ISA Server diagnostic logging troubleshooting scenarios
This document provides diagnostic logging samples for use when troubleshooting Microsoft Internet Security and Acceleration (ISA) Server traffic. The following five sample scenarios are provided:
- Troubleshooting a forward proxy access rule for which name resolution does not succeed
- Troubleshooting a reverse proxy Web publishing scenario when client authentication does not succeed and a path is configured incorrectly
- Troubleshooting forward Web proxy with authentication
- Troubleshooting reverse Web publishing when both links are HTTPS
- Troubleshooting a slow connection to an external Web server
Each scenario provides a diagnostic log sample that shows the traffic flow of the request.
This document includes the following scenarios:
- Troubleshooting forward Web proxy name resolution
- Lab setup
- Example 1: Running the baseline diagnostic log with successful name resolution for forward Web proxy
- Example 2: Running the diagnostic log when name resolution fails
- Troubleshooting reverse proxy Web publishing
- Lab setup
- Example 1: Running the baseline diagnostic log with a successful Web publishing request
- Example 2: Running the diagnostic log when authentication fails for a Web publishing rule
- Example 3: Running the diagnostic log when configuring a Web publishing rule with the wrong path
- Troubleshooting forward Web proxy with authentication
- Lab setup
- Troubleshooting reverse publishing where both links are HTTPS (to the ISA Server and Web server)
- Lab setup
- Troubleshooting a slow connection to a Web site
- Lab setup
Troubleshooting forward Web proxy name resolution
Two diagnostic log samples are provided for comparison. The first sample shows the traffic flow when name resolution for forward proxy succeeds. The second shows the flow when name resolution fails.
Lab setup
Use the following lab scenario:
| Computer configuration | Computer name | IP address |
|---|---|---|
Web proxy client |
Lcl-st |
40.0.202.1 |
Server |
Anet-srv |
70.0.11.1 |
ISA Server |
Fw-a2 |
40.0.2.1, 70.0.2.1 |
There is a single access rule allowing HTTP from the Internal network to the External network.
Example 1: Running the baseline diagnostic log with successful name resolution for forward Web proxy
After you turn on diagnostic logging and make the forward request, results appear in the diagnostic log summary, a sample of which is in the following table. The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-01-21 18:03:07 |
1 |
96d070e2 |
Web Proxy |
Web Proxy properties: Client IP address: 40.0.202.1 Client port: 3341 Local IP address: 40.0.2.1 Local port: 8080 SecureNAT client: false Web proxy client: true Inbound traffic: false <This entry is important. It provides a unique context ID (96d070e2), The context ID allows you to filter other non-relevant traffic.> |
2008-01-21 18:03:07 |
2 |
96d070e2 96d070e3 |
Web Proxy |
HTTP method: GET Check all the lines that start with the context ID. In this example, the context ID is 96d070e2. |
2008-01-21 18:03:07 |
3 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server started checking the policy rules for a Web request. |
2008-01-21 18:03:07 |
4 |
96d070e2 96d070e3 |
Web Proxy |
Target URL: / |
2008-01-21 18:03:07 |
5 |
96d070e2 96d070e3 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-01-21 18:03:07 |
6 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv. <Verify whether Domain Name System (DNS) is in the ISA Server DNS cache.> |
2008-01-21 18:03:07 |
7 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server failed to perform DNS name resolution and will attempt to continue with the available information. Error: No such host is known. |
2008-01-21 18:03:07 |
8 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server started checking the access rules. |
2008-01-21 18:03:07 |
9 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-01-21 18:03:07 |
10 |
96d070e2 96d070e3 |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-01-21 18:03:07 |
11 |
96d070e2 96d070e3 |
Firewall service |
Protocol: HTTP |
2008-01-21 18:03:07 |
12 |
96d070e2 96d070e3 |
Firewall Engine |
Packet properties: Source IP address: 40.0.202.1 Source array network: Internal Destination IP address: 0.0.0.0 Destination array network: <In the packet details, note that the IP address 0.0.0.0 appears because the name "anet-srv" is not resolved.> |
2008-01-21 18:03:07 |
13 |
96d070e2 96d070e3 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-01-21 18:03:07 |
14 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. <This is the first rule to be matched.> |
2008-01-21 18:03:07 |
15 |
96d070e2 96d070e3 |
Firewall service |
Source does not match the packet. <Rule was not matched.> |
2008-01-21 18:03:07 |
16 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:03:07 |
17 |
96d070e2 96d070e3 |
Firewall service |
Source does not match the packet. |
2008-01-21 18:03:07 |
18 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:03:07 |
19 |
96d070e2 96d070e3 |
Firewall service |
The source port does not match the rule. |
2008-01-21 18:03:07 |
20 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule MyhttpRule. <This is the rule for which traffic should be allowed. Name resolution has not yet occurred.> |
2008-01-21 18:03:07 |
21 |
96d070e2 96d070e3 |
Firewall service |
The destination requires name resolution. |
2008-01-21 18:03:07 |
22 |
96d070e2 96d070e3 |
Firewall service |
The rule MyhttpRule requires name resolution for evaluation. |
2008-01-21 18:03:07 |
23 |
96d070e2 96d070e3 |
Firewall service |
The rule MyhttpRule requires DNS name resolution. |
2008-01-21 18:03:07 |
24 |
96d070e2 96d070e3 |
Web Proxy |
The access rule MyhttpRule denies the Web request. <The Web proxy filter, rather than the Firewall service, is handling the rule because the Web proxy filter will attempt to resolve the name "anet-srv". The policy rule engine assumes a positive response and then informs the Web proxy that the rule might pass.> |
2008-01-21 18:03:07 |
25 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server attempted to evaluate the policy rules without resolving the name of the requested destination. |
2008-01-21 18:03:07 |
26 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv. |
2008-01-21 18:03:07 |
27 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server succeeded to perform DNS name resolution for the host name h_name: anet-srv h_aliases: h_addr_list: 70.0.11.1. <DNS resolution has succeeded.> |
2008-01-21 18:03:07 |
28 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server started rechecking the access rules after resolving the name of the requested destination through a DNS query. |
2008-01-21 18:03:07 |
29 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-01-21 18:03:07 |
30 |
96d070e2 96d070e3 |
Firewall service |
The Firewall service is performing rule evaluation. <If it fails, the policy rule engine attempts to perform rule evaluation once more by using the real resolved name.> |
2008-01-21 18:03:07 |
31 |
96d070e2 96d070e3 |
Firewall service |
Protocol: HTTP |
2008-01-21 18:03:07 |
32 |
96d070e2 96d070e3 |
Firewall Engine |
Packet properties: Source IP address: 40.0.202.1 Source array network: Internal Destination IP address: 70.0.11.1 Destination array network: External <These are the updated details for the packet.> |
2008-01-21 18:03:07 |
33 |
96d070e2 96d070e3 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-01-21 18:03:07 |
34 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 18:03:07 |
35 |
96d070e2 96d070e3 |
Firewall service |
Source does not match the packet. |
2008-01-21 18:03:07 |
36 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:03:07 |
37 |
96d070e2 96d070e3 |
Firewall service |
Source does not match the packet. |
2008-01-21 18:03:07 |
38 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:03:07 |
39 |
96d070e2 96d070e3 |
Firewall service |
The source port does not match the rule. |
2008-01-21 18:03:07 |
40 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is evaluating the rule MyhttpRule. |
2008-01-21 18:03:07 |
41 |
96d070e2 96d070e3 |
Firewall service |
The rule MyhttpRule matches the packet. The packet is allowed. |
2008-01-21 18:03:07 |
42 |
96d070e2 96d070e3 |
Firewall service |
The rule MyhttpRule allowed the packet. <The rule is allowed.> |
2008-01-21 18:03:07 |
43 |
96d070e2 96d070e3 |
Web Proxy |
The access rule MyhttpRule allows the Web request. |
2008-01-21 18:03:07 |
44 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server started to check the Web chaining rules. |
2008-01-21 18:03:07 |
45 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 70.0.11.1 in the packet. The packet may be passed to an upstream server. |
2008-01-21 18:03:07 |
46 |
96d070e2 96d070e3 |
Firewall service |
The Web chaining rule Default rule matches the packet. |
2008-01-21 18:03:07 |
47 |
96d070e2 96d070e3 |
Web Proxy |
The packet matches the Web chaining rule Default rule. |
2008-01-21 18:03:07 |
48 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server is directing the Web request to the IP address 0.0.0.0. |
2008-01-21 18:03:07 |
49 |
96d070e2 96d070e3 |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 70.0.11.1 in the Web request. Cache rules are checked to determine whether to return a cached response. |
2008-01-21 18:03:07 |
50 |
96d070e2 96d070e3 |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-01-21 18:03:07 |
51 |
96d070e2 96d070e3 |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-01-21 18:03:07 |
52 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-01-21 18:03:07 |
53 |
96d070e2 96d070e3 |
Web Proxy |
ISA Server will connect to the Web server anet-srv on the IP address 70.0.11.1 and port 80. <ISA Server connects to the server.> |
2008-01-21 18:03:07 |
54 |
96d070e2 96d070e3 |
Web Proxy |
Target URL: / |
2008-01-21 18:03:07 |
55 |
96d070e2 96d070e3 |
Web Proxy |
Web response properties: Response status: 200 Response MIME content type: text/html Response Via header: NULL HTTP Server header: Microsoft-IIS/5.0 <A 200 OK status message is issued. The traffic has passed.> |
Example 2: Running the diagnostic log when name resolution fails
By removing "anet-srv" from the host's file and running diagnostic logging again, you can examine the log summary when name resolution does not succeed. The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-01-21 17:51:21 |
1 |
96d070e0 |
Web Proxy |
Web Proxy properties: Client IP address: 40.0.202.1 Client port: 3337 Local IP address: 40.0.2.1 Local port: 8080 SecureNAT client: false Web proxy client: true Inbound traffic: false <The context ID of the original packet.> |
2008-01-21 17:51:21 |
2 |
96d070e0 96d070e1 |
Web Proxy |
HTTP method: GET |
2008-01-21 17:51:21 |
3 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server started checking the policy rules for a Web request. |
2008-01-21 17:51:21 |
4 |
96d070e0 96d070e1 |
Web Proxy |
Target URL: / |
2008-01-21 17:51:21 |
5 |
96d070e0 96d070e1 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-01-21 17:51:21 |
6 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv. |
2008-01-21 17:51:21 |
7 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server failed to perform DNS name resolution and will attempt to continue with the available information. Error: No such host is known. |
2008-01-21 17:51:21 |
8 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server started checking the access rules. |
2008-01-21 17:51:21 |
9 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-01-21 17:51:21 |
10 |
96d070e0 96d070e1 |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-01-21 17:51:21 |
11 |
96d070e0 96d070e1 |
Firewall service |
Protocol: HTTP |
2008-01-21 17:51:21 |
12 |
96d070e0 96d070e1 |
Firewall Engine |
Packet properties: Source IP address: 40.0.202.1 Source array network: Internal Destination IP address: 0.0.0.0 Destination array network: |
2008-01-21 17:51:21 |
13 |
96d070e0 96d070e1 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-01-21 17:51:21 |
14 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 17:51:21 |
15 |
96d070e0 96d070e1 |
Firewall service |
Source does not match the packet. |
2008-01-21 17:51:21 |
16 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 17:51:21 |
17 |
96d070e0 96d070e1 |
Firewall service |
Source does not match the packet. |
2008-01-21 17:51:21 |
18 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 17:51:21 |
19 |
96d070e0 96d070e1 |
Firewall service |
The source port does not match the rule. |
2008-01-21 17:51:21 |
20 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule MyhttpRule. |
2008-01-21 17:51:21 |
21 |
96d070e0 96d070e1 |
Firewall service |
The destination requires name resolution. |
2008-01-21 17:51:21 |
22 |
96d070e0 96d070e1 |
Firewall service |
The rule MyhttpRule requires name resolution for evaluation. |
2008-01-21 17:51:21 |
23 |
96d070e0 96d070e1 |
Firewall service |
The rule MyhttpRule requires DNS name resolution. |
2008-01-21 17:51:21 |
24 |
96d070e0 96d070e1 |
Web Proxy |
The access rule MyhttpRule denies the Web request. |
2008-01-21 17:51:21 |
25 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server attempted to evaluate the policy rules without resolving the name of the requested destination. |
2008-01-21 17:51:21 |
26 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv. |
2008-01-21 17:51:21 |
27 |
00006c93 |
Firewall Engine |
The Firewall Engine is performing rule evaluation. <The Firewall engine tries to resolve the name "anet-srv".> |
2008-01-21 17:51:21 |
28 |
00006c93 |
Firewall Engine |
ISA Server is looking for an applicable network rule. |
2008-01-21 17:51:21 |
29 |
00006c93 |
Firewall Engine |
The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied. |
2008-01-21 17:51:21 |
30 |
00006c93 |
Firewall Engine |
ISA Server will check only rules that are associated with the protocol Ping. |
2008-01-21 17:51:21 |
31 |
00006c93 |
Firewall Engine |
ISA Server is evaluating the rule Allow ICMP (PING) requests from selected computers to ISA Server. |
2008-01-21 17:51:21 |
32 |
00006c93 |
Firewall Engine |
Source does not match the packet. |
2008-01-21 17:51:21 |
33 |
00006c93 |
Firewall Engine |
ISA Server is evaluating the rule Allow ICMP requests from ISA Server to selected servers. |
2008-01-21 17:51:21 |
34 |
00006c93 |
Firewall Engine |
Source does not match the packet. |
2008-01-21 17:51:21 |
35 |
00006c93 |
Firewall Engine |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 17:51:21 |
36 |
00006c93 |
Firewall Engine |
Source does not match the packet. |
2008-01-21 17:51:21 |
37 |
00006c93 |
Firewall Engine |
ISA Server is evaluating the rule Default rule. |
2008-01-21 17:51:21 |
38 |
00006c93 |
Firewall service |
The rule Default rule matches the packet. The packet is denied. |
2008-01-21 17:51:21 |
39 |
00006c93 |
Firewall Engine |
The rule Default rule matches the packet. The packet is denied. |
2008-01-21 17:51:24 |
40 |
00006c94 |
Firewall Engine |
The Firewall Engine is performing rule evaluation. |
2008-01-21 17:51:24 |
41 |
00006c94 |
Firewall Engine |
ISA Server is looking for an applicable network rule. |
2008-01-21 17:51:24 |
42 |
00006c94 |
Firewall Engine |
The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied. |
2008-01-21 17:51:24 |
43 |
00006c94 |
Firewall Engine |
ISA Server will check only rules that are associated with the protocol Ping. |
2008-01-21 17:51:24 |
44 |
00006c94 |
Firewall Engine |
ISA Server is evaluating the rule Allow ICMP (PING) requests from selected computers to ISA Server. |
2008-01-21 17:51:24 |
45 |
00006c94 |
Firewall Engine |
Source does not match the packet. |
2008-01-21 17:51:24 |
46 |
00006c94 |
Firewall Engine |
ISA Server is evaluating the rule Allow ICMP requests from ISA Server to selected servers. |
2008-01-21 17:51:24 |
47 |
00006c94 |
Firewall Engine |
Source does not match the packet. |
2008-01-21 17:51:24 |
48 |
00006c94 |
Firewall Engine |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 17:51:24 |
49 |
00006c94 |
Firewall Engine |
Source does not match the packet. |
2008-01-21 17:51:24 |
50 |
00006c94 |
Firewall Engine |
ISA Server is evaluating the rule Default rule. |
2008-01-21 17:51:24 |
51 |
00006c94 |
Firewall service |
The rule Default rule matches the packet. The packet is denied. |
2008-01-21 17:51:24 |
52 |
00006c94 |
Firewall Engine |
The rule Default rule matches the packet. The packet is denied. |
2008-01-21 17:51:35 |
53 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server failed to perform DNS name resolution and will attempt to continue with the available information. Error: The requested name is valid, but no data of the requested type was found. <ISA Server failed to resolve the name "anet-srv".> |
2008-01-21 17:51:35 |
54 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server started to check the Web chaining rules. <Web chaining rules are checked because an upstream server may be able to resolve the name.> |
2008-01-21 17:51:35 |
55 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 0.0.0.0 in the packet. |
2008-01-21 17:51:35 |
56 |
96d070e0 96d070e1 |
Firewall service |
The Web chaining rule Default rule matches the packet. |
2008-01-21 17:51:35 |
57 |
96d070e0 96d070e1 |
Web Proxy |
The packet matches the Web chaining rule Default rule. |
2008-01-21 17:51:35 |
58 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server will assume that the destination is in the External network and recheck the access rules because the requested destination was not resolved as an internal resource. |
2008-01-21 17:51:35 |
59 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-01-21 17:51:35 |
60 |
96d070e0 96d070e1 |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-01-21 17:51:35 |
61 |
96d070e0 96d070e1 |
Firewall service |
Protocol: HTTP |
2008-01-21 17:51:35 |
62 |
96d070e0 96d070e1 |
Firewall Engine |
Packet properties: Source IP address: 40.0.202.1 Source array network: Internal Destination IP address: 0.0.0.0 Destination array network: External |
2008-01-21 17:51:35 |
63 |
96d070e0 96d070e1 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-01-21 17:51:35 |
64 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 17:51:35 |
65 |
96d070e0 96d070e1 |
Firewall service |
Source does not match the packet. |
2008-01-21 17:51:35 |
66 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 17:51:35 |
67 |
96d070e0 96d070e1 |
Firewall service |
Source does not match the packet. |
2008-01-21 17:51:35 |
68 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 17:51:35 |
69 |
96d070e0 96d070e1 |
Firewall service |
The source port does not match the rule. |
2008-01-21 17:51:35 |
70 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is evaluating the rule MyhttpRule. |
2008-01-21 17:51:35 |
71 |
96d070e0 96d070e1 |
Firewall service |
The rule MyhttpRule matches the packet. The packet is allowed. |
2008-01-21 17:51:35 |
72 |
96d070e0 96d070e1 |
Firewall service |
The rule MyhttpRule allowed the packet. |
2008-01-21 17:51:35 |
73 |
96d070e0 96d070e1 |
Web Proxy |
The access rule MyhttpRule allows the Web request. |
2008-01-21 17:51:35 |
74 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server is directing the Web request to the IP address 0.0.0.0. <The web request is discarded.> |
2008-01-21 17:51:35 |
75 |
96d070e0 96d070e1 |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 0.0.0.0 in the Web request. |
2008-01-21 17:51:35 |
76 |
96d070e0 96d070e1 |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-01-21 17:51:35 |
77 |
96d070e0 96d070e1 |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-01-21 17:51:35 |
78 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-01-21 17:51:50 |
79 |
96d070e0 96d070e1 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. \"No data record is available. \" <ISA Server dropped the packet and sent an error message to the client.> |
Troubleshooting reverse proxy Web publishing
Three diagnostic log samples are provided so you can compare them. The first baseline sample shows the traffic flow when a Web publishing request succeeds, the second shows the flow when authentication fails, and the third shows how a request fails when a Web publishing path is configured incorrectly.
Lab setup
Use the following lab scenario:
| Computer configuration | Computer name | IP address |
|---|---|---|
Web client |
Anet-srv |
70.0.11.1 |
Web server |
Lcl-dc |
40.0.0.2 |
ISA Server |
Fw-a2 |
40.0.2.1, 70.0.2.1 |
There is a single Web publishing rule that forwards Web requests to the computer Lcl-dc/sports.
Example 1: Running the baseline diagnostic log with a successful Web publishing request
Turn on diagnostic logging, and then make a client request for Lcl-dc publishing that uses Web publishing. The results appear in the diagnostic log summary. The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-01-21 18:50:52 |
9 |
96d070f4 |
Web Proxy |
Web Proxy properties: Client IP address: 70.0.11.1 Client port: 3144 Local IP address: 70.0.2.1 Local port: 80 SecureNAT client: false Web proxy client: false Inbound traffic: true |
2008-01-21 18:50:52 |
10 |
96d070f4 96d070f5 |
Web Proxy |
HTTP method: GET |
2008-01-21 18:50:52 |
11 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server started checking the policy rules for a Web request. |
2008-01-21 18:50:52 |
12 |
96d070f4 96d070f5 |
Web Proxy |
Target URL: /sports/ |
2008-01-21 18:50:52 |
13 |
96d070f4 96d070f5 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-01-21 18:50:52 |
14 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server started checking Web publishing rules. |
2008-01-21 18:50:52 |
15 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow access to directory services for authentication purposes. |
2008-01-21 18:50:52 |
16 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
17 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow remote management from selected computers using MMC. |
2008-01-21 18:50:52 |
18 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
19 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow remote management from selected computers using Terminal Server. |
2008-01-21 18:50:52 |
20 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
21 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow RADIUS authentication from ISA Server to trusted RADIUS servers. |
2008-01-21 18:50:52 |
22 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
23 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow Kerberos authentication from ISA Server to trusted servers. |
2008-01-21 18:50:52 |
24 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
25 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow DNS from ISA Server to selected servers. |
2008-01-21 18:50:52 |
26 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
27 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow DHCP requests from ISA Server to all networks. |
2008-01-21 18:50:52 |
28 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
29 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow DHCP replies from DHCP servers to ISA Server. |
2008-01-21 18:50:52 |
30 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
31 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow ICMP (PING) requests from selected computers to ISA Server. |
2008-01-21 18:50:52 |
32 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
33 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow ICMP requests from ISA Server to selected servers. |
2008-01-21 18:50:52 |
34 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
35 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow Microsoft CIFS from ISA Server to trusted servers. |
2008-01-21 18:50:52 |
36 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
37 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 18:50:52 |
38 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
39 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow NetBIOS from ISA Server to trusted servers. |
2008-01-21 18:50:52 |
40 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
41 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow RPC from ISA Server to trusted servers. |
2008-01-21 18:50:52 |
42 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
43 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:50:52 |
44 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
45 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow NTP from ISA Server to trusted NTP servers. |
2008-01-21 18:50:52 |
46 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
47 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow SMTP from ISA Server to trusted servers. |
2008-01-21 18:50:52 |
48 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
49 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:50:52 |
50 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
51 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule lcl-dc. |
2008-01-21 18:50:52 |
52 |
96d070f4 96d070f5 |
Firewall service |
The rule lcl-dc matches the packet. The packet is allowed. <The packet is allowed as expected.> |
2008-01-21 18:50:52 |
53 |
96d070f4 96d070f5 |
Firewall service |
The listener on the IP address 70.0.2.1 accepted the request. |
2008-01-21 18:50:52 |
54 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is looking for a deny access rule that matches traffic from the source to the destination. <ISA Server checks that no access rule blocks the request.> |
2008-01-21 18:50:52 |
55 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is looking for a rule that is associated with the protocol HTTP. |
2008-01-21 18:50:52 |
56 |
96d070f4 96d070f5 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-01-21 18:50:52 |
57 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 18:50:52 |
58 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
59 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:50:52 |
60 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
61 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:50:52 |
62 |
96d070f4 96d070f5 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:50:52 |
63 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-01-21 18:50:52 |
64 |
96d070f4 96d070f5 |
Firewall service |
The rule Default rule matches the packet. The packet is denied. <No access rule blocks the request.> |
2008-01-21 18:50:52 |
65 |
96d070f4 96d070f5 |
Web Proxy |
The Web publishing rule lcl-dc will allow the Web request. |
2008-01-21 18:50:52 |
66 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name lcl-dc. |
2008-01-21 18:50:52 |
67 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server succeeded to perform DNS name resolution for the host name h_name: lcl-dc.Local-Domain.Net h_aliases: h_addr_list: 40.0.0.2. |
2008-01-21 18:50:52 |
68 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server started to check the Web chaining rules. |
2008-01-21 18:50:52 |
69 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 40.0.0.2 in the packet. |
2008-01-21 18:50:52 |
70 |
96d070f4 96d070f5 |
Firewall service |
The Web chaining rule Default rule matches the packet. |
2008-01-21 18:50:52 |
71 |
96d070f4 96d070f5 |
Web Proxy |
The packet matches the Web chaining rule Default rule. |
2008-01-21 18:50:52 |
72 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server is directing the Web request to the IP address 0.0.0.0. |
2008-01-21 18:50:52 |
73 |
96d070f4 96d070f5 |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 40.0.0.2 in the Web request. |
2008-01-21 18:50:52 |
74 |
96d070f4 96d070f5 |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-01-21 18:50:52 |
75 |
96d070f4 96d070f5 |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-01-21 18:50:52 |
76 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-01-21 18:50:52 |
77 |
96d070f4 96d070f5 |
Web Proxy |
ISA Server will connect to the Web server lcl-dc on the IP address 40.0.0.2 and port 80. |
2008-01-21 18:50:52 |
78 |
96d070f4 96d070f5 |
Web Proxy |
Target URL: /sports/ |
2008-01-21 18:50:52 |
79 |
96d070f4 96d070f5 |
Web Proxy |
Target Host header: lcl-dc <The request is sent to the Web server.> |
2008-01-21 18:50:52 |
80 |
96d070f4 96d070f5 |
Web Proxy |
Web response properties: Response status: 200 Response MIME content type: text/html Response Via header: NULL HTTP Server header: Microsoft-IIS/6.0 <The expected response is received from the Web server.> |
Example 2: Running the diagnostic log when authentication fails for a Web publishing rule
When you modify the listener for the Web publishing rule in order to listen for HTTPS traffic only and require Basic authentication, the log summary provides information about why the request fails. The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-01-22 15:31:50 |
1 |
9fa4551e |
Web Proxy |
Web Proxy properties: Client IP address: 70.0.11.1 Client port: 3266 Local IP address: 70.0.2.1 Local port: 443 SecureNAT client: false Web proxy client: false Inbound traffic: true |
2008-01-22 15:31:50 |
2 |
9fa4551e 9fa4551f |
Web Proxy |
HTTP method: GET |
2008-01-22 15:31:50 |
3 |
9fa4551e 9fa4551f |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-01-22 15:31:50 |
4 |
9fa4551e 9fa4551f |
Web Proxy |
ISA Server cannot authenticate the client because the client's request does not contain Proxy-Authorization or Authorization headers. |
2008-01-22 15:31:50 |
5 |
9fa4551e 9fa4551f |
Web Proxy |
ISA Server rejected the request with the HTTP status code 401 and will return the following error message to the Web client. \"The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. \" <HTTP authentication works as expected and returns status code 401 to the client.> |
2008-01-22 15:31:50 |
6 |
9fa4551e 9fa4551f |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-01-22 15:31:58 |
7 |
9fa4551e 9fa45520 |
Web Proxy |
HTTP method: GET <This is another request. Notice the time difference. We presume that the client entered their credentials.> |
2008-01-22 15:31:58 |
8 |
9fa4551e 9fa45520 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-01-22 15:31:58 |
9 |
9fa4551e 9fa45520 |
Web Proxy |
ISA Server will authenticate the client using Basic authentication. <The Web listener is matched and requires authentication.> |
2008-01-22 15:31:58 |
10 |
00000021 0000f120 |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-01-22 15:31:58 |
11 |
00000021 0000f120 |
Firewall Engine |
Packet properties: Source IP address: 40.0.2.1 Source array network: Local Host Destination IP address: 40.0.0.2 Destination array network: Internal <Authentication of traffic between ISA Server and its domain controller.> |
2008-01-22 15:31:58 |
12 |
00000021 0000f120 |
Firewall service |
ISA Server is looking for an applicable network rule. |
2008-01-22 15:31:58 |
13 |
00000021 0000f120 |
Firewall service |
The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied. |
2008-01-22 15:31:58 |
14 |
9fa4551e 9fa45520 |
Web Proxy |
User authentication failed. The request was denied because the password for user MyUser expired. To resolve this problem, the user must request a new password in Active Directory. <This entry provides information about the problem. Active Directory directory service requires the user to change the password, but ISA Server fails without prompting the user.> |
2008-01-22 15:31:58 |
15 |
9fa4551e 9fa45520 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-01-22 15:31:58 |
16 |
9fa4551e 9fa45520 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 401 and will return the following error message to the Web client. \"The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. \" |
2008-01-22 15:31:58 |
17 |
9fa4551e 9fa45520 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-01-22 15:32:02 |
18 |
9fa45521 |
Web Proxy |
Web Proxy properties: Client IP address: 70.0.11.1 Client port: 3267 Local IP address: 70.0.2.1 Local port: 443 SecureNAT client: false Web proxy client: false Inbound traffic: true Another request. The user probably got the credentials popup again and hit enter… |
2008-01-22 15:32:02 |
19 |
9fa45521 9fa45522 |
Web Proxy |
HTTP method: GET |
2008-01-22 15:32:02 |
20 |
9fa45521 9fa45522 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-01-22 15:32:02 |
21 |
9fa45521 9fa45522 |
Web Proxy |
ISA Server will authenticate the client using Basic authentication. |
2008-01-22 15:32:02 |
22 |
9fa45521 9fa45522 |
Web Proxy |
User authentication failed. The request was denied because the password for user MyUser expired. To resolve this problem, the user must request a new password in Active Directory. <The client attempted to authenticate again. The request failed again.> |
2008-01-22 15:32:02 |
23 |
9fa45521 9fa45522 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-01-22 15:32:02 |
24 |
9fa45521 9fa45522 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 401 and will return the following error message to the Web client. \"The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. \" |
2008-01-22 15:32:02 |
25 |
9fa45521 9fa45522 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-01-22 15:32:04 |
26 |
9fa45523 |
Web Proxy |
Web Proxy properties: Client IP address: 70.0.11.1 Client port: 3268 Local IP address: 70.0.2.1 Local port: 443 SecureNAT client: false Web proxy client: false Inbound traffic: true |
2008-01-22 15:32:04 |
27 |
9fa45523 9fa45524 |
Web Proxy |
HTTP method: GET |
2008-01-22 15:32:04 |
28 |
9fa45523 9fa45524 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-01-22 15:32:04 |
29 |
9fa45523 9fa45524 |
Web Proxy |
ISA Server will authenticate the client using Basic authentication. |
2008-01-22 15:32:04 |
30 |
9fa45523 9fa45524 |
Web Proxy |
User authentication failed. The request was denied because the password for user MyUser expired. To resolve this problem, the user must request a new password in Active Directory. <The client tried to authenticate and failed. After three times, Windows Internet Explorer displays an access denied page.> |
2008-01-22 15:32:04 |
31 |
9fa45523 9fa45524 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-01-22 15:32:04 |
32 |
9fa45523 9fa45524 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 401 and will return the following error message to the Web client. \"The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. \" |
2008-01-22 15:32:04 |
33 |
9fa45523 9fa45524 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
Example 3: Running the diagnostic log when configuring a Web publishing rule with the wrong path
When a Web publishing rule is configured with the wrong path, the log summary provides information about why the request fails. The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-01-21 18:39:56 |
1 |
96d070f1 |
Web Proxy |
Web Proxy properties: Client IP address: 70.0.11.1 Client port: 3142 Local IP address: 70.0.2.1 Local port: 80 SecureNAT client: false Web proxy client: false Inbound traffic: true <Shows the context ID for the request.> |
2008-01-21 18:39:56 |
2 |
96d070f1 96d070f2 |
Web Proxy |
HTTP method: GET |
2008-01-21 18:39:56 |
3 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server started checking the policy rules for a Web request. |
2008-01-21 18:39:56 |
4 |
96d070f1 96d070f2 |
Web Proxy |
Target URL: /sports |
2008-01-21 18:39:56 |
5 |
96d070f1 96d070f2 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-01-21 18:39:56 |
6 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server started checking Web publishing rules. <Rule evaluation has begun.> |
2008-01-21 18:39:56 |
7 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow access to directory services for authentication purposes. |
2008-01-21 18:39:56 |
8 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
9 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow remote management from selected computers using MMC. |
2008-01-21 18:39:56 |
10 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
11 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow remote management from selected computers using Terminal Server. |
2008-01-21 18:39:56 |
12 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
13 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow RADIUS authentication from ISA Server to trusted RADIUS servers. |
2008-01-21 18:39:56 |
14 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
15 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow Kerberos authentication from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
16 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
17 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow DNS from ISA Server to selected servers. |
2008-01-21 18:39:56 |
18 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
19 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow DHCP requests from ISA Server to all networks. |
2008-01-21 18:39:56 |
20 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
21 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow DHCP replies from DHCP servers to ISA Server. |
2008-01-21 18:39:56 |
22 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
23 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow ICMP (PING) requests from selected computers to ISA Server. |
2008-01-21 18:39:56 |
24 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
25 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow ICMP requests from ISA Server to selected servers. |
2008-01-21 18:39:56 |
26 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
27 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow Microsoft CIFS from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
28 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
29 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 18:39:56 |
30 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
31 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow NetBIOS from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
32 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
33 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow RPC from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
34 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
35 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:39:56 |
36 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
37 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow NTP from ISA Server to trusted NTP servers. |
2008-01-21 18:39:56 |
38 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
39 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow SMTP from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
40 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
41 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:39:56 |
42 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
43 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule lcl-dc. |
2008-01-21 18:39:56 |
44 |
96d070f1 96d070f2 |
Firewall service |
The rule lcl-dc matches the packet. The packet is allowed. <The packet is allowed as expected.> |
2008-01-21 18:39:56 |
45 |
96d070f1 96d070f2 |
Firewall service |
The listener on the IP address 70.0.2.1 accepted the request. |
2008-01-21 18:39:56 |
46 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is looking for a deny access rule that matches traffic from the source to the destination. |
2008-01-21 18:39:56 |
47 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is looking for a rule that is associated with the protocol HTTP. |
2008-01-21 18:39:56 |
48 |
96d070f1 96d070f2 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-01-21 18:39:56 |
49 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 18:39:56 |
50 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
51 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:39:56 |
52 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
53 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:39:56 |
54 |
96d070f1 96d070f2 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
55 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-01-21 18:39:56 |
56 |
96d070f1 96d070f2 |
Firewall service |
The rule Default rule matches the packet. The packet is denied. |
2008-01-21 18:39:56 |
57 |
96d070f1 96d070f2 |
Web Proxy |
The Web publishing rule lcl-dc will allow the Web request. |
2008-01-21 18:39:56 |
58 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name lcl-dc. |
2008-01-21 18:39:56 |
59 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server succeeded to perform DNS name resolution for the host name h_name: lcl-dc.Local-Domain.Net h_aliases: h_addr_list: 40.0.0.2. <DNS name resolution is successful.> |
2008-01-21 18:39:56 |
60 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server started to check the Web chaining rules. |
2008-01-21 18:39:56 |
61 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 40.0.0.2 in the packet. |
2008-01-21 18:39:56 |
62 |
96d070f1 96d070f2 |
Firewall service |
The Web chaining rule Default rule matches the packet. |
2008-01-21 18:39:56 |
63 |
96d070f1 96d070f2 |
Web Proxy |
The packet matches the Web chaining rule Default rule. |
2008-01-21 18:39:56 |
64 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server is directing the Web request to the IP address 0.0.0.0. |
2008-01-21 18:39:56 |
65 |
96d070f1 96d070f2 |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 40.0.0.2 in the Web request. |
2008-01-21 18:39:56 |
66 |
96d070f1 96d070f2 |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-01-21 18:39:56 |
67 |
96d070f1 96d070f2 |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-01-21 18:39:56 |
68 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-01-21 18:39:56 |
69 |
96d070f1 96d070f2 |
Web Proxy |
ISA Server will connect to the Web server lcl-dc on the IP address 40.0.0.2 and port 80. |
2008-01-21 18:39:56 |
70 |
96d070f1 96d070f2 |
Web Proxy |
Target URL: /sports |
2008-01-21 18:39:56 |
71 |
96d070f1 96d070f2 |
Web Proxy |
Target Host header: lcl-dc |
2008-01-21 18:39:56 |
72 |
96d070f1 96d070f2 |
Web Proxy |
Web response properties: Response status: 301 Response MIME content type: text/html Response Via header: NULL HTTP Server header: Microsoft-IIS/6.0 <ISA Server redirects from /sports to /sports/, as requested by Internet Information Services (IIS).> |
2008-01-21 18:39:56 |
73 |
96d070f1 96d070f3 |
Web Proxy |
HTTP method: GET |
2008-01-21 18:39:56 |
74 |
96d070f1 96d070f3 |
Web Proxy |
ISA Server started checking the policy rules for a Web request. |
2008-01-21 18:39:56 |
75 |
96d070f1 96d070f3 |
Web Proxy |
Target URL: /sports/ <The client sends another request. This time with /sports/.> |
2008-01-21 18:39:56 |
76 |
96d070f1 96d070f3 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-01-21 18:39:56 |
77 |
96d070f1 96d070f3 |
Web Proxy |
ISA Server started checking Web publishing rules. |
2008-01-21 18:39:56 |
78 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow access to directory services for authentication purposes. |
2008-01-21 18:39:56 |
79 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
80 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow remote management from selected computers using MMC. |
2008-01-21 18:39:56 |
81 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
82 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow remote management from selected computers using Terminal Server. |
2008-01-21 18:39:56 |
83 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
84 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow RADIUS authentication from ISA Server to trusted RADIUS servers. |
2008-01-21 18:39:56 |
85 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
86 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow Kerberos authentication from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
87 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
88 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow DNS from ISA Server to selected servers. |
2008-01-21 18:39:56 |
89 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
90 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow DHCP requests from ISA Server to all networks. |
2008-01-21 18:39:56 |
91 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
92 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow DHCP replies from DHCP servers to ISA Server. |
2008-01-21 18:39:56 |
93 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
94 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow ICMP (PING) requests from selected computers to ISA Server. |
2008-01-21 18:39:56 |
95 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
96 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow ICMP requests from ISA Server to selected servers. |
2008-01-21 18:39:56 |
97 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
98 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow Microsoft CIFS from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
99 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
100 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 18:39:56 |
101 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
102 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow NetBIOS from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
103 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
104 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow RPC from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
105 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
106 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:39:56 |
107 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
108 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow NTP from ISA Server to trusted NTP servers. |
2008-01-21 18:39:56 |
109 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
110 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow SMTP from ISA Server to trusted servers. |
2008-01-21 18:39:56 |
111 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
112 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:39:56 |
113 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
114 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule lcl-dc. |
2008-01-21 18:39:56 |
115 |
96d070f1 96d070f3 |
Firewall service |
The path in the destination URL in the Web request does not match the path specified in the Web publishing rule. <This entry provides information about why the request failed. /* was not specified at the end of the path.> |
2008-01-21 18:39:56 |
116 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-01-21 18:39:56 |
117 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
118 |
96d070f1 96d070f3 |
Firewall service |
No matching rule was found. |
2008-01-21 18:39:56 |
119 |
96d070f1 96d070f3 |
Firewall service |
The listener on the IP address 70.0.2.1 accepted the request. |
2008-01-21 18:39:56 |
120 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is looking for a deny access rule that matches traffic from the source to the destination. |
2008-01-21 18:39:56 |
121 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is looking for a rule that is associated with the protocol HTTP. |
2008-01-21 18:39:56 |
122 |
96d070f1 96d070f3 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-01-21 18:39:56 |
123 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-01-21 18:39:56 |
124 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
125 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-01-21 18:39:56 |
126 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
127 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Allow MS Firewall Control communication to selected computers. |
2008-01-21 18:39:56 |
128 |
96d070f1 96d070f3 |
Firewall service |
The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request. |
2008-01-21 18:39:56 |
129 |
96d070f1 96d070f3 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-01-21 18:39:56 |
130 |
96d070f1 96d070f3 |
Firewall service |
The rule Default rule matches the packet. The packet is denied. |
2008-01-21 18:39:56 |
131 |
96d070f1 96d070f3 |
Firewall service |
The deny access rule Default rule precedes the publishing rule in the list of policy rules. The packet is blocked. |
2008-01-21 18:39:56 |
132 |
96d070f1 96d070f3 |
Web Proxy |
The Web publishing rule Default rule will deny the Web request. |
2008-01-21 18:39:56 |
133 |
96d070f1 96d070f3 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-01-21 18:39:56 |
134 |
96d070f1 96d070f3 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 403 and will return the following error message to the Web client. \"The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. \" <This is the response returned to the client.> |
Troubleshooting forward Web proxy with authentication
A diagnostic log sample shows the traffic flow when a Web client requests access to the Web server. ISA Server requests authentication from the Web client. The request succeeds.
Lab setup
Use the following lab scenario:
| Computer configuration | Computer name | IP address |
|---|---|---|
Web client |
Lcl-clt1 |
40.0.11.1 |
Web server |
Anet-srv |
70.0.11.1 |
ISA Server |
Fw-a2 |
40.0.2.1, 70.0.2.1 |
The log summary provides information about traffic from External client request to the Web server intercepted by ISA Server. ISA Server requires authentication from the Web client. The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-04-22 10:16:20 |
1 |
057c5086 |
Web Proxy |
Web Proxy properties: Client IP address: 40.0.11.1 Client port: 1489 Local IP address: 40.0.2.1 Local port: 8080 SecureNAT client: false Web proxy client: true Inbound traffic: false <This is the initial request.> |
2008-04-22 10:16:20 |
2 |
057c5086 057c5087 |
Web Proxy |
HTTP method: GET |
2008-04-22 10:16:20 |
3 |
057c5086 057c5087 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-04-22 10:16:20 |
4 |
057c5086 057c5087 |
Web Proxy |
ISA Server cannot authenticate the client because the client's request does not contain Proxy-Authorization or Authorization headers. <ISA Server fails to authenticate the client and sends 407 to the client. (Proxy authentication is required.)> |
2008-04-22 10:16:20 |
5 |
057c5086 057c5087 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 407 and will return the following error message to the Web client. "The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209)" |
2008-04-22 10:16:20 |
6 |
057c5086 057c5087 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-04-22 10:16:20 |
7 |
057c5086 057c5088 |
Web Proxy |
HTTP method: GET <ISA Server requests client authentication by using NTLM (3-leg authentication). The following steps describe the NTLM authentication process:
|
2008-04-22 10:16:20 |
8 |
057c5086 057c5088 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-04-22 10:16:20 |
9 |
057c5086 057c5088 |
Web Proxy |
ISA Server will authenticate the client using NTLM authentication. |
2008-04-22 10:16:20 |
10 |
057c5086 057c5088 |
Web Proxy |
Authentication is in progress. Authentication will fail for the current request, but the client should continue to attempt to authenticate on the same connection. |
2008-04-22 10:16:20 |
11 |
057c5086 057c5088 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 407 and will return the following error message to the Web client. "Access is denied. (5)" |
2008-04-22 10:16:20 |
12 |
057c5086 057c5088 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-04-22 10:16:20 |
13 |
057c5086 057c5089 |
Web Proxy |
HTTP method: GET <Here, the client sends the response to ISA Server.> |
2008-04-22 10:16:20 |
14 |
057c5086 057c5089 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-04-22 10:16:20 |
15 |
057c5086 057c5089 |
Web Proxy |
ISA Server will authenticate the client using NTLM authentication. |
2008-04-22 10:16:20 |
20 |
057c5086 057c5089 |
Web Proxy |
Authentication succeeded. <To validate client credentials, ISA Server sent all information required to the domain controller. This traffic also passes the policy rule engine.> |
2008-04-22 10:16:20 |
21 |
057c5086 057c5089 |
Web Proxy |
User name: LOCAL-DOMAIN\cadmin1 |
2008-04-22 10:16:20 |
22 |
057c5086 057c5089 |
Web Proxy |
Authentication succeeded. |
2008-04-22 10:16:20 |
23 |
057c5086 057c5089 |
Web Proxy |
ISA Server started checking the policy rules for a Web request with the target path /. |
2008-04-22 10:16:20 |
24 |
057c5086 057c5089 |
Web Proxy |
The connected client LOCAL-DOMAIN\cadmin1 was authenticated. |
2008-04-22 10:16:20 |
25 |
057c5086 057c5089 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv <After passing the “internal listener," ISA Server is ready to perform name resolution and rule evaluation.> |
2008-04-22 10:16:20 |
26 |
057c5086 057c5089 |
Web Proxy |
ISA Server succeeded to perform DNS name resolution for the host name h_name: anet-srv h_aliases: h_addr_list: 70.0.11.1. <Name resolution has succeeded.> |
2008-04-22 10:16:20 |
27 |
057c5086 057c5089 |
Web Proxy |
ISA Server started checking the access rules. <Rule evaluation (note that the source is moved from the Web proxy to the Firewall service).> |
2008-04-22 10:16:20 |
28 |
057c5086 057c5089 |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-04-22 10:16:20 |
29 |
057c5086 057c5089 |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-04-22 10:16:20 |
30 |
057c5086 057c5089 |
Firewall service |
Protocol: HTTP |
2008-04-22 10:16:20 |
31 |
057c5086 057c5089 |
Firewall Engine |
Packet properties: Source IP address: 40.0.11.1 Source array network: Internal Destination IP address: 70.0.11.1 Destination array network: External |
2008-04-22 10:16:20 |
32 |
057c5086 057c5089 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-04-22 10:16:20 |
33 |
057c5086 057c5089 |
Firewall service |
ISA Server is evaluating the rule [System] "Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites." |
2008-04-22 10:16:20 |
34 |
057c5086 057c5089 |
Firewall service |
Source does not match the packet. |
2008-04-22 10:16:20 |
35 |
057c5086 057c5089 |
Firewall service |
ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-04-22 10:16:20 |
36 |
057c5086 057c5089 |
Firewall service |
Source does not match the packet. |
2008-04-22 10:16:20 |
37 |
057c5086 057c5089 |
Firewall service |
ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers. |
2008-04-22 10:16:20 |
38 |
057c5086 057c5089 |
Firewall service |
The source port does not match the rule. |
2008-04-22 10:16:20 |
39 |
057c5086 057c5089 |
Firewall service |
ISA Server is evaluating the rule Allow web traffic for internal clients. |
2008-04-22 10:16:20 |
40 |
057c5086 057c5089 |
Firewall service |
The rule Allow web traffic for internal clients matches the packet. The packet is allowed. |
2008-04-22 10:16:20 |
41 |
057c5086 057c5089 |
Firewall service |
The rule Allow web traffic for internal clients allowed the packet. <The packet is allowed.> |
2008-04-22 10:16:20 |
42 |
057c5086 057c5089 |
Web Proxy |
The access rule Allow web traffic for internal clients allows the Web request. |
2008-04-22 10:16:20 |
43 |
057c5086 057c5089 |
Web Proxy |
ISA Server started to check the Web chaining rules. |
2008-04-22 10:16:20 |
44 |
057c5086 057c5089 |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 70.0.11.1 in the packet. |
2008-04-22 10:16:20 |
45 |
057c5086 057c5089 |
Firewall service |
The Web chaining rule Default rule matches the packet. |
2008-04-22 10:16:20 |
46 |
057c5086 057c5089 |
Web Proxy |
The packet matches the Web chaining rule Default rule. |
2008-04-22 10:16:20 |
47 |
057c5086 057c5089 |
Web Proxy |
ISA Server is forwarding the Web request directly to the specified destination. |
2008-04-22 10:16:20 |
48 |
057c5086 057c5089 |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 70.0.11.1 in the Web request. <ISA Server is checking the cache rules.> |
2008-04-22 10:16:20 |
49 |
057c5086 057c5089 |
Firewall service |
Rule does not match the packet. |
2008-04-22 10:16:20 |
50 |
057c5086 057c5089 |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-04-22 10:16:20 |
51 |
057c5086 057c5089 |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-04-22 10:16:20 |
52 |
057c5086 057c5089 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-04-22 10:16:20 |
53 |
057c5086 057c5089 |
Web Proxy |
ISA Server will connect to the Web server anet-srv on the IP address 70.0.11.1 and port 80. <Traffic is passed to the Web server.> |
2008-04-22 10:16:20 |
54 |
057c5086 057c5089 |
Web Proxy |
ISA Server is forwarding the request to the target host server for the path /. |
2008-04-22 10:16:20 |
55 |
057c5086 057c5089 |
Web Proxy |
Web response properties: Response status: 200 Response MIME content type: text/html Response Via header: NULL HTTP Server header: Microsoft-IIS/5.0 <A 200 OK status message is issued. The traffic is passed.> |
2008-04-22 10:16:21 |
56 |
057c5086 057c508a |
Web Proxy |
HTTP method: GET <Another request is made for pagerror.gif. This requires another pass through the ISA Server chain.> |
2008-04-22 10:16:21 |
57 |
057c5086 057c508a |
Web Proxy |
ISA Server started checking the policy rules for a Web request with the target path /pagerror.gif. |
2008-04-22 10:16:21 |
58 |
057c5086 057c508a |
Web Proxy |
The connected client LOCAL-DOMAIN\cadmin1 was authenticated. |
2008-04-22 10:16:21 |
59 |
057c5086 057c508a |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv. |
2008-04-22 10:16:21 |
60 |
057c5086 057c508a |
Web Proxy |
ISA Server succeeded to perform DNS name resolution for the host name h_name: anet-srv h_aliases: h_addr_list: 70.0.11.1. |
2008-04-22 10:16:21 |
61 |
057c5086 057c508a |
Web Proxy |
ISA Server started checking the access rules. |
2008-04-22 10:16:21 |
62 |
057c5086 057c508a |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-04-22 10:16:21 |
63 |
057c5086 057c508a |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-04-22 10:16:21 |
64 |
057c5086 057c508a |
Firewall service |
Protocol: HTTP |
2008-04-22 10:16:21 |
65 |
057c5086 057c508a |
Firewall Engine |
Packet properties: Source IP address: 40.0.11.1 Source array network: Internal Destination IP address: 70.0.11.1 Destination array network: External |
2008-04-22 10:16:21 |
66 |
057c5086 057c508a |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-04-22 10:16:21 |
67 |
057c5086 057c508a |
Firewall service |
ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-04-22 10:16:21 |
68 |
057c5086 057c508a |
Firewall service |
Source does not match the packet. |
2008-04-22 10:16:21 |
69 |
057c5086 057c508a |
Firewall service |
ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-04-22 10:16:21 |
70 |
057c5086 057c508a |
Firewall service |
Source does not match the packet. |
2008-04-22 10:16:21 |
71 |
057c5086 057c508a |
Firewall service |
ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers. |
2008-04-22 10:16:21 |
72 |
057c5086 057c508a |
Firewall service |
The source port does not match the rule. |
2008-04-22 10:16:21 |
73 |
057c5086 057c508a |
Firewall service |
ISA Server is evaluating the rule Allow web traffic for internal clients. |
2008-04-22 10:16:21 |
74 |
057c5086 057c508a |
Firewall service |
The rule Allow web traffic for internal clients matches the packet. The packet is allowed. |
2008-04-22 10:16:21 |
75 |
057c5086 057c508a |
Firewall service |
The rule Allow web traffic for internal clients allowed the packet. |
2008-04-22 10:16:21 |
76 |
057c5086 057c508a |
Web Proxy |
The access rule Allow web traffic for internal clients allows the Web request. |
2008-04-22 10:16:21 |
77 |
057c5086 057c508a |
Web Proxy |
ISA Server started to check the Web chaining rules. |
2008-04-22 10:16:21 |
78 |
057c5086 057c508a |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 70.0.11.1 in the packet. |
2008-04-22 10:16:21 |
79 |
057c5086 057c508a |
Firewall service |
The Web chaining rule Default rule matches the packet. |
2008-04-22 10:16:21 |
80 |
057c5086 057c508a |
Web Proxy |
The packet matches the Web chaining rule Default rule. |
2008-04-22 10:16:21 |
81 |
057c5086 057c508a |
Web Proxy |
ISA Server is forwarding the Web request directly to the specified destination. |
2008-04-22 10:16:21 |
82 |
057c5086 057c508a |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 70.0.11.1 in the Web request. |
2008-04-22 10:16:21 |
83 |
057c5086 057c508a |
Firewall service |
Rule does not match the packet. |
2008-04-22 10:16:21 |
84 |
057c5086 057c508a |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-04-22 10:16:21 |
85 |
057c5086 057c508a |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-04-22 10:16:21 |
86 |
057c5086 057c508a |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-04-22 10:16:21 |
87 |
057c5086 057c508a |
Web Proxy |
ISA Server will connect to the Web server anet-srv on the IP address 70.0.11.1 and port 80. |
2008-04-22 10:16:21 |
88 |
057c5086 057c508a |
Web Proxy |
ISA Server is forwarding the request to the target host server for the path /pagerror.gif. |
2008-04-22 10:16:21 |
89 |
057c5086 057c508a |
Web Proxy |
Web response properties: Response status: 304 Response MIME content type: NULL Response Via header: NULL HTTP Server header: Microsoft-IIS/5.0 <A 304 status message is received. The Web site was not modified by the Web server. Traffic is passed.> |
Troubleshooting reverse publishing where both links are HTTPS (to the ISA Server and Web server)
A diagnostic log sample shows the traffic flow from Web client to Web server, and the traffic is intercepted by ISA Server where both ISA Server and Web server require authenticated access. Authentication is validated by the RADIUS server. When a request is made by an authenticated user, ISA Server requests authentication from Web proxy for client request. The request succeeds.
Lab setup
Use the following lab scenario:
| Computer configuration | Computer name | IP address |
|---|---|---|
Web server |
Lcl-st |
40.0.202.1 |
Client |
Anet-srv |
70.0.11.1 |
ISA Server |
Fw-a2 |
40.0.2.1, 70.0.2.1 |
The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-04-22 13:35:59 |
158 |
057c50f0 |
Web Proxy |
Web Proxy properties: Client IP address: 70.0.11.1 Client port: 1398 Local IP address: 70.0.2.1 Local port: 443 SecureNAT client: false Web proxy client: false Inbound traffic: true <This is the initial request.> |
2008-04-22 13:36:01 |
159 |
057c50f0 057c50f1 |
Web Proxy |
HTTP method: GET |
2008-04-22 13:36:01 |
160 |
057c50f0 057c50f1 |
Web Proxy |
ISA Server started checking the policy rules for a Web request with the target path /. |
2008-04-22 13:36:01 |
161 |
057c50f0 057c50f1 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 401 (Unauthorized) or 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-04-22 13:36:01 |
162 |
057c50f0 057c50f1 |
Web Proxy |
ISA Server started checking Web publishing rules. |
2008-04-22 13:36:01 |
163 |
057c50f0 057c50f1 |
Firewall service |
ISA Server is evaluating the rule web publishing rule with radius auth. <During rule evaluation, the policy engine finds the Web publishing rule.> |
2008-04-22 13:36:01 |
164 |
057c50f0 057c50f1 |
Firewall service |
The rule does not match because the rule requires authentication and no user is specified in the packet. |
2008-04-22 13:36:01 |
165 |
057c50f0 057c50f1 |
Firewall service |
ISA Server denied a request because policy rule web publishing rule with radius auth requires authentication before allowing traffic. |
2008-04-22 13:36:01 |
166 |
057c50f0 057c50f1 |
Firewall service |
The rule web publishing rule with radius auth requires user authentication for evaluation. |
2008-04-22 13:36:01 |
167 |
057c50f0 057c50f1 |
Firewall service |
The listener on the IP address 70.0.2.1 accepted the request. |
2008-04-22 13:36:01 |
168 |
057c50f0 057c50f1 |
Firewall service |
ISA Server is looking for a deny access rule that matches traffic from the source to the destination. |
2008-04-22 13:36:01 |
169 |
057c50f0 057c50f1 |
Firewall service |
ISA Server is looking for a rule that is associated with the protocol HTTPS. |
2008-04-22 13:36:01 |
170 |
057c50f0 057c50f1 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTPS. |
2008-04-22 13:36:01 |
171 |
057c50f0 057c50f1 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-04-22 13:36:01 |
172 |
057c50f0 057c50f1 |
Firewall service |
The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet. <While failing to authenticate, ISA Server gives the client another chance to authenticate.> |
2008-04-22 13:36:01 |
173 |
057c50f0 057c50f1 |
Web Proxy |
The Web publishing rule web publishing rule with radius auth requires client authentication. |
2008-04-22 13:36:01 |
174 |
057c50f0 057c50f1 |
Web Proxy |
ISA Server denied the request with the following error: 0x00002FB1. |
2008-04-22 13:36:01 |
175 |
057c50f0 057c50f1 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-04-22 13:36:01 |
176 |
057c50f0 057c50f1 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-04-22 13:36:01 |
177 |
057c50f0 057c50f1 |
Web Proxy |
ISA Server cannot authenticate the client because the client's request does not contain Proxy-Authorization or Authorization headers. |
2008-04-22 13:36:01 |
178 |
057c50f0 057c50f1 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 401 and will return the following error message to the Web client. "The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)" <Here, ISA Server sends the required 401 authentication to the external Web client.> |
2008-04-22 13:36:01 |
179 |
057c50f0 057c50f1 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-04-22 13:36:13 |
530 |
057c50f0 057c50f2 |
Web Proxy |
HTTP method: GET |
2008-04-22 13:36:13 |
531 |
057c50f0 057c50f2 |
Web Proxy |
ISA Server started checking the policy rules for a Web request with the target path /. |
2008-04-22 13:36:13 |
532 |
057c50f0 057c50f2 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 401 (Unauthorized) or 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-04-22 13:36:13 |
533 |
057c50f0 057c50f2 |
Web Proxy |
ISA Server started checking Web publishing rules. |
2008-04-22 13:36:13 |
534 |
057c50f0 057c50f2 |
Firewall service |
ISA Server is evaluating the rule web publishing rule with radius auth. |
2008-04-22 13:36:13 |
535 |
057c50f0 057c50f2 |
Firewall service |
The rule does not match because the rule requires authentication and no user is specified in the packet. |
2008-04-22 13:36:13 |
536 |
057c50f0 057c50f2 |
Firewall service |
ISA Server denied a request because policy rule web publishing rule with radius auth requires authentication before allowing traffic. |
2008-04-22 13:36:13 |
537 |
057c50f0 057c50f2 |
Firewall service |
The rule web publishing rule with radius auth requires user authentication for evaluation. |
2008-04-22 13:36:13 |
538 |
057c50f0 057c50f2 |
Firewall service |
The listener on the IP address 70.0.2.1 accepted the request. |
2008-04-22 13:36:13 |
539 |
057c50f0 057c50f2 |
Firewall service |
ISA Server is looking for a deny access rule that matches traffic from the source to the destination. |
2008-04-22 13:36:13 |
540 |
057c50f0 057c50f2 |
Firewall service |
ISA Server is looking for a rule that is associated with the protocol HTTPS. |
2008-04-22 13:36:13 |
541 |
057c50f0 057c50f2 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTPS. |
2008-04-22 13:36:13 |
542 |
057c50f0 057c50f2 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-04-22 13:36:13 |
543 |
057c50f0 057c50f2 |
Firewall service |
The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet. |
2008-04-22 13:36:13 |
544 |
057c50f0 057c50f2 |
Web Proxy |
The Web publishing rule web publishing rule with radius auth requires client authentication. |
2008-04-22 13:36:13 |
545 |
057c50f0 057c50f2 |
Web Proxy |
ISA Server denied the request with the following error: 0x00002FB1. |
2008-04-22 13:36:13 |
546 |
057c50f0 057c50f2 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-04-22 13:36:13 |
547 |
057c50f0 057c50f2 |
Web Proxy |
ISA Server tries to authenticate connected client <Here, ISA Server calls the RADIUS server and checks user authentication (see records at the end of this log).> |
2008-04-22 13:36:15 |
557 |
057c50f0 057c50f2 |
Web Proxy |
RADIUS authentication failed because user local-domain\cadmin1 could not be authenticated by the RADIUS server <Authentication fails because the password supplied is incorrect.> |
2008-04-22 13:36:15 |
558 |
057c50f0 057c50f2 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-04-22 13:36:15 |
559 |
057c50f0 057c50f2 |
Web Proxy |
Authentication failed. Error = The specified network password is not correct. |
2008-04-22 13:36:15 |
560 |
057c50f0 057c50f2 |
Web Proxy |
ISA Server rejected the request with the HTTP status code 401 and will return the following error message to the Web client. "The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)" <ISA Server returns 401. Authentication failed.> |
2008-04-22 13:36:15 |
561 |
057c50f0 057c50f2 |
Web Proxy |
Authentication failed. Error = 0x00002FB1 |
2008-04-22 13:36:17 |
590 |
057c50f0 057c50f3 |
Web Proxy |
HTTP method: GET <Here, the client tries to access the Web server again.> |
2008-04-22 13:36:17 |
591 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server started checking the policy rules for a Web request with the target path /. |
2008-04-22 13:36:17 |
592 |
057c50f0 057c50f3 |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 401 (Unauthorized) or 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-04-22 13:36:17 |
593 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server started checking Web publishing rules. |
2008-04-22 13:36:17 |
594 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is evaluating the rule web publishing rule with radius auth. |
2008-04-22 13:36:17 |
595 |
057c50f0 057c50f3 |
Firewall service |
The rule does not match because the rule requires authentication and no user is specified in the packet. |
2008-04-22 13:36:17 |
596 |
057c50f0 057c50f3 |
Firewall service |
ISA Server denied a request because policy rule web publishing rule with radius auth requires authentication before allowing traffic. |
2008-04-22 13:36:17 |
597 |
057c50f0 057c50f3 |
Firewall service |
The rule web publishing rule with radius auth requires user authentication for evaluation. |
2008-04-22 13:36:17 |
598 |
057c50f0 057c50f3 |
Firewall service |
The listener on the IP address 70.0.2.1 accepted the request. |
2008-04-22 13:36:17 |
599 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is looking for a deny access rule that matches traffic from the source to the destination. |
2008-04-22 13:36:17 |
600 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is looking for a rule that is associated with the protocol HTTPS. |
2008-04-22 13:36:17 |
601 |
057c50f0 057c50f3 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTPS. |
2008-04-22 13:36:17 |
602 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-04-22 13:36:17 |
603 |
057c50f0 057c50f3 |
Firewall service |
The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet. |
2008-04-22 13:36:17 |
604 |
057c50f0 057c50f3 |
Web Proxy |
The Web publishing rule web publishing rule with radius auth requires client authentication. |
2008-04-22 13:36:17 |
605 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server denied the request with the following error: 0x00002FB1. |
2008-04-22 13:36:17 |
606 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-04-22 13:36:17 |
607 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server tries to authenticate connected client |
2008-04-22 13:36:17 |
608 |
057c50f0 057c50f3 |
Web Proxy |
An ISA Server authentication Web filter is handling client authentication. |
2008-04-22 13:36:17 |
609 |
057c50f0 057c50f3 |
Web Proxy |
User name: local-domain\cadmin1 |
2008-04-22 13:36:17 |
610 |
057c50f0 057c50f3 |
Web Proxy |
User namespace: RADIUS |
2008-04-22 13:36:17 |
611 |
057c50f0 057c50f3 |
Web Proxy |
Authentication succeeded. |
2008-04-22 13:36:17 |
612 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server started checking the policy rules for a Web request with the target path /. |
2008-04-22 13:36:17 |
613 |
057c50f0 057c50f3 |
Web Proxy |
The connected client local-domain\cadmin1 was authenticated. |
2008-04-22 13:36:17 |
614 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server started checking Web publishing rules. |
2008-04-22 13:36:17 |
615 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is evaluating the rule web publishing rule with radius auth. |
2008-04-22 13:36:17 |
616 |
057c50f0 057c50f3 |
Firewall service |
The rule web publishing rule with radius auth matches the packet. The packet is allowed. |
2008-04-22 13:36:17 |
617 |
057c50f0 057c50f3 |
Firewall service |
The listener on the IP address 70.0.2.1 accepted the request. |
2008-04-22 13:36:17 |
618 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is looking for a deny access rule that matches traffic from the source to the destination. |
2008-04-22 13:36:17 |
619 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is looking for a rule that is associated with the protocol HTTPS. |
2008-04-22 13:36:17 |
620 |
057c50f0 057c50f3 |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTPS. |
2008-04-22 13:36:17 |
621 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is evaluating the rule Default rule. |
2008-04-22 13:36:17 |
622 |
057c50f0 057c50f3 |
Firewall service |
The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet. |
2008-04-22 13:36:17 |
623 |
057c50f0 057c50f3 |
Web Proxy |
The Web publishing rule web publishing rule with radius auth will allow the Web request. |
2008-04-22 13:36:17 |
624 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server is performing DNS name resolution for the host name lcl-st. |
2008-04-22 13:36:17 |
625 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server succeeded to perform DNS name resolution for the host name h_name: lcl-st.Local-Domain.Net h_aliases: h_addr_list: 40.0.202.1. |
2008-04-22 13:36:17 |
626 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server started to check the Web chaining rules. |
2008-04-22 13:36:17 |
627 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 40.0.202.1 in the packet. |
2008-04-22 13:36:17 |
628 |
057c50f0 057c50f3 |
Firewall service |
The Web chaining rule Default rule matches the packet. |
2008-04-22 13:36:17 |
629 |
057c50f0 057c50f3 |
Web Proxy |
The packet matches the Web chaining rule Default rule. |
2008-04-22 13:36:17 |
630 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server is forwarding the Web request directly to the specified destination. |
2008-04-22 13:36:17 |
631 |
057c50f0 057c50f3 |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 40.0.202.1 in the Web request. |
2008-04-22 13:36:17 |
632 |
057c50f0 057c50f3 |
Firewall service |
Rule does not match the packet. |
2008-04-22 13:36:17 |
633 |
057c50f0 057c50f3 |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-04-22 13:36:17 |
634 |
057c50f0 057c50f3 |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-04-22 13:36:17 |
635 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-04-22 13:36:17 |
636 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server will connect to the Web server lcl-st on the IP address 40.0.202.1 and port 443. |
2008-04-22 13:36:17 |
637 |
057c50f0 057c50f3 |
Web Proxy |
ISA Server is forwarding the request to the target host server for the path /. |
2008-04-22 13:36:17 |
638 |
057c50f0 057c50f3 |
Web Proxy |
Target Host header: lcl-st |
2008-04-22 13:36:17 |
639 |
057c50f0 057c50f3 |
Web Proxy |
Web response properties: Response status: 304 Response MIME content type: NULL Response Via header: NULL HTTP Server header: Microsoft-IIS/6.0 <A 304 status message is received. The Web site was not modified by the Web server.> |
Troubleshooting a slow connection to a Web site
A diagnostic log sample shows the traffic flow from client to external Web server, and the traffic is intercepted by a downstream ISA Server and an upstream ISA Server.
Lab setup
Use the following lab scenario:
| Type | Computer name | IP address |
|---|---|---|
External Web server |
Anet-srv |
70.0.11.1 |
Internal client |
lcl-clt1 |
40.0.11.1 |
ISA Server - downstream |
Fw-a1 |
40.0.1.1, 41.0.101.1 |
ISA Server – upstream |
Fw-a2 |
41.0.102.1, 70.0.2.1 |
The relevant entries are in bold and followed by comments between the <>.
Time |
Record number |
Context |
Log source |
Message |
2008-04-22 15:45:25 |
45 |
0ca80afe |
Web Proxy |
Web Proxy properties: Client IP address: 40.0.11.1 Client port: 1666 Local IP address: 40.0.1.1 Local port: 8080 SecureNAT client: false Web proxy client: true Inbound traffic: false <This is the initial request.> |
2008-04-22 15:45:25 |
46 |
0ca80afe 0ca80aff |
Web Proxy |
HTTP method: GET |
2008-04-22 15:45:25 |
47 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server started checking the policy rules for a Web request with the target path /. |
2008-04-22 15:45:25 |
48 |
0ca80afe 0ca80aff |
Web Proxy |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 401 (Unauthorized) or 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
2008-04-22 15:45:25 |
49 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv. |
2008-04-22 15:45:25 |
50 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server failed to perform DNS name resolution and will attempt to continue with the available information. Error: No such host is known. |
2008-04-22 15:45:25 |
51 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server started checking the access rules. |
2008-04-22 15:45:25 |
52 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-04-22 15:45:25 |
53 |
0ca80afe 0ca80aff |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-04-22 15:45:25 |
54 |
0ca80afe 0ca80aff |
Firewall service |
Protocol: HTTP |
2008-04-22 15:45:25 |
55 |
0ca80afe 0ca80aff |
Firewall Engine |
Packet properties: Source IP address: 40.0.11.1 Source array network: Internal Destination IP address: 0.0.0.0 Destination array network: |
2008-04-22 15:45:25 |
56 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-04-22 15:45:25 |
57 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-04-22 15:45:25 |
58 |
0ca80afe 0ca80aff |
Firewall service |
Source does not match the packet. |
2008-04-22 15:45:25 |
59 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-04-22 15:45:25 |
60 |
0ca80afe 0ca80aff |
Firewall service |
Source does not match the packet. |
2008-04-22 15:45:25 |
61 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers. |
2008-04-22 15:45:25 |
62 |
0ca80afe 0ca80aff |
Firewall service |
The source port does not match the rule. |
2008-04-22 15:45:25 |
63 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule allow http. |
2008-04-22 15:45:25 |
64 |
0ca80afe 0ca80aff |
Firewall service |
The destination requires name resolution. |
2008-04-22 15:45:25 |
65 |
0ca80afe 0ca80aff |
Firewall service |
The rule allow http requires name resolution for evaluation. |
2008-04-22 15:45:25 |
66 |
0ca80afe 0ca80aff |
Firewall service |
The rule allow http requires DNS name resolution. |
2008-04-22 15:45:25 |
67 |
0ca80afe 0ca80aff |
Web Proxy |
The access rule allow http denies the Web request. |
2008-04-22 15:45:25 |
68 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server attempted to evaluate the policy rules without resolving the name of the requested destination. Name resolution will now commence. |
2008-04-22 15:45:25 |
69 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server is performing DNS name resolution for the host name anet-srv. |
2008-04-22 15:45:39 |
704 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server failed to perform DNS name resolution and will attempt to continue with the available information. Error: The requested name is valid, but no data of the requested type was found. <The downstream ISA Server failed to resolve the name "anet-srv". After a 15-second timeout, traffic was uploaded to the upstream ISA Server. The upstream ISA Server was able to resolve the name.> |
2008-04-22 15:45:39 |
705 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server started to check the Web chaining rules. <Web chaining rules are checked to see where traffic can be redirected.> |
2008-04-22 15:45:39 |
706 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is looking for a Web chaining rule that matches the destination 0.0.0.0 in the packet. |
2008-04-22 15:45:39 |
707 |
0ca80afe 0ca80aff |
Firewall service |
The Web chaining rule fw-a2 matches the packet. |
2008-04-22 15:45:39 |
708 |
0ca80afe 0ca80aff |
Web Proxy |
The packet matches the Web chaining rule fw-a2. |
2008-04-22 15:45:39 |
709 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server will assume that the destination is in the External network because the destination name cannot be resolved. ISA Server will recheck the access rules. |
2008-04-22 15:45:39 |
710 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
2008-04-22 15:45:39 |
711 |
0ca80afe 0ca80aff |
Firewall service |
The Firewall service is performing rule evaluation. |
2008-04-22 15:45:39 |
712 |
0ca80afe 0ca80aff |
Firewall service |
Protocol: HTTP |
2008-04-22 15:45:39 |
713 |
0ca80afe 0ca80aff |
Firewall Engine |
Packet properties: Source IP address: 40.0.11.1 Source array network: Internal Destination IP address: 0.0.0.0 Destination array network: External |
2008-04-22 15:45:39 |
714 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server will check only rules that are associated with the protocol HTTP. |
2008-04-22 15:45:39 |
715 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule [System] Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites. |
2008-04-22 15:45:39 |
716 |
0ca80afe 0ca80aff |
Firewall service |
Source does not match the packet. |
2008-04-22 15:45:39 |
717 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule [System] Allow HTTP/HTTPS requests from ISA Server to specified sites. |
2008-04-22 15:45:39 |
718 |
0ca80afe 0ca80aff |
Firewall service |
Source does not match the packet. |
2008-04-22 15:45:39 |
719 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule [System] Allow MS Firewall Control communication to selected computers. |
2008-04-22 15:45:39 |
720 |
0ca80afe 0ca80aff |
Firewall service |
The source port does not match the rule. |
2008-04-22 15:45:39 |
721 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is evaluating the rule allow http. |
2008-04-22 15:45:39 |
722 |
0ca80afe 0ca80aff |
Firewall service |
The rule allow http matches the packet. The packet is allowed. |
2008-04-22 15:45:39 |
723 |
0ca80afe 0ca80aff |
Firewall service |
The rule allow http allowed the packet. |
2008-04-22 15:45:39 |
724 |
0ca80afe 0ca80aff |
Web Proxy |
The access rule allow http allows the Web request. |
2008-04-22 15:45:39 |
725 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server is redirecting the request to an upstream proxy server. |
2008-04-22 15:45:39 |
726 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server will send request to the upstream proxy server fw-a2, which is not an array. |
2008-04-22 15:45:39 |
727 |
0ca80afe 0ca80aff |
Firewall service |
ISA Server is looking for a cache rule that matches the destination 0.0.0.0 in the Web request. |
2008-04-22 15:45:39 |
728 |
0ca80afe 0ca80aff |
Firewall service |
Rule does not match the packet. |
2008-04-22 15:45:39 |
729 |
0ca80afe 0ca80aff |
Firewall service |
The cache rule Default rule matches the Web request. |
2008-04-22 15:45:39 |
730 |
0ca80afe 0ca80aff |
Web Proxy |
The Web request matches the cache rule Default rule. |
2008-04-22 15:45:39 |
731 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server completed checking the policy rules for the Web request. |
2008-04-22 15:45:39 |
732 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server will connect to the Web server fw-a2 on the IP address 40.0.2.1 and port 8080. |
2008-04-22 15:45:39 |
733 |
0ca80afe 0ca80aff |
Web Proxy |
ISA Server is forwarding the request to the target host server for the path https://anet-srv/. |
2008-04-22 15:45:39 |
734 |
0ca80afe 0ca80aff |
Web Proxy |
Web response properties: Response status: 200 Response MIME content type: text/html Response Via header: 1.1 FW-A2 HTTP Server header: Microsoft-IIS/5.0 <A 200 OK status message is issued. The traffic has passed.> |