Welcome to ISAserver.org

Upgrade from 2000 to 2004 issues

Upgrade from 2000 to 2004 issues - 14.Dec.2006 11:20:37 AM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
Hello all,

I have a client who just upgraded from ISA to 2004. Here is the scenario she sent me.

I already configured the new server and installed ISA 2004 on the box with all service packs. I thought I could just rename the new ISA box to the old ISA and save me a lot of changing around. I would also keep the IPs the same as the old one. We tried the configuration yesterday. Dropped old proxy - deleted name from AD, then brought new ISA up with the exact same settings as its predecessor. I was able to go out to the internet NOT using the Proxy (which you should not be able to do) and I could see all network computers and AD - but I could not ping the proxy and no one was able to go outside the internet. Any ideas on how to resolve this? P
Post #: 1
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 12:33:40 PM   
elmajdal

 

Posts: 5103
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
She said:
quote:

I was able to go out to the internet NOT using the Proxy (which you should not be able to do)
and then
quote:

and no one was able to go outside the internet


Was she able to go to the internet or not? And from where? On ISA server itself or from the Internal Network?

By default when ISA 2004 is installed, all terms of communications are blocked using the default deny rule.

We do not know anything about her clients' type (SecureNAT, web proxy, firewall) and we don't know anything about ISA server configuration and Access Rules.

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to PatrickPinto)
Post #: 2
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 2:32:52 PM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
I am very sorry for not providing more info. Her clients are web proxy clients.

She is saying they can get out to the internet without any proxy settings defined, but when she does define them it does not work.

She has also set a rule to allow everything.

(in reply to PatrickPinto)
Post #: 3
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 2:35:44 PM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
Also, she provided this as stated in my last post

Clients are web proxy - everybody is pointed to the Proxy for internet access through port 80.

(in reply to PatrickPinto)
Post #: 4
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 2:43:49 PM   
elmajdal

 

Posts: 5103
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

she is saying they can get out to the internet without any proxy settings defined but when she does define them it does not work

This might be because she has a rule set as follows:

Allow > All Outbound > From Internal >To External > All Users
 
The All Users condition allows all clients behind ISA to surf the net.
Her clients' default gateway is set as ISA Internal NIC IP, right?


quote:

  
clients are web proxy -everybody is pointed to the Proxy for internet access through port 80

 
The default proxy port # in ISA is 8080. She can change it as she wishes later, but for now let her configure the proxy with 8080 and try.


(in reply to PatrickPinto)
Post #: 5
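A way to check from a client which port actually answers as a web proxy (80 versus the 8080 mentioned above), as an added example that is not part of the thread. The function names and the 127.0.0.1 stub listener are constructed for the demonstration; against a real server, pass its internal address and the port to test.

```python
import socket
import threading
from urllib.parse import urlsplit

def probe_web_proxy(host, port, url="http://example.com/", timeout=3.0):
    """Send one proxy-style request (absolute URI) and classify the result."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("closed", None)            # nothing listening on this port
    except OSError:
        return ("unreachable", None)       # timeout, filtered, no route
    with sock:
        request = (f"GET {url} HTTP/1.1\r\nHost: {urlsplit(url).netloc}\r\n"
                   "Proxy-Connection: close\r\n\r\n")
        try:
            sock.sendall(request.encode("ascii"))
            line = sock.recv(1024).split(b"\r\n", 1)[0].decode("latin-1")
        except OSError:
            return ("no-http-reply", None)
    fields = line.split()
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        return ("no-http-reply", None)     # port is open but not speaking HTTP
    return ("http-reply", int(fields[1]))  # e.g. 200 served, 407 auth required

def start_stub_listener(status_line):
    """Constructed stand-in for a proxy listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(status_line.encode("ascii") + b"\r\nContent-Length: 0\r\n\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Port number with nothing listening (bound briefly, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    listening = start_stub_listener("HTTP/1.1 407 Proxy Authentication Required")
    for label, port in (("stub listener", listening), ("unused port", unused_port())):
        print(label, port, probe_web_proxy("127.0.0.1", port))
```

A "closed" result on the port the browsers are pointed at, next to an "http-reply" on another port, means the clients are configured for the wrong listener port.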
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 3:34:07 PM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
This might be because she has a rule set as follows:

Allow > All Outbound > From Internal >To External > All Users
 
The ALL Users  condition allows all clients behind ISA to surf the net.
her clients default gateway is set as ISA Internal NIC IP right ?


What should she change it to then? instead of all users then??

(in reply to elmajdal)
Post #: 6
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 3:37:51 PM   
elmajdal

 

Posts: 5103
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: PatrickPinto

This might be because she has a rule set as follows:

Allow > All Outbound > From Internal >To External > All Users
 
The ALL Users  condition allows all clients behind ISA to surf the net.
her clients default gateway is set as ISA Internal NIC IP right ?


What should she change it to then? instead of all users then??


Please answer the following:

1- She needs only web proxy clients to be able to surf the internet?

2- Does she have a Domain in her network, and is ISA joined to the domain?

3- Is the firewall client installed on the clients?


(in reply to PatrickPinto)
Post #: 7
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 3:48:33 PM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
just web proxy clients should be able to surf

they are not using the isa client

will find out about the workgroup

(in reply to elmajdal)
Post #: 8
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 3:51:32 PM   
elmajdal

 

Posts: 5103
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
So she does not have a domain in her LAN.
Let her read this: http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

so she finds out what she is losing without joining ISA to a domain.

Without a domain:
1- You will need to configure each machine one by one; in each machine, configure the proxy to point to ISA internet NIC IP : port 8080

2- Then she has to clone the username and password on ISA server and on each client machine!!

< Message edited by elmajdal -- 14.Dec.2006 3:53:40 PM >



(in reply to PatrickPinto)
Post #: 9
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 3:56:13 PM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
No, I'm sorry, I mistyped... I meant to say I will find out if she is on a domain or workgroup... I am not sure yet... just started working with her today.

I will find out and post back as soon as she fills me in.

(in reply to elmajdal)
Post #: 10
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 3:58:36 PM   
elmajdal

 

Posts: 5103
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
hope it will be a domain, her life will be easier ( and yours )


(in reply to PatrickPinto)
Post #: 11
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 4:03:20 PM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
Assuming she is on a domain, what steps would she need to take? (I am almost 100% it is a domain... the company is a rather large one.)

(in reply to elmajdal)
Post #: 12
RE: Upgrade from 2000 to 2004 issues - 14.Dec.2006 4:13:50 PM   
elmajdal

 

Posts: 5103
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
I have an important question which needs to be answered before going further.

Her ISA server has 2 NICs? (1 External & 1 Internal) or else?

This is an essential issue: ISA Server is a firewall, so ISA needs at least 2 NICs to have it fully functional.


(in reply to PatrickPinto)
Post #: 13
RE: Upgrade from 2000 to 2004 issues - 15.Dec.2006 6:03:57 AM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
Yup... two NICs... one external and one internal... also here is some more info:

DNS Server is running on Proxy - listens on both interfaces (external/internal)
No forwarders
BIND secondaries
Enable round robin
Enable netmask ordering
Secure cache against pollution - all these boxes are checked.

(in reply to PatrickPinto)
Post #: 14
RE: Upgrade from 2000 to 2004 issues - 15.Dec.2006 9:02:11 AM   
elmajdal

 

Posts: 5103
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

DNS Server is running on Proxy - listens on both interfaces (external/internal)
No forwarders
BIND secondaries
Enable round robin
Enable netmask ordering
Secure cache against pollution - all these boxes are checked.


No no no, that's not how ISA Interfaces are set up, check this: http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

And you need to have an internal DNS server that forwards to an external DNS server: http://www.petri.co.il/configure_dns_forwarding.htm


(in reply to PatrickPinto)
Post #: 15
RE: Upgrade from 2000 to 2004 issues - 18.Dec.2006 9:30:05 AM   
PatrickPinto

 

Posts: 57
Joined: 5.Oct.2005
Status: offline
Elmajdal,

Angie posted in another topic but I thought I would post it here for you to review:

I'm in the process of upgrading the old 2000 standard ISA/proxy to 2004. AD domain. New box was configured with the same settings as the old box (external NIC - internal NIC) - dropped old box from domain and brought new box up, with same name and same internal and external IP address.

Problem:

I was able to surf the net WITHOUT using the Proxy settings - as soon as I checked Proxy settings in IE - no internet. I can see all internal computers and servers though.

I figured nothing had to be changed, since I basically brought up what already existed.

I chose the basic template. What am I missing here? (sorry - newbie to 2004)

(old box was set up to use the proxy as a gateway for all internal communication to get out to the internet and it's using port 80)

(in reply to elmajdal)
Post #: 16
