Automatic requests for upstream server information (Get.info.v2) do not succeed when authentication is required in ISA Server

If you use a routing rule on a downstream server computer that is running Microsoft Internet Security and Acceleration (ISA) Server to route requests to an upstream ISA Server server array (two or more nodes), some requests may not succeed if one of the upstream server array nodes is not available.

This problem occurs although you have configured failover between the downstream server and the upstream server array by turning on the Automatically poll upstream server for array configuration option in the upstream server settings of the routing rule on the downstream server. This setting implements failover because the downstream server automatically and continuously sends requests to the upstream server array for information about array membership (http://upstream_server/array.dll?get.info.v2) and for the status and the availability of the upstream array nodes.

Note Upstream_server is a placeholder for the name of the upstream server array.

This problem occurs because the automatic request (array.dll?get.info.v2) has no credentials to provide for authentication. (The automatic request has no credentials because no connection user is configured.) If you have turned on the Ask unauthenticated users for identification option on the upstream server array, every request must be authenticated. However, because the automatic request has no credentials to provide, the automatic request does not succeed.

• This problem occurs only if the upstream server array is configured for Ask unauthenticated users for identification in the Outgoing Web Requests settings. For more information about how to configure this setting, see the "More Information" section.
• This problem does not occur if you have set a connection user in the upstream server settings of the routing rule on the downstream computer to authenticate to the upstream server array. For information about how to configure these settings, see the "More Information" section.

To work around this problem, we recommend that you do the following:

1. Turn off the Ask unauthenticated users for identification option on the upstream ISA Server array. For information about how to configure this setting, see the "More Information" section.
2. Configure your site rules and your content rules to make sure that every user must authenticate.

If you turn off the Ask unauthenticated users for identification option, the automatic request for information succeeds because it does not have to authenticate. Therefore, the request is never verified against the Rule Set. However, every HTTP user request is still authenticated because this kind of request must be verified against the site rules and against the content rules.

This behavior is by design.

How to configure outgoing Web requests

1. Start ISA Management.
2. Right-click your server name or your array name, and then click Properties.
3. Click the Outgoing Web Requests tab.
4. Click to select or click to clear the Ask unauthenticated users for identification check box.

How to configure the automatic request for information (Get.Info.V2) on the routing rule of the downstream server

1. Start ISA Management.
2. Under Network Configuration, click Routing.
3. Double-click the routing rule that is appropriate for routing to the upstream server (or to the upstream array).
4. Click the Action tab.
5. Click Routing them to a specified upstream proxy server, and then click Settings.
6. Click to select or click to clear the Automatically poll upstream server for array configuration check box.

How to configure a connection user in the routing rule of the downstream server

1. Start ISA Management.
2. Under Network Configuration, click Routing.
3. Double-click the routing rule that is appropriate for routing to the upstream server (or to the upstream array).
4. Click the Action tab.
5. Click Routing them to a specified upstream proxy server, and then click Settings.
6. Click to select the Use this account check box, and then type the account name that you want to use to authenticate with the upstream proxy server.
7. Under Authentication, click to select the check box for the authentication method that you want to use.