Local Connection only on Vista machine on SBS server w/ ISA 04

Hello,

I have a Vista Ultiumate desktop on a SBS 03 domain with ISA 04 running. I
have installed the Vista ISA Client.

When I log unto the Vista machine, it claims that I do not have full
internet connectivity, that I only have a local connection. I find this
strange, because I get to any web page through IE without any problems.

I followed the Troubleshooting Assistant that is part of Vista and I found
that the "Internet Connectivity test" involves pinging www.microsoft.com as
the test.

When I open a command prompt and run ping myself, I do not get a response
from any external web address.

Can someone help me figure out what I have done wrong in my install / setup
/ config of ISA on the server and of the local Vista machine?

Thanks in advance,
-Christopher DeMars
--
-Christopher DeMars

On Fri, 8 Feb 2008 10:21:01 -0800, ChristopherDeMars
<ChristopherDeMars@discussions.microsoft.com> wrote:

Not sure if this will solve your problem. But we'll give it a try:

>I have a Vista Ultiumate desktop on a SBS 03 domain with ISA 04 running. I
>have installed the Vista ISA Client.

A bit confusing, but with the ISA Firewall client, you're actually
running a super client that consists of:

* Firewall client
* Web Proxy
* SecureNAT

The Firewall client takes care of all types of tcp and udp, except:

>When I log unto the Vista machine, it claims that I do not have full
>internet connectivity, that I only have a local connection. I find this
>strange, because I get to any web page through IE without any problems.

web access (and web-based ftp)

>I followed the Troubleshooting Assistant that is part of Vista and I found
>that the "Internet Connectivity test" involves pinging www.microsoft.com as
>the test.

This is neither tcp/udp nor web. It's icmp, and that's handled by
SecureNAT.

>When I open a command prompt and run ping myself, I do not get a response
>from any external web address.

My guess is you're missing a rule for outbound SecureNAT.
You'll need to create an access rule in ISA for that.

>Can someone help me figure out what I have done wrong in my install / setup
>/ config of ISA on the server and of the local Vista machine?

1) Open ISA Management
2) Firewall Policy
3) Tasks, Create New Access Rule
4) Name: Secure NAT, click Next
5) Allow, Next
6) Applies to All outbound traffic, Next
7) Rule applies to Click Add, Networks, Internal, Add, Close Next
8) Click Add, Networks, External, Add, Close, Next
9) Leave All Users, Next
10) Finish
11) Apply

Now you have an access rule for SecureNAT. At least you'll be able to
ping the Internet.

jas

Thank you for your suggestion. This seem to have helped, but not solved the
problem. I am even more confused now than ever!!!

New problem: I can now ping SOME web sites. For instance when I ping
google.com, everything works fine. But when I ping microsoft.com, it doesn't
work!! Very strange. I have never seen a problem like this before!

ANy other suggestions?
--
-Christopher DeMars


"Jon-Alfred Smith" wrote:

> On Fri, 8 Feb 2008 10:21:01 -0800, ChristopherDeMars
> <ChristopherDeMars@discussions.microsoft.com> wrote:
>
> Not sure if this will solve your problem. But we'll give it a try:
>
> >I have a Vista Ultiumate desktop on a SBS 03 domain with ISA 04 running. I
> >have installed the Vista ISA Client.
>
> A bit confusing, but with the ISA Firewall client, you're actually
> running a super client that consists of:
>
> * Firewall client
> * Web Proxy
> * SecureNAT
>
> The Firewall client takes care of all types of tcp and udp, except:
>
> >When I log unto the Vista machine, it claims that I do not have full
> >internet connectivity, that I only have a local connection. I find this
> >strange, because I get to any web page through IE without any problems.
>
> web access (and web-based ftp)
>
> >I followed the Troubleshooting Assistant that is part of Vista and I found
> >that the "Internet Connectivity test" involves pinging www.microsoft.com as
> >the test.
>
> This is neither tcp/udp nor web. It's icmp, and that's handled by
> SecureNAT.
>
> >When I open a command prompt and run ping myself, I do not get a response
> >from any external web address.
>
> My guess is you're missing a rule for outbound SecureNAT.
> You'll need to create an access rule in ISA for that.
>
> >Can someone help me figure out what I have done wrong in my install / setup
> >/ config of ISA on the server and of the local Vista machine?
>
> 1) Open ISA Management
> 2) Firewall Policy
> 3) Tasks, Create New Access Rule
> 4) Name: Secure NAT, click Next
> 5) Allow, Next
> 6) Applies to All outbound traffic, Next
> 7) Rule applies to Click Add, Networks, Internal, Add, Close Next
> 8) Click Add, Networks, External, Add, Close, Next
> 9) Leave All Users, Next
> 10) Finish
> 11) Apply
>
> Now you have an access rule for SecureNAT. At least you'll be able to
> ping the Internet.
>
> jas
>

That is because some Firewalls deny pings and others don't. Google allows
ping, MS does not. Yahoo.com and Foxnews.com ping cnn.com doesn't

--
Frank McCallister SBS MVP
MCP Microsoft Small Business Specialist
COMPUMAC

"ChristopherDeMars" <ChristopherDeMars@discussions.microsoft.com> wrote in
message news:412B1371-705E-4E83-B149-891CF6D8A0A7@microsoft.com...
> Thank you for your suggestion. This seem to have helped, but not solved
> the
> problem. I am even more confused now than ever!!!
>
> New problem: I can now ping SOME web sites. For instance when I ping
> google.com, everything works fine. But when I ping microsoft.com, it
> doesn't
> work!! Very strange. I have never seen a problem like this before!
>
> ANy other suggestions?
> --
> -Christopher DeMars
>
>
> "Jon-Alfred Smith" wrote:
>
>> On Fri, 8 Feb 2008 10:21:01 -0800, ChristopherDeMars
>> <ChristopherDeMars@discussions.microsoft.com> wrote:
>>
>> Not sure if this will solve your problem. But we'll give it a try:
>>
>> >I have a Vista Ultiumate desktop on a SBS 03 domain with ISA 04 running.
>> >I
>> >have installed the Vista ISA Client.
>>
>> A bit confusing, but with the ISA Firewall client, you're actually
>> running a super client that consists of:
>>
>> * Firewall client
>> * Web Proxy
>> * SecureNAT
>>
>> The Firewall client takes care of all types of tcp and udp, except:
>>
>> >When I log unto the Vista machine, it claims that I do not have full
>> >internet connectivity, that I only have a local connection. I find this
>> >strange, because I get to any web page through IE without any problems.
>>
>> web access (and web-based ftp)
>>
>> >I followed the Troubleshooting Assistant that is part of Vista and I
>> >found
>> >that the "Internet Connectivity test" involves pinging www.microsoft.com
>> >as
>> >the test.
>>
>> This is neither tcp/udp nor web. It's icmp, and that's handled by
>> SecureNAT.
>>
>> >When I open a command prompt and run ping myself, I do not get a
>> >response
>> >from any external web address.
>>
>> My guess is you're missing a rule for outbound SecureNAT.
>> You'll need to create an access rule in ISA for that.
>>
>> >Can someone help me figure out what I have done wrong in my install /
>> >setup
>> >/ config of ISA on the server and of the local Vista machine?
>>
>> 1) Open ISA Management
>> 2) Firewall Policy
>> 3) Tasks, Create New Access Rule
>> 4) Name: Secure NAT, click Next
>> 5) Allow, Next
>> 6) Applies to All outbound traffic, Next
>> 7) Rule applies to Click Add, Networks, Internal, Add, Close Next
>> 8) Click Add, Networks, External, Add, Close, Next
>> 9) Leave All Users, Next
>> 10) Finish
>> 11) Apply
>>
>> Now you have an access rule for SecureNAT. At least you'll be able to
>> ping the Internet.
>>
>> jas
>>

On Fri, 8 Feb 2008 11:55:00 -0800, ChristopherDeMars
<ChristopherDeMars@discussions.microsoft.com> wrote:

>Thank you for your suggestion. This seem to have helped, but not solved the
>problem. I am even more confused now than ever!!!

>New problem: I can now ping SOME web sites. For instance when I ping
>google.com, everything works fine. But when I ping microsoft.com, it doesn't
>work!! Very strange. I have never seen a problem like this before!

If you can ping google and not MS, the problem is at MS, and so it
seems from here (Norway). Below some notes on my investigations. A
preliminary conclusion is to wait until the lines to MS are less busy
and / or see if there is a registry value that could be changed from
www.microsoft.com to for instance www.google.com for the Windows Vista
network diagnostics.

-----------------------------------------
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\jonsmi>ping www.microsoft.com

Pinging lb1.www.ms.akadns.net [207.46.192.254] with 32 bytes of data:
Request timed out.
-----------------------------------------

One of my machines is also Vista Ultimate, and I have no network
problems for the time being. But Vista Network Diagnostics says:

Cannot communicate with www.microsoft.com(207.46.192.254).

It doesn't help to increase the timeout to wait for each reply.
Default is 4000 milliseconds (4 seconds). Here I have tried with 64:
ping -w 64000 www.microsoft.com

Don't know what's going on. New security guidelines, disable icmp?
Windows 2008 out at MSDN and TechNet? Vista SP1 from WU with a
registry hack? All in all: Connections to Microsoft are slow these
days.

jas

On Fri, 8 Feb 2008 14:46:43 -0600, "Frank McCallister SBS MVP"
<anonymous> wrote:

>That is because some Firewalls deny pings and others don't. Google allows
>ping, MS does not. Yahoo.com and Foxnews.com ping cnn.com doesn't

Then Windows Vista Network Diagnostics is quite brain-damaged:

Cannot communicate with www.microsoft.com(207.46.192.254)
Network diagnostics pinged the remote host but did not receive a
response.
Reset the network adapter "Local Area Connection 3"

Perhaps someone should inform The Windows Vista Development Team.

jas

On Fri, 8 Feb 2008 10:21:01 -0800, ChristopherDeMars
<ChristopherDeMars@discussions.microsoft.com> wrote:

Back to your initial problem:

>I have a Vista Ultiumate desktop on a SBS 03 domain with ISA 04 running. I
>have installed the Vista ISA Client.

Is your Vista machine part of your domain?
Have you joined it the SBS way: http://<sbs server>/ConnectComputer?
Have you heeded all the advices in this KB?
http://support.microsoft.com/kb/926505

DNS, WINS, default gateway pointing to the internal NIC of your SBS
server?

Applied all updates through Windows Update?

Is the user who logs onto the machine member of the local
administrators group?

No blocking third-party firewall software, such as Symantec or
F-Secure?

If all this is the case, you have a similar setup as one of my
machines and three Vista clients at two customer's sites.

>When I log unto the Vista machine, it claims that I do not have full
>internet connectivity, that I only have a local connection.

Is this a pop-up message? Do you log onto the domain or locally?

The problem is that I have installed six or seven Vista clients to SBS
networks, and I have never seen the problem you describe. Installing
and joining them to the domain has been very smooth. No issues with
Vista as a network client.

>I followed the Troubleshooting Assistant that is part of Vista and I found
>that the "Internet Connectivity test" involves pinging www.microsoft.com as
>the test.

When initiated from the Network System Icon, this URL is used. And
this is supposed to be the only case, according to an MS white-paper,
"Network Diagnostics Technologies in Windows Vista."

Otherwise, the URL or UNC path the computer is attempting to reach is
used as a target location when diagnostics are performed.

jas