Welcome to ISAserver.org

Controlling Web Access

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Web Proxy] >> Unihomed >> Controlling Web Access

Page: [1]

Message

<< Older Topic Newer Topic >>

Controlling Web Access - 6.Nov.2009 2:56:55 AM

bobmorris

Posts: 9
Joined: 17.Oct.2009
Status: offline

I have set up an ISA server 2006(ISA) on Win2003 Sp1 with the Web Proxy (single network card) template. The sole purpose of this is to control Internet access times for different user groups. The edge of the LAN is protected by a PIX. Another server(XS) hoste Exchange Server 2003. This is dual homed and has one NIC connecting to the PIX and the other connected to the LAN. At present this server also runs NAT for the rest of the LAN. This works fine and I don't want to mess with it.

The ISA server has been given its default gateway as the internal IP address of XS. Logged in locally one can ping external networks and browse the web from ISA.

I have setup the default firewall rule denying all access from Internal to External. As a start I have configured a firewall rule which allows all users from Internal to access all networks in External at all times.

On a client browser (IE) I tick Automatically detect settings and point the proxy server to the address of ISA.

Nothing doing, the client wont connect. Once I can get this step OK I can configure more sensible rules then disable NAT on XS, but until I can I cant go any further. Grateful for
ideas what's wrong.

Regards Bob

Post #: 1

Featured Links*

RE: Controlling Web Access - 6.Nov.2009 11:55:28 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi Bob,

when you install ISA as a single NIC, it does not have the concept of External Network, but Internal and LocalHost.

In your access rule you should specify Internal as source and destination. Also, you have to leave the IP ranges that ISA provided by ISA when choosing Single-NIC template.

For more info: http://technet.microsoft.com/pt-br/library/cc302586(en-us).aspx

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)

Post #: 2

RE: Controlling Web Access - 6.Nov.2009 11:25:44 PM

bobmorris

Posts: 9
Joined: 17.Oct.2009
Status: offline

Paolo,

Thanks for your reply. Yes I saw this Technet article and tried it, (though the concept of internal to internal didn't make much sense to me). Unfortunately I got exactly the same results-no throughput.

Any other ideas?

Best Regards
Bob

(in reply to paulo.oliveira)

Post #: 3

RE: Controlling Web Access - 7.Nov.2009 7:58:39 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi Bob,

have you configured your ISA Internal Network definition as this:

0.0.0.0

255.255.255.255

224.0.0.0-254.255.255.255 (multicast)

127.0.0.0-127.255.255.255

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)

Post #: 4

RE: Controlling Web Access - 7.Nov.2009 9:23:55 AM

bobmorris

Posts: 9
Joined: 17.Oct.2009
Status: offline

I think so but I'll look again Monday and post further.Thanks.
Bob

(in reply to paulo.oliveira)

Post #: 5

RE: Controlling Web Access - 7.Nov.2009 9:36:01 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi Bob,

it worth to mention when you select ISA Single-NIC template, ISA populates the Internal Network definition with these networks.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)

Post #: 6

RE: Controlling Web Access - 9.Nov.2009 3:47:54 AM

bobmorris

Posts: 9
Joined: 17.Oct.2009
Status: offline

It's working now, I was pointing IE on the test client at port 80 not 8080. Fixing this made it work.

I've configured the firewall access rule as source Internal and destination Internal and yes it works. I just wish I could understand why!

Thanks very much for your help.

Bob

(in reply to paulo.oliveira)

Post #: 7

RE: Controlling Web Access - 9.Nov.2009 2:57:23 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi Bob,

glad it worked.

About ISA Networks model:

quote:

Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer itself.

Source: http://technet.microsoft.com/pt-br/library/cc302586(en-us).aspx#UnsupportedScenarios

You can also read this article: http://www.isaserver.org/articles/2004isafirewallnetworks.html

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)

Post #: 8