Discussion:
Problems with Yahoo, Hotmail and AOL Access
BC
2004-02-20 16:00:21 UTC
Hi

A public library client of mine with about 50
public access Internet PC's has been using
their town's system for connection. The town
uses Firewall 4.1, I believe. I assume this is
a good product when it's properly configured,
but it's mostly a nuisance when it's not. There
have been chronic problems for the library due
to the town techs not configuring it properly.
The latest is that when a library patron goes
into Yahoo Mail or Hotmail, everything looks
fine for the initial mail check, and maybe one
reply or composition, but then that's it -- any
further attempts at replying or checking folders
ends with either no response or subsequent
the mail program stops responding or else a "The
document contains no data" message pops up.

But if you exit out of the browser and go back
in, you can then check the next email. It's a
stupid nuisance.

I'm currently setting up a system to allow the
library to switch over all the public access PC's
to another, slower internet connection whenever
there are problems with the town system, but I'm
looking for some insight into what I can tell
the town techs about this latest issue (BTW, when
I switched over as a test to the other connection,
all the email flakiness disappeared.)

I'm assuming that they aren't deliberately trying
to mess up Yahoo and Hotmail access, so any ideas
I can relay to them would be most appreciated.

Thanks in advance.

-BC
BLH
2004-02-24 09:40:34 UTC
Post by BC
Hi
A public library client of mine with about 50
public access Internet PC's has been using
their town's system for connection. The town
uses Firewall 4.1, I believe. I assume this is
a good product when it's properly configured,
but it's mostly a nuisance when it's not. There
have been chronic problems for the library due
to the town techs not configuring it properly.
The latest is that when a library patron goes
into Yahoo Mail or Hotmail, everything looks
fine for the initial mail check, and maybe one
reply or composition, but then that's it -- any
further attempts at replying or checking folders
ends with either no response or subsequent
the mail program stops responding or else a "The
document contains no data" message pops up.
But if you exit out of the browser and go back
in, you can then check the next email. It's a
stupid nuisance.
I'm currently setting up a system to allow the
library to switch over all the public access PC's
to another, slower internet connection whenever
there are problems with the town system, but I'm
looking for some insight into what I can tell
the town techs about this latest issue (BTW, when
I switched over as a test to the other connection,
all the email flakiness disappeared.)
I'm assuming that they aren't deliberately trying
to mess up Yahoo and Hotmail access, so any ideas
I can relay to them would be most appreciated.
Thanks in advance.
-BC
From what you are describing it does not sound like the firewall is
causing the problem. The firewall rule will either allow or deny the
session and as the user can connect and do something it seems OK.
Hotmail etc uses http so should not be any different to any other web
session.

The likely cause of your problem is some kind of web content filtering
system (websense, websweeper etc) which is getting confused or maybe
improperly configured.

The fact that it works when you change connection means that you are
bypassing the firewall and web content filter which, unless you are
providing some other form of internet protection, could pose other
dangers.

BH
BC
2004-02-25 06:32:14 UTC
Post by BLH
From what you are describing it does not sound like the firewall is
causing the problem. The firewall rule will either allow or deny the
session and as the user can connect and do something it seems OK.
Hotmail etc uses http so should not be any different to any other web
session.
The likely cause of your problem is some kind of web content filtering
system (websense, websweeper etc) which is getting confused or maybe
improperly configured.
The fact that it works when you change connection means that you are
bypassing the firewall and web content filter which, unless you are
providing some other form of internet protection, could pose other
dangers.
BH
Hi

Thanks for the response.

They do have Websense, but that seemed to be misadjusted in a
way that causes a different set of problems. I was thinking
that this could be caused by a mix of products set incorrectly,
but this particular problem seems to coincide with them trying
to upgrade their security. But then again my experience with
cheaper firewalls has been to have them set to block/don't
block for certain programs, ports, and circumstances rather
than for block-after-they've-done-a-few-things. I'm not sure if
even Checkpoint can be deliberately adjusted this way. The delay
in response sounds like caching is somehow involved, which would
likely mean an ISA Server is in the loop somewhere, but most
times when an error message is generated, it's done so by their
Checkpoint system.

-BC
BLH
2004-02-27 09:28:10 UTC
Post by BC
Post by BLH
From what you are describing it does not sound like the firewall is
causing the problem. The firewall rule will either allow or deny the
session and as the user can connect and do something it seems OK.
Hotmail etc uses http so should not be any different to any other web
session.
The likely cause of your problem is some kind of web content filtering
system (websense, websweeper etc) which is getting confused or maybe
improperly configured.
The fact that it works when you change connection means that you are
bypassing the firewall and web content filter which, unless you are
providing some other form of internet protection, could pose other
dangers.
BH
Hi
Thanks for the response.
They do have Websense, but that seemed to be misadjusted in a
way that causes a different set of problems. I was thinking
that this could be caused by a mix of products set incorrectly,
but this particular problem seems to coincide with them trying
to upgrade their security. But then again my experience with
cheaper firewalls has been to have them set to block/don't
block for certain programs, ports, and circumstances rather
than for block-after-they've-done-a-few-things. I'm not sure if
even Checkpoint can be deliberately adjusted this way. The delay
in response sounds like caching is somehow involved, which would
likely mean an ISA Server is in the loop somewhere, but most
times when an error message is generated, it's done so by their
Checkpoint system.
-BC
Checkpoint can be configured (or misconfigured) to timeout sessions
after a period of time but unless there is a specific rule for hotmail
etc it would happen to all http sessions so this is unlikely.

Another thing to look for particularly if this is a large organisation
is redundant pairs or load balancing of servers which if not
configured correctly can cause problems.

We used to have websense in this organisation (before my time) but it
was abandoned as it caused more problems than it solved (don't know
specific details but certainly performance was an issue). We do have
websweeper but rather than blocking specific sites we are more
concerned with checking content of downloaded files etc for virus and
for this websweeper in conjunction with checkpoint works well.

BH
BC
2004-03-01 03:48:42 UTC
Post by BLH
Post by BC
Hi
Thanks for the response.
They do have Websense, but that seemed to be misadjusted in a
way that causes a different set of problems. I was thinking
that this could be caused by a mix of products set incorrectly,
but this particular problem seems to coincide with them trying
to upgrade their security. But then again my experience with
cheaper firewalls has been to have them set to block/don't
block for certain programs, ports, and circumstances rather
than for block-after-they've-done-a-few-things. I'm not sure if
even Checkpoint can be deliberately adjusted this way. The delay
in response sounds like caching is somehow involved, which would
likely mean an ISA Server is in the loop somewhere, but most
times when an error message is generated, it's done so by their
Checkpoint system.
-BC
Checkpoint can be configured (or misconfigured) to timeout sessions
after a period of time but unless there is a specific rule for hotmail
etc it would happen to all http sessions so this is unlikely.
Another thing to look for particularly if this is a large organisation
is redundant pairs or load balancing of servers which if not
configured correctly can cause problems.
We used to have websense in this organisation (before my time) but it
was abandoned as it caused more problems than it solved (don't know
specific details but certainly performance was an issue). We do have
websweeper but rather than blocking specific sites we are more
concerned with checking content of downloaded files etc for virus and
for this websweeper in conjunction with checkpoint works well.
BH
The delayed non-response seems to generically affect all web-based
email. I should try to test it on a non-webmail form or such to see
if it's actually affecting a type of input.

So there is a timeout function...hmmmm. The organization is a large
town, including the town offices, library, and most schools. The IT
staff at the town is unlikely to be knowledgeable enough to load-
balance correctly, to, um, say the very least. And they don't really
answer questions very well.

I'll try to look up how Checkpoint times out and maybe see if that
corresponds with what I'm seeing.

One issue with the internet switching thingy I set up, using the
Symantec (Axent) firewall appliance, was that while the fallover
from the default town connection to the backup is done very, very
smoothly, there is no content filtering at all on the backup
connection, which of course was found out pretty quickly. What a
nuisance....

But thanks again for the info.

-BC
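
Added example, not part of the original thread: a small Python probe for the session-timeout theory raised above. It reuses one persistent HTTP connection after increasing idle gaps and reports at which gap reuse stops working; the local server, the function names and the timings are constructed for illustration.

```python
import socket, threading, time

def start_idle_dropping_server(idle_limit):
    """Constructed local stand-in for a device that ends idle sessions."""
    srv = socket.create_server(("127.0.0.1", 0))
    def handle(conn):
        conn.settimeout(idle_limit)          # idle window per session
        try:
            while conn.recv(4096):           # any request gets a tiny 200 reply
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except OSError:                      # idle window expired (or peer reset)
            pass
        finally:
            conn.close()
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                  # listener closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def request_ok(sock, host):
    """Send one GET on an already-open socket; True only on a 200 reply."""
    try:
        sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode())
        return sock.recv(4096).startswith(b"HTTP/1.1 200")
    except OSError:                          # reset, or timeout on a silent drop
        return False

def probe_idle_reuse(host, port, idle_steps, timeout=5):
    """For each idle gap, open one connection and reuse it after the gap.
    Returns {idle_seconds: second_request_succeeded}."""
    results = {}
    for idle in idle_steps:
        with socket.create_connection((host, port), timeout=timeout) as s:
            first = request_ok(s, host)
            time.sleep(idle)
            results[idle] = first and request_ok(s, host)
    return results

if __name__ == "__main__":
    srv, port = start_idle_dropping_server(idle_limit=0.5)
    print(probe_idle_reuse("127.0.0.1", port, [0.1, 1.0]))
    srv.close()
```

Running the same probe from a public PC over each of the two connections, against a web server that keeps connections open, shows whether reuse fails only on the town path and after roughly how long.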
