I have solved a weird issue with ISA where when you try to stream data from a website you get balnk boxes where data should be, basically the site shows your template outline of the site but going via ISA 2004 it does not show you the content only a white box.
I also got nay different errors when attempting to load the website including but not limited to:
ISA Error 64 : Host not Found
HTTP Error 407 : Authentication Required
ISA Error 1229 : Connection Closed
HTTP Error 404 : File Not Found
Also there error where red herrings to the cause of the actual problem, upon researching on the internet I found many articles relating to:
1. An Error with ISA and HTTP 1.1 requets via a proxy server
2. An error with Kerberos and "Enable Windows Authentication" in Internet Explorer
3. An issue with Internet Explorer 6/7
4. The firewall service terminating the connection
5. Disconnections from the remote end (where the web server is)
6. ISA configuration issues
All the above did not resolve the ISA issue I encountered and I found many of these solutions took me down the wrong path altogether...so what is the name of everything holy is going on here?
This is a HTTP 1.1 response that works and loads the website.....so it can talk to the remote site...
HTTP/1.1 200 OK
Via: 1.1 Proxy1
Connection: close
Proxy-Connection: close
Expires: -1
Date: Fri, 10 Oct 2008 09:47:09 GMT
Content-type: text/html; charset=ISO-8859-1
Server: Microsoft-IIS/5.0
Cache-control: no-cache
Set-Cookie: BIGipServerT1EW-WWW-POOL=104097951.20480.0000; path=/
If you have no access due to "authorisation" being required then you get this as the HTTP header....
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 Proxy1
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Proxy1"
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4103
Proxy-Support: Session-Based-Authentication
This is expects if you have the "Require all users to authenticate" checked and Basic authentication denied, but in this instant we have Basic authentication enabled.....which means this issue should not be occuring!
After waiting for the 600 seconds timeout value (which is 10 minutes) we get the error:
HTTP/1.1 403 Forbidden ( The ISA Server denied the specified Uniform Resource Locator (URL). )
Via: 1.1 Proxy1
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 1994
The following actions have been performed to try to remedy the action:
1. Removed the "Require all users to authenticate" from the Internal network connection
2. Enabled basic authentication for all users
3. Forcing Java to use our proxy server (for the website access)
4. Created a new rule allowing all HTTP/HTTPS traffic to the site
5. Disabled the Compression Filter in Web Filters
6. Excluded this site from the Caching
7. Removed the "Allow HTTP1.1 for Proxy Connections" from client browser
8. Added site to Trusted Site Security Zone
9. Removed client cache from browser (by deleteing)
10. Ran the command "dnscmd /Config /EnableEDnsProbes 0"
11. Noticed that when trying to visit "http://www.thomsononeequity.com/dynamic/scripts/streaming.jsp" we get Host not Avaliable
12. Enabling Logging in ISA to trace issues with connection (we only get HTTP errors 64) to 159.104.6.78
13. Enable client logging with Fiddler to the site in Step 11 to get the error:
HTTP/1.1 502 Proxy Error ( The specified network name is no longer available. )
Via: 1.1 Proxy1
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4156
With the DNS timing of:
ClientConnected: 10:42:37:2524
ClientDoneRequest: 10:42:37:2524
DNS Lookup: 0ms
TCP/IP Connect: 0ms
ServerGotRequest: 10:42:37:2524
ServerBeginResponse: 10:42:37:2825
ServerDoneResponse: 10:42:37:4727
ClientBeginResponse: 10:42:37:4727
ClientDoneResponse: 10:42:37:4727
Thats seems awfully quick, so I tried a connection to Google which registered and got a HTTP 200, all OK here then....
Allowed Connection Proxy1 11/10/2008 14:42:55
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Internet Access
Source: Internal (x.x.x.x)
Destination: External (64.233.183.147:80)
Request: GET http://www.google.co.uk/
Filter information: Req ID: 0968b770; Compression: client=No, server=Yes, compress rate=0% decompress rate=239%
Protocol: http
I tried a connection to the site in suspect and I got no entries in the log whatsoever which was a little odd so lets look at the facts:
1. The client issues a request
2. ISA does not receive the issue
3. The Firewall Service is not blocking the traffic
4. The issue must be related to the ISA box
So I have an issue that is limited to the ISA box, this issue cannot be caused by the Firewall, Proxy or Internet Connection and all my Access Rules allow traffic to the website!
Finally, in desperation I look at the packets that ISA is processing and start to see that the data is coming back from the intenet but before the returned information is being processed by ISA it is being buffered by my HTTP Antivirus Filter.....
This is causing my issue, the traffic is being buffered and as you cannot effectively buffer streaming media with a anti-virus products you need to exclude this website from the "scan" list, immediately after this exclusion rule was added the website worked!
Resolved : Check your anti-virus is not buffering HTTP traffic for streaming sites
I also got nay different errors when attempting to load the website including but not limited to:
ISA Error 64 : Host not Found
HTTP Error 407 : Authentication Required
ISA Error 1229 : Connection Closed
HTTP Error 404 : File Not Found
Also there error where red herrings to the cause of the actual problem, upon researching on the internet I found many articles relating to:
1. An Error with ISA and HTTP 1.1 requets via a proxy server
2. An error with Kerberos and "Enable Windows Authentication" in Internet Explorer
3. An issue with Internet Explorer 6/7
4. The firewall service terminating the connection
5. Disconnections from the remote end (where the web server is)
6. ISA configuration issues
All the above did not resolve the ISA issue I encountered and I found many of these solutions took me down the wrong path altogether...so what is the name of everything holy is going on here?
This is a HTTP 1.1 response that works and loads the website.....so it can talk to the remote site...
HTTP/1.1 200 OK
Via: 1.1 Proxy1
Connection: close
Proxy-Connection: close
Expires: -1
Date: Fri, 10 Oct 2008 09:47:09 GMT
Content-type: text/html; charset=ISO-8859-1
Server: Microsoft-IIS/5.0
Cache-control: no-cache
Set-Cookie: BIGipServerT1EW-WWW-POOL=104097951.20480.0000; path=/
If you have no access due to "authorisation" being required then you get this as the HTTP header....
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 Proxy1
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Proxy1"
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4103
Proxy-Support: Session-Based-Authentication
This is expects if you have the "Require all users to authenticate" checked and Basic authentication denied, but in this instant we have Basic authentication enabled.....which means this issue should not be occuring!
After waiting for the 600 seconds timeout value (which is 10 minutes) we get the error:
HTTP/1.1 403 Forbidden ( The ISA Server denied the specified Uniform Resource Locator (URL). )
Via: 1.1 Proxy1
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 1994
The following actions have been performed to try to remedy the action:
1. Removed the "Require all users to authenticate" from the Internal network connection
2. Enabled basic authentication for all users
3. Forcing Java to use our proxy server (for the website access)
4. Created a new rule allowing all HTTP/HTTPS traffic to the site
5. Disabled the Compression Filter in Web Filters
6. Excluded this site from the Caching
7. Removed the "Allow HTTP1.1 for Proxy Connections" from client browser
8. Added site to Trusted Site Security Zone
9. Removed client cache from browser (by deleteing)
10. Ran the command "dnscmd /Config /EnableEDnsProbes 0"
11. Noticed that when trying to visit "http://www.thomsononeequity.com/dynamic/scripts/streaming.jsp" we get Host not Avaliable
12. Enabling Logging in ISA to trace issues with connection (we only get HTTP errors 64) to 159.104.6.78
13. Enable client logging with Fiddler to the site in Step 11 to get the error:
HTTP/1.1 502 Proxy Error ( The specified network name is no longer available. )
Via: 1.1 Proxy1
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4156
With the DNS timing of:
ClientConnected: 10:42:37:2524
ClientDoneRequest: 10:42:37:2524
DNS Lookup: 0ms
TCP/IP Connect: 0ms
ServerGotRequest: 10:42:37:2524
ServerBeginResponse: 10:42:37:2825
ServerDoneResponse: 10:42:37:4727
ClientBeginResponse: 10:42:37:4727
ClientDoneResponse: 10:42:37:4727
Thats seems awfully quick, so I tried a connection to Google which registered and got a HTTP 200, all OK here then....
Allowed Connection Proxy1 11/10/2008 14:42:55
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Internet Access
Source: Internal (x.x.x.x)
Destination: External (64.233.183.147:80)
Request: GET http://www.google.co.uk/
Filter information: Req ID: 0968b770; Compression: client=No, server=Yes, compress rate=0% decompress rate=239%
Protocol: http
I tried a connection to the site in suspect and I got no entries in the log whatsoever which was a little odd so lets look at the facts:
1. The client issues a request
2. ISA does not receive the issue
3. The Firewall Service is not blocking the traffic
4. The issue must be related to the ISA box
So I have an issue that is limited to the ISA box, this issue cannot be caused by the Firewall, Proxy or Internet Connection and all my Access Rules allow traffic to the website!
Finally, in desperation I look at the packets that ISA is processing and start to see that the data is coming back from the intenet but before the returned information is being processed by ISA it is being buffered by my HTTP Antivirus Filter.....
This is causing my issue, the traffic is being buffered and as you cannot effectively buffer streaming media with a anti-virus products you need to exclude this website from the "scan" list, immediately after this exclusion rule was added the website worked!
Resolved : Check your anti-virus is not buffering HTTP traffic for streaming sites
Tags
Proxy