Client setup

Client setup - 13.Apr.2001 2:01:00 PM   
DBH

 

Posts: 14
Joined: 2.Apr.2001
Status: offline
OK, yes I'm new to ISA so please forgive me. I have the following scenario. dial-up:isa:switch:clients. In Firewall only mode. I've installed ISA on a Win2K Advanced Server. Gone through the "Getting Started" article. Allowed all packets. Allowed all IP traffic. Open All Site and Content. Created a dial-up connection. Told the Network Configuration to up the dial-up entry. Under routing, I set it to use the dial-up entry for the primary route.

DHCP (yes it's on the ISA machine) is setting the clients IP,Default Gateway, and DNS (to the IP of the internal adaptor of the ISA machine).

I can get to the internet from the ISA machine. The clients can ping the ISA machine. The problem is that I cannot get the clients to browse the internet unless I set the proxy settings in the browser. Mail through Outlook/Outlook Express does not work either. How do I make this work? Do I have to install the Firewall Client software on each client? If so, this seems crazy to me.

Post #: 1
RE: Client setup - 13.Apr.2001 8:17:00 PM   
isafan

 

Posts: 31
Joined: 29.Mar.2001
Status: offline
No, you don't have to install the firewall client. At least....you're not _supposed_ to have to, but I've known ISA to not work as advertised all the time. lol (I've been having VPN probs.)

What were you using before ISA? Was it MS Proxy? If so, remove or disable the old proxy client first and reboot the machines.

When you are trying from the internal clients, is ISA already dialed in? If not, is it trying?


isafan


(in reply to DBH)
Post #: 2
RE: Client setup - 13.Apr.2001 8:31:00 PM   
DBH

 

Posts: 14
Joined: 2.Apr.2001
Status: offline
This is a new install. So there was no proxy before. The dial-up connection is manually made prior to the clients trying to connect.

(in reply to DBH)
Post #: 3
RE: Client setup - 13.Apr.2001 9:06:00 PM   
cstephany

 

Posts: 11
Joined: 13.Apr.2001
Status: offline
Do you have the browsers (I assume IE) set up to automatically detect settings? Or is everything blank?

(in reply to DBH)
Post #: 4
RE: Client setup - 13.Apr.2001 10:39:00 PM   
isafan

 

Posts: 31
Joined: 29.Mar.2001
Status: offline
If he's using a Secure NAT client he should not have to have autodetect on. We don't. The only reason we use the web proxy is to benefit from the web cache, but with SNAT all traffic that's allowed by the firewall settings will pass with no extra config's on the client.

The weird thing is that on some 9x clients (95 mostly) we did have to set up the proxy at first, but after loading a page or 2 and a reboot, it will now work with or without anything at all in the proxy settings area. Both IE and Communicator.


isafan


(in reply to DBH)
Post #: 5
RE: Client setup - 14.Apr.2001 12:37:00 AM   
cstephany

 

Posts: 11
Joined: 13.Apr.2001
Status: offline
isafan,

I agree, but correct me if I'm wrong. If the SNAT client is not loaded on the workstations, then the proxy settings need to be set up for the web listening port (other than the default IE port of 80). We use a different port and ISA uses a default of 8080, doesn't it?

cstephany


(in reply to DBH)
Post #: 6
RE: Client setup - 14.Apr.2001 1:09:00 AM   
DBH

 

Posts: 14
Joined: 2.Apr.2001
Status: offline
The client I'm working with is a Win2K Server. IE 5.5 and the Auto-config and proxy settings are blank. The IP of the client shows up on the sessions on ISA. But I can't seem to get traffic to go through. On the client, the default gateway is the internal adapter of the ISA machine. I've tried to use the internal adapter of the ISA machine for the DNS as well as using the DNS (I know it's not a good idea, but I tried it) of my ISP.

(in reply to DBH)
Post #: 7
RE: Client setup - 15.Apr.2001 3:57:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DBH,

Try putting your ISP's DNS server setting on the external interface of the ISA Server.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to DBH)
Post #: 8
RE: Client setup - 15.Apr.2001 4:04:00 PM   
DBH

 

Posts: 14
Joined: 2.Apr.2001
Status: offline
The external (dial-up) has the DNS IP's of my ISP. The ISA machine does not have a problem accessing internet resources.

[This message has been edited by DBH (edited 15 April 2001).]


(in reply to DBH)
Post #: 9
RE: Client setup - 16.Apr.2001 4:12:00 PM   
isafan

 

Posts: 31
Joined: 29.Mar.2001
Status: offline
cstephany,

SNAT does not use a client per se. SNAT clients are machines that are simply configured with their default gateway as the internal NIC on ISA. Doing that should allow all allowed traffic to pass, FTP, HTTP, the whole deal. The port (like 8080) should only come into play when config'ing the proxy settings manually in the browser. At least, that's been our experience.

DBH,

As long as you have the protocols allowed, the ISA accessing the net, and the client(s) set up with their default gateway as the internal NIC of the ISA server, there is no reason that it should not work that I can see. On Win2K have you tried FTP? If not, try a command-line FTP session to ftp.microsoft.com.


isafan


(in reply to DBH)
Post #: 10
RE: Client setup - 16.Apr.2001 8:26:00 PM   
DBH

 

Posts: 14
Joined: 2.Apr.2001
Status: offline
ftp does not work either. No traffic will get out from the client.

I have the client set up with the default gateway and DNS pointing to the ISA internal adaptor IP.

I have added a protocol rule to allow all.
Response to client request = Allow, Apply this rule to = All IP traffic, Use this schedule = Always, Apply the rule to requests from = Any request.

I really need to get this online and have only installed ISA, oh, maybe a dozen times. Any suggestions are appreciated!

Thanks, DBH


(in reply to DBH)
Post #: 11
RE: Client setup - 16.Apr.2001 9:06:00 PM   
cstephany

 

Posts: 11
Joined: 13.Apr.2001
Status: offline
DBH,

What proxy settings do you put in the browser to get it to work? What message are you getting in the browser when it fails? Does the LAT have the correct entries for the internal network?

cstephany


(in reply to DBH)
Post #: 12
RE: Client setup - 16.Apr.2001 9:26:00 PM   
DBH

 

Posts: 14
Joined: 2.Apr.2001
Status: offline
I've stripped this down to a two machine network. ISA server is 192.168.0.1 the client is 192.168.0.100. The LAT is 192.168.0.0-192.168.0.255. The client can browse the internet if I set the browser to use a proxy server at 192.168.0.1 port 8080. The message I get when the proxy is not defined in the browser is "the page cannot be displayed".

Thanks, DBH


(in reply to DBH)
Post #: 13
RE: Client setup - 16.Apr.2001 9:44:00 PM   
cstephany

 

Posts: 11
Joined: 13.Apr.2001
Status: offline
Sounds like ISA is blocking port 80 for web access, since you're able to connect when you use port 8080 in the browser's proxy settings.

I'm a newbie at ISA myself and not sure what you haven't got covered in the rules you've set up for the ISA server. You said you set up a Site and Content rule, Protocol Rule, and Packet for all IP traffic. If I were able to get to my server right now I might be of more help.

cstephany


(in reply to DBH)
Post #: 14
RE: Client setup - 16.Apr.2001 11:42:00 PM   
isafan

 

Posts: 31
Joined: 29.Mar.2001
Status: offline
DBH,

Out of curiosity, why do you not want to use the web cache on ISA? It's good, and fast. In general I'd say that it's best to have it on (using the web proxy settings in the browser).

I did experiment on a 2K Pro machine to make sure it works and it does.

I wonder if port 80 TCP is being blocked somehow. It should not be though with your protocol filter.

The really odd thing is that you said it worked when you set up the proxy settings in the browser, but FTP would not work.

Just for kicks, try disabling that protocol filter and making a new one. Set that up for "selected protocols" and select all the HTTP and FTP protocols listed, apply it, and make sure it's running. Stop and start the ISA services (cache, firewall, and download I believe), then try connecting again. First from ISA itself, then from the client.

I'm curious to see what happens after that.


isafan.


(in reply to DBH)
Post #: 15
RE: Client setup - 17.Apr.2001 1:16:00 AM   
cstephany

 

Posts: 11
Joined: 13.Apr.2001
Status: offline
Isafan,

Are you saying that if the browser setting is not set to manual on port 8080 that the client is not using the web caching functionality of ISA?


(in reply to DBH)
Post #: 16
RE: Client setup - 17.Apr.2001 12:53:00 PM   
Guest
I have this same problem.

Clients can browse with proxy setting, but trying SNAT, nothing works ok.

I put the ISA server IP in the default gateway. With this, I suppose that I can ping Internet IPs from the clients, use ICQ, mail, etc. But the only thing that works is browsing, and only using proxy settings.

Making a tracert from the clients shows that the ISA server is not responding to SNAT. It fails in the first step, that will be the ISA server reply.

Is there any special task to configure ISA to allow SNAT?

P.S.: Sorry for my bad English.


(in reply to DBH)
  Post #: 17
RE: Client setup - 17.Apr.2001 1:48:00 PM   
DBH

 

Posts: 14
Joined: 2.Apr.2001
Status: offline
quote:
Originally posted by Juanjo:
I put the ISA server IP in the default gateway. With this, I suppose that I can ping Internet IPs from the clients

If your clients can ping out to the internet, you are doing better than I am. But it is encouraging to hear that I'm not the only one with this problem.

-DBH


(in reply to DBH)
Post #: 18
RE: Client setup - 17.Apr.2001 4:43:00 PM   
isafan

 

Posts: 31
Joined: 29.Mar.2001
Status: offline
cstephany,

Yes, it is my understanding that when using a full blown SNAT connection you are bypassing the web caching functionality of ISA. This makes sense too, since ISA's web proxy is set up to handle web req.'s on port 8080, but the browser makes them on 80 by default unless you tell it otherwise, which w/o the web proxy settings in the browser, you are not. ISA is simply allowing all traffic that you configured it to allow to get out from SNAT clients.

I could be wrong about this, but I'm pretty sure I'm not. Perhaps Tom or somebody could chime in here.

DBH,

Have you tried my suggestions at all?

As to the question about doing anything to allow SNAT clients, I'm pretty sure there is not, but I will look into it now.


isafan


(in reply to DBH)
Post #: 19
RE: Client setup - 17.Apr.2001 5:31:00 PM   
juanjo

 

Posts: 4
Joined: 17.Apr.2001
Status: offline
No, I CAN'T ping out the internal network. I can ping the ISA server and browse the Internet using the ISA proxy.

But I don't want to configure a proxy, I want to do SNAT to reduce client configuration. Yes, I really know that I lose the web cache, but this is not a problem for me.

The internal NIC has an internal IP with no default gateway and the external NIC has an external internet IP (ADSL) with default gateway. The ISA server has full Internet access, but SNAT is still not working.


(in reply to DBH)
Post #: 20
