0

Windows XP client machines running IE7 in a domain behind an ISA Server 2004 on Win2k3. The ISA Firewall Client is installed on all clients. Machines are managed via group policy. IE7 is configured to use the ISA server as a proxy. Using NOD32 antivirus on the clients with all network protection disabled. Windows firewall is enabled on all clients using default settings.

There are a couple of sites that users have trouble connecting to. They are both service portals, but from two different companies. One is used to manage healthcare benefits, the other 401k benefits. Connections use SSL on the standard port.

What happens is that the sites will not completely load. Only some of the resources (images, etc) will come down, and then IE sits there waiting. Clicking on any link then results in "Internet Explorer cannot display this web page"...the standard connection error page. When this happens at one of the sites, other tabs in the same browser instance start producing the same error message, even though they are open to completely different websites. At this point IE7 has to be restarted (it doesn't crash, it just won't load anything).

I've tried adding the sites to IE7's trusted zone, have excluded them from ISA server's cache, and even tried bypassing the proxy.

Here's what's interesting: the sites have always worked fine in Firefox without any special configuration on the client or the ISA server.

I'm not sure what to look into next?

Update:

I've tried disabling the ISA HTTP cache completely. Nothing. I tried Firefox configured with and without the proxy. Works either way.

It seems to get stuck on the Phishing Filter...or the Phishing Filter just happens to be running when it gets stuck. This is enabled via GPO so I haven't had time to experiment more with it.

Update 2:

I upgraded to IE8. This time it doesn't get stuck on the Phishing Filter, of course, but the problem looks the same. It just sits there saying it's waiting for X more items to load. At this point the entire browser has to be restarted because no pages will load.

Boden
  • How is the ISA set up? Only caching proxy or firewall as well? One or two network interfaces? Does Firefox/all internet traffic use the ISA for NAT/routing/firewall or does it completely bypass the ISA going through some other edge device if the proxy is not configured? If you configure the ISA as a proxy in Firefox - do you get the same problem? – Oskar Duveborn Sep 22 '09 at 13:28
  • The ISA server is doing everything; caching, NAT, firewall. So Firefox is going through it no matter what. Now whether firefox works when it's configured for the proxy or just using the firewall client I'm not sure... I believe so. I'll check and get back. – Boden Sep 22 '09 at 15:20

3 Answers

1

Figured it out.

I set up a monitor in ISA to watch what was going on. Should have done this right from the start. Anyhow, started seeing a lot of the following result codes for the https session:

0x80074e23 WSA_E_RULE_QUOTA_EXCEEDED_DROPPED
0x80074e21 FWX_E_ABORTIVE_SHUTDOWN

and also a bunch of errors for other protocols like VPN/PPT occurring at the same time.

Some digging turned up the following article from Microsoft: http://technet.microsoft.com/en-us/library/cc302445.aspx

It turns out that too many connections from the client were being opened in too short a period of time...specifically > 60 in one second per my configuration. I raised this limit to 160 and the problems have disappeared. (From ISA Server, expand SERVERNAME->Configuration->General and then open up Define Connection Limits. Raise "Connection limit per client".)

I don't understand the details here, at least not why this was happening only with IE, but I'm comfortable enough with the fix and am not going to pursue further.

Boden
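An added example, not part of the answer above and not Microsoft tooling: before raising a per-client connection limit, it helps to see which clients actually exceed it and how many drops they take. The sketch below buckets connection records per client per second; the column layout (date, time, client IP, port, result code) is an assumed, simplified export and the sample rows are constructed, while the threshold of 60 and the result code come from the answer.

```python
from collections import Counter, defaultdict

# Result code the answer saw in the ISA monitor (value taken from the page).
QUOTA_DROPPED = "0x80074e23"

def make_sample():
    """Constructed sample rows: 'date time client_ip dest_port result_code'.
    Assumed simplified layout, not the real ISA log schema."""
    lines = []
    # 10.0.0.21 opens 70 connections in one second; the last 10 are dropped.
    for i in range(70):
        code = QUOTA_DROPPED if i >= 60 else "0x0"
        lines.append(f"2009-09-22 15:20:01 10.0.0.21 443 {code}")
    # 10.0.0.35 opens 5 connections per second for 3 seconds, none dropped.
    for sec in (1, 2, 3):
        lines += [f"2009-09-22 15:20:0{sec} 10.0.0.35 443 0x0"] * 5
    return lines

def summarize(lines, limit=60):
    """Per client: peak connections in any one-second bucket, number of
    quota drops, and whether the peak exceeded `limit`."""
    per_second = defaultdict(Counter)    # client -> {timestamp: count}
    drops = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                     # skip headers and malformed rows
        date, time, client, _port, code = parts
        per_second[client][f"{date} {time}"] += 1
        if code.lower() == QUOTA_DROPPED:
            drops[client] += 1
    report = {}
    for client, buckets in per_second.items():
        when, peak = buckets.most_common(1)[0]
        report[client] = {"peak": peak, "peak_at": when,
                          "quota_drops": drops[client],
                          "over_limit": peak > limit}
    return report

if __name__ == "__main__":
    for client, row in sorted(summarize(make_sample()).items()):
        print(client, row)
```

A client that shows a high peak on only a couple of known sites is a candidate for a targeted exception; a client that is over the limit everywhere deserves a closer look before the limit is raised for everyone.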
0

Download Fiddler and see what is coming to the browser; you might be getting errors that IE isn't telling you about.

http://www.fiddler2.com/fiddler2/

Quinn Wilson
0

Check if you have the ISA cache enabled. Disable it and try again; at least then you will be able to rule out a corrupt or misconfigured cache. (You will have to restart the firewall service, if I remember correctly.)

Here's what's interesting: the sites have always worked fine in Firefox without any special configuration on the client or the ISA server.

Does it still work when Firefox connects to internetz through the ISA proxy?

MrTimpi
  • Firefox works whether I use the proxy or not. Just confirmed. Also, I disabled the HTTP cache on the ISA server. No change. – Boden Sep 22 '09 at 18:20