Welcome to ISAserver.org
Simple Proxy and Access Rules
Simple Proxy and Access Rules - 14.Aug.2007 10:00:13 AM
justinblat
Posts: 1
Joined: 14.Aug.2007
Status: offline
I have a fairly simple network set up in VMware, with an ISA 2006 box running DHCP/DNS, and a couple of clients. The ISA box has two NICs, with one facing the outside world, and the other serving the internal clients via NAT. I would like the clients on this network to be forced to use ISA as a proxy server, meaning they cannot circumvent the proxy server to get out to the internet. Under the networks tab, I have "Enable Web Proxy client connections" checked, HTTP is enabled over 8080. This all makes sense to me, and appears to work. Where it all goes wrong is the configuration of the access rules in the firewall policy. Do I need one rule that allows HTTP from the internal network to the external network? Or do I need two rules, one that allows for HTTP to the proxy (localhost) and one from proxy to the external network? I have tried both, with poor results. If I create a rule allowing HTTP from internal to external, the proxy works, but users can get around it. If I go with the two-rule option, I get errors from the proxy server, giving me Access Denied for the URL. Am I missing something?
RE: Simple Proxy and Access Rules - 14.Aug.2007 1:16:35 PM
p057080n
Posts: 26
Joined: 7.Jun.2007
Status: offline
quote:
ORIGINAL: justinblat
I have a fairly simple network set up in VMware, with an ISA 2006 box running DHCP/DNS, and a couple of clients. The ISA box has two NICs, with one facing the outside world, and the other serving the internal clients via NAT. I would like the clients on this network to be forced to use ISA as a proxy server, meaning they cannot circumvent the proxy server to get out to the internet. Under the networks tab, I have "Enable Web Proxy client connections" checked, HTTP is enabled over 8080. This all makes sense to me, and appears to work. Where it all goes wrong is the configuration of the access rules in the firewall policy. Do I need one rule that allows HTTP from the internal network to the external network? Or do I need two rules, one that allows for HTTP to the proxy (localhost) and one from proxy to the external network? I have tried both, with poor results. If I create a rule allowing HTTP from internal to external, the proxy works, but users can get around it. If I go with the two-rule option, I get errors from the proxy server, giving me Access Denied for the URL. Am I missing something?

You only need one rule for HTTP access: from the internal network to the external. If you'd like to add more networks, you do not need to make a separate policy for each one, you just add on to the same one unless you want to change limitations.

If your users can get around the ISA box, then that means you do not have the networks separate. For example, if you had a small office of 10 users and your connection to the internet was one DSL modem, and before all they were connected to was a 10 port basic DSL router connected straight to the DSL modem, you need to replace the router and put in the ISA box so it's ONLY connected to the ISA box in this manner:

Internet < DSL Modem < ISA box < Extra router if necessary < all your end users

Otherwise they'll find a way around the ISA box like they have been doing to get out to the net.
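A check to run from an internal client after changing the rules, added here as an example and not part of either post: it probes a direct connection to an external web server on port 80 and a fetch through the Web Proxy listener on 8080, then reports which of the outcomes discussed in the thread applies. The function names and the verdict labels are assumptions made for this sketch; the proxy and target hosts are supplied by whoever runs it.

```python
import socket
import sys
import urllib.error
import urllib.request


def direct_egress_open(host, port=80, timeout=3.0):
    """True if a TCP connection straight to host:port succeeds (no proxy)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def proxy_fetch_ok(proxy_host, proxy_port, url, timeout=5.0):
    """True if the proxy listener returns a non-error response for url."""
    proxy = urllib.request.ProxyHandler(
        {"http": f"http://{proxy_host}:{proxy_port}"})
    opener = urllib.request.build_opener(proxy)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, OSError):
        # HTTPError (an error status such as an access-denied page) is a
        # URLError subclass, so a denying proxy lands here.
        return False


def verdict(direct_open, proxy_ok):
    """Map the two probe results onto the outcomes discussed in the thread."""
    if direct_open:
        return "BYPASS"    # clients can reach the web without the proxy
    if proxy_ok:
        return "ENFORCED"  # web access works only through the proxy
    return "BLOCKED"       # neither path works (e.g. the proxy denies the URL)


if __name__ == "__main__":
    # Usage: python check.py <proxy_host> <external_host>
    # Port 8080 is the Web Proxy port mentioned in the question.
    proxy_host, target = sys.argv[1], sys.argv[2]
    direct = direct_egress_open(target, 80)
    proxied = proxy_fetch_ok(proxy_host, 8080, f"http://{target}/")
    print(f"direct={direct} proxied={proxied} -> {verdict(direct, proxied)}")
```

Run it from a machine on the internal network, not from the ISA box itself, so the probes take the same path the clients do.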