All my clients that connect to the ISA 2004 proxy server experience extreme delays when trying to access webpages on the internet. Some pages are worse than others, for example amtrak.com is an offender and so is microsoft.com. In the case of amtrak it just takes a very very long time for the page to finally load. Microsoft.com just renders a few links and images, it's as if the CSS and JS don't make it. If I try these same sites on a machine not going through the proxy no issues - nice and fast. I've also had timeout errors from the Microsoft site according to the ISA network error page.
Another vexing item is the localhost running ISA also experiences these delays. I see there is a firewall rule to allow internet access from the ISA local host which to me sounds a little odd. Why would the local host need its access mediated? If the localhost has issues then no surprise the clients do too.
I've enabled monitoring and tried to find a problem but nothing looks erroneous. How can I improve the page loading time? Thoughts where my bottleneck is happening? I don't have AV enabled either.
In my opinion you may have one or two possible issues here.
1. DNS resolution.
For instance microsoft.com loads content from a bunch of servers that reside in the microsoft.com namespace (e.g. www, a, b, whatever...) and if name resolution is an issue, then you'll have issues.
Recommendation: use only DNS on internal NIC (which is bound as the first adapter) and point it to internal DNS that forwards requests to an Internet DNS. Make sure that the policy in ISA allows outbound DNS from this server. Another way is to install DNS on ISA and, again on the internal NIC, point DNS to 127.0.0.1. Configure DNS with a conditional forwarder for your internal domain and a regular forwarder for your Internet DNS.
2. Proxy chaining
This doesn't seem to be a fresh install and this may be less likely because of that, but if you do proxy chaining and this is the downstream proxy, disable name resolution for proxy requests on this server as per http://technet.microsoft.com/en-us/library/cc302443.aspx. Make sure that the upstream server can resolve names properly.
Hth, Anders Janson Enfo Zipper
Thank you for the post.
Please have a look at this blog regarding slow browsing behavior: http://blogs.technet.com/b/yuridiogenes/archive/2010/08/04/another-performance-caveat-when-troubleshooting-tmg-or-isa-slow-browsing-behavior.aspx.
Nick Gu - MSFT
- Proposed as answer by Nick Gu - MSFT (Microsoft contingent staff, Moderator), Tuesday, February 14, 2012 7:29 AM
I agree, this does sound like a DNS issue. However I am not sure your configuration is applicable with my setup. I have a single NIC on my ISA server. The DNS of the NIC points to the internal DNS server on my network.
My policies that relate to the ISA server are
1. Allow LAN access to ISA Server -- All outbound traffic, from internal, to localhost, all users.
(basically wide open for the local host)
2. Allow Internet Access from the ISA Server -- All Outbound traffic, from localhost, to external and internal, all users.
So based on the above I believe ISA allows outbound DNS from this server....
I could try installing DNS now if that's recommended. I haven't set conditional forwards, etc before but I am sure I can find instructions.
Here is the error I get from the ISA server if I try to hit microsoft.com
Network Access Message: The page cannot be displayed
Explanation: The request timed out before the page could be retrieved.
Try the following:
- Refresh page: Search for the page again by clicking the Refresh button. This may have been a one-time error.
Technical Information (for support personnel)
- Error Code 1460: Timeout
- Background: The gateway could not receive a timely response from the website you are trying to access, a DNS server, or another gateway server. This might indicate that the network is congested or that the website is experiencing technical difficulties.
- Date: 2/14/2012 7:05:50 PM
- Server: xxxxxxxxxxxx
- Source: Firewall
Thank you for the update.
“Allow Internet Access from the ISA Server -- All Outbound traffic, from localhost, to external and internal, all users.” - In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. For more information, refer to: http://technet.microsoft.com/en-us/library/cc302586.aspx.
Nick Gu - MSFT
I noticed something while running the monitoring tool. The destination: field URL is internal to an outside IP. That doesn't look right, agreed?
Failed Connection Attempt Log type: Web Proxy (Forward) Status: 995 The I/O operation has been aborted because of either a thread exit or an application request. Rule: Allow ResAgents Internet Access Source: Internal ( x.x.0.50:0) Destination: Internal ( 22.214.171.124:443) Request: www.rockymountaineer.com:443 Filter information: Req ID: 06d9cbde Protocol: SSL-tunnel User:
But then about two entries later it says it went through? I don't get it...
Allowed Connection MS-APP2 2/20/2012 10:41:18 AM Log type: Web Proxy (Forward) Status: 0 The operation completed successfully. Rule: Allow ResAgents Internet Access Source: Internal ( x.x.0.50:0) Destination: Internal ( 126.96.36.199:443) Request: www.rockymountaineer.com:443 Filter information: Req ID: 06d9cbe3 Protocol: SSL-tunnel User: t
- Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
- Object source: Internet Processing time: 0
- Cache info: 0x0 MIME type:
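An added example, not part of the original thread: a Python parser for the two flattened log-viewer entries pasted above, which reports requests that failed and were then allowed from the same source. The field layout is assumed from those two entries only, and the function names are hypothetical.

```python
import re

# Two entries exactly as pasted in the thread (flattened log-viewer text).
SAMPLE = [
    "Failed Connection Attempt Log type: Web Proxy (Forward) Status: 995 "
    "The I/O operation has been aborted because of either a thread exit or "
    "an application request. Rule: Allow ResAgents Internet Access "
    "Source: Internal ( x.x.0.50:0) Destination: Internal ( 22.214.171.124:443) "
    "Request: www.rockymountaineer.com:443 Filter information: "
    "Req ID: 06d9cbde Protocol: SSL-tunnel User:",
    "Allowed Connection MS-APP2 2/20/2012 10:41:18 AM Log type: Web Proxy (Forward) "
    "Status: 0 The operation completed successfully. "
    "Rule: Allow ResAgents Internet Access "
    "Source: Internal ( x.x.0.50:0) Destination: Internal ( 126.96.36.199:443) "
    "Request: www.rockymountaineer.com:443 Filter information: "
    "Req ID: 06d9cbe3 Protocol: SSL-tunnel User: t",
]

# Field layout assumed from the two pasted entries only.
ENTRY = re.compile(
    r"Status:\s*(?P<status>\d+)\s.*?\sRule:\s*(?P<rule>.*?)\s+"
    r"Source:\s*(?P<src_net>\w+)\s*\(\s*(?P<src>[^)]*?)\s*\)\s+"
    r"Destination:\s*(?P<dst_net>\w+)\s*\(\s*(?P<dst>[^)]*?)\s*\)\s+"
    r"Request:\s*(?P<request>\S+)\s+Filter information:\s*"
    r"Req ID:\s*(?P<req_id>\w+)\s+Protocol:\s*(?P<protocol>\S+)"
)

def parse(line):
    """Split one flattened entry into named fields, or None if it does not match."""
    m = ENTRY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def failed_then_allowed(lines):
    """Return (source, request) pairs whose failure was followed by a success."""
    pending, recovered = set(), []
    for rec in filter(None, map(parse, lines)):
        key = (rec["src"], rec["request"])
        if rec["status"] != 0:
            pending.add(key)      # remember the failure until a success shows up
        elif key in pending:
            pending.discard(key)
            recovered.append(key)
    return recovered
```

A pair returned by `failed_then_allowed` was permitted by the rule on the retry, which points at an aborted or timed-out attempt rather than a policy denial. The `dst_net` value of `Internal` for an outside address matches the single network adapter behaviour described in Nick Gu's reply above.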