Configuring direct access in SP2

Ori Yosefi - MSFT

27 Feb 2006 8:27 AM

Comments 12

ISA Server 2004 SP2 makes some changes to the way that destinations specified for direct access are handled.

The piece of UI in question is the direct access list in the Web Browser tab of the network properties. Under the heading Directly access these servers or domains.

Prior to SP2, if a requested destination name was in the list, it was accessed directly. With SP2 - a requested name in the list is accessed directly, unless IP addresses are included in the list. In that case, an attempt is made to resolve the site name to an IP address. Access is direct only if the resolved IP address is found in the list.

The bottom line recommendation is to add entries to the list as follows:

Either specify both the IP address and FQDN of the destination, or the FQDN only. If there are only FQDNs on the list, behavior remains as it was prior to SP2.
If you add any IP address to the list, then you should add all IP address ranges that you want the client computer to access directly. Otherwise, destinations that are not in the list will be routed through the ISA Server.
If other IP addresses are added to the list, the address range of 127.0.0.0-127.255.255.255 (127/8) are automatically added to the list.
If no IP addresses are in the list and you want to prevent requests from IP address 127.0.9.1 from being routed, add 127.0.0.1 as an FQDN to the list.

Comments

Tom Shinder

3 Mar 2006 8:54 AM

Are there plans to provide a fix for the Direct Access functionality so that it works for creating Internet FQDNs in the Direct access list? Thanks! --Tom.
Shadow

10 Apr 2006 2:00 PM

go to
Mike Malter

8 May 2006 6:13 PM

Do you mind if I ask why you guys did it this way? Now I have to list every internal web site I want accessed. This has raised my administrative overhead in my consulting business because I have a lot of sites coming and going all of the time.
ISA User

3 Jun 2006 6:04 AM

It has been several months since this problem with ISA has been posted, is there an update? This literally makes ISA useless to anyone wanting to use automatic configuration on it. I have several internal and external sites that I need to configure for direct access. Thanks.
Ori Yosefi - MSFT

18 Jun 2006 3:56 AM

Sorry for the delayed response. There is a fix for this, which you can get by calling Product Support and requesting the fix for KB 920716. The KB will be published in the near future.

Thank you for your patience.
Stefaan Pouseele

8 Jul 2006 10:15 AM

I've looked at http://support.microsoft.com/default.aspx?scid=kb;en-us;920716 (revision 1.0) but I don't find any reference to the Direct Access issue.

What has changed to solve the Direct Access issue? Are we back to pre-SP2 behavior and if so, how? Do we need to specify URL's (e.g. '*.microsoft.com/*') instead of FQDN's (e.g. '*.microsoft.com') to get back the pre-SP2 behavior?

Thanks,
Stefaan
Stefaan Pouseele

19 Jul 2006 3:21 PM

Never mind! The new KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;920715 explains it all.

Stefaan
Will

20 Jul 2006 10:30 PM

I have applied this fix and it sort of works however not as described. Also my plain hostnames are no longer bypassed automatically, though this might have stopped working as soon as I added the first IP address tom the domains list.
Stefaan Pouseele

21 Jul 2006 1:36 PM

Hi Will,

I have no problems with this fix. It works as advertised. Check out http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-access-these-servers-or-domains-issue-in-isa-server-2004-sp2/ for full details.

HTH,
Stefaan
Direct Access ISA Server 2004 | hilpers

20 Jan 2009 2:22 PM

PingBack from http://www.hilpers-esp.com/621788-direct-access-isa-server-2004-a
Bypass Proxy Not Working - help! | keyongtech

22 Jan 2009 12:40 AM

PingBack from http://www.keyongtech.com/1227655-bypass-proxy-not-working-help
HD Video Converter

26 May 2009 2:18 AM

I think it was recognized that this would create confusion, but it was too late to change the model. Maybe in an upcoming version anonymous connections will only match anonymous rules? --Tom

Forefront TMG Product Team Blog

Configuring direct access in SP2

Configuring direct access in SP2

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support by product

Other support links

Not an IT pro?