Having problems accessing certain webpages

[Texashiker]

My office is on a rather large intranet that is tied in with a couple of hundred other offices. The main office maintains a website that we use to enter information through internet explorer. The site will only work with internet explorer, no other browser is supported.

Some of the workstations can access the website, but when we click a link, the link times out. Finally an error comes up saying the website can not be displayed.

Here is the kicker, only the workstations that are on the active directory domain can not view the website.

If we take a laptop that has never been assigned to the active directory, it can access the website just fine.

If I remove a workstation from the directory, and assign it to a workgroup, it still can not access the website.

The website is designed in ASP, its been tested in internet explorer 7 and 8.

The developers do not understand why certain workstations are having issues.

Active directory domain controller - windows 2000 server

Problems are with windows 7, and windows xp systems

 

[THRiLL KiLL]

sounds like ipsec could be the source

http://www.petri.co.il/configuring_ipsec_policies_through_gpo.htm

 

[Texashiker]

sounds like ipsec could be the source

Thank you, your link led me in a direction that gave some clues.

I enabled security logging, and now event viewer is logging "windows filtering platform has blocked a packet" when I try to access the website.

The question now, how do I disable windows filtering platform, or at the very least stop it from blocking the site? I am searching through google trying to find out more about the windows filtering platform.

Windows firewall is turned off on the workstations. Stopping the windows firewall service does not allow the site through either.

 

[THRiLL KiLL]

http://blogs.technet.com/b/instan/a...tform-has-blocked-a-bind-to-a-local-port.aspx

To disable WFP auditing:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure: disable

i think thats what you want

 

[Texashiker]

To disable WFP auditing:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure: disable

i think thats what you want

I am not sure what you mean by that. I want logging enabled to see the messages.

A custom rule was created in windows firewall advanced security settings, the ip address of the webserver was set to be allowed, and windows filtering platform is still blocking the packets.

 

[THRiLL KiLL]

i was reading somewhere, that the auditing was accualy causing the block and they were waiting on a fix from ms. What they did as a workaround was to disable the audit and it worked.

to see if it works, just go to a command prompt (with admin privlages) and type:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure: disable

if it fixes is then good if not just reverse it by typing:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure: enable

 

[Texashiker]

i was reading somewhere, that the auditing was accualy causing the block and they were waiting on a fix from ms. What they did as a workaround was to disable the audit and it worked.

Windows xp does not have a windows filtering platform, so what would cause those workstations to block the same website as the windows 7 workstations?

 

[Fardringle]

Do the computers on the domain use a domain controller as their DHCP/DNS server? If so, the DC itself might be blocking the connections for some reason (possibly black-listed on the DNS server). If this is the case, try changing the DNS server address to the same address that the non-domain machines are using. If it resolves the problem, then have whoever manages the DC for your location check to see why it is blocking connections to the web site(s).

It's also possible that there is something in the group policy on the domain controller that is blocking the site, but DNS is (usually) easier to test so I'd try that first.

 

[THRiLL KiLL]

are you using just the windows firewall / or do you have another physical firewall?

if windows only, if you disable them, does it connect?

If its physical, do you have filtering enabled that blocks internal ip-ranges

are these websites internal or external?

Can the webserver be pinged?

 

[Texashiker]

I think its the time.

Changing the time of the workstations to the correct time makes the page load. Changing the time by 2 minutes makes the pages not load.

The time on the server was 2 minutes off.

that is why the laptops were loading and the workstations on the AD were not. The laptops updated their time through time.microsoft.com

 

[THRiLL KiLL]

I think its the time.

Changing the time of the workstations to the correct time makes the page load. Changing the time by 2 minutes makes the pages not load.

yes, having the time off would mess with the certifcates :biggrin:

 

[Texashiker]

For some reason the workstations are not syncing their time with the primary domain controller.

 

[THRiLL KiLL]

try resetting the sync

From a run line or command prompt:
Net time \\Servername /set /yes


servername = name of your domain controller


opps forgot the command to resync

w32tm -resync

 

[Texashiker]

try resetting the sync

From a run line or command prompt:
Net time \\Servername /set /yes

Thank you.

The XP workstations are syncing their time, but the windows 7 workstations are giving an error that I do not have permission to sync the time.

Also, does our time have to be synced with the webserver time?

If the timeout in the packet is set too low, and the webserver time is off, what then?

 

[gsaldivar]

Try elevating your command prompt (right-click cmd.exe and run as Administrator).