This past Tuesday, I installed ISA 2004 Service Pack 3. I’ve got a recent configuration backup from the last time I had some SSL certificate issues (that was fun enough I think I’ve blocked it out too much to blog about it!), so I figured trying it out couldn’t hurt, and it had a lot of fixes. So I start the install through Automatic Updates before I go home for the evening, since if something happens fewer will notice after hours. As I pull into my driveway, my phone alerts me that Exchange ActiveSync failed, and I get an SMS notification from our monitoring service saying that ISA could not be pinged. I hope the system is just restarting the Firewall service and it will come back up. Two hours later, it hasn’t. I drive back in, hit Restart After Automatic Updates (you know what I mean), and let it reboot. I am very, very happy to report that it worked! After the reboot, internet access worked my Treo was able to sync again!
Something interesting to note is that while inbound traffic from the internet appeared to be blocked before the restart, I was able to use Remote Desktop from another server on the internal network to remotely instruct ISA to reboot. So it had not locked down all network access, just external. Good to know if you administer the box primarily via remote control! In fact, due to a lack of KVM switch ports, I have to manually plug the keyboard/monitor/mouse back in to ISA physically if I want to work on the console.
Although everything appeared to be functioning normally, today I got a report from a user who was getting a network error when attempting to connect to the iTunes Store from within iTunes. I tried it on my desktop, and got the same error. Fortunately, I remembered that back when I installed a prior ISA service pack (I don’t recall if it was 1 or 2), I had a similar problem and was able to track down the issue to the Compression Filter in ISA. If you go in the ISA Management Console to Configuration->Add-ins and check the Web Filters tab, by default there is a “Compression Filter” enabled (the description: “Enables HTTP/HTTPS compression”). Disabling this filter allowed iTunes Store to work just fine!
However, the reverse is true in ISA 2004 Service Pack 3. If you have disabled the Compression Filter, you must re-enable it for the iTunes Store to work in Service Pack 3! This is very useful information, so I thought I’d share! If you don’t know why iTunes Store doesn’t work, it can take a bit of Googling to determine the problem, at least it did for me originally. Perhaps the issue is more widely known by now.
Hi David,
This piece of information has been very helpful to me. I was going through the same problem after upgrading to ISA Enterprice 2004 SP4.
Thanks
Glad I could help you out Jimmy! It was a frustrating problem…not many clues to figure out the problem!
Thanks! I am running GFIWebmonitor as well and was allowing *.apple.com and *.itunes.com. Still nothing! Started to allow all internal to external with no positive results. Also was monitoring live http requests and saw ‘failed connection attempt’. Couldnt figure this one out. Then I remembered I recently updated service packs but couldnt pinpoint the problem. Anyway, thanks, very helpful!