10th February 2007, 06:45 PM #1
ISA 2004 - web access intermittent problem
First of all, a big hello! As you can tell I'm new here & this is my first post. Sorry it's so long...
I'm currently testing ISA 2004 on server 2003 R2 to act as a proxy, cache & firewall but I've run into a problem. External web pages are occasionally extremely slow to appear, that is, the same site can sometimes arrive almost straight away and sometimes sites don't appear until you refresh or click again on a link.
I use major sites such as Google and the BBC to test access, clearing the cache, cookies and off-line files on the test client each time. When I make a change to ISA I restart the firewall service to give me a new connection.
My access rule is:
Allow
Protocols: HTTP, HTTPS
All users
All the time
Internal to External networks
Standard caching is enabled on the server. When I use an "allow all outbound traffic" rule I do not encounter this problem.
I'm stumped - does anyone see what I'm missing?
-
-
10th February 2007, 06:59 PM #2 Re: ISA 2004 - web access intermittent problem
What sort of spec is the machine you are running ISA on? Also, why ISA 2004 and not ISA 2006?
-
-
10th February 2007, 07:20 PM #3
Re: ISA 2004 - web access intermittent problem
The PC I'm testing ISA on is an ordinary base unit - AMD 3200 X2 with beefed-up RAM (2 Gig), 2 gigabyte NICs & an 80 gig SATA drive. The reason I'm using 2004 is it was originally purchased before 2006 came out.
-
-
10th February 2007, 08:12 PM #4 Re: ISA 2004 - web access intermittent problem
Hi,
Have you applied SP2 and also post SP2 hotfixes?
Apply SP2 and the fixes and also enable the PMTU discovery, this will speed up the net access.
Also how is the DNS set up, do you use an internal DNS server or DNS on the ISA server itself? The recommended practice is to have an internal DNS server and configure forwarders on it.
You will also need to create an access rule to allow DNS traffic from the internal DNS server to the External network.
Joining the ISA server to the domain is also a good idea as this will allow you to do seamless AD user authentication.
Enabling PMTU ---> http://support.microsoft.com/kb/902347
Also run the ISA server best practises analyser --> http://www.microsoft.com/downloads/d...displaylang=en
This sorts out or at least tells you most of the problems.
HTH,
Ash.
-
-
10th February 2007, 08:28 PM #5
Re: ISA 2004 - web access intermittent problem
Thanks Ash, I've applied SP2 but I need to check if all post SP2 fixes have been applied.
The test server is a member of the domain, using internal DNS - I've enabled internal DNS to the ISA server in the system rules. But I don't think I created a rule to allow internal DNS to external networks - isn't this a security risk?
Thanks for the heads-up about PMTU and the best practise analyser, I'll look at these when I get back to work on Monday.
-
-
10th February 2007, 08:30 PM #6 Re: ISA 2004 - web access intermittent problem
If your ISP/RBC blocks ICMP traffic PMTU won't work. Also if the route changes due to load balancing/congestion/outages/etc PMTU will fail and packets will be lost until your systems discover the new safe MTU value for the route.
-
-
10th February 2007, 09:13 PM #7
Re: ISA 2004 - web access intermittent problem
Thanks for that Geoff, not sure I'll bother with PMTU after all - I think the problem lies with either external DNS, the rule I've created or perhaps the build (hotfixes). I've only been working in IT for 17 months & have a lot to learn...
Might be a dumb question but our GP for IE proxy settings has HTTP traffic (and the rest) on port 8080 - the default port for ISA's HTTP filter is 80, do I have to create a new protocol for port 8080 traffic?
-
-
10th February 2007, 09:40 PM #8 Re: ISA 2004 - web access intermittent problem
"If your ISP/RBC blocks ICMP traffic PMTU won't work"
Yes but that's what PMTU black hole detection is for (we're due the new improved version turned on by default in 2K3 SP2).
"not sure I'll bother with PMTU after all"
Well beware of sites whose f/w admins probably ticked every protocol screening box because they could (more ticks must = more safe right?).
-
-
10th February 2007, 10:21 PM #9
Re: ISA 2004 - web access intermittent problem
Sorry PiqueABoo, not really sure what you're telling me - I hadn't actually heard of PMTU until today...
-
-
11th February 2007, 01:38 PM #10 Re: ISA 2004 - web access intermittent problem
Mmm.. there's quite a lot involved. First read:
http://en.wikipedia.org/wiki/PMTU#Path_MTU_discovery.
The key concept is that if you're not doing PMTU then some of the packets you send to some corners of the Internet may get fragmented into smaller packets. Packet fragmentation shouldn't be common and shouldn't be a problem if it happens, however a lot of firewalls[1] can be told to drop fragmented packets.. and a lot of people who don't understand the consequences sometimes do that. One symptom you might get: User can happily connect to website X, but some bits don't work, in particular pages that rely on the user posting lots of data back to the website.
The workaround for dropped fragments is PMTU, however it relies on receiving certain ICMP messages which is less likely to happen these days thanks to various factors such as Steve Gibson + disciples promoting "stealthed" boxes, the amount of ICMP traffic SQL Slammer caused etc., etc.
The workaround for broken PMTU is PMTU "black hole detection". That MS are supposed to be turning that on by default in 2K3 SP2 (don't have a copy, but I understand it's on in Vista), suggests that this stuff has become a significant problem.
[1] It's not just firewalls, load balancers have been known to cause the same issue.
-
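The behaviour described in the post above, as an added example that is not part of the original thread: a toy Python model of a sender and a network path, covering dropped fragments, PMTU discovery and black hole detection. The hop settings, the three-timeout threshold and the 576-byte fallback are assumptions chosen for illustration, not the values Windows uses.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    mtu: int                       # MTU of the link leaving this hop
    sends_icmp: bool = True        # False: ICMP "fragmentation needed" is filtered
    drops_fragments: bool = False  # True: device is set to drop IP fragments

def forward(size, df, path):
    """Carry one packet along the path; return (outcome, next_hop_mtu)."""
    fragmented = False
    for hop in path:
        if fragmented and hop.drops_fragments:
            return "lost", None
        if size > hop.mtu:
            if df:  # router may not fragment: drop, report the MTU if allowed to
                return ("frag_needed", hop.mtu) if hop.sends_icmp else ("lost", None)
            fragmented, size = True, hop.mtu
    return "delivered", None

def send_large(path, pmtud=True, bh_detect=False, size=1500,
               max_retx=3, fallback=576):
    """Return (outcome, packet size finally used, transmissions made)."""
    sent = retx = 0
    while True:
        sent += 1
        outcome, hint = forward(size, pmtud, path)  # PMTUD sets DF on every packet
        if outcome == "delivered":
            return "delivered", size, sent
        if outcome == "frag_needed":   # normal PMTUD: shrink to the reported MTU
            size, retx = hint, 0
            continue
        retx += 1                      # silent loss: the sender only sees a timeout
        if retx >= max_retx:
            if pmtud and bh_detect and size > fallback:
                size, retx = fallback, 0   # simplified black hole detection
                continue
            return "stalled", size, sent

# Constructed paths: a 1400-byte link in the middle of 1500-byte links.
CLEAN = [Hop(1500), Hop(1400), Hop(1500)]
ICMP_FILTERED = [Hop(1500), Hop(1400, sends_icmp=False), Hop(1500)]
FRAG_DROPPING = [Hop(1500), Hop(1400), Hop(1500, drops_fragments=True)]

if __name__ == "__main__":
    print(send_large(FRAG_DROPPING, pmtud=False))     # fragments dropped
    print(send_large(CLEAN))                          # PMTUD works
    print(send_large(ICMP_FILTERED))                  # PMTUD black hole
    print(send_large(ICMP_FILTERED, bh_detect=True))  # black hole detected
```

Packets that already fit the smallest link are delivered on every one of these paths, which is why only large transfers such as form posts show the symptom.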
-
11th February 2007, 03:58 PM #11 Re: ISA 2004 - web access intermittent problem

Originally Posted by PiqueABoo
The workaround for broken PMTU is PMTU "black hole detection". That MS are supposed to be turning that on by default in 2K3 SP2 (don't have a copy, but I understand it's on in Vista), suggests that this stuff has become a significant problem.
Server 2003 SP2 is due this Spring, it's undergoing the later stages of beta testing at present, and will arrive shortly.
-
-
13th February 2007, 11:48 PM #12
Re: ISA 2004 - web access intermittent problem
Just thought I'd let you know, the problem was DNS, I've installed it on the server, set it to transfer zones from the master external (network) DNS server & bingo, problem solved.
Thanks for all the advice!