Troubleshooting ISA Client Problems


Many ISA-related problems, even if they result from misconfiguration on the server side, manifest themselves on the client side. In the following sections, we discuss some common client problems and how you can resolve them. These problems include:

  • Client performance problems

  • Client connection problems

Client Performance Problems

Performance problems at the client end are often caused by configuration problems on the ISA server. The origin of the slow client connections might vary, depending on the client type. In the next sections, we look at possible causes and fixes for slow client connections involving SecureNAT clients and firewall clients.

Slow Client Connection: SecureNAT Clients

If SecureNAT (S-NAT) connections are slow, a common cause is that IP packet filtering has not been enabled on the ISA server.

You can solve this problem by enabling IP packet filtering. If IP routing is enabled (either in RRAS or in the ISA console), you should enable dynamic packet filtering.

Note

You will see the terms IP routing and IP forwarding used interchangeably in Microsoft and other documentation and even in different dialog boxes on Microsoft products. The meanings of the two terms are the same.

To enable packet filtering, expand the name of the server or array in the left console pane of the ISA Management MMC, expand Access Policy, and right-click IP Packet Filters; select Properties. Check the Enable packet filtering check box on the General tab of the Properties sheet. To enable IP routing, check the Enable IP routing check box on the same sheet, as shown in Figure 26.13.

Figure 26.13: You Can Enable IP Packet Filtering and IP Routing to Improve S-NAT Performance

Note that if IP routing is enabled through the Windows 2000 RRAS console on the ISA server, IP forwarding is active regardless of whether the Enable IP routing check box on the IP Packet Filters Properties sheet is checked; the RRAS setting takes effect on its own, so check both places when you audit the configuration.

Slow Internal Connections: Firewall Clients

If internal connections are inordinately slow for firewall clients, the likely cause is that the clients are trying to resolve local (internal) names through an external DNS server that has no records for them. Each request to that server must time out before the client falls back to another name resolution method, and that timeout is what the user experiences as a slow connection.

The solution is to configure an internal DNS server that holds records for the names and addresses of all clients on the internal network, and to point the firewall clients at that internal DNS server. Name resolution requests for external hosts are then handled by the ISA Server computer on the client's behalf, and clients are no longer delayed waiting for a response from a DNS server that cannot resolve the internal names.

If packet filtering is enabled, you should also create an IP packet filter based on the predefined DNS Lookup filter. This allows the ISA server itself to send DNS queries for the names of external hosts on the Internet. If your internal DNS servers are configured as forwarders and handle external resolution themselves, this filter might not be necessary.

Client Connection Problems

Client connection problems can take many forms. The inability of clients to connect can be caused by a variety of circumstances, including misconfiguration of the client or of the ISA server. In the following sections, we look at several scenarios in which clients are unable to connect, including:

  • Inability of clients to connect via modem

  • Inability of SecureNAT clients to connect to the Internet

  • Inability of clients to connect to external SSL sites

  • Inability of SecureNAT clients to connect using computer names

  • Inability of SecureNAT clients to connect to a specific port due to a timeout

Inability of Clients to Connect Via Modem

Client machines running the firewall client software cannot dial out directly to the Internet; this is a security feature.

To solve this problem, you must disable the firewall client. To do so, in Start | Settings | Control Panel, open the Firewall Client applet (shown in Figure 26.14). Uncheck the Enable Firewall Client check box to allow the client to dial out directly via the modem. Keep in mind that while the client is disabled, that machine's Internet traffic bypasses the ISA server's rules and logging entirely; re-enable the Firewall Client as soon as the direct dial-up connection is no longer needed.

Figure 26.14: Disable the Firewall Client to Allow Direct Dial-Out from the Machine

Inability of SecureNAT Clients to Connect to the Internet

SecureNAT clients cannot connect to the Internet through the ISA server unless their default gateway and DNS server are configured correctly. The default gateway must be the ISA server's internal interface (or a router whose default route leads to it), and the DNS server must be able to resolve Internet names. Check these settings in the client's TCP/IP properties.

Inability of Clients to Connect to External SSL Sites

If a client attempts to connect to a secure site via the Web Proxy Service, the data must be encrypted end to end. This means that ISA Server must create an SSL tunnel for the traffic to pass through. Because ISA Server only allows tunnel connections on ports 443 and 563 by default, if a client tries to connect to a secure site using a different port, the connection attempt will fail.

The solution is to use the ISA administration COM objects to add the required port to the tunnel port range collection; the object involved is FPCTunnelPortRange. A sample VBScript for adding ports to the tunnel port range is available in the ISA SDK.

Instructions on how to modify the COM objects are available in the ISA Server SDK Help files. To access the Help files, run help.cmd in the sdk folder on the ISA Server CD-ROM.
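The following script is an added example, not the book's text or the SDK's own sample. It adds a single tunnel port so that Web Proxy clients can reach an HTTPS site on a non-standard port, and first enumerates the existing ranges so that running it twice does not create a duplicate. The port number 8443 and the range name are assumptions for illustration; the object path (FPC.Root, Arrays.GetContainingArray, ArrayPolicy.WebProxy.TunnelPortRanges) and the AddRange, Save, TunnelLowPort and TunnelHighPort members are written from the ISA Server 2000 SDK as the author of this example understands them, so confirm them against the SDK Help before running this on a production array.

```vbscript
' Added example: extend the Web Proxy tunnel port range on the local array.
' Not from the book or the ISA SDK; object names are taken from the SDK as
' understood by the author of this example, and 8443 is an assumed port.
Option Explicit

Const NEW_RANGE_NAME = "HTTPS on 8443"   ' assumed label for the new range
Const LOW_PORT  = 8443                   ' assumed non-standard SSL port
Const HIGH_PORT = 8443                   ' a single port: low = high

Dim isa, tpranges, tpr, alreadyCovered

' FPC.Root is the entry point of the ISA administration COM objects;
' GetContainingArray returns the array this ISA server belongs to.
Set isa = CreateObject("FPC.Root")
Set tpranges = isa.Arrays.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges

' Enumerate what is already permitted (443 and 563 by default) and only add
' the new range if the port is not covered by an existing one.
alreadyCovered = False
For Each tpr In tpranges
    WScript.Echo "Existing range: " & tpr.Name & " (" & _
                 tpr.TunnelLowPort & "-" & tpr.TunnelHighPort & ")"
    If LOW_PORT >= tpr.TunnelLowPort And HIGH_PORT <= tpr.TunnelHighPort Then
        alreadyCovered = True
    End If
Next

If alreadyCovered Then
    WScript.Echo "Port " & LOW_PORT & " is already a permitted tunnel port; nothing to do."
Else
    ' AddRange(Name, LowPort, HighPort) creates the FPCTunnelPortRange;
    ' Save commits the modified array policy to ISA's configuration store.
    tpranges.AddRange NEW_RANGE_NAME, LOW_PORT, HIGH_PORT
    tpranges.Save
    WScript.Echo "Added tunnel port range " & LOW_PORT & "-" & HIGH_PORT
End If
```

Run it with cscript on the ISA server under an account that can administer the array, and check the product documentation for whether the Web Proxy service must be restarted before the new range takes effect. Each tunnel port you add is a port that any Web Proxy client may open a CONNECT tunnel to on any external host, and the proxy cannot inspect what flows through that tunnel, so add only the specific port the application needs rather than a broad range.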

Component Object Model (COM) is an object-oriented programming architecture and includes a set of operating system services. COM is intended by Microsoft to allow developers to create applications in a modular, building-block process. New programs can be built by reusing existing components. Distributed COM (DCOM) adds interfaces to distribute various components of an application to different computers in a network.

The Administration COM objects in ISA Server can be used by developers working with any programming language that supports COM. Some of the objects are used for programmatic monitoring of currently running services; most are used for programmatic configuration of internal ISA settings.

Developers can extend ISA's functionality by using scripting to access and control ISA via the administration COM objects. The ISA Server SDK contains instructions on using the administration objects with Visual Basic and with C++.

Inability of SecureNAT Clients to Connect Using Computer Names

If an S-NAT client can connect to Internet sites using the IP address but is not able to connect using the "friendly" computer name, this is likely due to the fact that the client is configured to use an internal DNS server, which cannot resolve external Internet domain names.

The best solution is to configure the DNS server to forward requests to an external DNS server on the Internet. Another solution is to configure the clients to use a different DNS server that forwards name resolution requests to an external DNS server.

Inability of SecureNAT Clients to Connect to a Specific Port Due to a Timeout

S-NAT clients could experience an inability to connect to specific ports because the connection times out, even though protocol rules are set to allow "any IP traffic."

This problem can occur if the application that is attempting to connect uses multiple ports. The solution in this case, if some of the ports are determined dynamically, is to use an application filter that specifies and defines the ports.

If the application does not use multiple ports, the problem might be that the protocol is not listed in the protocol definitions. In this case, you need to define a protocol in which the specific port is the primary port.

Note

You cannot edit protocol definitions that are installed with application filters (they can be deleted). You can neither modify nor delete protocol definitions included with ISA Server. You can edit protocol definitions that you have created (in other words, user-defined protocol definitions).

To create a new protocol definition, right-click Protocol Definitions in the left console pane of the ISA Management MMC, under the Policy Elements object for either the array or the enterprise. Select New and Protocol Definition. This invokes the Protocol Definition Wizard, which walks you through the steps. Specify the port (along with the protocol type and direction) for the primary connection on the Primary Connection Information page of the wizard.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
