Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

Similar Messages

• ACE working with IronPort WSA server farm

  We have an ACE load balancing a group of Ironport WSA. The WSA are working with the feature IP Spoofing, then the request to WWW has the source ip address of the WSA client and not the WSA itself.
  We follow the documento behind, but it is not working. When the packet coming from Internet having the destination address the WSA client address, the ACE can not delivery the packet even with the mac-sticky configured.
  I read in other forum that ACE needs to have in its arp table or route table the destination IP address for being able to deal with the packet by the encapid.
  But we don't have this entry in the arp table.
  When we configure the WSA with IP spoofing and the source ip address is the WSA itself the configuration works fine.
  Some have this kind of problem in some ocasion?
  Thank you,
  Everaldo

  Hi Jorge,
  The behavior is when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with Internet is not established. I captured the packets that arrive in the ACE coming from Internet and I see SYN packets with source address as a public IP (Google) and the destination address as the internal client IP address with no ACK just RST.
  With no IP Spoofing, meaning that the ip source address is tha WSA the connection is established with no RST.
  Follow the output the commands:
  show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
  Status     : ACTIVE
  Description: -----------------------------------------
  Interface: vlan 304
    service-policy: WSA-VIPS
      class: WSA_VIP_TCP_3128
       VIP Address:                              Protocol:  Port:
       10.10.193.25                              tcp    eq   3128
        loadbalance:
          L7 loadbalance policy: WSA-POLICY
          VIP Route Metric     : 77
          VIP Route Advertise  : ENABLED-WHEN-ACTIVE
          VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: DISABLED
          curr conns       : 3         , hit count        : 1260
          dropped conns    : 4
          conns per second    : 0
          client pkt count : 19271     , client byte count: 2326106
          server pkt count : 26140     , server byte count: 16572023
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
          L7 Loadbalance policy : WSA-POLICY
            class/match : class-default
              LB action :
                 primary serverfarm: WSA_FARM
                      state: UP
                  backup serverfarm : -
              hit count        : 1260
              dropped conns    : 0
              compression      : off
        compression:
          bytes_in  : 0                          bytes_out : 0
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0
          Content size: 0               Content type       : 0
          Not HTTP 1.1: 0               HTTP response error: 0
          Others      : 0
  switch/WSA# show probe WSA_TCP_3128
  probe       : WSA_TCP_3128
  type        : TCP
  state       : ACTIVE
     port      : 3128         address   : 0.0.0.0
     addr type : -            interval  : 5       pass intvl  : 10
     pass count: 3            fail count: 30      recv timeout: 10
                  ------------------ probe results ------------------
     associations     ip-address         port porttype probes failed passed health
     ------------ ----------------------+----+--------+------+------+------+------
     serverfarm  : WSA_FARM
       real      : WSA-01[0]
       real      : WSA-02[0]
                            10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
       real      : WSA-03[0]
       real      : WSA-04[0]
       real      : WSA-05[0]
       real      : WSA-06[0]
       real      : WSA-07[0]
       real      : WSA-08[0]
       real      : WSA-09[0]
       real      : WSA-10[0]
  switch/WSA# show probe WSA_TCP_3128 detail
  probe       : WSA_TCP_3128
  type        : TCP
  state       : ACTIVE
  description :
     port      : 3128         address   : 0.0.0.0
     addr type : -            interval  : 5       pass intvl  : 10
     pass count: 3            fail count: 30      recv timeout: 10
     conn termination : FORCED
     expect offset    : 0         , open timeout     : 3
     expect regex     : -
     send data        : -
                  ------------------ probe results ------------------
     associations     ip-address         port porttype probes failed passed health
     ------------ ----------------------+----+--------+------+------+------+------
     serverfarm  : WSA_FARM
       real      : WSA-01[0]
       real      : WSA-02[0]
                            10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
     Socket state        : CLOSED
     No. Passed states   : 2         No. Failed states : 1
     No. Probes skipped  : 0         Last status code  : 0
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err :  -
     Last probe time     : Mon Sep  3 21:06:47 2012
     Last fail time      : Mon Sep  3 20:45:05 2012
     Last active time    : Mon Sep  3 20:45:57 2012
       real      : WSA-03[0]
       real      : WSA-04[0]
       real      : WSA-05[0]
       real      : WSA-06[0]
       real      : WSA-07[0]
       real      : WSA-08[0]
       real      : WSA-09[0]
       real      : WSA-10[0]
  Thank you,
  Everaldo

• IE crashing with Flash player and MS Firewall Client

  I have seen this on versions 6, 7, and 8 of Internet Explorer. I work in a firm where all are computers are behind proxy servers running Microsoft ISA. All our PCs have the MS Firewall Client installed. When visiting certain flash intensive sites, mostly online news sites, like nytimes.com, IE will always crash while browsing the page or after refreshing the page. Sometimes an error is generated and other times IE just closes without any notification of an error taking place.
  An example of the error sometimes generated will sometimes be a generic "iexplore.exe - Application Error : The instruction at "0x556038ae" referenced memory at "0x0000000f". The memory could not be read...." or "Microsoft Visual C++ Runtime Library. Runtime Error! Program: C:\Program Files\Internet Explorer\iexplore.exe. R6025 - pure virtual function call."
  Often times the crash of IE will be captured by XPs Dr Watson creating a .log file which can be examined with any text editor; a .dmp file will also be generated which can then be opened with the Windows Debuggin Tools. I have looked at a few of these files and in every instance there is a FAULT when wspwsp.dll is called.
  Wspwsp.dll is used by an older version of Microsofts Firewall Client for ISA. The IE/Adobe Flash crash can be resolved by upgrading to lastest version of the FWC for ISA (version 4.0 currently). Alternately, this issue can also be worked around by disabling the FWC while browsing the Internet from the FWC icon in the system tray (right click>disable or from the Control Panel>Firewall Client>Uncheck Enable option). To do this on the fly, you can place the ISATRAY.exe in the All Users startup folder if the FWC icon fails to stick in the system tray box.

  Ironically enough, I can reproduce the above mentioned R6025 error this morning by just going to Adobe's home page and waiting for the intro Adobe Acrobat 9 video to near the end. Clicking OK to the error will close IE. A minidump is not produced either by DrWatson or by using CrashLogEnable=1 in mms.cfg in this case.

• Cisco VPN client & Microsoft ISA firewall client.

  Hi all,
  could someone give me advice how to set
  up Cisco VPN client to route traffic
  to our proxy ISA 2004. We have installed
  Microsoft firewall client on PCs but we dont know how to set up routing of IPSEC
  to Proxy.
  I know that this is maybe problem of Microsoft but maybe it is possible to do this directly in Cisco VPN client.
  Any suggestions?
  BR
  jl

  Be sure that the Department or organizational unit (OU) corresponds to the Cisco VPN Client group name, as configured in the PIX vpngroup name. Select the correct Certificate Service Provider (CSP) appropriate for your setup
  http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml

• Windows 7 isa firewall client problem

  Hi,
  I have a problem with isa 2006 firewall client on windows 7 joined to domain , I can browse websites with webproxy but I cannot connect to any pop3 and smtp mailservers when using pop3 dns name on outlook, so if I add the full name of mail.something.com,
  it does not work with (name cannot be resolved), it works when adding ip address, also if I try to access ftp servers on internet it does not work.
  This only happens with windows 7 computers windows xp works correctly with firewall client.
  If secure nat client is used on windows 7 they work (but I need to authenticate users by name).
  I have searched many forums but cannot find a solution.
  I have rule in isa server that allows http,https,ftp,ping,smtp,pop, even the rule that applies to me which have all outbound ports open had the same problem.
  Thanks in advance.

  Hello everyone,
  I'm having the exact same issue at my workplace. i have a 2008R2 server running TMG 2010 and i have a pool of mixed client PCs (windows 7 and XP).
  I use forefront firewall client for authentication and access.
  I'm having the same trouble with name resolution in Outlook and another application but everything else works fine.
  There is no issue when using SecureNat (setting up gateway) though, everything is resolved and works well ... it's so strange and it's driving me crazy. 
  It would be much appreciated to have a more reasonable solution other than shortcuts like setting a fake gateway.
  Thank you in advance. 
  Best Regards,
  N

• Connecting through ISA firewall

  I am tring to connect Contribute 3.11 through our company ISA
  authentication (firewall). The network provider tells me that ports
  20 and 21 are open for FTP but about halfway through the connection
  process, I get prompted for authentication username and password. 3
  tries and I'm out
  . I have also tried full domainname\username with
  password and that bombs too. Has anybody else seen this or know how
  to get around it?
  I can connect just fine on my home PC so I know my
  destination settings and permissions are OK. Any help is greatly
  appreciated.

  1. You can specify proxy settings in Contribute by going to
  Edit > Preferences > FTP Proxy.
  2. try disabling any antivirus software or firewall running
  on your system.
  3. make sure you install the ISA Firewall Client in your
  System:
  http://www.isaserver.org/tutorials/Manually_installing_the_ISA_firewall_client.html
  4. to verify if FTP is indeed enabled, try to type this in
  IE: ftp://ftp.irs.gov
  see if you can access the folders; if not, your system admin
  is lying; ftp is not enabled
  5. go to control panel > internet options > advanced;
  make sure that user http 1.1 through proxy connections is checked

• IronPort WSA with Authentication unable to access 2 character domain names with 2 character TLDNs

  I've discovered an issue requiring user authentication and some of the short url sites likes e2.ma will not load in Internet Explorer explicitly configured to go through an IronPort WSA. In testing with bogus domains (a.to, aa.to) it seems the issue is if the domain name is 1-2 characters and the top level domain name is also 2 characters long. Longer domains (aaa.to) work and return an IronPort error for DNS_FAIL. Does anyone know of a workaround to not have to allow all these as unauthenticated destinations?

  Support pointed me towards that KB article as well, but it is for IE 5 (and fixed in IE 6), but IE 8+ uses a TLD list from Microsoft (visible by using res://urlmon.dll/ietldlist.xml) and I don't control the external website. I'm going to try using an IP address surrogate instead of session cookies for these domains and see if that resolves this.

• Request Sub-CA-Certificate for Ironport WSA

  How do I request a Sub-CA-Certificate for an Ironport WSA ? The GUI only offers the import of the public and private certificates to running the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.
  Thanks for your help.

  Here is the solution for this question:
  The steps to use the sample inf file are:
  run the command: certreq.exe -new certreq.inf cacert.req
  submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
  install the certificate by running the command: certreq.exe -accept newcacer.cer
  export the certificate to a PFX file including the private key
  using openssl convert the PFX file to PEM format with the following steps:
            * extract the certificate file (the signed public key) from the pfx file:
              openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
            * extract private key from a pfx file and write it to PEM file:
              openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
            * remove the password from the private key file:
              openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
  That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now trusted by the client (if the Root-CA is trusted on the client).
  Sample for the INF-File:
  [Version]
  Signature="$Windows NT$"
  [Strings]
  CACN = "Issuing CA"
  [NewRequest]
  Subject = "CN=%CACN%"
  Exportable = True
  MachineKeySet = True
  KeyLength = 2048
  KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
  KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
  KeyContainer = "%CACN%"
  [Extensions]
  2.5.29.19 = "{text}ca=1&pathlength=0"
  Critical = 2.5.29.19

• Ironport WSA - Management interface

  Hello,
  I have installed one Ironport WSA appliance for my customer.
  I would configure the following interface :
  -M1 : for the management
  -P1 : for the production interface
  -T1 : for L4 inspection
  I have specified a default route for M1 and P1.
  When I tryed to ping Internet or perform an update of the WSA, I watched the request exit by the M1 interface.
  It doesn't work because the management network can't exit in Internet (it's the policy of the customer).
  -It's normal that the upgrade of WSA and the ping exit by the M1 interface ?
  -If I want perform authentication in NTLM (with an AD domain) the request with the server and the client is performed with P1 or M1 ?
  -The upgrade of antivirus & sensor base use M1 or P1 ?
  -I thinked that M1 was only used for the management of the WSA (SSH and HTTPS).
  -How the WSA appliance can manage two default routes ?
  Can you give me more information about M1 and P1 and the role of each one ?
  Best Regards
  Cédric

  You can change the route that the update and upgrades use by going to System Adminstration>Upgrade and Update Settings.  Then click on the "Edit Update Settings".  You can pick the routing table/interface here.  By default its set to the managment interface.
  I'm fairly sure that the NTLM traffice from the WSA to the domain is via the managment interface.
  P1 is for the proxy traffic. Whatever way you get internet traffice to the box, it goes through P1, in and out (unless you use P2)
  M1 is for all of the other stuff: web management, ssh, updates, ldap/ntauth, etc.

• Just replaced my iphone 4 with new 4.  restore from icloud is hung on an app I no longer use (password probably expired) how can i get the restore to move on to the next app

  just replaced my iphone 4 with new 4.  restore from icloud is hung on an app I no longer use (password probably expired) how can i get the restore to move on to the next app

  Read another post in the forum about this and it appears this app also installs a profile with a proxy service that you will have to try and delete as well. Check that out.

• QoS Cisco SCE8000, Caching Cisco IronPort WSA, Loadbalancing Cisco ACE solution

  Hi all,
  Our customer is a mobile operator. They need a integrated solution for caching, QoS and Loadbalancing in a combination. From my understanding of their goals, they need to providing stable and speedy broadband access as well as good user experience by the differentiation service offering. They need to classify IP traffic and prioritize and control of content-based services for a given subscriber while transparently and dynamically redirect and load balance the application level classified of IP traffic to a proxy caching server regardless of protocols such as http, https, ssl, ftp, flv, mms and rstp, sip, p2p....
  Attached pls find the RFP and technical specification for Caching and QoS.
  I appreciate your expertise to consult me whether I can propose for them the Cisco ACE standalone appliance or ACE engine module for 7600/6500 for loadbalancing, Cisco IronPort WSA for caching and dual Cisco SCE8000 for QoS as an integrated solution. Is this solution feasible/workable and where could I find the same reference or solution design or technical guidance on this?
  Thanks a lot and would like to hear from you at the soonest!
  Best regards,

• Proxy Scenario (abap client)- XI, ICM_CONNECTION_FAILED

  Hi Forum,
  I have a problem with a Proxy Scenario (ABAP client proxy),
  My scenario is R/3 (abap client proxy)--->XI   ,
  the client proxy while sending message to XI throws an error, which is seen in SXMB_MONI as:
  404 Resource not found
  Partner not reached
  Error: -20
  Version: 6040
  Component: ICM
  Date/Time: Fri Jan 25 09:20:54 2008 
  Module: icxxconn_mt.c
  Line: 2124
  Server: xxxap5_RP1_05
  Detail: Connection request from (143/22024/0) to host: xxXP1.xxx.com, service: 8000 failed (NIEHOST_UNKNOWN) AP-T143, U22024, 500 xxUSER, , 09:20:54, M0, W0, , 1/0
  I can see a stuck entry (LUW), for this in SMQ2, even on several re-execution of that LUW in SMQ2, it gives an error:
  SYSFAIL
  XI Error Client_Receive_Filaed

  Hi
  404 Resource not found
  There might be the problem with the server having not to find anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
  *Possible Tips:- *
  • 404 is an HTTP response code that indicates that the resource in question couldn't be found. Usually this is due to an incorrect URL, so it is better to cross check all URLs. Check pipeline URL in the SLD in the business system of the Integration Server For this go to SLD->Business System-><yourIntegrtaion Server>->Pipeline URL: It should be like this http://<host>:<port>/sap/xi/engine?type=entry Where host is the host name of the Integration Server and port is the HTTP(8xxx) port. To verify this in Integration Server you can do like this. Go to SXMB_ADM->Integration Engine Configuration->Choose Edit from Menu -> Change Global Configuration Data to switch to change mode. Then select System Landscape - Load Configuration. (This is not required always)
  • Check that the port really is the ICM HTTP Port and not the J2EE port i.e SMICM then menu GOTO --> SERVICES and check the port number for HTTP. It should be HTTP port
  • If the error is Page cannot be displayed, cannot find server in https configurations Check and correct the SSL configuration for the ABAP and the J2EE side of the system
  • If the error is because of integration server when using Proxy communications then check these. i.e SXMB_ADM->Integration Engine Configuration->Corresponding Integration Server enrty should be dest://<Http Integration server-Destination> Where < Http Integration server -Destination > is the RFC destination (SM59) of type HTTP connection (type H) to the Integration Server. In this case, host name, port, and path prefix are saved in the RFC destination
  Refer below link
  /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
  Thanks
  Swarup

• Sending files via File Adapter through FTP having a HTTP proxy as firewall

  Dear  experts,
  I am having a issue trying to send a file via FTP with the File Adapter. My client has a HTTP proxy with authentification required as firewall  in order to send files via FTP.
  I've tried several solutions but I cannot find a way to add the proxy name, user and password in the communication channel.
  Any ideas?
  Thanks in advance.
  Best Regards

  Hi,
  Unfortunately those changes didn't work. The adapter is not able to establish a connection within the FTP server. These are the parameters I added:
  -Dhttp.proxy.user=<usename>
  -Dhttp.proxy.password=<userpassword>
  -Dhttp.proxyHost=<proxy.domain...>
  -Dhttp.proxyPort=80
  -Dhttp.nonProxyHost="*domain1.com domain2com"
  -Dhttps.proxy.user=<usename>
  -Dhttps.proxy.password=<userpassword>
  -Dhttps.proxyHost=<proxy.domain...>
  -Dhttps.proxyPort=80
  -Dhttps.nonProxyHost="*domain1.com domain2com"
  And just in case, we tried with these other parameters at the same time.
  -Dftp.proxy.user=<usename>
  -Dftp.proxy.password=<userpassword>
  -Dftp.proxyHost=<proxy.domain...>
  -Ddftp.proxyPort=80
  -Dftp.nonProxyHost="*domain1.com domain2com"
  The errors in the adapter engine's log are:
  Error MP: Exception caught with cause com.sap.aii.af.ra.ms.api.RecoverableException: Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: ConnectException: Socket connection timed out: <ftp ip address>
  Error Exception caught by adapter framework: Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: ConnectException: Socket connection timed out: <ftp ip address>
  Error Delivery of the message to the application using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: ConnectException: Socket connection timed out: <ftp ip address>
  By the way, we are using  PI 7.0.
  Thanks in advance
  Edited by: SAPIMSA . on Apr 20, 2011 4:08 PM

• How to use App Store under proxy and firewall?

  Greetings all,
  We have an iPad which connects to Wifi with no problems. Under WiFi settings, I configure the Proxy HTTP manually.
  I know that Youtube is blocked by a proxy. But iTunes and APP Store don't load without any apparent reason. Every other programs (Safari, Mail, Google Maps, etc...) load perfectly.
  Ports 80 and 443 are open inside the proxy and firewall.
  Through which protocols, ports or ip works APP Store/iTunes?
  Thank you.
  Regards

  Just to be a bit clearer, this is what happens at work. At home, everything works perfectly.

• Arrowpoint Cookies, Reverse Proxy and Multiplexed Client Requests

  Hi,
  I have a reverse proxy which is performing SSL offload and making backend connections to two web servers. Between the reverse proxy and the two webservers, a CSS is in place to load balance between the web servers. There is a requirement for session stickiness on the web servers and since client IP details are lost through the reverse proxy I have used the arrowpoint-cookie method to load balance connections.
  However, the reverse proxy seems to make only a handful of connections to the servers compared to the number incoming client connections and we have noticed that stickiness is broken. Now, I would assume this is correct if arrowpoint-cookie makes a load balancing based on the first HTTP get in a tcp stream and not on a per transaction basis AND our reverse proxy is multiplexing client requests. However, I can not convince myself of how the arrowpoint-cookie method actually works.
  I wondered if anyone had any insight on this or had experienced similar issues with arrowpoint cookies?

  Hi Gilles,
  I have implemented this today, and we are still seeing issues with requests hitting the wrong server.
  A bit more info, the reverse proxy is an AXG Web Aopplication Firewall. I have been looking at this and am considering disabling connection re-use on here.
  However I am also wondering if this might be to do with the flow timeout multiplier I am using which is 5 (80 seconds). Perhaps this is too low?
  Thanks, David.