locked
Problem accessing Google Picasa web albums

    Question

  • We have got a problem accessing Google Picasa web albums through ISA server 2006 with SP1.

    Try this link: 

    http://picasaweb.google.nl/pwzwza 

    And the select an album. It should then show the pictures in the album, but instead we receive javascript errors.
    I have reproduced this problem on 3 different ISA2006 servers. When I connect  a pc directly to the Internet instead of using the ISA server, the page works fine so it is definitly a ISA server problem.

    Could some confirm that they are having the same problem?

    Thanks.


    ForeFront Client Security rulez!
    Friday, September 19, 2008 2:58 PM

Answers

  • I just upgraded my ISA production server to GFIWebMonitor 4.1 and the problem is solved!

    Thanks for all the help.
    ForeFront Client Security rulez!
    • Marked as answer by Joop Idema Thursday, January 08, 2009 7:33 AM
    Wednesday, January 07, 2009 4:40 PM

All replies

  • Yes, we have the same problem ... javscript error on IE page on all stations behind the ISA 2006 Server while trying to open an album on the Picasa website.
    Still looking for a solution.
    Thanks
    Sunday, October 05, 2008 8:18 PM
  • Works OK on ISA2004 SP3 for XP and Vista clients.
    Just re-installing my ISA2006 test lab now.

    In the meantime - anything noticed in the ISA log when you access that link?

    Keith Alabaster
    Tuesday, October 07, 2008 7:13 PM
    Owner
  • No, a far as I can see in the ISALogs nothing out of the ordinary happens.
    ForeFront Client Security rulez!
    Wednesday, October 08, 2008 7:54 AM
  • Do you get the same error from the browser on the ISA Server itself?
    Wednesday, October 08, 2008 5:20 PM
    Owner
  • Yes, same problem occurs on the ISA server itself.
    ForeFront Client Security rulez!
    Thursday, October 09, 2008 6:39 AM
  • Hi there.

    We experience the same problem here at a customers site. We have a ISA 2006 SP1 2 Node Cluster here. I noticed that the IE often tries to get webcontent without authentication first and then supplies the right credentials. May this cause the bug?

    Good day,
    Christoph
    Tuesday, October 14, 2008 7:45 AM
  • Thats not a bug Cristoph - but would be nice if that was the cause...

    Joop, can you provide more details on your setup?

    Are you using ISA as a firewall/proxy or just proxy?
    If as a firewall/proxy, are you using the fwc? Securenat? web proxy? combination?

    What version of java are you running?

    I have tried a number of combinations now and seem unable to reproduce your issue so anything that might point to differences would be useful.

    Keith

    Tuesday, October 14, 2008 5:58 PM
    Owner
  • Hi there,

    I ran a new logging and have to correct my opinion. The authentification seems not to be the problem. I think the following error may lead to the solution:

    Fehlgeschlagener Verbindungsversuch ISA01 15.10.2008 09:32:17
    Protokollierungstyp: Webproxy (Forward) 
    Status: 2 Das System kann die angegebene Datei nicht finden. 
    Regel: HTTP ausgehend erlauben (Proxy)
    Quelle: Intern (XXX.XXX.XXX.XXX)
    Ziel: Extern (74.125.47.190:80)
    Anforderung: GET http://picasaweb.google.nl/s/v/39.20/script/lh_view__de.js
    Filterinformationen: Req ID: 092a5c37; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protokoll: http
    Benutzer: abc\john-doe

    Sorry, the customer insists on using localized versions...

    Status: 2 The System cannot find the file specified
    The javascript seems to be missing and as well seems to be responsible for displaying the images...

    Any thoughts?
    IT Consultant in Germany MCP & MCTS
    Wednesday, October 15, 2008 8:04 AM
  • Keith,

    My ISA servers are configured as firewall/proxy. I've tested it with and without fwc. Not with securenat.

    When that didn't work I connected the PC directly to the Internet and than it worked, so i do not think the Java version is relevant.

    ForeFront Client Security rulez!
    Wednesday, October 15, 2008 10:15 AM
  • Joop, could you please check your logs if you find anything like in my previous post?
    IT Consultant in Germany MCP & MCTS
    Wednesday, October 15, 2008 10:17 AM
  • Christoph,

    This is my ISA logging:

    Failed Connection Attempt ISA002 15-10-2008 13:28:19
    Log type: Web Proxy (Forward)
    Status: 2 The system cannot find the file specified.
    Rule: HTTP, HTTPS, FTP Download - Allow out
    Source: Internal (xxx.xxx.xxx.xxx)
    Destination: External (74.125.47.91:80)
    Request: GET http://picasaweb.google.nl/s/v/39.20/script/lh_view__nl.js
    Filter information: Req ID: 1ba5dc54; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: http
    User: XXX\test.user1
     Additional information
    • Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    • Object source: Internet (Source is the Internet. Object was added to the cache.)
    • Cache info: 0x61820000 (Response includes the CACHE-CONTROL: PRIVATE header. Response includes the LAST-MODIFIED header. Response includes the EXPIRES header. Response includes the TRANSFER-ENCODING header. Response should not be cached.)
    • Processing time: 1312 ms
    • MIME type:

    ForeFront Client Security rulez!
    Wednesday, October 15, 2008 11:32 AM
  • Hmmm - sounds promising Christoph. Good effort. Would be interested to see a securenat/web proxy client operate - this is what I have been testing.

    Keith :)

    Forefront MVP, ISA MCT - UK

    Wednesday, October 15, 2008 7:28 PM
    Owner
  • I've tested it with securenat. Doesn't work either, although I do not see the connection failed in the ISA logging.
    ForeFront Client Security rulez!
    Thursday, October 16, 2008 8:10 AM
  • Same problem here with ISA2006 SP1 and ISA2004 SP3.

    Is there a solution?

    Regards!

    • Edited by Benjamin B Friday, November 07, 2008 9:41 AM spelling error
    Friday, November 07, 2008 9:38 AM
  • Problem is, Benjamin - I can't reproduce it. If necessary I will escalate this anyway but I like to be able to give formative infomation to the team but as I cannot make it fail, it is a little problematic. Naturally there must be a difference between our setups but as yet I have not been able to identify it....

    Keith
    Friday, November 07, 2008 10:48 PM
    Owner
  •  Keith, can we provide anything to help you reproduce our situation?

    And Joop / Benjamin: What Anti-Virus and/or Contentfilters do you use? Maybe we find the problem there!
    We are using GFI Webmontor here...

    Best regards!
    Monday, November 10, 2008 9:10 AM
  •  Here in my lab I am testing with Sophos Anti Virus and I am using with an All Users authentication and All protocols outbound allowed.
    my setup (so far tested has been ISA2004 with SP3 and ISA 2006 with supportability pack and SP1. All tests have been on W2K3 R2 SP2 x86 using the front-firewall wizard as my template. ISA is a domain member in all implementations.

    If any of you have a more detailed, alternate setup you want me to follow then I will see what i can do.

    If I can get some detailed configurations that I can pass these up the line and ask one of the team to investigate and advise although I am sure they will have their own questions. It is possible they will ask that you run up the BPA and create an output file for diagnosis purposes but maybe it will not need to come to that.

    Regards

    keith
    Monday, November 10, 2008 6:51 PM
    Owner
  • Hi Keith,

    I try to give you as much information as possible.

    Tech specs: Windows 2003 Standard with SP2 - ISA Server 2006 Enterprise Version 5.0.5721.240
    Two servers running in NLB Cluster.

    The path for internet traffic looks like this:
    Client (internal net) -> ISA NLB Cluster -> Router (in DMZ) -> Checkpoint Firewall (Border) -> Internet

    All clients use WPAD as proxy configuration. All http/https traffic to the internet has to be authenticated.

    I just ran a test, allowing my client full access to the internet without authentication:

    Fehlgeschlagener Verbindungsversuch ISA02 12.11.2008 09:04:47   
    Protokollierungstyp: Webproxy (Forward)   
    Status: 5 Zugriff verweigert    
    Regel: Ping von TT erlauben   
    Quelle: Intern (x)   
    Ziel: Extern (209.85.129.93:80)   
    Anforderung: GET http://lh3.ggpht.com/s/v/40.14/script/lh_view__de.js   
    Filterinformationen: Req ID: 0a9cfe66; Compression: client=Noserver=No, compress rate=0% decompress rate=0%   
    Protokoll: http   
    Benutzer: anonymous   
     

    It's all about that damn java script. "Status: 5 Access Denied" ... I don't see any reason for this. My testrule is one of the first, no other rule should prevent me from getting that file.

    ------

    Just tested another few times. It seems that my ISA01 is giving me a diffrent error than the ISA02 in the cluster. ISA01 states "cannot find the file specified" and ISA02 states "access denied".

    Fehlgeschlagener Verbindungsversuch ISA01 12.11.2008 09:11:27   
    Protokollierungstyp: Webproxy (Forward)   
    Status: 2 Das System kann die angegebene Datei nicht finden.    
    Regel: Ping von TT erlauben   
    Quelle: Intern (x)   
    Ziel: Extern (209.85.129.91:80)   
    Anforderung: GET http://lh3.ggpht.com/s/v/40.14/script/lh_view__de.js   
    Filterinformationen: Req ID: 0982bf0e; Compression: client=Noserver=No, compress rate=0% decompress rate=0%   
    Protokoll: http   
    Benutzer: anonymous   
     Zusätzliche Informationen   
    Client-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9) Gecko/2008052906 Firefox/3.0  
    Objektquelle: Internet (Quelle ist das Internet. Das Objekt wurde dem Cache hinzugefügt.)  
    Cacheinfo: 0x61820005 (Die Anforderung darf nicht aus dem Cache bedient werden. Die Anforderung enthält einen der folgenden Header: CACHE-CONTROL:NO-CACHE oder PRAGMA:NO-CACHE. Die Antwort enthält den CACHE-CONTROL: PRIVATE-Header. Die Antwort enthält den LAST-MODIFIED-Header. Die Antwort enthält den EXPIRES-Header. Die Antwort enthält den TRANSFER-ENCODING-Header. Die Antwort darf nicht zwischengespeichert werden.)  
    Verarbeitungszeit: 500 MIME-Typ:   
     


    I cannot explain this behaviour...

    If I can provide any more information, just tell me what you need.

    Thanks a lot for your efforts!

    Regards
    Christoph
    Wednesday, November 12, 2008 8:23 AM
  • Christoph - so sorry, I missed your response. I'll pass these details up now.

    Regards

    Keith
    Thursday, November 27, 2008 3:43 PM
  • Christoph, I have sent the URL for this question to my escalation points to see if I can gain some 'better-brains-than-mine' to look this over. Some of them are ahead of me (UK) in respect of time-zone whilst anotheer is behind. Between them they are the best I know so hopefully we can get this brought to a conclusion for you all.

    Thanks
    Keith
    Thursday, November 27, 2008 3:49 PM
  • Joop/Cristophe,

    Could you provide the outputs from the Best practice Analyser please? This link takes you to the ISA Tools section where you can see the ISA BPA tool http://technet.microsoft.com/en-us/forefront/edgesecurity/bb734830.aspx (you need .net 1.1 installed on the ISA also).

    Anything untoward reported?
    Tuesday, December 02, 2008 6:13 PM
    Owner
  • The only issue worth mentioning is this one:

    Path maximum transmission unit (MTU) discovery is disabled

    When path maximum transmission unit (MTU) discovery is disabled, long delays may occur in accessing some Web sites. This mechanism can be safely enabled when using Windows Server 2003 with Service Pack 1. Path MTU discovery can be enabled by setting the registry value HKLM\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\EnablePMTUDiscovery to 1. For more information see KB 905179.

     
    ForeFront Client Security rulez!
    Thursday, December 04, 2008 4:25 PM
  • Yes, I know it is rather frustrating in that there is no ability to add attachments - I asked this question myself and was advised that I am supposed to ask you to place the output in a public location and then insert a link tag into your post but I know many people will either not have that public facility or even understand what that means.

    However, I have fed back your findings.
    Christoph, same sort of results for you?

    Thursday, December 04, 2008 7:01 PM
    Owner
  • Thursday, December 04, 2008 7:24 PM
  • The feedback from the escalation point is to ask you to log this as an MS Incident. (Please do not shoot the messenger)..... I will see if I can get assistance from another source.
    Sunday, December 07, 2008 11:10 AM
    Owner
  • Can you please run ISABPA in repro mode:

    1.      Start, All Programs, Microsoft ISA Server, ISA Tools,  ISA Data Packager

    2.      Select Collect data from one of the following repro scenarios

    3.      Select Web Proxy and Web Publishing, click Next

    4.      Click Modify Options

    5.      In Options,

    ·        select ISAInfo

    ·        click Start Data Collection

    6.      When prompted in Collecting Data, hit <Space> to start the data collection

    7.      Perform the exact steps that create the problem state

    8.      A moment after the repro is complete, hit <Space> again to stop the data capture

     

    BPA will gather config data from the ISA server that will help us understand your set-up and will output all the data captures to a file on the desktop called isapackage.cab.  It's this data that we'll want to see.  You can send the link kdirectly to me if you don't want your configuration publicized.


    Jim Harrison Forefront Edge CS
    Sunday, December 07, 2008 4:47 PM
  • Guys,

    Can you also confirm the version of IE you have tested with?

    cheers
    MS
    Monday, December 08, 2008 3:09 AM
  • In my case the version of IE is 7.0.5730.13
    Monday, December 08, 2008 10:13 AM
  • Grrr, the customer I am working for does not want me to publish any data...
    I hope Joop can provide all data in that case :-(

    To the browser question: We testet IE7 and Firefox 2+3

    Greetings
    Christoph
    Monday, December 08, 2008 10:52 AM
  • In that case, how about some network captures (or is this HTTPS traffic)?
    It's very difficult to answer questions about ISA behavior with little data (as I'm sure you can appreciate).
    Jim Harrison Forefront Edge CS
    Monday, December 08, 2008 2:38 PM
  •  At the moment I'm on a training (SCCM2007) so I will not be at the office this week.
    I will perform the BPA analysis next week and post the results here.

    For testing  we used the IE6 version default installed on Windows XP SP2/3.
    ForeFront Client Security rulez!
    Monday, December 08, 2008 4:34 PM
  • Hopefully someone should be able to give us the Data repro package that Jim requested which should lead us to something!!
    Another quick question for everyone....is your ISA on the edge or is there another FW ahead of it? And which one?

    Regards
    MS
    Regards MS
    Tuesday, December 09, 2008 8:48 AM
  • We have a pair of Checkponts in front of it.

    I finally got my customer to allow me the gathering of all data requested here... and now guess what: the problem is GONE. I can open the link in the first post and browse the galleries... any gallery indeed. 

    I am kind of disappointed because I do not know what has changed since the problem occoured. One thing I remember is updating the GFI Webmonitor a few weeks ago. But Joop does not have that program on his setup, so I can't say what happend.

    Very unfortunate for us I guess, I'd been really happy to provide more info but now it seems I can't help anymore :-(

    Regards
    Christoph 
    Tuesday, December 09, 2008 10:18 AM
  •  At least it supports the view that this is likely a configuration issue rather than a bug and (in fairness) also supports the view of my escalation points within MS.

    Hopefully Joop or Maltyx will be able to supply the data file when they are next available.

    As an aside, my thanks to Jim and Mohit for jumping aboard with this one.

    Keith
    Tuesday, December 09, 2008 5:41 PM
    Owner
  • The output from our ISA server: ISAPackage.cab
    Wednesday, December 10, 2008 6:44 AM
  • Hi Maltyx,

    Quick question for you.

    I see that your default gateway on your ISA is 172.16.0.1. What is 172.16.0.254 since we keep getting a redirect to use that as a default gateway while connecting to picasaweb. Is that another route to the internet?

    Your Internet Network rule from Internal to External is set to Route instead of default NAT. Is that set like that for a specific reason?

    cheers
    MS
    Regards MS
    Wednesday, December 10, 2008 9:35 AM
  •  Thanx for a quick response ... 172.16.0.254 is trusted interface of the front-end firewall (Netsreen 100). In my case the ISA server is a back-end fw it does not do NAT - only Routing packets to the front-end FW and the rest of the network. All NAT jobs for the whole net are made on the front-end Netscreen box.

    Regards,
    Mike
    Wednesday, December 10, 2008 9:44 AM
  • Sorry about the late reply folks....I still am looking through the data and also checking with Jim on the few things I have analysed so far. Hopefully will have something soon.


    Regards MS
    Thursday, December 11, 2008 9:07 AM
  • Maltyx,

    I notice you too have GFI WebMonitor 4 filter on your ISA. Is it possible for you to update your GFI to 4.1 and check? Chris what is the version of your GFI WebMon?
    Regards MS
    • Proposed as answer by Dgaleano Tuesday, March 03, 2009 10:19 PM
    Thursday, December 11, 2008 9:23 AM
  • Hi Mohit,

    it is Version 4.1 (Build 20081104) ... I updated it about 3 weeks ago.
    Thursday, December 11, 2008 9:29 AM
  • Well i will try, or I can try to disable Webmonitor just to check if that is the problem.
    Thursday, December 11, 2008 9:30 AM
  • I remember disabling it with no change on that problem.
    Thursday, December 11, 2008 9:31 AM
  • Well you will have to disable the filter and the services and restart the server. if that is okay then yea that would be a good test as well :)....thanks for your help here to isolate the issue Maltyx.


    Regards MS
    Thursday, December 11, 2008 9:32 AM
  • Well I can't believe - It Works today!! - with or without Webmonitor webfilter ON .... I can't understand what it was .... and I can't explain how ...
    The only change on ISA server was to disable Webmonitor add-on and enabling it back again..
    Thursday, December 11, 2008 9:46 AM
  •  <VBG>
    So is Joop the only one now with a repro of this issue?
    Regards MS
    Thursday, December 11, 2008 9:52 AM
  • I have the problem on 2 ISA servers. One of them has GFI WebMonitor installed, the other uses Burstek WebFilter. To be sure these are not the cause of the problem, I will disabled them on a quiet moment and test it.

    If no result then I will post the BPA result for both servers.

    By the way, sorry for the late reaction but it has been a busy week.
    ForeFront Client Security rulez!
    Wednesday, December 17, 2008 3:07 PM
  • I found a third (test) ISA 2006 server with the same problem and with GFI Monitor 4.0 installed..

    Steps taken so far:

    - Upgraded GFI WebMonitor to 4.1 --> no result.
    - Disabled GFI WebMonitor and restarted the ISA services --> no result

    So here is the ISA package. Hope this helps...



    ForeFront Client Security rulez!
    Wednesday, December 17, 2008 8:02 PM
  • Joop is there any way you can test this from a pure SNAT client?
    Regards MS
    Saturday, January 03, 2009 9:41 AM
  • I'm experiencing the same as al the others with this problem.
    Now suddenly everything works on my test ISA server and I changed nothing. And I am sure that 2 weeks ago it did not work.
    But on my production servers the problem still exists. So I will upgrade GFI web monitor on my production servers to see if that solves the problem.

    I will inform you of the result.


    ForeFront Client Security rulez!
    Monday, January 05, 2009 10:26 AM
  • I just upgraded my ISA production server to GFIWebMonitor 4.1 and the problem is solved!

    Thanks for all the help.
    ForeFront Client Security rulez!
    • Marked as answer by Joop Idema Thursday, January 08, 2009 7:33 AM
    Wednesday, January 07, 2009 4:40 PM
  • Joop, as yours was the first post here - can I ask you to mark one of the posts from the experts as the appropriate answer to close this one down? If anyone else who has been assisted within this thread could take the time to indicate posts that were helpful, that would also be really appreciated. it earns points for the people wjho have assisted.

    Glad that everyone seems to have been sorted here.

    Thanks

    Keith Alabaster
    Forum Moderator
    Wednesday, January 07, 2009 6:08 PM
    Owner