I still haven’t found any decent solution to the compression, but I did find a solution to publishing NTLM websites. Basically, ISA 2004 didn’t have any pre-authentication, where ISA 2006 does. Why I wasn’t experiencing any of this on my websites was because the ISA machine is on the same domain. In order to fix this, I had to use LDAP pre-authentication. I used part of an article posted on isaserver.org. It got me working to a certain extent, but then I had to play with it a little bit more. No big deal, it’s all working now.
Now just to fix the compression part…
As I noted over at aaron spruit (.com), I had a few problems with the (new) ISA server. Last weekend I finally got around to upgrading to ISA 2006. I’ve had the bits for awhile, but I never actually took the time to install it.
Anyways, there were problems right off the bat. I successfully backed up all of the ISA 2004 configurations, however, going from ISA 2004 EE to ISA 2006 EE (single box setup) isn’t possible in a nice upgrade path. The configuration store for ISA has to be completely uninstalled and then reinstalled, but the rest can be simply upgraded. So a complete uninstall and reinstall was required. No big deal, as I had the export.
Install ISA 2006, not a problem, and then attempt to import the settings from ISA 2004, no luck. Well, not a big deal, it’s not like the configuration is that complex. I get everything setup minus Aaron’s OWA because it’s not cooperating, and then leave it at that.
On Tuesday it appeared as if the internet had gone out at the compound as neither of us were able to access any hosted websites. When I finally get home, I make sure that our IP address hadn’t changed or anything, and I was able to get out just fine. It seemed odd, so I logged into the ISA box to find that it was denying people. I attempt to stop the firewall service, but it hangs in the stopping state, so I just restart the machine. It comes back online, and all is fine. Later I look into the event logs and see the following two events repeated whenever someone hit a website starting at around 1PM CST.
Event Type: Warning
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 23001
Date: 11/7/2006
Time: 8:27:02 PM
User: N/A
Computer: RBLPN-ISA
Description:
ISA Server was unable to compress a response body from http://www.rebelpeon.com because the following error occurred: Unspecified error
. This error generally occurs because the available memory is insufficient for completing the compression process.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 23006
Date: 11/7/2006
Time: 8:27:02 PM
User: N/A
Computer: RBLPN-ISA
Description:
The Compression filter cannot handle a response because the allocated memory currently used for compression reached its limit. The memory allocated for compression is specified by the following registry values under the HKLM\Software\Microsoft\RAT\Stingray\Debug\W3Filter key: COMPRESS_MEMORY_ALLOC_MBYTES (by default, 256) and COMPRESS_MEMORY_POOL_BLOCKS (by default, 200).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Does anyone have any idea why this would be happening? Obviously I could go in and change the default settings, but wouldn’t that just stand to reason it would extend the window that ISA serves website requests? When creating a web publishing rule, the default is to have compression enabled. Heck, I want it enabled, since it works with OWA now too. But why isn’t it releasing any of this memory? It’s not as though the four or five websites hosted here receive that much traffic.
As of now, compression has been disabled, but there’s still one other problem that remains, Aaron’s OWA. I can’t get ISA 2006 to function the same as 2004 with respect to his OWA site. Before, I set up a simple web publishing rule that forwarded requests that hit his OWA external site to the internal one. He uses Windows Auth on it, and 2004 handled this fine. Now, with 2006, I can’t get it to do NTLM pass-through. I can either get it to deny the website because it requires authentication, or I can get it to prompt you with the challenge, but the challenge is for credentials used on the ISA box, not on his OWA box (different domain). All I want is for it to allow the authentication challenge to pass through. How else are you supposed to have Windows Auth secured websites sit behind the ISA 2006 box when they’re on a different domain, or a standalone machine?