We have got a problem accessing Google Picasa web albums through ISA server 2006 with SP1.
Try this link:
I have reproduced this problem on 3 different ISA2006 servers. When I connect a PC directly to the Internet instead of using the ISA server, the page works fine, so it is definitely an ISA server problem.
Could someone confirm that they are having the same problem?
ForeFront Client Security rulez!
Friday, September 19, 2008 2:58 PM
We experience the same problem here at a customer's site. We have an ISA 2006 SP1 2 Node Cluster here. I noticed that the IE often tries to get web content without authentication first and then supplies the right credentials. May this cause the bug?
Christoph
Tuesday, October 14, 2008 7:45 AM
That's not a bug Christoph - but would be nice if that was the cause...
Joop, can you provide more details on your setup?
Are you using ISA as a firewall/proxy or just proxy?
If as a firewall/proxy, are you using the fwc? Securenat? web proxy? combination?
What version of Java are you running?
I have tried a number of combinations now and seem unable to reproduce your issue so anything that might point to differences would be useful.
Keith
Tuesday, October 14, 2008 5:58 PM (Owner)
I ran a new logging and have to correct my opinion. The authentication seems not to be the problem. I think the following error may lead to the solution:
Fehlgeschlagener Verbindungsversuch ISA01 15.10.2008 09:32:17
Protokollierungstyp: Webproxy (Forward)
Status: 2 Das System kann die angegebene Datei nicht finden.
Regel: HTTP ausgehend erlauben (Proxy)
Quelle: Intern (XXX.XXX.XXX.XXX)
Ziel: Extern (126.96.36.199:80)
Anforderung: GET http://picasaweb.google.nl/s/v/39.20/script/lh_view__de.js
Filterinformationen: Req ID: 092a5c37; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Sorry, the customer insists on using localized versions...
Status: 2 The System cannot find the file specified
IT Consultant in Germany MCP & MCTS
Wednesday, October 15, 2008 8:04 AM
My ISA servers are configured as firewall/proxy. I've tested it with and without fwc. Not with securenat.
When that didn't work I connected the PC directly to the Internet and then it worked, so I do not think the Java version is relevant.
ForeFront Client Security rulez!
Wednesday, October 15, 2008 10:15 AM
This is my ISA logging:
Failed Connection Attempt ISA002 15-10-2008 13:28:19
Log type: Web Proxy (Forward)
Status: 2 The system cannot find the file specified.
Rule: HTTP, HTTPS, FTP Download - Allow out
Source: Internal (xxx.xxx.xxx.xxx)
Destination: External (188.8.131.52:80)
Request: GET http://picasaweb.google.nl/s/v/39.20/script/lh_view__nl.js
Filter information: Req ID: 1ba5dc54; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: XXX\test.user1
- Additional information
- Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
- Object source: Internet (Source is the Internet. Object was added to the cache.)
- Cache info: 0x61820000 (Response includes the CACHE-CONTROL: PRIVATE header. Response includes the LAST-MODIFIED header. Response includes the EXPIRES header. Response includes the TRANSFER-ENCODING header. Response should not be cached.)
- Processing time: 1312 ms
- MIME type:
ForeFront Client Security rulez!
Wednesday, October 15, 2008 11:32 AM
Hmmm - sounds promising Christoph. Good effort. Would be interested to see a securenat/web proxy client operate - this is what I have been testing.
Forefront MVP, ISA MCT - UK
Wednesday, October 15, 2008 7:28 PM (Owner)
- Edited by Keith Alabaster (Owner), Wednesday, October 15, 2008 7:30 PM
Problem is, Benjamin - I can't reproduce it. If necessary I will escalate this anyway but I like to be able to give formative information to the team but as I cannot make it fail, it is a little problematic. Naturally there must be a difference between our setups but as yet I have not been able to identify it....
Keith
Friday, November 07, 2008 10:48 PM (Owner)
Keith, can we provide anything to help you reproduce our situation?
And Joop / Benjamin: What Anti-Virus and/or content filters do you use? Maybe we find the problem there!
We are using GFI WebMonitor here...
Monday, November 10, 2008 9:10 AM
- Edited by Christoph Schmidt (Microsoft employee), Monday, November 10, 2008 9:12 AM
Here in my lab I am testing with Sophos Anti Virus and I am using with an All Users authentication and All protocols outbound allowed.
My setup (so far tested) has been ISA2004 with SP3 and ISA 2006 with supportability pack and SP1. All tests have been on W2K3 R2 SP2 x86 using the front-firewall wizard as my template. ISA is a domain member in all implementations.
If any of you have a more detailed, alternate setup you want me to follow then I will see what I can do.
If I can get some detailed configurations, I can pass these up the line and ask one of the team to investigate and advise, although I am sure they will have their own questions. It is possible they will ask that you run up the BPA and create an output file for diagnosis purposes but maybe it will not need to come to that.
keith
Monday, November 10, 2008 6:51 PM (Owner)
I try to give you as much information as possible.
Tech specs: Windows 2003 Standard with SP2 - ISA Server 2006 Enterprise Version 5.0.5721.240
Two servers running in NLB Cluster.
The path for internet traffic looks like this:
Client (internal net) -> ISA NLB Cluster -> Router (in DMZ) -> Checkpoint Firewall (Border) -> Internet
All clients use WPAD as proxy configuration. All http/https traffic to the internet has to be authenticated.
I just ran a test, allowing my client full access to the internet without authentication:
It's all about that damn JavaScript. "Status: 5 Access Denied" ... I don't see any reason for this. My test rule is one of the first, no other rule should prevent me from getting that file.
Just tested another few times. It seems that my ISA01 is giving me a different error than the ISA02 in the cluster. ISA01 states "cannot find the file specified" and ISA02 states "access denied".
I cannot explain this behaviour...
If I can provide any more information, just tell me what you need.
Thanks a lot for your efforts!
Christoph
Wednesday, November 12, 2008 8:23 AM
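Added example (not part of the original thread and not written by any participant): a small Python parser for the flattened Web Proxy log detail text posted above, which groups entries by request and reports URLs where the cluster nodes return different status codes, as described for ISA01 and ISA02. The sample entries, the rule name, the timestamps and the 192.0.2.10 address are constructed; the field labels and URLs are taken from the posts.

```python
import re
from collections import defaultdict

# Field labels as they appear in the English log detail text quoted in the thread.
LABELS = ["Log type", "Status", "Rule", "Source", "Destination",
          "Request", "Filter information", "Protocol", "User"]
_SPLIT = re.compile(r"\s*\b(" + "|".join(LABELS) + r"):\s*")
_HEAD = re.compile(r"^(?P<event>.+?)\s+(?P<server>\S+)\s+"
                   r"(?P<date>\d{2}[-.]\d{2}[-.]\d{4})\s+(?P<time>[\d:]{8})$")

def parse_entry(text):
    """Split one flattened log detail line into a dict of its fields."""
    parts = _SPLIT.split(text.strip())  # [header, label, value, label, value, ...]
    head = _HEAD.match(parts[0])
    if head is None:
        raise ValueError("unrecognised entry header: %r" % parts[0])
    entry = head.groupdict()
    entry.update(zip(parts[1::2], parts[2::2]))
    code, _, message = entry.get("Status", "").partition(" ")
    entry["status_code"] = int(code) if code.isdigit() else None
    entry["status_text"] = message
    return entry

def divergent_requests(entries):
    """Return {request: {server: status_code}} where the nodes disagree."""
    seen = defaultdict(dict)
    for e in entries:
        seen[e["Request"]][e["server"]] = e["status_code"]
    return {req: nodes for req, nodes in seen.items()
            if len(set(nodes.values())) > 1}

# Constructed sample entries modelled on the log text posted in this thread.
def _sample(server, status, url):
    return ("Failed Connection Attempt %s 12-11-2008 08:10:02 Log type: Web Proxy "
            "(Forward) Status: %s Rule: Test rule Source: Internal (xxx.xxx.xxx.xxx) "
            "Destination: External (192.0.2.10:80) Request: GET %s Filter "
            "information: Req ID: 00000000; Compression: client=No, server=No "
            "Protocol: http" % (server, status, url))

BASE = "http://picasaweb.google.nl/s/v/39.20/script/"
NOT_FOUND = "2 The system cannot find the file specified."
SAMPLE = [_sample("ISA01", NOT_FOUND, BASE + "lh_view__de.js"),
          _sample("ISA02", "5 Access is denied.", BASE + "lh_view__de.js"),
          _sample("ISA01", NOT_FOUND, BASE + "lh_view__nl.js"),
          _sample("ISA02", NOT_FOUND, BASE + "lh_view__nl.js")]

if __name__ == "__main__":
    for req, nodes in divergent_requests(map(parse_entry, SAMPLE)).items():
        print(req, nodes)
```
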
Christoph, I have sent the URL for this question to my escalation points to see if I can gain some 'better-brains-than-mine' to look this over. Some of them are ahead of me (UK) in respect of time-zone whilst another is behind. Between them they are the best I know so hopefully we can get this brought to a conclusion for you all.
Keith
Thursday, November 27, 2008 3:49 PM
Could you provide the outputs from the Best practice Analyser please? This link takes you to the ISA Tools section where you can see the ISA BPA tool http://technet.microsoft.com/en-us/forefront/edgesecurity/bb734830.aspx (you need .net 1.1 installed on the ISA also).
Anything untoward reported?
Tuesday, December 02, 2008 6:13 PM (Owner)
The only issue worth mentioning is this one:
Path maximum transmission unit (MTU) discovery is disabled
When path maximum transmission unit (MTU) discovery is disabled, long delays may occur in accessing some Web sites. This mechanism can be safely enabled when using Windows Server 2003 with Service Pack 1. Path MTU discovery can be enabled by setting the registry value HKLM\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\EnablePMTUDiscovery to 1. For more information see KB 905179.
ForeFront Client Security rulez!
Thursday, December 04, 2008 4:25 PM
Yes, I know it is rather frustrating in that there is no ability to add attachments - I asked this question myself and was advised that I am supposed to ask you to place the output in a public location and then insert a link tag into your post but I know many people will either not have that public facility or even understand what that means.
However, I have fed back your findings.
Christoph, same sort of results for you?
Thursday, December 04, 2008 7:01 PM (Owner)
Hope it will be useful ...
Thursday, December 04, 2008 7:24 PM
Can you please run ISABPA in repro mode:
1. Start, All Programs, Microsoft ISA Server, ISA Tools, ISA Data Packager
2. Select Collect data from one of the following repro scenarios
3. Select Web Proxy and Web Publishing, click Next
4. Click Modify Options
5. In Options,
· select ISAInfo
· click Start Data Collection
6. When prompted in Collecting Data, hit <Space> to start the data collection
7. Perform the exact steps that create the problem state
8. A moment after the repro is complete, hit <Space> again to stop the data capture
BPA will gather config data from the ISA server that will help us understand your set-up and will output all the data captures to a file on the desktop called isapackage.cab. It's this data that we'll want to see. You can send the link directly to me if you don't want your configuration publicized.
Jim Harrison Forefront Edge CS
Sunday, December 07, 2008 4:47 PM
At the moment I'm on a training (SCCM2007) so I will not be at the office this week.
I will perform the BPA analysis next week and post the results here.
For testing we used the IE6 version default installed on Windows XP SP2/3.
ForeFront Client Security rulez!
Monday, December 08, 2008 4:34 PM
Hopefully someone should be able to give us the Data repro package that Jim requested which should lead us to something!!
Another quick question for everyone....is your ISA on the edge or is there another FW ahead of it? And which one?
Regards MS
Tuesday, December 09, 2008 8:48 AM
We have a pair of Checkpoints in front of it.
I finally got my customer to allow me the gathering of all data requested here... and now guess what: the problem is GONE. I can open the link in the first post and browse the galleries... any gallery indeed.
I am kind of disappointed because I do not know what has changed since the problem occurred. One thing I remember is updating the GFI Webmonitor a few weeks ago. But Joop does not have that program on his setup, so I can't say what happened.
Very unfortunate for us I guess, I'd been really happy to provide more info but now it seems I can't help anymore :-(
Christoph
Tuesday, December 09, 2008 10:18 AM
At least it supports the view that this is likely a configuration issue rather than a bug and (in fairness) also supports the view of my escalation points within MS.
Hopefully Joop or Maltyx will be able to supply the data file when they are next available.
As an aside, my thanks to Jim and Mohit for jumping aboard with this one.
Keith
Tuesday, December 09, 2008 5:41 PM (Owner)
Quick question for you.
I see that your default gateway on your ISA is 172.16.0.1. What is 172.16.0.254 since we keep getting a redirect to use that as a default gateway while connecting to picasaweb. Is that another route to the internet?
Your Internet Network rule from Internal to External is set to Route instead of default NAT. Is that set like that for a specific reason?
Regards MS
Wednesday, December 10, 2008 9:35 AM
Thanks for a quick response ... 172.16.0.254 is the trusted interface of the front-end firewall (Netscreen 100). In my case the ISA server is a back-end FW; it does not do NAT - only routing packets to the front-end FW and the rest of the network. All NAT jobs for the whole net are made on the front-end Netscreen box.
Mike
Wednesday, December 10, 2008 9:44 AM
I have the problem on 2 ISA servers. One of them has GFI WebMonitor installed, the other uses Burstek WebFilter. To be sure these are not the cause of the problem, I will disable them at a quiet moment and test it.
If no result then I will post the BPA result for both servers.
By the way, sorry for the late reaction but it has been a busy week.
ForeFront Client Security rulez!
Wednesday, December 17, 2008 3:07 PM
I found a third (test) ISA 2006 server with the same problem and with GFI Monitor 4.0 installed. Steps taken so far:
- Upgraded GFI WebMonitor to 4.1 --> no result.
- Disabled GFI WebMonitor and restarted the ISA services --> no result
So here is the ISA package. Hope this helps...
ForeFront Client Security rulez!
Wednesday, December 17, 2008 8:02 PM
I'm experiencing the same as all the others with this problem.
Now suddenly everything works on my test ISA server and I changed nothing. And I am sure that 2 weeks ago it did not work.
But on my production servers the problem still exists. So I will upgrade GFI web monitor on my production servers to see if that solves the problem.
I will inform you of the result.
ForeFront Client Security rulez!
Monday, January 05, 2009 10:26 AM
Joop, as yours was the first post here - can I ask you to mark one of the posts from the experts as the appropriate answer to close this one down? If anyone else who has been assisted within this thread could take the time to indicate posts that were helpful, that would also be really appreciated. It earns points for the people who have assisted.
Glad that everyone seems to have been sorted here.
Forum Moderator
Wednesday, January 07, 2009 6:08 PM (Owner)