Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

No internet without proxy configuration

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> General >> No internet without proxy configuration Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
No internet without proxy configuration - 11.May2007 1:50:48 PM   
Gnash

 

Posts: 1
Joined: 11.May2007
Status: offline 		I'm new at ISA this is my first install. I already searched the forums but no luck :(
I made a clean install of ISA 2006.  Everything is configured, http/https access, DNS and so on.  But my clients do not have internet by default.  If I configure the clients browser to use ISA as proxy, internet works.  But my boss doesn't want this type of configuration.  All the nics have fixed IPs and the the default gateway of each points to the  IP of the internal ISA nic.  The ISA has internet but it only worked when I added a rule from host to external.  I've read through a bunch of articles that seemed similar but no luck on the solution.  Also, the clients can't ping the ISA for some reason.  And they did before the installation.  ISA can ping them though.  It's driving me crazy since every article I read says that this is automatic on installation, and that the proxy config you have to add. But it seems the total opposite in my case.  Thanks for your help
Post #: 1
RE: No internet without proxy configuration - 11.May2007 3:38:49 PM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: Gnash

I'm new at ISA this is my first install. I already searched the forums but no luck :(
I made a clean install of ISA 2006.  Everything is configured, http/https access, DNS and so on.  But my clients do not have internet by default. 

By Default, Nothing is allowed to pass through ISA Server , everything is denied by the default rule !! you then have to open rules and protocols u need.

quote:

If I configure the clients browser to use ISA as proxy, internet works.

This type of clients is called Web Proxy Client.
There are three types of clients:
  1. Firewall CLients
  2. Web Proxy CLients
  3. SecureNat CLients


quote:

 But my boss doesn't want this type of configuration.  All the nics have fixed IPs and the the default gateway of each points to the  IP of the internal ISA nic. 


So your boss wants the 3rd type, SecureNat Clients ( clients having ISA Server their default gateway )

quote:

The ISA has internet but it only worked when I added a rule from host to external. 

The ISA Server machine is considered a Network by itself, thats why its called LocalHost

quote:

I've read through a bunch of articles that seemed similar but no luck on the solution.  Also, the clients can't ping the ISA for some reason.  And they did before the installation.  ISA can ping them though. 


ISA Server is a Firewall, you expect a firewall would allow other machines to ping it  ??
This is a natural behaviour !! There is Something called, System Policy , read this to have a clear idea : http://www.isaserver.org/tutorials/Editing-ISA-2004-system-policy-Part1.html


If you have any question after this , i 'll be around

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to Gnash)
Post #: 2
RE: No internet without proxy configuration - 12.May2007 9:36:51 AM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline 		Tarek,
You seem to have addressed every issue except the SecureNAT problem he is having.  Coincidentally, I am having the exact same issue. After a fresh installation of ISA 2006, my clients are unable to access the internet without proxy configuration.  Their default gateway is the internal NIC of ISA server.   With proxy information entered, they are able to access the internet, same as the above poster.  So we both obviously have access rules in place.  Any ideas? Thanks in advance for your assistance.  You and Tom are great resources for information on ISA server.
Adam

< Message edited by AdamB2K4 -- 12.May2007 9:40:14 AM >

(in reply to elmajdal)
Post #: 3
RE: No internet without proxy configuration - 12.May2007 11:21:03 AM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline 		Hi Adam,

Thanks.

Do you have an internal DNS Serve ?? does it forward requested to external DNS Severs ? ( ISP DNS ) , read this for more info : http://elmajdal.net/isaserver/Internal_DNS_Forwarding.aspx

What about your rules on ISA ? and the NICs settings ?

Tarek

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to AdamB2K4)
Post #: 4
RE: No internet without proxy configuration - 12.May2007 8:37:46 PM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline 		During my test, the internal (Active Directory) DNS server was set to forward external requests to the ISA server, and I allowed the ISA server to resolve those requests on behalf of it.  The SecureNAT client was resolving DNS correctly.  However, the page would not ever be displayed unless I configured the proxy information.  I used the default rule that allowed unlimited access to all users. So there were only 2 firewall rules.  First one to allow unlimited access to all users.  Second rule deny all.  NIC configurations were all correct.  For ISA: Internal NIC had no gateway.  External NIC was configured with a gateway.  For client: Gateway was ISA.

< Message edited by AdamB2K4 -- 12.May2007 8:39:14 PM >

(in reply to elmajdal)
Post #: 5
RE: No internet without proxy configuration - 13.May2007 3:40:42 AM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline 		Hi,

quote:

  During my test, the internal (Active Directory) DNS server was set to forward external requests to the ISA server, and I allowed the ISA server to resolve those requests on behalf of it.

how did u do that ??


quote:

For ISA: Internal NIC had no gateway.  External NIC was configured with a gateway.  For client: Gateway was ISA.

an ipconfig /all will give us more info

< Message edited by elmajdal -- 13.May2007 3:41:43 AM >

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to AdamB2K4)
Post #: 6
RE: No internet without proxy configuration - 13.May2007 12:35:12 PM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline 		When the forwarder is set to the IP of the ISA server, and the ISA server policy allows DNS from local host to all networks, then the ISA server resolvs the forwarded requests from the AD DNS server without an issue.  Nslookup on the client verifies this functionality works.  

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WORKSTATION1
Primary Dns Suffix  . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local
Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connecti
on
    Physical Address. . . . . . . . . : 00-08-02-BD-FA-24
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 10.16.11.50
    Subnet Mask . . . . . . . . . . . : 255.255.254.0
    Default Gateway . . . . . . . . . : 10.16.10.3
    DHCP Server . . . . . . . . . . . : 10.16.10.2
    DNS Servers . . . . . . . . . . . : 10.16.10.2
    Primary WINS Server . . . . . . . : 10.16.10.2
    Lease Obtained. . . . . . . . . . : Thursday, May 10, 2007 8:20:32 PM
    Lease Expires . . . . . . . . . . : Friday, May 18, 2007 8:20:32 PM

AD DNS is 10.16.10.2 and ISA Server is 10.16.10.3

Maybe the DNS forwarding configuration is the issue.  Even though the securenat clients are successfully able to resolve dns, maybe ISA server just simply doesn't like this configuration. I will configure it as indicated in your instructions and let you know if there is any change.

Thanks for your time,
Adam

< Message edited by AdamB2K4 -- 13.May2007 12:55:38 PM >

(in reply to elmajdal)
Post #: 7
RE: No internet without proxy configuration - 13.May2007 12:46:53 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Can internal clients resolve Internet host names?

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to AdamB2K4)
Post #: 8
RE: No internet without proxy configuration - 13.May2007 12:49:51 PM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

When the forwarder is set to the IP of the ISA server, and the ISA server policy allows DNS from local host to all networks, then the ISA server resolvs the forwarded requests from the AD DNS server without an issue

Does your ISA Server have a Cache DNS Installed on it ??
NO... Then why your are forwarding requests from your Internal DNS to it ?

Your Internal DNS should forward requests to your ISP DNS Server, for the 2nd time , read this : http://elmajdal.net/isaserver/Internal_DNS_Forwarding.aspx

and regarding the IPConfig /all , i need it on your ISA, to see the NICs config

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to AdamB2K4)
Post #: 9
RE: No internet without proxy configuration - 13.May2007 12:56:15 PM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline
quote:

ORIGINAL: tshinder

Can internal clients resolve Internet host names?

Tom


Yes

(in reply to tshinder)
Post #: 10
RE: No internet without proxy configuration - 14.May2007 8:32:34 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Adam,

I noticed that you're using a /23 mask instead of /24.

There's nothing wrong with that, but I notice you also use the dreaded .local TLD, which indicates a pretty unsophisticated approach to networking. So, I'm wondering if you should be using a /24 mask instead.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to AdamB2K4)
Post #: 11
RE: No internet without proxy configuration - 15.May2007 8:04:47 AM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline 		In my organization, new users don't have the ability to send/receive outside e-mail by default.  The .local domain makes this configuration much easier to administer. Additionally, domain names and subnet masks have absolutely nothing to do with one another.  I found your comment to be quite insulting.  My approach to networking happens to be very sophisticated, and I had a lot more respect for you until you said that. 

< Message edited by AdamB2K4 -- 15.May2007 8:31:18 AM >

(in reply to tshinder)
Post #: 12
RE: No internet without proxy configuration - 15.May2007 9:53:02 AM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline 		I'm curious, though, what is supposedly so "dreaded" about using .local? 

(in reply to AdamB2K4)
Post #: 13
RE: No internet without proxy configuration - 16.May2007 10:39:40 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Because sophisticated networks using a split DNS infrastructure. I've written extensively on this topic. I never use illegal TLDs for this reason. Makes life easier for the admins and provides a superior expereince for users.

The intent was not to be insulting, but is the result of observing network designs over the last ten years.

The ISA Firewall should be configured to use a single DNS server, and that DNS server should be listed on the internal interface. The internal interface should be placed on the top of the list of the interface in the Advanced configuration dialog box in the Network Connections window.

A rule allowing outbound DNS from the DNS server to External is required.

The DNS server must use the ISA Firewall's internal IP address as its default gateway.

Use the diagnostics tab on your DNS server to see if it can successfully perform recursive queries. It should fail when you're using forwarders, as you should disable recursion when forwarders are being used.

Use nslookup on the DNS server to see if it can resolve Internet host names. If that fails, remove the forwarders and configure the DNS server to use recursion.

Check the ISA Firewall's log file to see what is happening when the DNS server sends outbound DNS queries.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to AdamB2K4)
Post #: 14
RE: No internet without proxy configuration - 20.May2007 11:42:23 AM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline
quote:

Because sophisticated networks using a split DNS infrastructure. I've written extensively on this topic. I never use illegal TLDs for this reason. Makes life easier for the admins and provides a superior expereince for users.  The intent was not to be insulting, but is the result of observing network designs over the last ten years.


Nonetheless it WAS insulting.  I've never read your articles on this subject, and to be honest I don't care.  I have my own reasons for using a 23 bit mask and a .local domain extension.  I've been designing and administering entire network infrastructures from the ground up for 15+ years.   I don't need to explain why I use either of them, since they are both irrelevant to the situation.  And you shouldn't assume that I am "unsophisticated" based on the little information you know about my network.   And I do use a split DNS infrastructure.  I don't see how you came to the conclusion that I did not.  In fact, to assume that one is unsophisticated in networking based on a subnet mask and a domain name, kind of makes YOU look unsophisticated.

quote:

The ISA Firewall should be configured to use a single DNS server, and that DNS server should be listed on the internal interface. The internal interface should be placed on the top of the list of the interface in the Advanced configuration dialog box in the Network Connections window.


The internal interface on my ISA server is configured to point to my Active Directory DNS server.  My ISP is dynamic, and so my external interface must be set for automatically obtain.  There is no way to remove the DNS server address from the WAN interface unless I specify a different one.  I don't suspect that this has anything to do with why SecureNAT isn't working.  If I configure the client as a web proxy client, there is no problems.  This same configuration worked on ISA 2000 without any issues.

quote:

A rule allowing outbound DNS from the DNS server to External is required.


I have 2 rules.  1) Allow all access, all protocols, all users, from internal to external.  2) Deny all.  This is only to test SecureNAT in my environment.  I do not plan on leaving the access rule like this.  I say this so you don't assume I am unsophisticated again.  As previously noted, when configured as web proxy, the client can access the internet.  As a securenat client, it cannot.

quote:

The DNS server must use the ISA Firewall's internal IP address as its default gateway.


It does, as does every other computer and server on the network. 

quote:

Use the diagnostics tab on your DNS server to see if it can successfully perform recursive queries. It should fail when you're using forwarders, as you should disable recursion when forwarders are being used.


I am using forwarders, and recursion is disabled, but the DNS server still passes the recursion test.  FYI there is no diagnsotic tab in Windows DNS Server management.  There is a monitoring tab and this is what I used to perform the test.

quote:

Use nslookup on the DNS server to see if it can resolve Internet host names. If that fails, remove the forwarders and configure the DNS server to use recursion.


The DNS server is able to resolve all internet host names.

quote:

Check the ISA Firewall's log file to see what is happening when the DNS server sends outbound DNS queries.


The firewall log shows the securenat client initiating a connection, but that is it.  The client receives a "Page cannot be displayed" error. However, I have verified the client is able to resolve DNS using nslookup on the client.  Also pinging any internet address from the client resolves the address correctly.  Even after ipconfig flushdns.

Some useful information maybe: When configured as a web proxy client, the session is listed as "securenat" in the monitoring window of ISA 2006.

NEW PROBLEMS: I am also unable to create a user set.  I have edited the system policy to allow active directory authentication between ISA server and my AD servers.  However, when I attempt to add a user or group to a user set, it fails with an error "RPC Server is Unavailable". What is unusual about this is that the ISA server is able to enumerate a list of users and groups from active directory using the advanced/find buttons.  But when I select a user or group, it fails with the RPC error.

I am also seeing Event 1053 in the system log every time I try to do this. The error says that the windows cannot determine the computer or user name. 

I would appreciate some constructive suggestions as to what might be causing these issues, rather than an analysis of my networking skills.  Is it at all possible that there is a bug in ISA 2006 where securenat does not function properly after installing on top of Windows 2003 Standard R2 SP2? 

< Message edited by AdamB2K4 -- 20.May2007 3:08:08 PM >

(in reply to tshinder)
Post #: 15
RE: No internet without proxy configuration - 21.May2007 4:22:07 PM   
cbuechler

 

Posts: 23
Joined: 20.Feb.2006
Status: offline 		Tom really needs to get off his high horse with the "don't use .local" stuff. It's been recommended on Microsoft's site in the past (may still be), and if you Google you'll find where multiple other Microsoft MVP's have recommended it. It's not "technically" reserved, but it was proposed in a RFC that expired before getting approved, and will never actually be used on the public Internet. Apple uses .local for Bonjour, which is enough to guarantee it'll never be a valid Internet domain because no OS X machine would be able to resolve those names. I've passed 17 MCP exams and I believe a number of those depicted .local TLD's in some questions.

If I recall, MS SBS even uses a .local TLD by default. *gasp* Obviously Microsoft doesn't feel it's nearly as terrible an idea as Tom does, nor do numerous other MVP's.

Personally I'd rather not use .local, but I've seen a ton of networks running that way (most also having split DNS for their Internet domain) and it's absolutely not any indication of the competency of the admins. I've also seen plenty of AD networks using domains registered in public DNS that were a complete disaster, to put it nicely.

Adam: I'll actually try to answer your question (at least the part I've run into) rather than question your competence. The AD-related errors you're getting, watch your firewall logs at the same time you get those messages. I've had to open some additional ports from ISA to DC's that the system policy does not open out of the box. It's been a while since I've done that, and it was on ISA 2004, so I don't recall the specific details, but just make sure the traffic from ISA to your DC's isn't getting blocked.

(in reply to AdamB2K4)
Post #: 16
RE: No internet without proxy configuration - 21.May2007 7:50:29 PM   
AdamB2K4

 

Posts: 26
Joined: 9.Jan.2004
From: New York
Status: offline 		Thanks Chris for explaining that. I appreciate it very much. I did check the logs and low and behold the ISA server was trying to communicate with DC over port TCP port 1026.  It turns out this is what was causing the RPC failure. Everything seems to be working good now.  I came from ISA 2000 and, to say the least, I am extremely happy with the ability to remap ports with ISA 2006.  While I've solved my problem with authentication, I still am unable to get securenat to work with a web browser.  Though it seems to work with any other application.  For example, on my DNS server, there is no problem resolving DNS with securenat. But if I try to open a web browser, it's no go unless I plug the proxy address in.

< Message edited by AdamB2K4 -- 21.May2007 7:52:43 PM >

(in reply to cbuechler)
Post #: 17
RE: No internet without proxy configuration - 22.May2007 9:29:55 PM   
cbuechler

 

Posts: 23
Joined: 20.Feb.2006
Status: offline 		Yeah, now that I look back at the system I was speaking of earlier, TCP 1026 was indeed the port in question. I believe that became a requirement in 2003 SP1.

As to your secure NAT issue, I don't use secure NAT on any of my ISA installs so I have no idea what the problem there may be.

(in reply to AdamB2K4)
Post #: 18
RE: No internet without proxy configuration - 30.May2007 10:21:35 PM   
ma77smith

 

Posts: 8
Joined: 24.May2007
Status: offline 		 
Hi Folks, did anyone get to a solution for this problem - I'm having exac the thing happening. ISA 2006 setup fine (or appears so), rules and NICs look ok, clients can nslookup any internet domain fine but get a page cannot be displayed when trying to connect to a website. I put the proxy info in IE (isaserver:8080) and I can browse fine, I have noticed though it doesn't follow any of the rules then - for example I can ftp, msn messenger and anything else.

The firewall is W2K3 std in workgroup as an edge firewall (soon to be joined to domain after reading article on this site) , two NICs

I would appreciate a quick response on this as I need to get is working ASAP

Thanks ppl


(in reply to cbuechler)
Post #: 19
RE: No internet without proxy configuration - 31.May2007 10:29:02 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Smith,

When Web proxy clients work (and Firewall clients too) and SecureNAT clients don't, it most likely indicates a DNS issue on the SecureNAT client. The SecureNAT client needs to resolve names itself, in contrast to Firewall and Web Proxy clients, where the ISA Firewall resolves the names for them.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ma77smith)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> General >> No internet without proxy configuration Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts