404 errors and pages won't load correctly using upstream server using ISA 2006
- Hi,We've got a single network adapter scenario.I configured ISA 2006 to work as the default router/firewall for the network.It works good, with no problems, but when I create a webchaining rule which redirects to an upstream server (a proxy server), it won't work properly. Many pages comes with error, like 404 error, some pages won't load. But the weird thing is that many pages will work right too.The problem isn't on the external proxy server, because I can use it normally on proxy settings on IE, for example.Both SSL and HTTP ports are 8080.I tried a hotfix for ISA http://support.microsoft.com/?kbid=941297, but it didn't work.When I run best practices analyzer, it comes with some issues:The secure channel to the domain controller cannot be verified. > I don't believe it's relevant, but says its critical.Strict RPC compliance is enforced in the access rule web, which allows traffic to or from the Local Host network. This message can be safely ignored if this is your intention. To allow non-strict RPC traffic, expand the Firewall Policy node, right-click the rule web, click Configure RPC protocol, and clear the Enforce strict RPC compliance check box. > Not sure about this one.This computer has only one connected network adapter. Note that several ISA Server features, for example, application filters, cannot be used with only one network adapter. Traffic requiring an application filter (for example, FTP traffic) will not pass through an ISA Server computer operating in a single network adapter scenario. Not sure about this one, but shouldn't be a problem, it works ok when web chaining upstream is disabled.Another thing is that I'm using NAT instead Route relationship. Could it be relevant?Well, thanks fro any helpMK2
Respostas
- 1. You cannot have "default router/firewall for the network" and "single network adapter". http://technet.microsoft.com/en-us/library/cc302678.aspx describes this limitation. Likewise, the network relationship is irrelevant because all networks are effectively "internal" in this depoloyment.
2. You cannot use 8080 for the HTTP and SSL ports; this creates a resuource conflict.
QW - is there another firewall between ISA and the domain? If so, you need to allow traffic as described in http://technet.microsoft.com/en-us/library/cc891503.aspx.
You need to resolve these issues before you work on anything else.
Jim Harrison Forefront Edge CS- Marcado como RespostaNick Gu - MSFTMSFT, Moderadorsexta-feira, 4 de dezembro de 2009 5:44
Todas as Respostas
Hi,
Thank you for the post.
According to the description, I understand that you receive error message” 404: Page not found” when you accesses any website through downstream ISA. And you have configured the downstream ISA point to the upstream proxy server. You can access the website through the upstream proxy server. If anything misunderstand, please let me know.
To get a better understand of the issue, would you please tell us how do you create the web chaining rule. And please collect network trace on the ISA server when a client pointing to the downstream ISA tried to access internet. After collecting the log, you can use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.
Regards,
Nick Gu - MSFT- 1. You cannot have "default router/firewall for the network" and "single network adapter". http://technet.microsoft.com/en-us/library/cc302678.aspx describes this limitation. Likewise, the network relationship is irrelevant because all networks are effectively "internal" in this depoloyment.
2. You cannot use 8080 for the HTTP and SSL ports; this creates a resuource conflict.
QW - is there another firewall between ISA and the domain? If so, you need to allow traffic as described in http://technet.microsoft.com/en-us/library/cc891503.aspx.
You need to resolve these issues before you work on anything else.
Jim Harrison Forefront Edge CS- Marcado como RespostaNick Gu - MSFTMSFT, Moderadorsexta-feira, 4 de dezembro de 2009 5:44
Thanks Nick and Jim for the reply.
I'm not very experienced on ISA server, but what I intend is to have this windows 2003 server to work as a proxy and use this external proxy address to filter the web for a school. It's an external watchdog.
Maybe I'm doing the wrong way, so if you have any other solution that would be simpler, I'm open mind.
I just found that since the school got the ISA license, I should take advantage.
The problem is that ISA and domain server is on the same server due to low budget, and I don't have another option at the moment, like build other server. It's a non-profit thing.
I’d like to keep the single network adapter scenario if possible. We got a static IP on the server and I can’t play too much with the current settings. But I still got a second adapter just available on the server.
Jim, the 404 error happens when I turn on the webchaining rule that points to the upstream proxy. But this error just occur in certain sites, like when you click on google mail link. Some of them works fine. I believe it’s a http problem and the port 8080 could explain that.
The way I created that rule: server config > networks > webchaining > create new webchaining rule >
I tried all combinations above
On the logs you can see the way people access when webchaining rule is enabled.The log files I uploaded to skydrive as adivsed:Thanks very much for the helpMk2- Editado-MK2- quarta-feira, 18 de novembro de 2009 21:50correcting
