
ISA 2004 blocking certain sites


  • ISA 2004 blocking certain sites

    Hi all,


    I recently took on a new position and ISA firewall is now one of my responsibilities. I received numerous complaints from users that some of the sites are blocked by ISA 2004 HTTP filter.

    Example: users are able to browse www.abebooks.com site without problems until they hit search, then the error listed below is generated.
    Error Code: 502 Proxy Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217)
    IP Address: XX.XX.XX.XX
    Date: 2/8/2008 4:24:01 PM
    Server: server.domain.com
    Source: web filter

    Browsing to some UK sites also generates this error.

    I found a solution, but I don't think it's quite safe… Disabling the HTTP filter from ISA>Server>Configuration>Add-ins is the only fix that works for now.
    What else can I do to resolve it without having to install a Service Pack?
    I need to be able to fix this problem, but at the same time, I don't want to leave HTTP filter disabled.
    HTTP filter is currently setup in BOTH directions.


    I was looking at this article http://support.microsoft.com/kb/894483
    But it didn't help in finding the alternative solution. Cache is already disabled.

    There are some rules that previous admin created (currently enabled) that block access to XXX and other junk sites. During after hours I temporarily disabled those rules, but it didn't help. I tried restarting the firewall, restarting the server… still no luck UGGGHHH !!!
    Previous admin had attempted to install SP2, but it crashed ISA altogether.


    And another big thing is internet slowness. We have a T1 line. Office has approximately 70 users....but browsing the web is more like trying to ride a turtle. I will submit a ticket to ISP to look into it, but I have a feeling the problem is internal.


    I'm pretty sure that Network Configuration in ISA was not properly set up. For the past few months ISA was generating a lot of errors. All internal IPs are in the 10.0.0.0-10.0.0.255 range. When looking at Networks in ISA (ISA>Server>Networks>Networks Tab), the Address Range is 10.0.0.0 - 10.255.225.255. That just doesn't look right.

    This is the error/alert that I'm receiving:
    ISA server detected routes through adaptor LAN that do not correlate with the network element to which the adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adaptor as defined in routing table. Otherwise valid packets may be dropped as spoofed... The address ranges in conflict are 10.0.1.0 - 10.255.255.254


    I'm new to ISA and I could really use some help. If you are posting a solution, please be as specific as possible.

    Thank you in advance.

  • #2
    Re: ISA 2004 blocking certain sites

    Well, first start by updating the ISA server to ISA SP3.
    In the service pack the HTTP filter is corrected. Otherwise you need to disable the filter if it causes you problems, because the filter has some bugs.

    About your network setup: can you make a drawing of how your network looks, including the subnets?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: ISA 2004 blocking certain sites

      Sorry about the delay.
      The internal network is the following range: 10.0.0.0- 10.0.0.255
      I found an error in ISA Network configuration, it was set up this way 10.0.0.0 - 10.255.255.255 and here is a part of notification message that I'm receiving:

      "Description: ISA Server detected routes through adapter LAN that do not correlate with the network element to which adapter belongs.... The address ranges in conflict are: 10.0.1.0-10.255.255.254"

      Even if I correct the network range, it will still not correct the issue with the webfilter....

      You are absolutely right, I need to upgrade to SP3, I'm just a bit concerned about deploying SP3, especially as previous two admins attempted to install SP2 and it crashed ISA, so they had to revert back.

      In order to upgrade to SP3, would I have to install SP2 first?
      What is the easiest way to go back in case SP3 crashes ISA as it did with SP2? Reinstall ISA and reimport settings?
      I think the first thing I'm going to do is correct the network range to 10.0.0.0-10.0.0.255 and see if I can get rid of that annoying notification.

      What is the safest way to deploy SP3 ?



      • #4
        Re: ISA 2004 blocking certain sites

        Sorry about the delay.
        The internal network is in the following range: 10.0.0.0- 10.0.0.255
        I found an error in ISA Network configuration, it was set up this way 10.0.0.0 - 10.255.255.255 and here is a part of notification message that I'm receiving:

        "Description: ISA Server detected routes through adapter LAN that do not correlate with the network element to which adapter belongs.... The address ranges in conflict are: 10.0.1.0-10.255.255.254"

        Even if I correct the network range, it will still not correct the issue with the webfilter....

        You are absolutely right, I need to upgrade to SP3, I'm just a bit concerned about deploying SP3, especially as previous two admins attempted to install SP2 and it crashed ISA, so they had to revert back.

        In order to upgrade to SP3, would I have to install SP2 first ?
        What is the safest way to deploy SP3 ?
        What is the easiest way to go back in case SP3 crashes ISA as it did with SP2? (Reinstall ISA and reimport settings?)

        Comment
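
The range mismatch behind the alert quoted in this thread can be checked offline before the ISA network definition is edited. This is an added example, not part of any post and not Microsoft tooling: it compares the configured ISA network range with the routes bound to the internal adapter. The 10.0.0.0/24 route is an assumption taken from the stated internal range, and the plain set difference ends at 10.255.255.255 where the alert text lists .254.

```python
import ipaddress

def to_nets(first, last):
    """Collapse an inclusive first-last range into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def subtract(nets, holes):
    """Return the parts of `nets` that no network in `holes` covers."""
    remaining = list(nets)
    for hole in holes:
        kept = []
        for net in remaining:
            if net.subnet_of(hole):          # fully covered: drop it
                continue
            if hole.subnet_of(net):          # partly covered: keep the rest
                kept.extend(net.address_exclude(hole))
            else:                            # disjoint: keep as is
                kept.append(net)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def as_ranges(nets):
    """Merge adjacent CIDR blocks into (first, last) address strings."""
    out = []
    for net in sorted(nets):
        if out and int(out[-1][1]) + 1 == int(net[0]):
            out[-1] = (out[-1][0], net[-1])
        else:
            out.append((net[0], net[-1]))
    return [(str(a), str(b)) for a, b in out]

def audit(isa_ranges, adapter_routes):
    """Compare an ISA network's ranges with the routes on its adapter."""
    isa = [n for r in isa_ranges for n in to_nets(*r)]
    routes = [ipaddress.ip_network(r) for r in adapter_routes]
    return {
        # In the ISA network but not routed via the adapter (the alert case).
        "defined_not_routed": as_ranges(subtract(isa, routes)),
        # Routed but absent from the ISA network: risks spoof drops.
        "routed_not_defined": as_ranges(subtract(routes, isa)),
    }

# Range as described in the thread; the /24 route is an assumption taken
# from the stated internal range (copy the real ones from `route print`).
THREAD_CONFIG = [("10.0.0.0", "10.255.255.255")]
ASSUMED_ROUTES = ["10.0.0.0/24"]

print(audit(THREAD_CONFIG, ASSUMED_ROUTES))
```
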


        • #5
          Re: ISA 2004 blocking certain sites

          The safest way is indeed exporting the settings (firewall rules) and making a backup.
          With a backup you export much more than only the firewall rules.
          The best way is to make a backup using the ISA manager and exporting every rule separately. Why? I've seen a number of times that just one rule can crash ISA. If you export rule by rule and import it later when needed, you can find out which rule could cause the crash.

          However, when ISA crashes it is a good idea to investigate why it crashes (event logs etc.)

          About your network setup, have you set up VPN connections in the same range? Best way is to make a simple drawing.
          Marcel