Unable to watch a video stream behind ISA Server 2006 using Web Proxy Client


1. Introduction


 


Two weeks ago I worked on a case where a customer was not able to watch a video stream behind ISA Server 2006 using the Web Proxy Client. The interesting part was that he could watch it from the same workstation by enabling the Firewall Client. I reproduced the issue in the lab and the result was quite interesting.


 


2. Is it pure HTTP? Really?


 


When we deal with an outbound scenario like this and the tests show that only the Firewall Client is capable of accessing the external resource, the first question that comes up is: is this really HTTP- or HTTPS-only traffic? Sometimes you inherit an environment with a third-party application and have no idea how it works internally, or whether it is Web Proxy or Winsock capable. Fortunately this was not the case here, and later on you will understand why.


 


3. Gathering Data


 


To better understand what was happening when the client tried to establish a connection with the destination web site, I used Netmon 3.2 and, to my surprise, TCP port 80 was not the only port in use, as you can see below:


 



Figure 1 – Netmon Trace


 


Legend (Color / Meaning):

·         Real destination IP Address

·         Real destination URL

·         SYN attempt to a port other than TCP 80


 


Notice the following in this picture:


·         Frame 73: The client sends the HTTP GET request to the destination web site for a SWF (Adobe Shockwave Flash) file.


·         Frame 77: An HTTP 304 response from the destination server through ISA Server (10.20.20.2).


·         Frame 79: An HTTP GET request for the playlist (playlist.xml).


·         Frame 84: An HTTP 200 response from the destination server through ISA Server (10.20.20.2).


·         Frame 93: Out of nowhere, the client sends a TCP SYN to the destination server (real IP in red) on port 1935. Since ISA Server did not have this protocol defined and the rule allowed only HTTP/HTTPS, the answer to the TCP SYN never arrived (three SYN requests without an answer – frames 93, 102 and 122).


 


Based on this I had enough information to understand that this was not a simple HTTP request and that port 1935 was required for this communication. But why was this happening? The answer is in the following Adobe KB article:


http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16499
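
The check performed by eye on the Netmon trace above can also be run over exported frame summaries. The following is an added example, not part of the original post: it flags TCP SYNs that are not addressed to the web proxy listener and never get a SYN-ACK. The frame tuples are constructed; the client address, the destination address 203.0.113.10, the client ports and the proxy listener port 8080 are assumptions.

```python
from collections import defaultdict

# Constructed frame summaries modelled on the trace described above:
# (frame, source IP, source port, destination IP, destination port, TCP flags).
# 10.20.20.2 is the ISA Server from the article. The client address, the
# destination address 203.0.113.10, the client ports and the web proxy
# listener port 8080 are assumptions made for this example.
FRAMES = [
    (73, "10.20.20.10", 49200, "10.20.20.2", 8080, "PA"),    # GET for the SWF
    (77, "10.20.20.2", 8080, "10.20.20.10", 49200, "PA"),    # HTTP 304
    (79, "10.20.20.10", 49200, "10.20.20.2", 8080, "PA"),    # GET playlist.xml
    (84, "10.20.20.2", 8080, "10.20.20.10", 49200, "PA"),    # HTTP 200
    (93, "10.20.20.10", 49201, "203.0.113.10", 1935, "S"),   # SYN, no answer
    (102, "10.20.20.10", 49201, "203.0.113.10", 1935, "S"),  # retransmission
    (122, "10.20.20.10", 49201, "203.0.113.10", 1935, "S"),  # retransmission
]


def unanswered_direct_syns(frames, proxy_ip, proxy_port=8080):
    """Return {(client, server, port): [frame numbers]} for SYNs that are not
    addressed to the web proxy listener and never receive a SYN-ACK."""
    pending = defaultdict(list)
    for number, src, sport, dst, dport, flags in frames:
        if flags == "S" and (dst, dport) != (proxy_ip, proxy_port):
            pending[(src, dst, dport)].append(number)
        elif flags == "SA":
            # A SYN-ACK flows server -> client, so swap the roles to match.
            pending.pop((dst, src, sport), None)
    return dict(pending)


if __name__ == "__main__":
    hits = unanswered_direct_syns(FRAMES, proxy_ip="10.20.20.2")
    for (client, server, port), numbers in hits.items():
        print(f"{client} -> {server}:{port} unanswered SYN in frames {numbers}")
```

A non-empty result means the application needs a protocol that the Web Proxy path does not carry, which is the situation port 1935 revealed here.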


 


4. Adjusting ISA Server


 


To meet this requirement I created three protocols, as shown below:


 


 


Figure 2 – TCP Port 1935.


 



Figure 3 – TCP Port 1626


 



Figure 4 – TCP Port 7070


 


After that I added those protocols as part of the web access policy to allow web proxy clients to successfully access this video.