Forefront Edge Security - Internet Access Forum

[ISA 2006] Authentication required to upload some files

Mon, 23 Nov 2009 20:37:12 Z

Best,
in our school we use an ISA server in a domain to specify who can access the Internet, etc.
We also use the service 'Smart School' which allows us to do a part of the school administrationonline.

The ISA server is configured so that we always have access to smartschool, with the http and https protocols.
Other Internet sites and protocols are not allowed.

But we have a problem with uploading some files. If we want to upload files to smart school the AD users are being asked for their username and password for the domain, but if we fill them in running Internet Explorer, the browser crashed. And if we click the cancel button we get error 407.
I had discovered that somewhere you should check the release of "Require all users to authenticate" but that was already out. what could be wrong here, and what should we set so that we are not more asked to authorize us?

regards

P.S.: sorry for my bad english

A screenshot with the authorisation window:

http://www.familievileyn.be/upload/tweakers/foutmelding_ISA2.JPG-for-web-LARGE.jpg

A screenshot when i click on cancel:

http://www.familievileyn.be/upload/tweakers/fout22.JPG-for-web-LARGE.jpg

URL Request

Wed, 25 Nov 2009 15:48:16 Z

Somebody configured a ISA 2006 server.
There are Internal network and VPN Client.
The ISA itself is working fine, but yesterday I put a Squid to filter th web content, but the Squid is is only filtering the Internel Network, the VPN client pass through the Squid. Looking in ISA Logging I noticed that the traffic from VPN clients the ISA is forwarding to squid, but changing the URL to the IP destiny. Thats why the Squid is not filtering. Looking the traffic from Internal Network is working normally, the URL is the DNS name of the site.
I need to know why the ISA is changing the URL request to the IP, and how I can fix this problem?
thanks

404 errors and pages won't load correctly using upstream server using ISA 2006

Wed, 18 Nov 2009 00:12:52 Z

Hi,

We've got a single network adapter scenario.

I configured ISA 2006 to work as the default router/firewall for the network.

It works good, with no problems, but when I create a webchaining rule which redirects to an upstream server (a proxy server), it won't work properly. Many pages comes with error, like 404 error, some pages won't load. But the weird thing is that many pages will work right too.

The problem isn't on the external proxy server, because I can use it normally on proxy settings on IE, for example.

Both SSL and HTTP ports are 8080.

I tried a hotfix for ISA http://support.microsoft.com/?kbid=941297, but it didn't work.

When I run best practices analyzer, it comes with some issues:

The secure channel to the domain controller cannot be verified. > I don't believe it's relevant, but says its critical.

Strict RPC compliance is enforced in the access rule web, which allows traffic to or from the Local Host network. This message can be safely ignored if this is your intention. To allow non-strict RPC traffic, expand the Firewall Policy node, right-click the rule web, click Configure RPC protocol, and clear the Enforce strict RPC compliance check box. > Not sure about this one.

This computer has only one connected network adapter. Note that several ISA Server features, for example, application filters, cannot be used with only one network adapter. Traffic requiring an application filter (for example, FTP traffic) will not pass through an ISA Server computer operating in a single network adapter scenario. Not sure about this one, but shouldn't be a problem, it works ok when web chaining upstream is disabled.

Another thing is that I'm using NAT instead Route relationship. Could it be relevant?

Well, thanks fro any help

MK2

TMG RC1 - Multiple External Networks - spoofed packet error

Mon, 02 Nov 2009 01:05:39 Z

I have TMG RC1 running. I have 3 NICS. 1 Internal, 1 the default external, 1 an additional External (second ISP). I am set up with ISP redundancy and this is working.

I want to take advantage of the second ISP additional inbound IP access to web sites and MX data.

If I ping an IP address on the second external NIC I see the packet on TMG and get the following error: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. I allow PING inbound on that network.

I also have a Policy rule to allow an address on the second external NIC for OWA access. If I telnet port 443 I get the same spoofing error.

What am I missing? Maybe I am assuming the concept will work and it won't?

Any help is appreciated. Is this the correct Forum?

Thanks.

Doug

failure to parse response header

Tue, 10 Nov 2009 13:03:56 Z

We have recently configured an ISA caching server behind a SPAM appliance. Browsing to most sites are fine, but we have noticed that when accessing microsoft related sites (such as hotmail and technet, to name a few), the users are getting "Forbidden 403 - Failure to parse response header". To bypass this, we have to disable the ISA caching.

Any thoughts on this?

ISA Server 2006 configuration

Tue, 10 Nov 2009 07:51:10 Z

Hi,

I am testing the installation of ISA server 2006 and I'm having a few issues.

1. Local urls that do not have FQDN does not get resolved. e.g. from the browser typing "servername:2301" will be completely blocked but "servername.n.e.local:2301" works.

2. using the eg above i.e. "servername.n.e.local:2301", it redirects to https and fails. when I attempt to configure the firewall to redirect ssl requests, it requests for certificate and I am unable to find nor create any certificate.

Can you please assist.

Thanks a lot,

Emem

Internet access through a Forefront TMG server virtual machine

Fri, 30 Oct 2009 16:00:04 Z

Anyone running a Windows 2008 Forefront TMG Security Server as a virtual machine?
I have a ESXi 4 host running Windows Essential Business Server 2008 - Management, Security, and Messaging Servers. The host is a new Dell T105, 2.3GHz dual core, 8GB, Dual NICS, with SATA 7.2K drives - very modest but the performance metrics of ESXi doesn't reveal any real bottlenecks in this very light duty evaluation environment. Internet access is very fast and responsive when connecting directly to the Internet with physical or virtual machies with my router as the gateway but when using this Forefront Security Server as the gateway I am experiencing very slow webpage loading. If I run a Internet bandwidth test, the results are very similar to using my router or Forefront server as the gateway.
I have very little experience with this software firewall on a physical or virtualized server and don't know if I am asking too much running in a virtual environment.

With this kind browsing responsiveness, I will be forced to avoid Forefront as my firewall/gateway. Anyone have suggestions/comments?

EBS security server not allowing any acces to the internet

Tue, 18 Aug 2009 15:46:13 Z

New setup of EBS 2008 everything seems to be ok but the security server which is set as the edge firewall will not allow any internet access.

We are running it on a virtual environment with ESXI4 as the host OS the nics connect to a virtual switch which has the physical nic attached to as well

The forefront threat managment seems to be blocking the traffic out

Any help would be appreciated.
Thanks

ISA 2004 - js error on webpage

Tue, 10 Nov 2009 22:54:39 Z

Hi,
I am currently running ISA 2004 SP3 on our network however i have noticed recently that on a couple of sites certain .js files are not downloaded correctly.

for example:
http://media.Theage.com.au - does not download the europa.packed.js therefore causing the media player not to load (http://resources.theage.com.au/core/2007-11/js/europa.packed.js)

https://na.blackberry.com/eng/services - does not correctly download mootools.js therefore making the site unuseable. (http://na.blackberry.com/eng/mootools.js)

both instance only download half or less of the actual js file.

when i am not behind the ISA it works fine so it is not firewall related.

Hoping someone can help

James

Howto tunnel Zyxel ZyWall client through ISA 2006?

Mon, 14 Sep 2009 07:52:09 Z

Hi,
I have a challenge in tunnelling a ZyWall clint throuig the ISA server!
I have done this before with a Cisco VPN client, which was "piece of cake", but this is driving me crazy.

On the inside network we have a computer installed with ZyWall IPSec VPN client version 2.4, that should connect to a customer site - they have a Zyxel "something" router.
Connecting from home is OK, the client connects as supposed, so config should be fine.

I have created a rule on the ISA Server which allows "IKE Client" and "IPSec NAT-T Client".
When initiating a connection from inside network, I see the connection is initated on port 500 UDP and the "IKE Client" rule is used to allow traffic.
A little later the remote site resonds to a high number port like 30158 but the response is rejected as "Unidentified IP traffic", which end the session.

Hope some of you clever people have a suggestion, I am stuck on this.

SW: Isa 2006 SP1 on Windows 2003 - all updates applied
BR Torben

Direct users to a "do you agree to company policy" page before surfing

Mon, 26 Oct 2009 23:11:28 Z

My HR dept wants all allowed users when they first open a web browser to be directed to a page that the staff member needs to click that they accept all company policies on internet access before allowing them to the wild.

I had a SonicWall PRO100 firewall ages ago that this was a built in feature of the device, but can this be done on a ISA box.

I have ISA 2004 but can upgrade to 2006 as its in SA at the moment.

Thanks in advance

Liam

Different proxy settings for different web sites...

Thu, 22 Oct 2009 11:00:45 Z

Hi all;

I have two ISA Server 2006 that are connected to two different ISPs. Can I configured proxy settings in clients that connect to Internet via the first ISA server and connect to a different site through the second ISA Server?

Thanks

Accessing Facebook through TMG RC

Wed, 14 Oct 2009 20:03:18 Z

We have sporadic issues accessing facebook through TMG, the error in the logs shows Status 13 The data is invalid

Sometime I get get people to log on, but any messages in the inbox do not show up and the TMG server logs the above failure.

Any ideas on a fix?

Thx!

Hostname replacement for outgoing requests

Thu, 08 Oct 2009 16:08:29 Z

We send messages from an internal app to an external app/webserver (via ISA 2006) where the internal app uses a specific hostname in its http request (we use a Webchaining rule to bridge the http to SSL and we also have an access rule to allow the trafic through to the destination server). This works happilly but we now require the hostname on the request to be changed to a different value (for various reasons I won't go into we can't have our app do this).

I.e. we send a request to URL http://testserver.bob.job.co.uk/blah and the destination requires the request to be https://newserver.bob.job.co.uk/blah. What I suppose I'm looking for is a similar thing to the web publishing rule which allows you to modify the host value sent onto requests for incoming web server requests?

Any help greatly appreciated.

ISA 2006 Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administr

Thu, 13 Dec 2007 21:57:08 Z

I installed and configured ISA 2006 to allow HTTP traffic. I am unable to access any website other than Microsoft.com. The following error occurs whenever I try to access a non-Microsoft website. (I can ping any website from the command prompt on the ISA server.)

The page cannot be displayed

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

I am not seeing any relevant documentation on Microsoft website. I saw a hot fix that Microsoft sent. I tried it but it did not work.

I am allowing HTTP traffic, and I am not blocking the websites we want to access. What do I have to do differently on ISA 2006 from what I did on our ISA 2004? I configured ISA 2006 the same way I did for our working copy of ISA 2004.

ISA 2006, 500 Internal Server Error. The request is not supported. (50) staples.com not available!

Thu, 13 Aug 2009 21:12:35 Z

We recently upgraded to ISA 2006 from ISA 2004. Now, many web sites give an error (see below). Help!

ISA 2006, on Win2k3, all current on patches and SP's. Single edge Firewall / router configuration.

Steps to reproduce:
1) Go to www.staples.com
2) Add any product to the cart

The following web page comes up immediatly:

Technical Information (for support personnel)

Error Code: 500 Internal Server Error. The request is not supported. (50)
IP Address: 72.246.110.125
Date: 8/13/2009 8:33:21 PM [GMT]
Server: Server-FWall-2.example.local
Source: proxy

I've already disabled the compresesion filter (fixed the problem in ISA 2004), DiffServe filter, HTTP Filter, and Caching Compressed Content Filter. Caching is turned off. In General prefferences, HTTP Compression is enabled, but no sites are configured. (all web filters had been turned on initially, except for Authentication Delegation Filter, which I disabled to allow some web sites to be published).

Under Firewall Policy, the outbound rule has max headers at 32k, any payload length, and max URL at 16k, no verify normalization and block high bit off. No blocking of responses containing Windows executables, all methods, all extensions, send original header, and send default header.

As near as I can tell it's 'wide open' but still not working.

I checked the logging tab and there are no firewall rules that are denying the request, I get pretty much the same info as above.

I find it very hard to believe that pretty much 'out of the box' ISA 2006 doesn't allow you to book hotel rooms at Marriot or order products from Staples. This was a problem in 2004, and it's obviously still a problem in 2006 :(

I've checked ISA Server.org but no answers there either.

Any ideas?

== John ==

P.S. Response from the Firewall logs:

Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Authentication Server Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Yes Proxy 72.246.110.125 TCP GET Internet - - - Req ID: 0cdeeb8f - - - 8/13/2009 8:59:04 PM 0 5359 4258 1957 0x3040000 0xd00 8/13/2009 1:59:04 PM 192.168.253.8 72.246.110.125 80 http Failed Connection Attempt Outbound

Access 50 The request is not supported. anonymous Internal External http://72.246.110.125/office/supplies/StaplesAddToCart?ST_viewFrom=sku&langId=-1&storeId=10001&productId=221478&errorUrl=sku&URL=yourorder&catalogId=10051&quantity_1=1&partNumber_1=733726&cmArea_1=FEATURED:SC3:CG75&ST_minLeadTime_1=1&ST_maxLeadTime_1=1 SERVER-FWALL-2 Web Proxy Filter

== John ==

OWA issue

Wed, 07 Oct 2009 08:26:55 Z

Hi,

I am having a little problem solving this issue.

Background: I have two exchange 2003 FE servers (NLB) and ISA 2006 server.

Plan: I want to configure ISA to accept only https (443) request from external sources and use http (80) to communicate with internal FE servers (in other words, no certificates to be installed on the exchange FE servers).

Configuration: I have an internal CA server which I had requested a certificate for the web address, exported it to a pfx file. Imported it to the personal\certficates folder on ISA, removed the certificate from the exchange FE server and published the web address.

Tests: When I request http://"NLB IP"/exchange from internal system, it works. When I request http://"IP address of ISA internal LAN"/exchange, not working. When I request https://webmail.xxx.xom/exchange from external source, not working.

Question: Any ideas from anyone on this scenerio?

Thanks
Isaac

Isaac2k2

Internet CONTENT filtering for ISA 2006

Thu, 01 Oct 2009 12:28:44 Z

We've recently installed an ISA server as our firewall / internet gateway to replace a legacy linux system that no-one knows how to use. We wanted to move everything to a windows based system.

We're a school, so internet filtering is very important. Content filtering is the key, and this job was done very well with weighted phrases and banned words by DansGuardian on Linux, previously.

Is there a way to filter web CONTENT - text, meta tags, etc using ISA 2006 (we were told there was, hence we installed it). I can't find anything suitable. I don't want to monitor - I want to filter. Please let me know if you currently use somthing like this in your organisation.

Currently we're banning over a million domains and URLs using ISA firewall rules, but if you type the 'f' word into google image search, guess what you get? Not good.

Thanks

unable to specify the web access permission to domain users (ISA)

Mon, 05 Oct 2009 07:12:50 Z

Dear Friend,

i create a new setup with three server 2003in my domain as follows
1. primary domain controller
2. as exchanger server
3. as ISA server

every thing is working fine except ISA server
when i allow "all users" to internet everybody can access the internet and it is working
i am facing the problem to permit some user to internet,
then nighter permited user can access the internet nor othes

please help me

with rerards

Mohd Zuebr

NAT regarding to ActiveDirectory Groups

Mon, 05 Oct 2009 07:20:07 Z

Hello,
I want to know ; is it (or how) possible to NAT regarding to user accounts/groups?
For example;
if user1 is a member of Group1 will take the IP (192.168.1.1) while user2 is a member of Group2 will take the IP (192.168.1.2).

I want to know all possibilities. (adding another NIC , or installing a software etc. Hardware and/or Software solutions).

Best Regards,

Our Time is Running Out

SecureNat client not accessing cache

Thu, 27 Aug 2009 17:25:16 Z

I have a problem with securenat clients accesing caching objects in ISA 2006. I made a test with a Service Pack of 107MB. When i set IE to use the ISA proxy , it downloads the 107MB in 1 second. If i uncheck to use the proxy, the PC begin to download the 107MB from internet. Is this normal ?

TeKi

By passing AD authentication in ISA 2006

Mon, 28 Sep 2009 22:51:06 Z

Hello,

I have a domain webserver running IIS6 on a Windows 2003 Std server. Curerntly, I have published my website via a rule set up on my ISA 2006 server. Outside of my LAN, when users try to connect to: https://xyz123.com, they are greeted with an authentication dialog box, asking users to enter their domain credentails. Once this is done, all works like a charm. On the LAN side, you do not get the dialog box for authentication.

I am having a tough time trying to figure out if there is a way to bypass authenticating through Active Directory, just to get to the webserver externally? Is my only option to put my webserver in a DMZ? Any tips and advice is greatly appreciated!

Thanks in advance!

ISA 2006 - Webproxy Bypass

Thu, 10 Sep 2009 15:29:19 Z

Hi All,
Can somebody please advise? I have discovered a major problem with our proxy server. Users have discovered the easy way to surf anonymously.

Setup:
ISA 2006, Unihomed, Only providing the Webproxy service.
Browsers configured to "automatically detect settings" (I've confgured the dhcp option), and also checked the box "to use automatic configuration script"
Polcies in ISA server use Active Directory groups.
We have two AD groups, "unrestricted" and "restricted" users. This works without problem and all internet traffic gets proxied via ISA server.

Problem:
I added a http website to the allowed list for restricted users. What I noticed then was very strange, the website in question was http://login.live.com
(in fact it can be any website where eventually the address bar goes green and changes to https/secure)

The users have worked out that if they go to a https site that is allowed for them to access all they have to do is
enter any username/password, the authentication will fail, but that does not matter as long as the address bar changes
to a secure https connection.
What they then do, without closing the browser, they overtype the address bar with any website they want to go to and IE takes
them there.

for example:

I enter the following url, into ie:

https://www.hsbc.co.uk
wait for the address bar to turn green/https.
then overtype the https://...., with any url you want.

Internet explorer will take you straight there....

Now when I enabled monitoring on proxy server, I could see all the web traffic up to the point where the user breaks the policy.
This means that the the client browser goes directly to the website. No record is logged in ISA, in the example above the last
log entry will show https://www.hsbc.co.uk, but no webistes after that.

Wireshark has confirmed that the client goes direct to the website, bypassing the proxy server.

Now the webproxy service can be bypassed whenever the "automatically detect settings" and/or "use automatic configuration script"
check boxes are enabled.

The only way I worked out how to prevent this happening is to fill in the proxy server settings ip/name, under the proxy section
by ticking the check box "use a proxy server for your LAN". In which case the browser/ISA server will think about the website you
are tying to get to then eventually send the browser the "deny" page I've setup.

But I don't want to put in the proxy server ip's into the browser as it affect laptops users.... when they try to connect
to the internet from home.

Conclusion:
It appears that when you use any of the two "automatic configuration" check boxes you can easily bypass the proxy, it looks like the browser waits for a reply to
the url request from the client, it doesn't get one quickly enough, so the client browser says the proxy is not avialable
and decides to go directly to the website.

If you open up another IE session on the same terminal and try to go to a "not" allowed website you get our deny page.
But within the IE window that is now directy accessing the internet you can go to any website you want to.

I thought the simple fix to this was to disable direct access. By unchecking the box, on the internal network properties, Web Browser tab:

"If ISA server is unavailable, use this backup route to connect to the Internet - Direct Access"

But this does not make any difference, even after unchecking the ie network options, auto detect..., then reneabling them. apparently you have to do this
to get the client to fetch the new wpad.dat

Is there any way to force webproxy clients to not access the internet directly if the ISA server is not available/does not reply quickly enough?

please find below my wpad.dat

//Copyright (c) 1997-2006 Microsoft Corporation
BackupRoute="DIRECT";
UseDirectForLocal=true;
function MakeIPs(){
}
DirectIPs=new MakeIPs();
cDirectIPs=0;
function MakeCARPExceptions(){
}
CARPExceptions=new MakeCARPExceptions();
cCARPExceptions=0;
function MakeNames(){
}
DirectNames=new MakeNames();
cDirectNames=0;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("mypxy01.domain.local",0,1.000000);
}
Proxies = new MakeProxies();
function Node(name, hash, load){
this.name = name;
this.hash = hash;
this.load = load;
this.score = 0;
return this;
}
function FindProxyForURL(url, host){
var hash=0, urllower, i, fIp=false, ip, nocarp=false, skiphost=false;
var list="", pl, j, score, ibest, bestscore;
urllower = url.toLowerCase();
if((urllower.substring(0,5)=="rtsp:") ||
(urllower.substring(0,6)=="rtspt:") ||
(urllower.substring(0,6)=="rtspu:") ||
(urllower.substring(0,4)=="mms:") ||
(urllower.substring(0,5)=="mmst:") ||
(urllower.substring(0,5)=="mmsu:"))
return "DIRECT";
if(UseDirectForLocal){
if(isPlainHostName(host))
fIp = true;}
for(i=0; i<cDirectNames; i++){
if(shExpMatch(host, DirectNames)){
fIp = true;
break;}
if(shExpMatch(url, DirectNames))
return "DIRECT";
}
if(cDirectIPs == 0){
if(fIp)
return "DIRECT";}
else{
ip = host;
if(fIp)
ip = dnsResolve(host);
var isIpAddr = /^(\d+.){3}\d+$/;
if(isIpAddr.test(ip)){
for(i=0; i<cDirectIPs; i += 2){
if(isInNet(ip, DirectIPs, DirectIPs[i+1]))
return "DIRECT";}}
else if(isPlainHostName(host))
return "DIRECT";
}
if(cCARPExceptions > 0){
for(i = 0; i < cCARPExceptions; i++){
if(shExpMatch(host, CARPExceptions)){
nocarp = true;}
if(shExpMatch(url, CARPExceptions)){
nocarp = true;
skiphost = true;
break;
}}}
if(!skiphost)
hash = HashString(host,hash);
if(nocarp)
hash = HashString(myIpAddress(), hash);
pl = new Array();
for(i = 0; i<cNodes; i++){
Proxies.score = Proxies.load * Scramble(hash ^ Proxies.hash);
pl = i;
}
for(j = 0; j < cNodes; j++){
bestscore = -1;
for(i = 0; i < cNodes-j; i++){
score = Proxies[pl].score;
if(score > bestscore){
bestscore = score;
ibest = i;
}}
list = list + "PROXY " + Proxies[pl[ibest]].name + ":" + HttpPort + "; ";
pl[ibest] = pl[cNodes-j-1];
}
list = list + BackupRoute;
return list;
}
var h_tbl = new Array(0,0x10D01913,0x21A03226,0x31702B35,0x4340644C,0x53907D5F,0x62E0566A,0x72304F79,0x8680C898,0x9650D18B,0xA720FABE,0xB7F0E3AD,0xC5C0ACD4,0xD510B5C7,0xE4609EF2,0xF4B087E1);
function HashString(str, h){
for(var i=0; i<str.length; i++){
var c = str.charAt(i);
if(c ==':' || c == '/') break;
c = CharToAscii(c.toLowerCase());
h = (h >>> 4) ^ h_tbl[(h ^ c) & 15];
h = (h >>> 4) ^ h_tbl[(h ^ (c>>>4)) & 15];
h = MakeInt(h);
}
return h;
}
function Scramble(h){
h += ((h & 0xffff) * 0x1965) + ((((h >> 16) & 0xffff) * 0x1965) << 16) + (((h & 0xffff) * 0x6253) << 16);
h = MakeInt(h);
h += (((h & 0x7ff) << 21) | ((h >> 11) & 0x1fffff));
return MakeInt(h);
}
var Chars =" !\"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~€???????????Ž????????????ž? ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþ ";
function CharToAscii(c){
return Chars.indexOf(c) + 32;
}
function MakeInt(x){
x %= 4294967296;
if(x < 0)
x += 4294967296;
return x;
}

when unchecked the option to directly access the internet, I compared the wpad.dat file with the earlier one, but it was identical.

This is the bit that I think may be causing the problem:

BackupRoute="DIRECT";

Please can somebody offer any advise?

Regards

Web access and remote work place stopped functioning

Tue, 22 Sep 2009 17:47:50 Z

Setup is on SBS 2003 enterprise edition - ISA

I was editing a rule to block remote access except from one ip address -

The problem i i created a new network and automatically it created a virtual network card.

From that point after my web access and remote work place stoped working.

I deleted the new network and set all the settings back to its place but the problem is still persistent.

i think it is something to do with the new network card creeated - and when i try to uninstall the network card from device manager. it crashes.

Any help please?

Is it possible to configure a timed exclusion in TMG Web access policies?

Fri, 18 Sep 2009 13:36:57 Z

We'd like to allow our users to access certain site categories for 30-60 minutes per day.
Previously we used SurfControl as a web filtering application, which allows that. Many other web filtering applications also support that.
The question is: is that possible to configure that in TMG Beta 3? If not, will it be possible in production versions?
Regards,
Alex

Problem Accessing ftp sites REQUIRE authentication behind ISA 2006

Thu, 10 Sep 2009 19:44:57 Z

I have allowed full access behind isa for webproxy and firewall clients , but when i try to access any ftp site with authentication , isa does not prompt user for authentication and just opens ftp site but i am not able access all folders since they need authentication , is this something a bug in isa that it strips authentication and seems make web proxy clients access external ftp site as integrated authentication mode , i am using isa behind ASA and all clients are routed through router to isa and in isa i have persistent routes configured.

help from Top Micorosoft engineers will be really appreciated

12209 The ISA Server requires authorization to fulfill the request

Fri, 11 Sep 2009 19:33:09 Z

Could really use some help. I have a user trying to access an https site through an app, and it's not allowing the connection. I added the site in the Bypass Sites but it still is not allowing the user through. Here is what I am seeing in the log...

Denied Connection	LAXINTERNET 9/11/2009 2:23:19 PM
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Proxy Outbound
Source: Internal (10.210.11.122)
Destination: Internal (10.210.10.249:443)
Request: directconnect.scramnetwork.com:443
Filter information: Req ID: 192c2173; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
Additional information Client agent: Object source: Internet (Source is the Internet. Object was added to the cache.) Cache info: 0x0 Processing time: 0 ms MIME type:

Denied Connection	LAXINTERNET 9/11/2009 2:23:19 PM
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Proxy Outbound
Source: Internal (10.210.11.122)
Destination: Internal (10.210.10.249:443)
Request: directconnect.scramnetwork.com:443
Filter information: Req ID: 192c2173; Req ID: 192c2173; Compression: client=No, server=No, compress rate=0% decompress rate=0%, Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
Additional information Client agent: Object source: Internet (Source is the Internet. Object was added to the cache.) Cache info: 0x0 Processing time: 0 ms MIME type:

Thanks for any help! We are using ISA 2006.

-Ryan

Error Code: 502 Proxy Error. ISA Server is not configured to allow SSL requests from this port

Mon, 26 Nov 2007 16:50:18 Z

I currently have ISA Server 2006 Standard and I am only using as a web proxy on my network.

When I am trying to access a website that is using a non-standard SSL Port, ISA is blocking the page due to the port not being configured to be used.

Error:

Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)

PLEASE HELP

Asking a question in the Forefront: Edge Forums

Tue, 08 Sep 2009 17:47:07 Z

Before you ask your question, please take a bit of time to think about what it is you are looking to get help on. The more specific you are about what you are trying to achieve - and need help with, the easier it is for us to target the responses.

Tell us about the basic environment in which an error occurs or that you are working in. If you don't tell us then we will make assumptions and this can cause confusion.

Telling us the versions of ISA Server and service pack; whether ISA is a Proxy only or proxy/firewall installation; is the ISA FWC deployed; each of these small bits of information allow respondees to focus on the issue rather than having to make guesses or keep requesting further clarity.

Please be aware that the expectation will be that you have applied ALL ISA/Forefront Service Packs and updates and retested prior to asking the question.........

Keith Alabaster
Moderator

ISA Server 2000 + BBC I-Player and Embedded YouTube Video's

Thu, 03 Sep 2009 08:33:30 Z

Hello,

We are running ISA Server 2000 Enterprise with SP2 on Windows 2000 Advanced Server with SP4. We are running ISA Server in Cache Only Mode.
We are patched to the latest releases.

We are unable to get embedded media to play on bbc.co.uk and embedded YouTube Videos on web pages. The YouTube videos play if you go to the YouTube website and we don't have any problems with the BBC I-player.

The issue with the BBC site appears to be with the BBC Media player. Live and recorded content will not play. The same is also true of the ITV player on itv.co.uk. I'm also thinking that the same problem is causing the embedded YouTube issue.

The message on the YouTube embedded vidoes is: An error occurred, please try again later. The BBC Videos simply display the 'rotating dots' and nothing starts.

Does anyone know how I can get the embedded videos to play?

Thanks.

Dave.

Problem Importing ISA server Array

Sun, 02 Aug 2009 11:39:42 Z

Hello Friedns :

I want ti Import ISa server array backup but i get an error message like this "

You should import files originating from a trusted source

how can i fix the problem ?

Network is my LOVE

Isa server blocking

Fri, 21 Aug 2009 16:53:44 Z

I am facing a problem with outlook and ISA 2006 in our small company here is the details:

We have subscribed with yahoo domain and email services recently with the following information:

Pop: pop.gmail.com
SMTP: smtp.gmail.com
Server requires a secure connection (SSL); port number "587" in the "Outgoing mail (SMTP)" .
Server requires a secure connection (SSL); port number "995' in the "Incoming mail (POP3)"

Before installing the ISA 2006 in the company, the outlook was working fine with above configuration. But after installing the ISA 2006 , the outlook cannot connect the above server.
I already made some rules to allow all traffic from internal to external for all users and also I made rules for ssl smtp and ssl pop3 to be allowed for all users from internal to external network but still it is not working but without Isa it is working fine.
I am looking to know how configure the ISA server to allow outlook clients to connect with the above server.

ISA 2006 and PPPoE

Sun, 30 Aug 2009 17:06:36 Z

I have a small office, and connect to the Internet using DSL. My area is wired with fiber, so I HAVE to use PPPoE.
I can configure Windows 2003 with RRAS with no problem, but when I tried to install ISA 2006 I can't find a configuration that works.

When I try to use demand-dial connection from the general setup tab in ISA, I get a timeout when I try to access the Internet, and monitoring never seems to show any traffic to that port.

Configuration:
Windows 2003 on a server with 2 NICS.

NIC1: Internal - 1GB on-board, IP 192.168.101.1/255.255.255.0
NIC2: External - 10/100 3Com, tried IP=static IP assigned by ISP and leaving unconfigured outside of ISA.

ISA 2006: Monitoring Sessions does now show anything as soon as filter is applied

Wed, 05 Aug 2009 15:03:14 Z

In ISA 2006, I go to Arrays/<server>/Monitoring/Sessions, and I see all sessions. But if I specify a filter, then no session shows up. Any filter. For example, I can specify "server name contains" or "server name Not Contains", zero results are displayed. Why?

A strange problem facing with ISA client?

Sun, 09 Aug 2009 12:37:17 Z

Hi,
I am facing strange problem . Before in client pc user is able to get internet. Now in internet explorer when he type any web address. He is getting an error message. Network Access Message: The page cannot be displayed.
Error code: 502 proxy Error. The ISA server denied the specified (URL). (12002)

Client Browser: Internet Explorer 6
Note: With Mozila firefox internet is working.

Even if login with other username(Full internet access username) also its not working.

My ISA Server Configuration:
Hardware: Intel P4 3.2ghz processor, 1GB RAM, 160GB Hard disk. 1 LAN card
Its ISA Server 2006 standard edition with One NIC. We r using as proxy and firewall. Internet is coming through router to ISA server. All other computers are in side the ISA. We publish Exchange server 2003 standard edition through ISA. We r using RPC over http and OWA.

My firewall policy:
1. Blocked sites: Deny-> All outbound traffic -> Internal-> URL SET(Blocked sites, Block exception)-> Userset(un autharaised users group)

2. Blocked objectss: Deny-> HTTP, MMS Server, MMS, PNM Server, PNM, RTSP Server, RTSP-> Internal-> External-> Userset(Un autharised group)->
Content type(Audio, Video, Video Stream)

3. Blocking Mesngers: Deny-> AOL Instant mesenger, H.323 protocal, ICQ 2000, ICQ, MSN Mesenger, NET2phone, Net2phone Registration -> Internal-> External-> Userset(un autharaised users group)

4. Net with restriction: Allow -> All outband -> Internal-> External -> Userset(un autharaised users group)

5. OWA and RPC/HTTP: Allow -> HTTP -> SSL Listener-> Published sites(owa.domain.com) -> All authanticated users.

6. Open net : Allow -> All outband -> Internal-> External -> Userset(Autharaised group, IT users)

Steps which i Tried:
I check with internet some are telling to uncheck Enable Integrated authantication From Browser (Internet Explorer 6)
Internet Options -> Advance tab-> Security -> Enable Integrated Authantication.
I did same still my problem is not solved. Please some one help me to solve my problem.
Thank you

How can I Block IDM(Internet download Manager)with Isa server

Tue, 12 Feb 2008 05:12:21 Z

Hello,

I saw the link www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx

It is very useful but some application like IDM(Internet download manager ) uses the IE standard User-agent: ,so we can not block this software I want block IDM(Internet download manager ) in my Network

please help me how can i Block this applications ?

ISA 2006 Remote Site Issues

Tue, 04 Aug 2009 17:41:51 Z

I am running an ISA 2006 install on a Win 2k3 box that is joined to the domain. I am using ISA in a single NIC setup as web proxy. My company has a headquarters (HQ) and 15 remote sites (RS). The problem that I am having is that the users at the remote sites can't ping or connect to the ISA server. HQ is fine. I can ping other servers from the the remote sites and I can also ping the remote sites from the ISA server. I ran Wireshark on the ISA server to see what was happening with the ping traffic and I see 4 requests from the RS and 4 replys from the ISA server but for some reason at the RS it says it timed out. I can ping by host name and it will resolve to IP but the request times out. When I try to access a shared folder on the ISA from the RS the ISA Logging shows that the RS is trying to connect but closes the connection. It iniateates the connection and then immediatly closes the connection.

I currently have 3 rules setup in the firewall policy:

Allow Microsoft CIFS TCP & UDP/ PING / NetBios Name Service From: (Internal & Local Host) To: (Internal & Local Host) ALL USERS
Allow All Outbound Traffic From: (Internal & Local Host) To: (Internal & Local Host) ALL USERS
Default rule (Deny All Traffic that isn't handled by the first two rules)

Does anybody have an idea of what I'm doing wrong?

HOW DO I BLOCK WEBSITES SUCH AS FACEBOOK USING ISA 2000

Wed, 05 Aug 2009 14:16:09 Z

Please understand that i have no experience of isa 2000 , however i did try and set up a rule with the content & rule wizard and a destination set , In the content & rule folder are 3 rules" Spoofed addresses" set to DENY ," Prevent Adverts "set to DENY and another rule "Allow Rule "set to ALLOW for client sets INTERNAL ,always ,content = all .I created a new rule Selected DENY selected clients access to all destinations, then selected the destination set I had created referring to www.bt.com as an example , apply this to user /groups , choose myself from active directory , hoiwever when i tried to
browse to the site bt.com a server logon box appeared asking for username and password ,then if i cancel that i still get to browse the net and that bt.com site , and all other users were asked to logon on with username & password if they commenced browsing

Custom forms don't work

Wed, 29 Jul 2009 14:06:46 Z

Hi,

I'm trying to customize logon form to access sharepoint site I'm trying to publish to internet. It works ok with standard forms. I've followed this article: http://technet.microsoft.com/en-gb/library/bb794733.aspx.
When I setup to use custom forms I get error 500. When I've tried to change images in default forms it was still showing me default form.

Strange behaviour on our new ISA server

Thu, 23 Jul 2009 09:47:49 Z

Hi There,

We are experiencing issues with our new ISA2k6/Websense 7.1 set-up. This is a single server, with one NIC, that we want to use to provide Web Proxy/Filtering.

As part of the normal day-to-day operations of my company, 2 groups of users (controlled by Websense) need to be able to watch and upload videos to YouTube and Upload pictures to Facebook.

Our old system, which was hosted on a similar system (ISA2k and Websense 6.x) used to handle both Youtube and Facebook with no problems.

Since we have switched to the new server, even though the access rules in Websense are effectively the same, we can no longer do either.

Facebook eventually times out with an ISA generated error page, and Youtube just seems to hang at a "loading" state - the main pages are fine, this happens when you try and watch a video.

One strange thing though; If you go to video.google.com and try and watch the same video you were trying to play on YouTube - it plays, no problems. So obviously it's not the protocol being "blocked". In fact it looks like it's the page timing out in some way, as we get no block page from Websense as we would expect (blocked pages from other categories) do display the block page as expected.

One last problem is that the Proxy aslo seems to be giving out "personalised" pages to anyone. For example, My iGoogle page can be seen by others if they go there after me, until they refresh. Is there any way to stop this bahaviour in ISA2k6?

Regards,

Paul Fletcher