• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

ISA2006 SP1 - HTTP traffic not connecting

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> Access Policies >> ISA2006 SP1 - HTTP traffic not connecting Page: [1]
Login
Message << Older Topic   Newer Topic >>
ISA2006 SP1 - HTTP traffic not connecting - 29.Apr.2009 5:24:55 AM   
blue

 

Posts: 7
Joined: 29.Apr.2009
Status: offline
Hi,

I have an ISA 2006 server which is a fresh install onto Windows 2003 Server SP2 32bit. The server is not in production because it is not able to connect normal windows clients (XP) to the internet via HTTP.

I can see on the Logging tab that other protocols are working fine including HTTPS - when I type https://mail.yahoo.com into the browser on a client machine it connects without any issue, but whenever I try ANY standard http connection it fails.

I am able to successfully perform nslookup commands on any external (and internal) address so it's not a name resolution issue. I am also able to run the "telnet www.google.com 80" command successfully on the ISA server.

The clients are configured to use the standard port 8080 to connect to the ISA server; it just seems that the ISA server is not able to translate the HTTP traffic correctly.

Any suggestions would be greatly appreciated as we are currently running on ISA 2000 and desperately want to migrate to the newer version.

Cheers,
Blue (seriously frustrated)
Post #: 1
RE: ISA2006 SP1 - HTTP traffic not connecting - 29.Apr.2009 7:50:43 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Blue,

how is configured your access rule?

Regards,
Paulo Oliveira.

(in reply to blue)
Post #: 2
RE: ISA2006 SP1 - HTTP traffic not connecting - 29.Apr.2009 8:25:19 AM   
blue

 

Posts: 7
Joined: 29.Apr.2009
Status: offline
Hi Paulo,
Thanks for the response.

There are two rules on the ISA server - the first rule is to Allow > All Outbound traffic > from Local Host and Internal (which includes all internal IP addresses) > to External > all content types > Always > All Users. The second rule is the default deny all.

I've tried a specific host rule from my test PC which just allows HTTP to External and I still cannot get access.

The server has two NIC's; one external and one internal.

(in reply to paulo.oliveira)
Post #: 3
RE: ISA2006 SP1 - HTTP traffic not connecting - 29.Apr.2009 8:29:43 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

is your ISA NICs configured like this: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Regards,
Paulo Oliveira.

(in reply to blue)
Post #: 4
RE: ISA2006 SP1 - HTTP traffic not connecting - 29.Apr.2009 8:47:29 AM   
blue

 

Posts: 7
Joined: 29.Apr.2009
Status: offline
Hi Paulo,

The NIC's are configured like the article except for two things - I've put DNS entries on both the interfaces and I've not disabled NetBIOS over the External interface. These two settings can easily be changed and I'll be able to test when I have an outage window this evening.

Thanks.

(in reply to paulo.oliveira)
Post #: 5
RE: ISA2006 SP1 - HTTP traffic not connecting - 29.Apr.2009 9:07:00 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
DNS should only exist on the internal adater and your internal DNS should be configured with forwarders. The NetBIOS disable is just part of the recommended NIC hardening and shouldn't affect anything outbound.

Can you check to ensure you http protocol has not had the Web Proxy filter unbound?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to blue)
Post #: 6
RE: ISA2006 SP1 - HTTP traffic not connecting - 29.Apr.2009 9:50:35 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
OK, let me know.

(in reply to blue)
Post #: 7
RE: ISA2006 SP1 - HTTP traffic not connecting - 30.Apr.2009 4:51:45 AM   
blue

 

Posts: 7
Joined: 29.Apr.2009
Status: offline
Thanks Paulo and Jason,

Unfortunately we didn't have an opportunity to test last night but are looking to do the testing tonight instead.

Regards, Blue

(in reply to paulo.oliveira)
Post #: 8
RE: ISA2006 SP1 - HTTP traffic not connecting - 5.May2009 4:15:04 AM   
blue

 

Posts: 7
Joined: 29.Apr.2009
Status: offline
Hi Paulo,

I'v made the changes but it's still not allowing out http traffic, all other protocols are still fine. Any other suggestions? Thanks.

Regards,
Blue

(in reply to paulo.oliveira)
Post #: 9
RE: ISA2006 SP1 - HTTP traffic not connecting - 5.May2009 2:13:33 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

what does ISA log tells you? Also, run ISABPA to check if there´s misconfigured settings.

Regards,
Paulo Oliveira.

(in reply to blue)
Post #: 10
RE: ISA2006 SP1 - HTTP traffic not connecting - 6.May2009 12:53:51 PM   
emills@lvccul.org

 

Posts: 5
Joined: 30.Apr.2009
Status: offline
The ISABPA is a great tool to find certain issues in the setup. Did you add the DNS protocol to the Array access rule for your Internet connection?
    I had a similar issue in my first attempt at the live configuration. Adding DNS, HTTP(s),FTP, to the internet access array rule allowed local DNS to interpret web traffic

(in reply to paulo.oliveira)
Post #: 11
RE: ISA2006 SP1 - HTTP traffic not connecting - 11.May2009 6:23:16 AM   
blue

 

Posts: 7
Joined: 29.Apr.2009
Status: offline
Thanks for the advice - yes I did allow DNS, in fact I became so frustrated that I changed to rule to allow all protocols and I was able to see the DNS requests on port 53 going to external destinations. 

(in reply to emills@lvccul.org)
Post #: 12
RE: ISA2006 SP1 - HTTP traffic not connecting - 13.May2009 11:57:55 AM   
blue

 

Posts: 7
Joined: 29.Apr.2009
Status: offline
Hi Paulo, the ISA server is now working. The issue was that the ISP have an upstream proxy and our HTTP traffic was being blocked by them. I phoned them on a number of occasions and only today did they mention that they had the upstream proxy was in place.

Thanks for all the assistance.

(in reply to paulo.oliveira)
Post #: 13

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> Access Policies >> ISA2006 SP1 - HTTP traffic not connecting Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts