Controlling Web Access

Controlling Web Access - 6.Nov.2009 2:56:55 AM   
bobmorris

 

Posts: 9
Joined: 17.Oct.2009
Status: offline
I have set up an ISA server 2006 (ISA) on Win2003 SP1 with the Web Proxy (single network card) template. The sole purpose of this is to control Internet access times for different user groups. The edge of the LAN is protected by a PIX. Another server (XS) hosts Exchange Server 2003. This is dual-homed and has one NIC connecting to the PIX and the other connected to the LAN. At present this server also runs NAT for the rest of the LAN. This works fine and I don't want to mess with it.

The ISA server has been given its default gateway as the internal IP address of XS. Logged in locally one can ping external networks and browse the web from ISA.

I have set up the default firewall rule denying all access from Internal to External. As a start I have configured a firewall rule which allows all users from Internal to access all networks in External at all times.

On a client browser (IE) I tick Automatically detect settings and point the proxy server to the address of ISA.

Nothing doing, the client won't connect. Once I can get this step OK I can configure more sensible rules then disable NAT on XS, but until I can I can't go any further. Grateful for ideas what's wrong.

Regards Bob
Post #: 1
RE: Controlling Web Access - 6.Nov.2009 11:55:28 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Bob,

When you install ISA as a single NIC, it does not have the concept of External Network, but Internal and LocalHost.

In your access rule you should specify Internal as source and destination. Also, you have to leave the IP ranges that ISA provided when choosing the Single-NIC template.

For more info: http://technet.microsoft.com/pt-br/library/cc302586(en-us).aspx

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)
Post #: 2
RE: Controlling Web Access - 6.Nov.2009 11:25:44 PM   
bobmorris

 

Posts: 9
Joined: 17.Oct.2009
Status: offline
Paulo,

Thanks for your reply. Yes, I saw this TechNet article and tried it (though the concept of internal to internal didn't make much sense to me). Unfortunately I got exactly the same results: no throughput.

Any other ideas?

Best Regards
Bob

(in reply to paulo.oliveira)
Post #: 3
RE: Controlling Web Access - 7.Nov.2009 7:58:39 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Bob,

Have you configured your ISA Internal Network definition like this:

  • 0.0.0.0
  • 255.255.255.255
  • 224.0.0.0-254.255.255.255 (multicast)
  • 127.0.0.0-127.255.255.255

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)
Post #: 4
RE: Controlling Web Access - 7.Nov.2009 9:23:55 AM
bobmorris

Posts: 9
Joined: 17.Oct.2009
Status: offline
I think so, but I'll look again Monday and post further. Thanks.
Bob

(in reply to paulo.oliveira)
Post #: 5
RE: Controlling Web Access - 7.Nov.2009 9:36:01 AM
paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Bob,

It is worth mentioning that when you select the ISA Single-NIC template, ISA populates the Internal Network definition with these networks.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)
Post #: 6
RE: Controlling Web Access - 9.Nov.2009 3:47:54 AM
bobmorris

Posts: 9
Joined: 17.Oct.2009
Status: offline
It's working now, I was pointing IE on the test client at port 80 not 8080. Fixing this made it work.

I've configured the firewall access rule as source Internal and destination Internal and yes it works. I just wish I could understand why!

Thanks very much for your help.

Bob

(in reply to paulo.oliveira)
Post #: 7
RE: Controlling Web Access - 9.Nov.2009 2:57:23 PM
paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Bob,

Glad it worked.

About ISA Networks model:

quote:

Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer itself.

Source: http://technet.microsoft.com/pt-br/library/cc302586(en-us).aspx#UnsupportedScenarios

You can also read this article: http://www.isaserver.org/articles/2004isafirewallnetworks.html

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bobmorris)
Post #: 8
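
A small model of the single-adapter network classification quoted in the post above, showing why an Internal-to-External rule never matches while Internal-to-Internal does. This is an added example, not part of the thread and not ISA Server's own code; the ISA address, the client and web server addresses and the rule names are constructed, and the broadcast and multicast exclusions are left out for brevity.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address of the ISA computer's single NIC (assumption).
ISA_ADDRESSES = {ipaddress.ip_address("192.168.1.10")}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def network_of(addr: str) -> str:
    """Classify an address the way the single-adapter template does."""
    ip = ipaddress.ip_address(addr)
    if ip in ISA_ADDRESSES or ip in LOOPBACK:
        return "Local Host"
    # There is no External network: every other address is Internal.
    return "Internal"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    source: str       # network name, or "*" for any
    destination: str  # network name, or "*" for any


DEFAULT_DENY = Rule("Default rule", "deny", "*", "*")


def evaluate(rules, client: str, target: str):
    """Return (action, rule name) for the first rule matching the request."""
    src, dst = network_of(client), network_of(target)
    for rule in list(rules) + [DEFAULT_DENY]:
        if rule.source in ("*", src) and rule.destination in ("*", dst):
            return rule.action, rule.name


# The rule from the first post, then the rule that worked.
ORIGINAL = [Rule("Allow web", "allow", "Internal", "External")]
CORRECTED = [Rule("Allow web", "allow", "Internal", "Internal")]

if __name__ == "__main__":
    client, web_server = "192.168.1.50", "203.0.113.20"  # constructed samples
    print(network_of(client), "->", network_of(web_server))
    print("original :", evaluate(ORIGINAL, client, web_server))
    print("corrected:", evaluate(CORRECTED, client, web_server))
```

Because the Internet web server is classified as Internal, the original rule's External destination matches nothing and the request falls through to the default deny rule.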
