isa2004_sp3 - Localhost very slow loading webpages, clients also effected


  • Hi,

    All my clients that connect to the ISA 2004 proxy server experience extreme delays when trying to access webpages on the internet.  Some pages are worse than others, for example is an offender and so is   In the case of amtrak it just takes a very very long time for the page to finally load. just renders a few links and images, it's as if the CSS and JS don't make it.   If I try these same sites on a machine not going through the proxy no issues - nice and fast.   I've also had timeout errors from the Microsoft site according to the ISA network error page.

    Another vexing item is the localhost running ISA also experiences these delays.  I see there is a firewall rule to allow internet access from from the ISA local host which to me sounds a little odd.  Why would the local host need it's access mediated?  If the localhost has issues than no surprise the clients do too. 

    I've enabled monitoring and tried to find a problem but nothing looks erroneous.  How can I improve the page loading time?   Thoughts where my bottleneck is happening?  I don't have AV enabled either..




    Tuesday, February 07, 2012 10:30 PM

All replies

  • In my opinion you may have one or two possible issues here.

    1. DNS resolution.

    For instance loads content from a bunch of servers that resides in the namespace (e.g. www, a, b, whatever...) and if name resolution is an issue, then you'll have issues.

    Recommendation, use only DNS on internal NIC (which is bound as the first adapter) and point it to internal DNS that forwards request to an Internet DNS. Make sure that the policy in ISA allows outbound DNS from this server. Another way is to install DNS on ISA and, again on the internal NIC, point DNS to Configure DNS with a conditional fowarder for your internal domain and a regular forwarder for your Internet DNS.

    2. Proxy chaining

    This doesn't seem to be a fresh install and this may be less likely because of that, but if you do proxy chaining and this is the downstream proxy, disable name resolution for proxy requests on this server as per Make sure that the upstream server can resolve names properly

    Hth, Anders Janson Enfo Zipper

    Wednesday, February 08, 2012 9:49 AM


    Thank you for the post.

    Please have a look at this blog regarding slow browsing behavior:


    Nick Gu - MSFT

    Thursday, February 09, 2012 8:25 AM
  • Anders,

    I agree, this does sound like a DNS issue.  However I am not sure your configuration is applicaple with my setup.   I have a single NIC on my ISA server.  The DNS of the NIC points to the internal DNS server on my network. 

    My policies that relate to the ISA server are
    1.  Allow LAN access to ISA Server  -- All outbound traffic , from internal, to localhost, all users.
    (basically wide open for the local host)

    2.  Allow Internet Access from the ISA Server -- All Outbound traffic, from localhost, to external and internal, all users.

    So based on the above I believe ISA allows outbound DNS from this server....

    I could try installing DNS now if that's recommended.  I haven't set conditional forwards, etc before but I am sure I can find instructions. 

    Tuesday, February 14, 2012 5:36 PM
  • Here is the error I get from the ISA server if I try to hit

    Network Access Message: The page cannot be displayed
    Explanation: The request timed out before the page could be retrieved.

    Try the following:
    • Refresh page: Search for the page again by clicking the Refresh button. This may have been a one-time error.
    If you are still not able to view the requested page, try contacting your administrator or Helpdesk.

    Technical Information (for support personnel)
    • Error Code 1460: Timeout
    • Background: The gateway could not receive a timely response from the website you are trying to access, a DNS server, or another gateway server. This might indicate that the network is congested or that the website is experiencing technical difficulties.
    • Date: 2/14/2012 7:05:50 PM
    • Server: xxxxxxxxxxxx
    • Source: Firewall
    Tuesday, February 14, 2012 7:08 PM


    Thank you for the update.

    “Allow Internet Access from the ISA Server -- All Outbound traffic, from localhost, to external and internal, all users.

    ”- In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. For more information, refer to:


    Nick Gu - MSFT

    Thursday, February 16, 2012 8:55 AM
  • I removed the "external" network object from the ISA rule so now it just has from = Local host  ,  To = Internal, All users. 

    I still have the same issue....

    Thursday, February 16, 2012 6:38 PM
  • I noticed something while running the monitoring tool.   The destination: field URL is internal to an outside IP.  That doesn't look right, agreed? 

    Failed Connection Attempt  
    Log type: Web Proxy (Forward)
    Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
    Rule: Allow ResAgents Internet Access
    Source: Internal ( x.x.0.50:0)
    Destination: Internal (
    Filter information: Req ID: 06d9cbde
    Protocol: SSL-tunnel


    But then about two entries later it says it went through?  I don't get it...

    Allowed Connection MS-APP2 2/20/2012 10:41:18 AM
    Log type: Web Proxy (Forward)
    Status: 0 The operation completed successfully.
    Rule: Allow ResAgents Internet Access
    Source: Internal ( x.x.0.50:0)
    Destination: Internal (
    Filter information: Req ID: 06d9cbe3
    Protocol: SSL-tunnel
    User:  t

    • Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
    • Object source: Internet Processing time: 0
    • Cache info: 0x0 MIME type:
    Monday, February 20, 2012 6:46 PM