After-math and clear ISA cache

You can clear the cache by stopping the Web Proxy service (in the ISA Server Management tool) and then deleting either the urlcache folder or the dir1.cdat file located at x:\urlcache. The location is specified in the cache configuration section.
Restart the Web Proxy service and the urlcache folder and its contents will be recreated (albeit empty).
P.S. This assumes that you have ISA Server 2000.

About MTU

Something basic and often overlooked, but the following case is important to know.
SYMPTOMS
When a Microsoft Internet Security and Acceleration Server (ISA) 2004-based computer is operating under heavy load conditions, you may experience high CPU use. For example, CPU use on the ISA Server computer may be more than 50 percent.
CAUSE
This behavior may occur because of the TCP/IP maximum transmission unit (MTU) setting that is applied during ISA Server installation.

To prevent an attacker from changing the MTU value, ISA Server 2004 disables path MTU (PMTU) discovery. This setting is documented in Microsoft security bulletin MS05-019. To see this bulletin, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx
Notes

  • By default, Windows uses an MTU setting of 1,480 bytes and accepts Internet Control Message Protocol (ICMP) messages that request smaller packet sizes.
  • If MTU discovery is disabled on a Windows-based server, the server uses an MTU setting of 576 bytes.
MS/KB#902347 – CPU use may be more than 50 percent when an ISA Server 2004 computer is operating under heavy load conditions
 
 

TCP connection established using Firewall client may close unexpectedly

 

Firewall Client software uses a control channel for communication between the Firewall client and ISA Server (UDP or TCP port 1745). If a client application wants to connect to an external computer on TCP port 23 (i.e. the Telnet protocol), the control channel is used to negotiate a new dynamic port for this specific traffic (after ISA rule verification, of course). After this negotiation, Telnet traffic goes through the negotiated port. Let's call this the data connection.

Now, what happens to the control channel TCP connection? It is left open until one of the peers closes the data connection.

 

To keep the control channel open, the Firewall client has to periodically send a KeepAlive packet to ISA Server. The Firewall client does this every 10 minutes. If a device between the client and ISA Server has an idle connection timeout configured for less than 10 minutes, that device will force the control channel closed, with the result that ISA Server and the Firewall client drop the data connection shortly thereafter (depending on the third-party device's timeout value).

To correct this behavior, always ensure that the third-party device has an idle timeout greater than 10 minutes.

Franck Heilmann

Escalation Engineer EMEA ISA team

 

 

Published Thursday, January 18, 2007 11:35 AM by isablog
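
One way to confirm this failure mode from an intermediate device's closed-session export, as an added example that is not part of the original post. The CSV columns, the `idle-timeout` close reason and the 120-second correlation window are assumptions; port 1745 and the 10-minute keepalive come from the post.

```python
import csv
import io

KEEPALIVE_S = 600      # Firewall client keepalive interval (10 minutes, per the post)
CONTROL_PORT = 1745    # Firewall client control channel port (per the post)
FOLLOW_WINDOW_S = 120  # assumption: how soon after the drop a data session must close

# Constructed closed-session export from a hypothetical device between
# the clients and ISA Server. Column names and values are illustrative.
SAMPLE = """\
ts,client,dst_port,idle_s,close_reason
1000,10.0.0.21,1745,300,idle-timeout
1004,10.0.0.21,3051,2,rst
1500,10.0.0.22,1745,12,fin
1501,10.0.0.22,3077,1,fin
2000,10.0.0.23,1745,900,idle-timeout
2500,10.0.0.24,3102,300,idle-timeout
"""

def load(text):
    """Parse the export into dicts with integer fields."""
    return [
        {"ts": int(r["ts"]), "client": r["client"], "port": int(r["dst_port"]),
         "idle": int(r["idle_s"]), "reason": r["close_reason"]}
        for r in csv.DictReader(io.StringIO(text))
    ]

def premature_control_drops(rows, keepalive_s=KEEPALIVE_S):
    """Control-channel sessions aged out before the next keepalive was due."""
    return [r for r in rows
            if r["port"] == CONTROL_PORT
            and r["reason"] == "idle-timeout"
            and r["idle"] < keepalive_s]

def affected_data_sessions(rows, window_s=FOLLOW_WINDOW_S):
    """For each premature drop, list the same client's other sessions that closed soon after."""
    findings = []
    for drop in premature_control_drops(rows):
        followers = [r["port"] for r in rows
                     if r["client"] == drop["client"]
                     and r["port"] != CONTROL_PORT
                     and 0 <= r["ts"] - drop["ts"] <= window_s]
        findings.append((drop["client"], drop["idle"], followers))
    return findings

if __name__ == "__main__":
    for client, idle, ports in affected_data_sessions(load(SAMPLE)):
        print(f"{client}: control channel aged out after {idle}s idle; data ports closed: {ports}")
```

A hit means the device's effective idle timeout is below the keepalive interval and should be raised above 10 minutes.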
 

Java Plug-in troubleshooting

Installation Difficulties

  1. To confirm that the Java Plug-in is installed visit the Sun site at http://java.sun.com/getjava/
  2. Click on the "Download Now" link.
  3. You should receive a confirmation page that displays the coffee cup logo and a confirmation that you have the current version of Java installed.

If you don't get confirmation, either the Plug-in was not successfully installed or network problems prevented the confirmation applet from loading.

To resolve these problems, first visit the troubleshooting page at http://java.sun.com/j2se/1.4.1/jre/install-windows.html and confirm that your computer meets the stated minimum requirements.

If your computer does meet the minimum requirements, you have followed the installation instructions as laid out in the troubleshooting guide, and you are still not receiving the confirmation screen, then the problem may be network related.

Network Related Difficulties

Many companies use Microsoft’s ISA Server to provide access to the internet. This server has a user authentication scheme that is incompatible with the current version of the Java Plug-in. To confirm that this is the cause of the problem, follow these steps:

  1. Go to http://java.sun.com/getjava/ and click on the "Download Now" link.
  2. Double click on the coffee-cup logo in the system tray of your computer (in the lower right corner). This will bring up the Java console.
  3. In the console window scroll down past the list of menu options (enclosed between the dashed lines).
  4. Look in the first few lines after the menu for this content: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required" or "The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied."
  5. If you see the content described above then your computer is accessing the internet through a proxy (the ISA Server) that only supports NTLM authentication, which is not supported by Java version 1.4.1. In this case, you are advised to upgrade your Java installation to version 1.4.2.
  6. To install the Plug-in, visit http://java.sun.com/j2se/1.4.2/download.html and download the 1.4.2 JRE (this includes the Java Plug-in)
  7. This solution will immediately allow downloads of specification documents.

Support for electronic submission of tender responses over proxies supporting only NTLM authentication will be possible by mid-June.

Source: https://www.lgtenderbox.com.au/faqs/browse.do, https://www.tenders.sa.gov.au/tenders/faqs/browse.do#59
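
To check from the network side which schemes the proxy offers, the added example below (not from the original FAQ) parses a 407 response and reports whether NTLM is the only scheme on offer. The sample responses are constructed, and the parser assumes one challenge per `Proxy-Authenticate` header line.

```python
# Constructed 407 responses for illustration; not captured from a real proxy.
NTLM_ONLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: NTLM\r\n"
             b"Proxy-Connection: close\r\n"
             b"Content-Length: 0\r\n\r\n")
NTLM_AND_BASIC = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                  b"Proxy-Authenticate: NTLM\r\n"
                  b'proxy-authenticate: Basic realm="proxy.example"\r\n'
                  b"Content-Length: 0\r\n\r\n")
NOT_A_CHALLENGE = b"HTTP/1.1 200 Connection established\r\n\r\n"

def offered_schemes(raw):
    """Return the auth schemes a 407 response offers, or None if it is not a 407."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "407":
        return None
    schemes = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; skip everything else.
        if not sep or name.strip().lower() != "proxy-authenticate":
            continue
        tokens = value.split()
        if tokens and tokens[0].lower() not in schemes:
            schemes.append(tokens[0].lower())
    return schemes

def ntlm_only(raw):
    """True when the proxy challenges with NTLM and nothing else."""
    schemes = offered_schemes(raw)
    return bool(schemes) and all(s == "ntlm" for s in schemes)

if __name__ == "__main__":
    for label, raw in [("ntlm only", NTLM_ONLY),
                       ("ntlm + basic", NTLM_AND_BASIC),
                       ("no challenge", NOT_A_CHALLENGE)]:
        print(label, offered_schemes(raw), ntlm_only(raw))
```

An NTLM-only result matches the case described in step 5, where the Java 1.4.1 Plug-in cannot authenticate to the proxy.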

Cached Client Credentials May Cause Unexpected User Prompts – ISA 2004/2006

Problem: ISA Server unexpectedly prompts users to input credentials.

Cause: If incorrect client credentials are cached on the client computer, clients making requests through ISA Server may be prompted for alternative credentials, even though the ISA Server COM property ReturnAuthRequiredIfAuthUserDenied is set to its default false value for outbound traffic.

Solution: Clear the cached credentials, as follows:

  1. Click Start, and then click Run.
  2. In the Run dialog box, type control keymgr.dll. Then click OK.
  3. In the Stored User Names and Passwords dialog box, select the entry that you want to remove, and then click Remove.
  4. Click Close to close the Stored User Names and Passwords dialog box.
  5. Restart the client computer.

For more information on the ReturnAuthRequiredIfAuthUserDenied COM property, see the ISA Server SDK documentation (http://msdn2.microsoft.com/en-us/library/ms826234.aspx).

Source: http://www.microsoft.com/technet/isa/2004/plan/ts_client_rules.mspx