Article ID: 288734 - View products that this article applies to.
This article was previously published under Q288734
In environments where you are using Microsoft Internet Security and Acceleration (ISA) Server 2000 to protect the network, and you configure it to allow only User ID-based access for outgoing Hypertext Transfer Protocol (HTTP) requests, Real Networks Real Player may not be able to connect to any channels to receive audio or video streams. Real Player attempts to connect but it is unable to and only displays a status of "connecting" in the status bar. You may also see this behavior with any client that does not use Web proxy for all HTTP requests.
Real Player first uses HTTP to gather channel information and information about the resource from which it will get the media stream, it then uses RTSP, PNA, or HTTP for the media streams. Generally, to solve this problem you would configure Real Player to use HTTP proxy and specify the Internal IP address of the ISA Server as well as its default port 8080 in the Real Player proxy settings (to locate these proxy settings, on the View menu, click Preferences, and then click the Proxy tab). However, this method does not always work.
If Real Player were actually using Web proxy as you have configured it, the request would go directly to the Web Proxy service, it would expect the prompt for authentication, and then use one of the available methods to perform the authentication.
This problem occurs because even though you configure Real Player 8.0 to use HTTP proxy under Proxy settings it does not always use Web proxy when connecting to the Real Player Web site for channel update information. When this occurs, the direct HTTP request is intercepted by the HTTP application filter and passed on to the Web proxy service. When the Web proxy receives a request from the HTTP application filter it is only allowed if anonymous access ("Any Request") to HTTP is permitted in the rules. If there is no such rule, the request is denied.
When a request is intercepted by the application filter, which is treated like an S-NAT request, and passed to the Web proxy service, there is no accompanying authentication and no means by which to transparently authenticate the user. By design, ISA Server does not support User ID-based access control rules for S-NAT because it is not technically possible. Only Client Set-based access control is possible.
In addition, even if the you install the Firewall client on the client and the Firewall client successfully authenticates with ISA Server, when the HTTP redirect occurs, the user credentials are not passed from the Firewall service to the Web proxy service.
WorkaroundYou can use either of the following methods to work around this problem:
Method 1Create Client Set-based protocol rules (or Site and Content rules if applicable) to allow HTTP for clients that are using Real Player. This nullifies the User ID-based authentication for requests coming from IP addresses that belong to the Client Set that you use.
Method 2In the ISA Manager:
Go to the "Application Filters" under the "Extensions" container and select the HTTP Redirector Filter.On the Options tab select the Send to requested Web server radio button and select the OK button. On the client:
Install the ISA Firewall client from the Server.Open Real Player 8.Select Preferences from the View menu.On the "Proxy" tab only select the No HTTP Proxy radio button and select OK.
Note In some cases, you may also have to specify no proxy for PNA and RTSP.The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Article ID: 288734 - Last Review: January 15, 2006 - Revision: 1.2
Contact us for more help