Strange behaviour on our new ISA server
- Hi There,
We are experiencing issues with our new ISA2k6/Websense 7.1 set-up. This is a single server, with one NIC, that we want to use to provide Web Proxy/Filtering.
As part of the normal day-to-day operations of my company, 2 groups of users (controlled by Websense) need to be able to watch and upload videos to YouTube and Upload pictures to Facebook.
Our old system, which was hosted on a similar system (ISA2k and Websense 6.x) used to handle both Youtube and Facebook with no problems.
Since we have switched to the new server, even though the access rules in Websense are effectively the same, we can no longer do either.
Facebook eventually times out with an ISA generated error page, and Youtube just seems to hang at a "loading" state - the main pages are fine, this happens when you try and watch a video.
One strange thing though; If you go to video.google.com and try and watch the same video you were trying to play on YouTube - it plays, no problems. So obviously it's not the protocol being "blocked". In fact it looks like it's the page timing out in some way, as we get no block page from Websense as we would expect (blocked pages from other categories) do display the block page as expected.
One last problem is that the Proxy aslo seems to be giving out "personalised" pages to anyone. For example, My iGoogle page can be seen by others if they go there after me, until they refresh. Is there any way to stop this bahaviour in ISA2k6?
Regards,
Paul Fletcher
Answers
Hi,
Thank you for your update.
Before going any further, I think you may upgrade the NIC drivers from the vendor’s site. And then please perform the following changes on the ISA Server.
1.Please refer KB 927695 you cannot host TCP connections when Receive Side Scaling is enabled in Windows Server 2003 with Service Pack 2
http://support.microsoft.com/default.aspx?scid=kb;EN-US;9276952.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS= 0.
3.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA=0.
4.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameers\EnableTCPChimney=0.
5.Disable TCP/Checksum Offloading and RSS in both the network adaptors (advanced)properties.Regards,
Nick Gu - MSFT- Proposed As Answer byNick Gu - MSFTMSFT, ModeratorThursday, July 30, 2009 5:00 AM
- Marked As Answer byNick Gu - MSFTMSFT, ModeratorFriday, July 31, 2009 8:52 AM
All Replies
- Regarding the Websense behavior, you'll need to engage their support process; not much we can offer here for that product.
Regarding the page delivery problem, you may want to check your cache rules.
If you've configured ISA to "cache the Internet", it will try to do exactly that.
Jim Harrison Forefront Edge CS- Proposed As Answer byJim Harrison IsaDewd Thursday, July 23, 2009 3:58 PM
- I have engaged Websense, and they have fixed the YouTube problem a simple line of config fixed that.
However, both the problem I have with Facebook timing out and caching issue are still effecting us. The engineer from websense and I went through all of the troubleshooting and came to the conclusion that it was ISA causing the issue.
Which cache settings should I be looking at?
Regards,
Paul Hi,
Thank you for posting.
According to your description, I understand the problem you are experiencing is slow web page response through ISA Server. If anything misunderstand, please let me know.
As far as I know, you may change the cache size in memory to resolve this issue.
In the ISA MMC, go to Cache Configuration-->Right click on it and go to properties-->advanced tab and set the " Maximum size of URL cached in memory (bytes). (the default is 12800)
There is not an ideal setting for this so we recommend an initial setting of 20000 and increase it by 5000 till the desired level of performance is reached.For more information, you may also refer to the following article:
http://www.isaserver.org/tutorials/ISA-2006-Web-Caching.html
Regards,
Nick Gu - MSFT- Nick,
Yes the problem seems to be slow response - BUT only seems to effect uploading to Facebook.com, Flickr.com and from what I can see other sites as well. Any attempt to upload seems to cause a timeout and the ISA error message being displayed.
Normal browsing performance seems fine - i.e. what I expect from our internet pipe.
A look at the Websense logs show that access to the pages is being allowed - so I am ruling that out as being the problem (at present).
By placing a PC between the Proxy and the main FW (thus eliminating any Websense or ISA intervention), I can upload to facebook without issue. Thus, I am also ruling out the company Internet connection and the main Firewall as being the cause of the issue.
Once again, any help, configuration tips or advice is greatfully recieved.
Regards,
Fletch Hi,
Thank you for your update.
Before going any further, I think you may upgrade the NIC drivers from the vendor’s site. And then please perform the following changes on the ISA Server.
1.Please refer KB 927695 you cannot host TCP connections when Receive Side Scaling is enabled in Windows Server 2003 with Service Pack 2
http://support.microsoft.com/default.aspx?scid=kb;EN-US;9276952.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS= 0.
3.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA=0.
4.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameers\EnableTCPChimney=0.
5.Disable TCP/Checksum Offloading and RSS in both the network adaptors (advanced)properties.Regards,
Nick Gu - MSFT- Proposed As Answer byNick Gu - MSFTMSFT, ModeratorThursday, July 30, 2009 5:00 AM
- Marked As Answer byNick Gu - MSFTMSFT, ModeratorFriday, July 31, 2009 8:52 AM
- Hi, I was wondering if you were able to resolve this issue you were facing. We have the same problem here, where everything works perfectly fine, except for youtube. The page loads, but it's VERY slow. And the video is just unbelievably slow, almost never loads at all. I tried everything on the ISA2K6 but still the problem is persistent.
Kindly let me know if you've resolved it. I'd appreciate it!
T.A. - We are also seeing the issue with personalised igoogle pages being served to other users. If you hit refresh, you get a normal google search pages again.
We are using ISA 2006, Windows XP clients with IE8. Note we do not use Websense, and we force all traffic through the proxy server.
Has anyone else seen this issue or have a solution?
Andrew
