Lesson 4 Troubleshooting ISA Server Client Connectivity
Though establishing secure Internet connectivity through ISA Server is a simple process on a clean installation, any number of factors can complicate your configuration and create connectivity problems. This lesson discusses many of the most common causes of client connectivity and dial-up connection problems.
After this lesson, you will be able to:
- Troubleshoot problems with ISA Server client connections
- Troubleshoot problems with dial-up connections in ISA Server
- Restart ISA Server services after configuration changes
Estimated lesson time: 20 minutes
Troubleshooting Client Connections
Client connectivity problems range from poor performance to complete lack of Internet access on SecureNAT, Firewall, and Web Proxy clients. To simplify future troubleshooting, it is important to avoid unnecessary complexities in your network configuration and to keep track of all changes made after your initial, successful installation. In general, you will profit from using a systematic approach in your troubleshooting, one that begins with the examination of physical connectivity and works up through the various network layers to the examination of specific access policies configured in ISA Server.
To further assist you in your troubleshooting, you can use Table 3.4 to check for the most common errors in client configurations that hinder Internet connectivity.
Table 3.4 Common Errors in Client Configurations
Problems | Causes | Solutions |
---|---|---|
Internal connections are slow for firewall clients. | Clients are unable to resolve local names using an external DNS server because the external DNS server may not have the correct records needed. The client must waste time waiting for the queries to the DNS server to time out before trying other methods of name resolution. | An internal DNS server should be configured with the names and addresses of all internal hosts. In addition, if packet filtering is operating, create an IP packet filter that uses DNS Lookup—a predefined filter—to allow the ISA Server computer to send out DNS name queries for Internet names. |
SecureNAT clients cannot connect to the Internet. | If SecureNAT clients are not configured properly, the ISA Server will not be able to connect them to the Internet. | Configure the default gateway and configure the DNS server. |
Clients cannot connect to external SSL sites. | When a client connects through the Web Proxy service to a secure Web site, ISA Server must open a tunnel for the traffic, since the traffic is encrypted end to end. By default, ISA Server only allows tunnel connections to ports 443 and 563 (Secure-News). If a client attempts to connect to a secure site that is running on a port other than 443 or 563, the connection fails. | To allow tunneling on additional ports, modify the ISA Administration COM object, FPCProxyTunnelPortRange. |
SecureNAT connections work when the client specifies IP addresses but not when the client specifies computer names. | If the DNS server used by the client is an internal DNS server, it cannot resolve Internet domain names. | Configure the DNS server to forward the request to an external (Internet) DNS server. As an alternative, configure the clients to use a DNS server that forwards name resolution requests to an external DNS server. |
SecureNAT clients cannot connect to a specific port because the connection times out, even though a Protocol Rule allows "Any IP traffic." | SecureNAT clients can only connect using protocols that are listed in the Protocol Definitions node of ISA Management. Furthermore, the protocol cannot require a secondary connection, unless an application filter that implements the protocol is available. | If the application only uses a single port, define a protocol in which the specific port is the primary port. If the application uses multiple ports, some of which are determined dynamically, they must be specified and defined by an application filter. |
Server cannot bind to or allocate required port. | There is an allocation conflict for a port—more than one service on the ISA Server computer, possibly including ISA Server itself, is requesting to bind with a specific port on the external interface. | In general, Microsoft recommends that you do not run additional services on your primary firewall. If possible, install computers running other services behind the ISA Server computer. Bind the other server to the internal interface, so that only ISA Server listens on the external interface. |
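The tunnel-port restriction in the "Clients cannot connect to external SSL sites" row can be checked offline against the CONNECT requests that clients send. The following is an added example, not part of the original lesson or of ISA Server; the function names and the sample request lines are constructed for illustration, and only the default ports 443 and 563 come from Table 3.4.

```python
"""Added example: find CONNECT targets outside the Web Proxy tunnel port ranges."""
from urllib.parse import urlsplit

# Defaults stated in Table 3.4: 443 (SSL) and 563 (Secure-News).
DEFAULT_TUNNEL_RANGES = [(443, 443), (563, 563)]


def connect_target(request_line):
    """Parse 'CONNECT host:port HTTP/1.x' and return (host, port)."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        raise ValueError("not a CONNECT request line: %r" % request_line)
    # urlsplit also handles IPv6 literals such as [2001:db8::10]:8443.
    target = urlsplit("//" + parts[1])
    if target.hostname is None or target.port is None:
        raise ValueError("CONNECT target needs host:port: %r" % parts[1])
    return target.hostname, target.port


def tunnel_allowed(port, ranges=DEFAULT_TUNNEL_RANGES):
    """True if the port falls inside any (low, high) tunnel port range."""
    return any(low <= port <= high for low, high in ranges)


def blocked_tunnels(request_lines, ranges=DEFAULT_TUNNEL_RANGES):
    """Return the sorted, de-duplicated (host, port) pairs the proxy would refuse."""
    blocked = set()
    for line in request_lines:
        host, port = connect_target(line)
        if not tunnel_allowed(port, ranges):
            blocked.add((host, port))
    return sorted(blocked)


# Constructed sample of client CONNECT request lines (not real traffic).
SAMPLE = [
    "CONNECT shop.example.com:443 HTTP/1.1",
    "CONNECT news.example.net:563 HTTP/1.0",
    "CONNECT admin.example.org:8443 HTTP/1.1",
    "CONNECT [2001:db8::10]:8443 HTTP/1.1",
    "CONNECT pay.example.com:4443 HTTP/1.1",
]

if __name__ == "__main__":
    for host, port in blocked_tunnels(SAMPLE):
        print("refused with default ranges: %s port %d" % (host, port))
```

Because the proxy cannot inspect traffic inside a tunnel, the output is best used to add only the individual ports that are actually needed rather than a wide range.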
Troubleshooting Dial-up Entries
Problems with dial-up connections generally stem from only a few possible causes. Use Table 3.5 below to troubleshoot your dial-up connections.
Table 3.5 Troubleshooting Your Dial-up Connections
Problems | Causes | Solutions |
---|---|---|
Automatic dial-out to the Internet failed, although manual dial-out works. | The dial-up entry credentials were not specified correctly, although you may have specified credentials for the network dial-up connection correctly. | Reconfigure the dial-up entry credentials. |
Automatic dial-out to the Internet failed, although manual dial-out works. | The ISA Server computer does not have permissions to use the dial-up connection. | Reconfigure the dial-up connection, allowing everyone to use the connection. See Windows 2000 online Help for more information. |
Automatic dial-out to the Internet failed, although manual dial-out works. | The client is configured as a SecureNAT client. | Install and enable the Firewall Client software on the client computer. |
Failed to dial out to the Internet, because the connection is already being dialed. | Another service on the computer is connecting with this dial-up connection. | Wait a while—ISA Server will reattempt the connection when a request is subsequently made. If the problem persists, restart the ISA Server services. |
The dial-up connection was dropped. | Someone may have inadvertently disconnected the dial-up connection. | Restart the ISA Server services. The services will automatically re-establish the connection. |
The dial-up connection never hangs up, even though there is no dialing activity. | Whenever a client request is made, even if for a computer on the local network, ISA Server sends name resolution requests to both the internal DNS server and an external DNS server. | Configure ISA Server to use only internal DNS servers. Note that this solution works only if the internal DNS server is capable of forwarding name resolution requests externally when necessary. |
Cannot connect to the Internet via a dial-up connection. | The client is configured as a SecureNAT client, and a dial-up entry has not been fully configured. | Install the Firewall Client software on the client computer, or create a dial-up entry and configure Network Configuration properties to route upstream through the dial-up entry. |
Restarting Services after Configuration Changes
If Internet connectivity suddenly stops on your client computers after having been active, try restarting one of the ISA Server services, such as the Firewall service and/or the Web Proxy service. Some changes to the ISA Server configuration require that you restart one or more of the ISA Server services on all the servers in the array. Without restarting ISA Server services, client connectivity will be lost. In the case of such a configuration change, ISA Management usually, but not always, displays a message box informing you that the service needs to be restarted.
Table 3.6 lists the configuration changes for which services must be restarted.
Table 3.6 Configuration Changes Requiring Service Restart
Configuration change | Service restarted |
---|---|
Installing, removing, enabling, or disabling an application filter | Firewall service |
Reducing or increasing cache size, and adding or removing a disk from the cache | Firewall service |
Changes to the LAT that affect a network adapter's internal or external state | Firewall service, Web Proxy service |
Enabling or disabling packet filtering | Firewall service |
Enabling or disabling a network adapter | Firewall service, Web Proxy service |
Changing IP address of a network adapter | Firewall service, Web Proxy service |
Routing table changes | Firewall service |
Installing, enabling, disabling, removing, or changing order of Web filter | Web Proxy service |
Changing port numbers for Web Proxy | Web Proxy service |
Changing Firewall Client application settings in ISA Management | Firewall service |
Updating SSL certificate | Web Proxy service |
Adding or removing a server to or from the array | Web Proxy service |
Changing H.323 Gatekeeper network interface | H.323 Gatekeeper service |
Changing network configuration properties, or configuring firewall chaining | Firewall service |
Figure 3.6 shows the Monitor Servers And Services taskpad in ISA Management, on which you can start and stop an ISA Server service.

Figure 3.6 Starting and stopping a service in ISA Management in Taskpad view. Service control is also accomplished in Advanced view.
Follow these steps to start a service:
1. In the console tree of ISA Management, click Services.
2. On the View menu, click Advanced.
3. In the details pane, right-click the applicable service, and then click Start.

Follow these steps to stop a service:
1. In the console tree of ISA Management, click Services.
2. On the View menu, click Advanced.
3. In the details pane, right-click the applicable service, and then click Stop.
Lesson Summary
Connectivity problems are minimized by avoiding unnecessary complexities in your ISA Server configuration and by keeping track of all changes you have made from your base installation. When troubleshooting connectivity, you will profit from a systematic approach and from a review of common problems, causes, and solutions presented in this lesson.
In addition, many breaks in client connectivity result from changes to the ISA Server configuration. Such changes require that one or more of the ISA Server services be restarted on all servers in an array.