  1. #1

    ISA 2004 - web access intermittent problem

    First of all, a big hello! As you can tell I'm new here & this is my first post. Sorry it's so long...

    I'm currently testing ISA 2004 on server 2003 R2 to act as a proxy, cache & firewall but I've run into a problem. External web pages are occasionally extremely slow to appear, that is, the same site can sometimes arrive almost straight away and sometimes sites don't appear until you refresh or click again on a link.

    I use major sites such as Google and the BBC to test access, clearing the cache, cookies and off-line files on the test client each time. When I make a change to ISA I restart the firewall service to give me a new connection.

    My access rule is:

    Allow
    Protocols: HTTP, HTTPS
    All users
    All the time
    Internal to External networks

    Standard caching is enabled on the server. When I use an "allow all outbound traffic" rule I do not encounter this problem.

    I'm stumped - does anyone see what I'm missing?

  2. #2

    localzuk

    Re: ISA 2004 - web access intermittent problem

    What sort of spec is the machine you are running ISA on? Also, why ISA 2004 and not ISA 2006?

  3. #3

    Re: ISA 2004 - web access intermittent problem

    The PC I'm testing ISA on is an ordinary base unit - AMD 3200 X2 with beefed-up RAM (2 Gig), 2 gigabyte NICs & an 80 gig SATA drive. The reason I'm using 2004 is it was originally purchased before 2006 came out.

  4. #4

    Re: ISA 2004 - web access intermittent problem

    Hi,

    Have you applied SP2 and also post SP2 hotfixes?

    Apply SP2 and the fixes and also enable PMTU discovery; this will speed up the net access.

    Also, how is DNS set up? Do you use an internal DNS server or DNS on the ISA server itself? The recommended practice is to have an internal DNS server and configure forwarders on it.

    You will also need to create an access rule to allow DNS traffic from the internal DNS server to the External network.

    Joining the ISA server to the domain is also a good idea as this will allow you to do seamless AD user authentication.

    Enabling PMTU ---> http://support.microsoft.com/kb/902347

    Also run the ISA Server Best Practices Analyzer --> http://www.microsoft.com/downloads/d...displaylang=en

    This sorts out, or at least tells you, most of the problems.

    HTH,

    Ash.

  5. #5

    Re: ISA 2004 - web access intermittent problem

    Thanks Ash, I've applied SP2 but I need to check if all post SP2 fixes have been applied.

    The test server is a member of the domain, using internal DNS - I've enabled internal DNS to the ISA server in the system rules. But I don't think I created a rule to allow internal DNS to external networks - isn't this a security risk?

    Thanks for the heads-up about PMTU and the best practise analyser, I'll look at these when I get back to work on Monday.

  6. #6

    Geoff

    Re: ISA 2004 - web access intermittent problem

    If your ISP/RBC blocks ICMP traffic, PMTU won't work. Also, if the route changes due to load balancing/congestion/outages/etc., PMTU will fail and packets will be lost until your systems discover the new safe MTU value for the route.

  7. #7

    Re: ISA 2004 - web access intermittent problem

    Thanks for that Geoff, not sure I'll bother with PMTU after all - I think the problem lies with either external DNS, the rule I've created or perhaps the build (hotfixes). I've only been working in IT for 17 months & have a lot to learn...

    Might be a dumb question but our GP for IE proxy settings has HTTP traffic (and the rest) on port 8080 - the default port for ISA's HTTP filter is 80, do I have to create a new protocol for port 8080 traffic?

  8. #8

    Re: ISA 2004 - web access intermittent problem

    "If your ISP/RBC blocks ICMP traffic PMTU won't work"
    Yes, but that's what PMTU black hole detection is for (we're due the new improved version turned on by default in 2K3 SP2).

    "not sure I'll bother with PMTU after all"
    Well, beware of sites whose f/w admins probably ticked every protocol screening box because they could (more ticks must = more safe, right?).

  9. #9

    Re: ISA 2004 - web access intermittent problem

    Sorry PiqueABoo, not really sure what you're telling me - I hadn't actually heard of PMTU until today...

  10. #10

    Re: ISA 2004 - web access intermittent problem

    Mmm.. there's quite a lot involved. First read:

    http://en.wikipedia.org/wiki/PMTU#Path_MTU_discovery.

    The key concept is that if you're not doing PMTU then some of the packets you send to some corners of the Internet may get fragmented into smaller packets. Packet fragmentation shouldn't be common and shouldn't be a problem if it happens, however a lot of firewalls[1] can be told to drop fragmented packets... and a lot of people who don't understand the consequences sometimes do that. One symptom you might get: User can happily connect to website X, but some bits don't work, in particular pages that rely on the user posting lots of data back to the website.

    The workaround for dropped fragments is PMTU, however it relies on receiving certain ICMP messages which is less likely to happen these days thanks to various factors such as Steve Gibson + disciples promoting "stealthed" boxes, the amount of ICMP traffic SQL Slammer caused etc., etc.

    The workaround for broken PMTU is PMTU "black hole detection". That MS are supposed to be turning that on by default in 2K3 SP2 (don't have a copy, but I understand it's on in Vista), suggests that this stuff has become a significant problem.

    [1] It's not just firewalls, load balancers have been known to cause the same issue.
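
The mechanism described in post #10, as an added example that is not part of the original thread: a toy Python model (no real packets are sent) of a sender using DF-flagged packets, a path that filters the ICMP "fragmentation needed" reply, and black hole detection stepping the size down. The names `send_df`, `discover` and `PLATEAUS`, the retry count and all MTU values are assumptions made for the illustration.

```python
# Added illustration: toy model of Path MTU discovery, not real packet I/O.
# PLATEAUS and every link MTU used with it are constructed sample values.
PLATEAUS = [1492, 1006, 508, 296, 68]   # sizes tried when the path goes silent

def send_df(size, link_mtus, icmp_filtered):
    """Send one packet with Don't Fragment set along the path.

    Returns ("delivered", None), or ("icmp", mtu) when a router answers with
    ICMP type 3 code 4 ("fragmentation needed"), or ("lost", None) when that
    ICMP reply is filtered and the sender hears nothing.
    """
    for mtu in link_mtus:
        if size > mtu:
            return ("lost", None) if icmp_filtered else ("icmp", mtu)
    return ("delivered", None)

def discover(link_mtus, icmp_filtered, blackhole_detect, max_retries=2):
    """Return (usable packet size or None, number of packets sent)."""
    size, sent, retries = link_mtus[0], 0, 0   # start at the local link MTU
    while True:
        sent += 1
        result, hint = send_df(size, link_mtus, icmp_filtered)
        if result == "delivered":
            return size, sent
        if result == "icmp":             # classic PMTUD: use the router's hint
            size, retries = hint, 0
            continue
        retries += 1                     # silence: retransmit at the same size
        if retries <= max_retries:
            continue
        if not blackhole_detect:
            return None, sent            # large packets never arrive: black hole
        smaller = [p for p in PLATEAUS if p < size]
        if not smaller:
            return None, sent
        size, retries = smaller[0], 0    # black hole detection: step down

if __name__ == "__main__":
    path = [1500, 1400, 1500]            # constructed path, narrow middle hop
    print("ICMP allowed:            ", discover(path, False, False))
    print("ICMP filtered, no BHD:   ", discover(path, True, False))
    print("ICMP filtered, with BHD: ", discover(path, True, True))
    print("small packet, filtered:  ", send_df(500, path, True))
```

Small packets get through in every case, which is why the failure looks intermittent: only transfers large enough to exceed the narrowest hop stall.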

  11. #11

    john

    Re: ISA 2004 - web access intermittent problem

    Originally posted by PiqueABoo:
    "The workaround for broken PMTU is PMTU "black hole detection". That MS are supposed to be turning that on by default in 2K3 SP2 (don't have a copy, but I understand it's on in Vista), suggests that this stuff has become a significant problem."
    Server 2003 SP2 is due this Spring; it's undergoing the later stages of beta testing at present, and will arrive shortly.

  12. #12

    Re: ISA 2004 - web access intermittent problem

    Just thought I'd let you know, the problem was DNS. I've installed it on the server, set it to transfer zones from the master external (network) DNS server & bingo, problem solved.

    Thanks for all the advice!
