask, no SRX number. It was a private help call.
> >
> > thanks,
> >
> > Amy Babinchak
> >
> > Harbor Computer Services |(248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> > Buy My House http://tinyurl.com/5gb5n8
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, June 25, 2008 4:37 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: A Strange Possibly ISA issue
> >
> > I'm not clear; what other protocols are being tested and what is the client state for these?
> > If it's not a web proxy request, you'll never see a "timeout packet" (response) from ISA, since non-HTTP protocols don't generally provide for such messaging.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Wednesday, June 25, 2008 10:43 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] A Strange Possibly ISA issue
> >
> > I was on a call with a guy in Wyoming last night looking to see if ISA could be the source of his problem. I concluded that it most likely wasn't but couldn't be 100% certain.
> >
> > Here's the situation:
> >
> > ISA 2004 SP3. SBS with Windows SP2 installed. Client computers are all running XP SP3, the Firewall client and are all members of the domain. Checked for the chimney off-loading stuff on the server and it is all set correctly. Ran the BPA and it comes back clean.
> >
> > Client computers are unable to access any service on the Internet except http and https. The request for anything else results in a timeout packet on ISA from the Internet access rule. The server does not have this problem. The server can access any service on the Internet.
> >
> > Using NetMon I saw that the request from the client made it to the external NIC on the server. The name of the service resolved correctly in DNS. And then no response...it times out.
> >
> > Has me completely stumped. But since I didn't see anything wrong with ISA, I decided it wasn't an ISA issue. What do you think?
> >
> > thanks,
> >
> > Amy Babinchak
> >
> > Harbor Computer Services |(248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> > Buy My House http://tinyurl.com/5gb5n8