Some service or application is binding the external sockets for 80/443 What is binding to "localhost" on those sockets? Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- Microsoft Firewalls (ISA) ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Wednesday, November 29, 2006 8:00 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue You lost me. Where do I go from here? Here being nothing is shown as listening on port 80 or 443 on the external NIC. Localhost and Internal NIC yes, but not on the external NIC. Amy From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, November 28, 2006 9:01 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue UbetchaUbet! From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, November 28, 2006 5:59 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue Wait a minute. OK, no conflict, but the local service won't work :) Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, November 28, 2006 7:55 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue ACK! You're right :) Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, November 28, 2006 4:31 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue True, but in route relationships, there is no conflict created (port-stealing, y'see). From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, November 28, 2006 12:23 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue Actually, it doesn't have to be NAT based, since you can have Server Publishing Rules in a Route relationship ;P Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, November 28, 2006 2:18 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue Common ISA resource conflict combinations: - NAT-based Server publishing rules & web listeners operating on the same IP/port combination - Any publishing listener and a non-ISA application (IIS, for instance) configured for the same IP/port combination - Web proxy and auto-discovery listeners configured for the port From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, November 28, 2006 10:09 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Binding Issue Hi Amy, I'd check the IIS configuration first and check the bindings for the sites for 80 and 443. I assume that they should only be bound to the Internal interface, is that right? Otherwise, you can't have any Web listeners if you only have a single IP address. Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) ________________________________ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, November 28, 2006 11:58 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Binding Issue I've just had an SBS ISA install freak out. It's unable to bind 80 and 443 to the external NIC. Now, they've got a vendor in there for a LOB app and he's been known to "do stuff" like delete the sbsflt asapi filter because he didn't need it. It was he that called and said "none of the website are working over there". Great, that the same message he left me last time when he deleted files on me. Sorry, ranting... The point is that I'm getting a binding error on the external NIC. Internally websites are working for the most part. The sharepoint site is not working this may be related but generates a simple site not ready try again later error message. All other sites are working if you access them from the inside. OWA and RWW can't be accessed from the outside. I've not had to troubleshoot binding problems before. How should I go about this? Here's what I've got for log and events as a starting point. ISA log, when I attempt to view a website from outside the network. Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code Cache Information Log Record Type Destination IP Destination Port Protocol Action Rule Client IP Destination Network Client Username Source Network HTTP Status Code Error Information HTTP Method URL Log Time 68.41.152.252 SBS2003 - TCP - No - 4274 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 Firewall 70.90.38.29 80 HTTP Denied Connection Default rule 68.41.152.252 Local Host External 0x0 - - 11/28/2006 12:40:41 PM Alerts Alert Information Description: The Web Proxy filter failed to bind its socket to 70.90.38.29 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure. The failure is due to error: 0x8007271d <br>The Web Proxy filter failed to bind its socket to 70.90.38.29 port 443. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure. The failure is due to error: 0x8007271d Event Viewer 14148 Source: Microsoft ISA Server Web Proxy Amy Babinchak All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned.