Welcome to ISAserver.org
Single NIC SETUP ISA 2006 on Win2k3 R2 SP2
Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 23.Jul.2007 6:22:33 PM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
Hi guys,

I know it's not the best solution to run single NIC, but for the intent of the message please help.

I have installed the product:

ISA Server 2006 / Win2k R2 SP2, in a domain as a member server

Single NIC setting
IP: 192.168.133.123
SUB: 255.255.255.0
GATE: 192.168.178.41 (upstream proxy perimeter firewall)

Networks
Internal
192.168.133.0 - 192.168.133.255 (ISA server + int DNS are on this subnet)
192.168.178.0 - 192.168.178.255 (upstream proxy is on another subnet)

RULES
-------
Create ISA network object
Allow ISA Server all protocols outbound to Internal Network - all users

RESULTS
-----------
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)

CHANGE RULE
----------------------
Allow ISA server all protocols outside to EXTERNAL + INTERNAL

RESULT:
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.

TESTS
--------
NSlookup shows resolution of external address by contacting internal DNS - GOOD
Query shows default rule blocking access

NOTES
--------
I've adjusted the rules many times; it just keeps blocking it.

QUERY RESULT
------------------
I see the "GET" command and it says source network: Local HOST, Destination NETWORK: EXTERNAL!!!!

I dunno guys, I got this working at home with a simple Linksys router as the upstream firewall, but all clients were on the same subnet.

If you have an idea let me know...

p.s. -> all of the setup from scratch is via RDP
< Message edited by kyle_Blake -- 23.Jul.2007 6:31:42 PM >
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 11:45:06 AM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
Ok, the timed-out gateway error appears to be authentication. Out of the box this thing should be able to use "AD" to authenticate.

1 4519 573 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. 0x0 0x0 Web Proxy Filter 7/24/2007 8:38:17 AM 192.168.133.162 192.168.133.123 8080 http Denied Connection KYLE Internal anonymous Internal GET http://store.summitracing.com/egnsearch.asp?N=700+115+304554&D=304554
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 11:50:08 AM
|
|
|
elmajdal
Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
|
Be informed that with a Single NIC ISA Server, there is nothing called External Network!!

Your rules should be From: Internal, To: Internal

quote:
Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.

source: http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx

HTH,
Tarek
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 11:56:46 AM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
I know. I read that all over the place, no external. I agree.

So what is with the authentication credentials not being passed on? Integrated is check marked.
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 12:08:11 PM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
I changed the authentication to BASIC. This prompted me for credentials. I checked the rule and the destination port of the GET command is PORT 80. Our upstream firewall does not ACCEPT traffic on PORT 80.

Can anyone tell me how to CHANGE ALL outgoing traffic HTTP + HTTPS from ISA TO PORT 8080?

Thank you!
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:37:19 PM
|
|
|
ferrix
Posts: 369
Joined: 16.Mar.2005
Status: offline
|
It sounds to me like you want to use ISA's web chaining feature, to forward the proxied traffic to another proxy afterwards. Or have I not understood your needs?
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:45:58 PM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
Yes, you are 1/2 right. I'd like a defence in depth approach. ISA in this install is not perimeter firewall, just a web proxy.

I found out some more information today. The upstream firewall is not a proxy but a firewall, it is not another ISA SERVER and is not controlled by me. I won't be able to configure any ISA arrays or change the upstream at this time.

I've contacted the upstream firewall group regarding this issue and perhaps they have to make an exception for incoming proxy traffic from my specific IP.

Do you think I'm on the right track here?!
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:48:05 PM
|
|
|
ferrix
Posts: 369
Joined: 16.Mar.2005
Status: offline
|
If the upstream fw is not a proxy, then "changing connections" to 8080 won't do you any good; there will be nothing upstream to "change" them back. You need to find out what the correct way is to pass web traffic to/around/through the upstream, and then configure your ISA accordingly.
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:59:01 PM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
This better not involve another NIC in ISA or changing network infrastructure, I hope. Ok, thanks for your help. I'll let you know, but I get a feeling that unless the upstream fw gets changed to or configured to be a true proxy, then ISA in the way I need it to work downstream will not work. Ok thanks
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 5:00:57 PM
|
|
|
ferrix
Posts: 369
Joined: 16.Mar.2005
Status: offline
|
It "better not" huh? ;) ISA is good at being a web proxy with one nic.. I just don't understand how your upstream firewall is supposed to work so I can't offer a specific suggestion. I'm not saying they need to change it, I just don't understand yet. For instance.. how do you get to the web now if they block outbound access to :80? How is your browser configured, where does your default gateway point, etc?
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 8:36:16 AM
|
|
|
bill7746
Posts: 3
Joined: 22.Jul.2007
Status: offline
|
Am I misunderstanding what you are asking or are you asking that ISA send requests out on port 8080? If that's the case, then it won't work unless the hosts you are connecting to on the other end are accepting connections on that port. If you want to restrict users to only having Internet access via the proxy server then configure the firewall to only allow port 80 access from the IP address of your ISA server. That will control the outbound flow for internet web access. If I have misunderstood your request and you want ISA to listen on port 8080, that configuration can easily be made via the snap-in.
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 11:55:57 AM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
Hi. I think you hit the nail on the HEAD: DEFAULT GATEWAY / INFRASTRUCTURE

We have a class "C" network, 255.255.255.0 (no DHCP).

The normal way to access the internet is for the client to be configured as (we have 13 network IDs):
a) for the upstream firewall 192.168.178.41:8080
b) each client is set to use the default gateway for the subnet

I think the problem may lie in the fact that my ISA server is not in the same network ID as the upstream firewall. All other clients in our subnet have the default gateway set to the router of the branch. That's why internet works without ISA... the client looks at the IE proxy settings, says "oh this isn't on my local subnet", so it sends it to the normal router at the branch. The branch router says... "oh.... 178 network, send to this router", and then in that subnet with the IP address of 192.168.178.41 resides the internal facing firewall IP.

So how the heck is ISA in 192.168.133.123 supposed to route traffic to 192.168.178.41 when ISA server's default gateway is hard coded to 192.168.178.41? The gateway should be configured for ISA as follows: 192.168.133.254!

I think the only way is to move ISA server into the 192.168.178.x network and then it isn't a problem for TCP/IP to talk. This could answer my time out question.
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 11:59:42 AM
|
|
|
ferrix
Posts: 369
Joined: 16.Mar.2005
Status: offline
|
Well um.. you can't route traffic to a router that isn't on your subnet. Sounds like you have some basic network connectivity issues to work out and then you'll be all set.
|
|
|
|
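The on-link gateway rule ferrix states above, applied to the addresses quoted in this thread, as an added example that is not part of any post: a Python check (standard `ipaddress` module only) of whether a single-homed host's default gateway is a usable next hop. The function name and result keys are made up for illustration.

```python
import ipaddress

def check_host_routing(ip, mask, gateway, destination):
    """Apply the on-link next-hop rule to a single-homed host.

    Returns the host's network, whether the default gateway lies on it,
    the next hop chosen for `destination` (None when the host has no
    usable next hop), and a list of configuration findings.
    """
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    dst = ipaddress.ip_address(destination)

    findings = []
    if gw not in net:
        findings.append(f"default gateway {gw} is not on local subnet {net}")
    elif gw == iface.ip:
        findings.append("default gateway is the host's own address")
    elif gw in (net.network_address, net.broadcast_address):
        findings.append(f"default gateway {gw} is a reserved address of {net}")
    gateway_usable = not findings

    if dst in net:
        next_hop = str(dst)   # same subnet: delivered directly, no router
    elif gateway_usable:
        next_hop = str(gw)    # other subnet: handed to the default gateway
    else:
        next_hop = None       # off-subnet destination and no valid gateway
    return {"network": str(net), "gateway_on_link": gw in net,
            "next_hop": next_hop, "findings": findings}

if __name__ == "__main__":
    # Addresses as quoted in the thread: ISA host, mask, upstream on :8080
    ISA, MASK, UPSTREAM = "192.168.133.123", "255.255.255.0", "192.168.178.41"
    # First the gateway as originally set, then the branch router address
    for gw in ("192.168.178.41", "192.168.133.254"):
        print(gw, check_host_routing(ISA, MASK, gw, UPSTREAM))
```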
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 12:42:26 PM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
It struck me last night. I'm going to confirm my theory today.
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 26.Jul.2007 12:04:13 PM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
Well I used some tcpip tools to help determine how many hops.

tracert 192.168.178.41

Tracing route to 192.168.178.41 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 192.168.133.254 [ branch router ]
2 5 ms 3 ms 3 ms 192.168.229.253
3 16 ms 15 ms 13 ms 192.168.178.41

So it appears the traffic is getting routed just fine with the default gateway of the isa box set for the upstream proxy instead of branch router.

I'm back to thinking it's a rule on their firewall/proxy.
|
|
|
|
RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Sep.2007 4:27:55 PM
|
|
|
kyle_Blake
Posts: 10
Joined: 23.Jul.2007
Status: offline
|
Just to finish this topic off. I was correct that a single NIC proxy can only reside in one subnet. Making it routable through different subnets requires a DMZ setup. In my case two network cards. Thanks everyone.