I know it's not the best solution to run single nic but for the intent of the message please help.
I have installed the product: ISA Server 2006 / win2k r2 sp2, in a domain as a member server.
Single NIC setting
IP: 192.168.133.123
SUB: 255.255.255.0
GATE: 192.168.178.41 ( upstream proxy perimeter firewall )
Networks
Internal
192.168.133.0 - 192.168.133.255 ( isa server + int dns are on this subnet )
192.168.178.0 - 192.168.178.255 ( upstream proxy is on another subnet )

RULES
-------
Create ISA network object
Allow ISA Server all protocols outbound to Internal Network - all users

RESULTS
-----------
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)

CHANGE RULE
----------------------
Allow ISA server all protocols outside to EXTERNAL + INTERNAL

RESULT: Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.

NSlookup shows resolution of external address by contacting internal DNS - GOOD
Query shows default rule blocking access

NOTES
--------
I've adjusted the rules many times it just keeps blocking it.

QUERY RESULT
------------------
I see the "GET" command and it says source network: Local HOST Destination NETWORK: EXTERNAL!!!!
I dunno guys, I got this working at home with a simple Linksys router as the upstream firewall, but all clients were on the same subnet.
If you have an idea let me know .. p.s. -> all of the setup from scratch is via RDP
< Message edited by kyle_Blake -- 23.Jul.2007 6:31:42 PM >
From: Lebanese in Kuwait
Be informed that with a Single NIC ISA Server, there is nothing called External Network !!
Your rules should be From : Internal , To : Internal
Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.
ISA is good at being a web proxy with one nic.. I just don't understand how your upstream firewall is supposed to work so I can't offer a specific suggestion. I'm not saying they need to change it, I just don't understand yet.
For instance.. how do you get to the web now if they block outbound access to :80? How is your browser configured, where does your default gateway point, etc?
Am I misunderstanding what you are asking or are you asking that ISA send requests out on port 8080? If that's the case, then it won't work unless the hosts you are connecting to on the other end are accepting connections on that port. If you want to restrict users to only having Internet access via the proxy server then configure the firewall to only allow port 80 access from the IP address of your ISA server. That will control the outbound flow for internet web access.
If I have misunderstood your request and you want ISA to listen on port 8080, that configuration can easily be made via the snap-in.
Well I used some tcpip tools to help determine how many hops.
tracert 192.168.178.41
Tracing route to 192.168.178.41 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 192.168.133.254 [ branch router ]
2 5 ms 3 ms 3 ms 192.168.229.253
3 16 ms 15 ms 13 ms 192.168.178.41
So it appears the traffic is getting routed just fine with the default gateway of the isa box set for the upstream proxy instead of branch router.
I'm back to thinking it's a rule on their firewall/proxy.