Welcome to ISAserver.org

ISA 2006 as a router and firewall/proxy

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> General >> ISA 2006 as a router and firewall/proxy

Page: [1]

Message

<< Older Topic Newer Topic >>

ISA 2006 as a router and firewall/proxy - 28.Aug.2008 5:09:56 AM

DaveMorfee

Posts: 11
Joined: 24.Jun.2008
Status: offline

Current Setup

We have ISA 2000 running on Win 2000 with SurfControl 5.0.

The standard user has a default gateway of 10.97.4.100 which forwards all internet traffic to our ISA server which is 10.99.61.52 where traffic is routed and filtered by SurfControl. The users have the proxy server ISASRV set in Internet Explorer.

Now the 4 people in tech support we have our default gateway set to 10.99.61.52 and with no proxy server setup in Internet Explorer, this allows us to bypass the proxy and Surfcontrol meaning we are not blocked on anything.

New Setup

However we are now needing to migrate over to ISA 2006 on Windows 2003 server.

As the previous setup the standard user has the same setup, just the ISA server is now on 10.99.61.53 not 10.99.61.52. This has been tested and now working quite happily.

The problem we are now having is with the tech support section. We need to somehow get routed through the ISA server but bypassing the proxy, now I can sort of get that to work, but it still filters us

Any options to get round this?

Thanks

Dave

Post #: 1

Featured Links*

RE: ISA 2006 as a router and firewall/proxy - 28.Aug.2008 11:24:40 AM

pwindell

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

First:
It is impossible to "bypass" the proxy when the proxy is physically in the way

In the old system the users who set the DFG to the ISA (10.99.61.52) were still using the ISA,...they just weren't using the Web Proxy Service which is where SurfControl interacts.

Moral of the story,....SecureNAT cannot authenticate and must use anonymous Rule,...lessons,...don't have anonymous rules on the ISA and you won't have SecureNAT Clients.

On the new setup. ISA2006 is not as loose with the SecureNAT Clients and passes them through the Web Proxy Service where Surfcontrol is probably getting in the way. For the Tech Supp People have a different device used for a Default Gateway that does not involve the ISA.

The other option is to configure SurfControl to properly handle the situation and just run the Tech People through it like everyone else.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to DaveMorfee)

Post #: 2

RE: ISA 2006 as a router and firewall/proxy - 3.Sep.2008 4:23:44 PM

poiuy

Posts: 50
Joined: 20.Oct.2005
Status: offline

I have a computer group set up for the IT computers that have a different rule set to allow an unrestricted and unlogged connection on port 80. I also have another ruleset for common network protocols for that same group.

All other computers run through another rule that allows internet access but restricts sites and downloads.

I see no reason to be using seperate gateways. I also assume that you are on a single subnet network.

_____________________________

poiuy the Nemisis of qwerty

(in reply to pwindell)

Post #: 3

RE: ISA 2006 as a router and firewall/proxy - 3.Sep.2008 5:04:49 PM

pwindell

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

Sounds good to me.
Having that rule "unlogged" should keep it out of Sufcontrols "view".

_____________________________

Phillip Windell
www.wandtv.com

(in reply to poiuy)

Post #: 4

RE: ISA 2006 as a router and firewall/proxy - 4.Sep.2008 4:01:29 AM

DaveMorfee

Posts: 11
Joined: 24.Jun.2008
Status: offline

Hi,

Thanks for your advice.

Could you tell me the details of the rule you have created just for future reference, as we have found an old Cisco 2600 router which now does the Tech Support and our server :)

Cheers

Dave

(in reply to pwindell)

Post #: 5