Microsoft KB Archive/920715

= Web Proxy clients do not directly access a Web site that you enter in the &quot;Directly access these servers or domains&quot; list in ISA Server 2004 SP2 =

Article ID: 920715

Article Last Modified on 12/4/2007

-

APPLIES TO

 Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 2, when used with:  Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition

 Microsoft Internet Security and Acceleration Server 2004 Standard Edition 

-





SYMPTOMS
After you enter domain names in the Directly access these servers or domains list of the ISA Server Management tool on a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004 Service Pack 2 (SP2), you experience the following symptoms:
 * If the domain name is specified and if the list does not contain any IP address range, Web Proxy clients directly access the destination Web site.
 * If the domain name is specified and if the list contains an IP address range that does not include the IP address of the specified domain, Web Proxy client requests are proxied to the destination Web site.

You expect Web Proxy clients to directly access the domains that you specify in this list.

You experience this problem if the following conditions are true:
 * The Web Proxy client that accesses theURL is configured to use Windows Proxy Automatic Discovery (WPAD). By default, this script is obtained by using an http://wpad. . /wpad.dat request. For more information about the WPAD mechanism, see ISA Server Help.
 * The Web Proxy client that accesses the URL is configured to use an automatic configuration script. By default, this script is named /array.dll?Get.Routing.Script.
 * The Directly access these servers or domains list contains an IP address range.



CAUSE
This problem occurs because of a problem in the ISA Server 2004 SP2 routing script functionality.

The following behavior occurs:
 * If you add a domain to the Directly access these servers or domains list in ISA Server 2004 Service Pack 1 (SP1), the routing script returns a DIRECT result when you visit this URL. This behavior occurs regardless of whether an IP address range is listed in the Directly access these servers or domains list.
 * If you add a domain to the Directly access these servers or domains list in ISA Server 2004 SP2, and if the following conditions are true, the routing script returns a PROXY result when you visit this URL:
 * An IP address range is listed in the Directly access these servers or domains list.
 * The IP address of the domain that you added is not in this IP address range.
 * If you add a domain together with the IP address range of the domain to the Directly access these servers or domains list in ISA Server 2004 SP2, the routing script returns a DIRECT result when you visit this URL.



RESOLUTION
To resolve this problem, install the hotfix package that is mentioned in the following Microsoft Knowledge Base article:

920716 Description of the ISA Server 2004 hotfix package: June 6, 2006

After you install this hotfix, add the domains for which you want to specify direct access to the Directly access these servers or domains list. To do this, follow these steps:
 * 1) Start the ISA Server Management tool.
 * 2) Locate and then expand the Configuration node, and then click Networks.
 * 3) Click the Networks tab, right-click the network that you want to modify, and then click Properties. For example, right-click Internal, and then click Properties.
 * 4) Click the Web Browser tab, and then click Add to add the URL to the Directly access these servers or domains list.

Important You must specify the directly-accessed domain by using a specific syntax. When you add a URL to the Directly access these servers or domains list, you must append a forward slash character together with an asterisk (/*) to the URL. For example, to enable Web Proxy clients to directly access www.example.com, add the following URL to the Directly access these servers or domains list:

*.example.com/*

<div class="workaround_section">

WORKAROUND
To work around this problem, perform one of the following actions:
 * If you know the IP address of the destination domain, add the IP address range to the Directly access these servers or domains list.
 * Remove all the IP address ranges from the Directly access these servers or domains list.

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

903746 Changes that are made to the Cache Array Routing Protocol (CARP) in ISA Server 2004 Service Pack 2

Keywords: kbinfo kbbug kbfix kbqfe kbfirewall kbpubtypekc KB920715

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.