Welcome to ISAserver.org


WEB MARSHAL

WEB MARSHAL - 7.Sep.2007 9:22:48 AM   
sheldondsouza

 

Posts: 8
Joined: 7.Sep.2007
Status: offline
Hi,
This is my very first post here and I hope my problem will be resolved. Not sure which category to put this under.


My company recently installed ISA 2006 and created rules for internet access. We have 2 network cards, for internal and external. Everyone connects to ISA and then passes to the internet. However, despite putting in a good firewall, the download far exceeded and our bill has come to a lot for a couple of months.
Recently my friend told me about WebMarshal and its ability to monitor and restrict traffic.

There were 2 options:

When WebMarshal is installed on the same server as Microsoft's Internet Security and Acceleration (ISA) Server 2004, it can be installed either as a Web
Filter plugin on ISA Server or with its own proxy server, chained to ISA Server.
I followed the ISA plugin one with Windows NT Authentication. But which method is better, the plugin or using the WebMarshal proxy chained to ISA Server?
-------------------------------------------------------------------------------------------------------------------------------------------------------------


Configuring ISA Server 2004
ISA Server 2004 must be installed before you install WebMarshal. Confirm ISA is working correctly with the default configuration before making any changes.
For use with WebMarshal it is necessary to ensure that ISA Server is configured as follows:
Create a New User Set that contains all of the domain users or groups that will be permitted to access the internet through WebMarshal.
In the ISA Management Console under Firewall Policy select the 'Toolbox' tab located on the right hand side and select 'Users' to see the default User Sets
already created.
Click 'New' and give your New User Set a name. (For this example we will use 'Internet Users').
For Users click 'Add - Windows users and groups'.
Type the name of the Active Directory Users Group you want to add to the New User Set and then click 'Next'. (For this example we will use 'Domain Users').
Complete the New User Set Wizard by clicking 'Finish'.
Create a New Access Rule that permits the new User Set you created above (Internet Users) to browse the Internet. The rule must specifically refer to the
'Internet Users' user set - do not use the 'All Users' user set. The following steps explain how to create the appropriate New Access Rule.
In the ISA Management Console under Firewall Policy select the 'Task' tab located on the right hand side.
Select 'Create New Access Rule'.
Give the rule a name and then click 'Next'.
Select 'Allow' for Rule Action and then click 'Next'.
For Protocols, on the menu change selection from 'All outbound traffic' to 'Selected Protocol'.
Click 'Add', expand the 'Web' folder and add 'FTP', 'HTTP' and 'HTTPS' then click 'Close' and then 'Next'.
For Access Rule Sources click 'Add', expand the 'Networks' folder and add the 'Internal' network then click 'Close' and then 'Next'.
For Access Rule Destinations click 'Add', expand the 'Networks' folder and add the 'External' network then click 'Close' and then 'Next'.
For User Sets, remove the 'All Users' user set and then click 'Add', add the User Set 'Internet Users', and click 'Next'.
Complete the New Access Rule Wizard by clicking 'Finish'.

Configure ISA Server for remote SQL Database access
If you want WebMarshal to use a SQL database server on the internal network, enable the ISA System Policy rule "Allow remote SQL logging from ISA Server to
selected servers."

Configuring ISA Server 2004 for updates
By default ISA server does not allow Web access from the local host. If you are using any additional modules that require internet updates, you must set up
ISA server firewall policy to allow the updates. These modules include the MarshalFilter and SmartFilter URL lists, as well as McAfee for Marshal, PestPatrol
for Marshal, CounterSpy for Marshal, and other supported virus scanning software.
These instructions document a firewall policy that allows local users to browse through ISA.
Enable Web Proxy access from the Local Host
########
In the ISA Management Console under Configuration > Networks select the 'Network' tab located on the right hand side.
In the list, double-click 'Local Host'.
On the Web Proxy tab, select 'Enable WebProxy Clients'.
Click 'Authentication'. Ensure that 'Basic' is selected and select 'Require all users to authenticate'.
########
Create a New Access Rule that permits the new User Set you created above (Internet Users) to browse through the ISA proxy from the Local Host.
In the ISA Management Console under Firewall Policy select the 'Task' tab located on the right hand side.
Select 'Create New Access Rule'.
Give the rule a name and click 'Next'.
Select 'Allow' for Rule Action and click 'Next'.
For Protocols, on the menu change selection from 'All outbound traffic' to 'Selected Protocol'.
Click 'Add', expand the 'Web' folder and add 'FTP', 'HTTP' and 'HTTPS' then click on 'Close' and then 'Next'.
For Access Rule Sources click 'Add', expand the 'Networks' folder and add the 'Local Host' network, then click 'Close' and then 'Next'.
For the Access Rule Destinations click 'Add', expand the 'Network Sets' folder and add the 'All Networks' set, then click 'Close' and then 'Next'.
For User Sets, remove the 'All Users' user set and then click 'Add', add the User Set 'Internet Users' and click 'Next'.
Complete the New Access Rule Wizard by clicking 'Finish'.

Apply changes to ISA policy.
Configure the proxy settings on the scanner updaters to use localhost port 8080 with an allowed user credential.

Installing WebMarshal
Run the WebMarshal installation program and follow the online instructions (for more information refer to the WebMarshal User Guide). During the setup, when
asked if running Microsoft ISA Server or whether to install the built-in WebMarshal proxy server, select the option 'I want to plug into Microsoft ISA Server
using Windows NT Authentication'.
When you run the WebMarshal console you will need to configure the NT Connector and import a NT user group(s) that include the same users as the User Set you
created above in the ISA Server 2004 configuration (Internet Users). The following steps explain how to do this.
In the WebMarshal Console under Policy Elements select 'Connectors' and double-click on the 'NT:' connector.
Provide the logon credentials to be able to browse the Active Directory and click 'Test' to test it. If successful click on 'OK'.
Under Policy Elements select 'User Groups' and click 'New User Group'.
Select 'Import a user group from a NT domain' and click 'Next'.
Type the name of the Active Directory User Group that you added in the 'Internet Users' user set in ISA Server 2004.
Click 'Finish' to complete the New User Group Wizard.
Note: WebMarshal must be installed on the same disk partition (drive letter) as ISA Server.
When WebMarshal is installed, the WebMarshal Filter will be installed in ISA Server. The WebMarshal Filter can be found in ISA Management under Configuration
> Add-Ins > Web Filters.
Configuring your Internet Browsers
Internet browsers should already be configured to point to ISA Server (note that the default port for outbound web requests on ISA Server is 8080). Because
WebMarshal is running as a Web Filter, there are no other configuration changes required on Internet browsers.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Did everything to the dot here and web access works for all the domain users and monitoring in WebMarshal takes place. We also have a SharePoint portal and some other intranet websites on other servers; the problem is that they are denied by the ISA server.
ISA server 2006 error "502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)"
In each browser I had to enter proxy 192.168.0.250 and port 8080 for internet access. If I bypass the proxy then I can visit the intranet sites.
I noticed in the WebMarshal configuration above, in the (###) area I commented, there have to be changes done in Local Host, which I did, but there is no such mention about the Internal network web proxy. What should I do here? Should I just clear the web proxy, or give basic authentication, or allow all users to authenticate? Don't know!!!! It's now set to Integrated.
SharePoint works fine on the server it is installed on. I can see Central Administration and the portal. I entered the proxy settings for SharePoint too, but no luck. What should I do to get the intranet sites unblocked? I don't want to ask the users to enter their credentials every time.

In ISA I'm not sure what access rules allow intranet sites. I did monitoring and noticed that access denied is shown when visiting intranet sites. The monitoring on ISA shows the same error 12202, and the user is shown as anonymous.

Please HELP.
Really desperate!!!
 
Post #: 1
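The post above reports that intranet sites load once the browser bypasses the proxy at 192.168.0.250:8080. As an added example (not from this thread, which does not say what fix was eventually used), a proxy auto-config file can make that split per destination while keeping every unrecognised host behind ISA and the WebMarshal filter. The `.corp.example` suffix and the 192.168.0.0/24 internal range are assumptions.

```javascript
// Added example, not from the thread. Assumed values are marked below.
var PROXY = "PROXY 192.168.0.250:8080";   // ISA listener quoted in the post
var INTRANET_SUFFIX = ".corp.example";    // hypothetical internal DNS suffix
var INTERNAL_NET = "192.168.0.0";         // assumed internal subnet
var INTERNAL_PREFIX = 24;                 // assumed prefix length

// Dotted-quad literal -> unsigned 32-bit integer, or null when the string is
// not a strict IPv4 literal (so "192.168.0.5.evil.test" never matches).
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True only for IPv4 literals inside INTERNAL_NET/INTERNAL_PREFIX.
function inInternalNet(host) {
  var ip = ipv4ToInt(host), net = ipv4ToInt(INTERNAL_NET);
  if (ip === null) return false;
  var size = Math.pow(2, 32 - INTERNAL_PREFIX);
  return Math.floor(ip / size) === Math.floor(net / size);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, "");  // normalise case, trailing dot
  // Single-label names ("sharepoint") only resolve on the LAN. Requiring a
  // leading letter keeps integer-style hosts such as "134744072" proxied.
  if (/^[a-z][a-z0-9-]*$/.test(host)) return "DIRECT";
  // Suffix match anchored on the dot, so "evilcorp.example" does not qualify.
  if (host.slice(-INTRANET_SUFFIX.length) === INTRANET_SUFFIX) return "DIRECT";
  if (inInternalNet(host)) return "DIRECT";
  // Default: anything not positively identified as internal stays filtered.
  return PROXY;
}
```

The bypass conditions are deliberately narrow: a loose match such as a plain substring test on the host name would let external sites skip the filter.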
RE: WEB MARSHAL - 10.Sep.2007 2:24:36 AM   
sheldondsouza

 

Posts: 8
Joined: 7.Sep.2007
Status: offline
Problem solved. Posted on WebMarshal and got the solution.

(in reply to sheldondsouza)
Post #: 2
RE: WEB MARSHAL - 11.Sep.2007 6:13:59 PM   
elmajdal

 

Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Hi,

Thanks for the follow up.

Was it solved by a hotfix, or a newer build?

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to sheldondsouza)
Post #: 3
