Websurfing from the ISA-server 2004 on the DMZ?
Websurfing from the ISA-server 2004 on the DMZ? - 5.May2007 6:23:00 AM
skalman
Posts: 3
Joined: 5.May2007
Status: offline
We have an ISA 2004 (Windows 2003 Server, Std) on one of our DMZs that we need to open sometimes for surfing (Windows Update etc). We have a rule that allows all outbound traffic with these parameters:

Action: Allow
Protocols: All Outbound Traffic
From/Listener: Local Host
To: External
Condition: All Users

We always receive this error:

Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)

What could be wrong and how do we solve this?

PS. Our Internal Network is configured with this address range: 0.0.0.1-126.255.255.255 and 128.0.0.0-255.255.255.254. And we have only ONE (1) single NIC.
< Message edited by skalman -- 5.May2007 6:27:22 AM >
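One thing worth checking against the numbers in the first post, as an added example that is not part of the original thread and not Microsoft's code: in ISA 2004 the External network is whatever address space is left after every other network has been defined. The script below takes the Internal range list exactly as posted, reports which network a given destination address falls into, and counts how many addresses remain for External. The destination 203.0.113.10 is an RFC 5737 documentation address used as a stand-in for a public web server; the Local Host network and the system policy are deliberately not modelled.

```python
import ipaddress

# Internal network definition as quoted in the first post (single-NIC ISA 2004).
INTERNAL_RANGES = "0.0.0.1-126.255.255.255 and 128.0.0.0-255.255.255.254"

IPV4_SPACE = 2 ** 32


def parse_ranges(text):
    """Parse an ISA-style 'start-end and start-end' list into (start, end) integer pairs."""
    pairs = []
    for part in text.split(" and "):
        start, end = (s.strip() for s in part.split("-"))
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"range {part!r} runs backwards")
        pairs.append((lo, hi))
    return pairs


def classify(address, internal_ranges=INTERNAL_RANGES):
    """Return 'Internal' if the address lies in a defined Internal range, otherwise 'External'.

    ISA 2004 defines the External network as every address that belongs to no other
    defined network; the Local Host network (the server's own addresses) is ignored here.
    """
    value = int(ipaddress.IPv4Address(address))
    for lo, hi in parse_ranges(internal_ranges):
        if lo <= value <= hi:
            return "Internal"
    return "External"


def external_address_count(internal_ranges=INTERNAL_RANGES):
    """Number of IPv4 addresses left over for External once Internal is defined."""
    covered = sum(hi - lo + 1 for lo, hi in parse_ranges(internal_ranges))
    return IPV4_SPACE - covered


def rule_would_match(rule_destination, address, internal_ranges=INTERNAL_RANGES):
    """True if an access rule whose 'To' network is rule_destination can match traffic to address."""
    return classify(address, internal_ranges) == rule_destination


if __name__ == "__main__":
    # Constructed sample destinations: an RFC 5737 documentation address standing in for
    # a public web server, and a private address.
    for dest in ("203.0.113.10", "10.0.0.5"):
        print(dest, "->", classify(dest),
              "| rule 'To: External' matches:", rule_would_match("External", dest))
    print("addresses available to External:", external_address_count())
```

With the posted ranges, a public destination is classified as Internal, so an access rule with `To: External` never matches it; the only addresses left for External are 0.0.0.0, the 127.0.0.0/8 loopback block and 255.255.255.255. Pass a different range string as `internal_ranges` to check a multi-NIC definition the same way.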
RE: Websurfing from the ISA-server 2004 on the DMZ? - 14.May2007 8:46:34 AM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
I have to wholeheartedly agree with you. This company is at great risk when the "gurus" are so poorly informed about network security. It might be good to consider getting some new "gurus" who use fact-based analysis and decision making -- the company will benefit and the hackers and attackers won't have such an easy time compromising your network. Right now, I suspect the "hardware" firewalls have already been breached. Good luck! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Websurfing from the ISA-server 2004 on the DMZ? - 23.May2007 6:08:56 PM
adabicee
Posts: 30
Joined: 20.Aug.2004
Status: offline
Don't you hate it when you have a serious problem and you keep getting posts about irrelevant things? ISA is a great product and it seems like it gets better with every release. But if someone doesn't want to make it an edge firewall I totally understand. At the end of the day it is still running on a server that you, or some dude, "hardened" that is a Microsoft OS. The occasional exploit is pointed out to Microsoft.... Anyways, I think you might have some luck if you look under your Firewall rules and check the System Policy. I think there is something there that will allow or deny access from Local Host to the Internet. Good luck. :)
RE: Websurfing from the ISA-server 2004 on the DMZ? - 25.May2007 8:34:24 AM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
In fact, there have been NO occasions where anyone got to tell MS about an exploit in the 2004 or 2006 ISA Firewall. Compare that to the dreaded PIX/ASA -- the ASA is a security nightmare and I wouldn't touch it with a ten-foot pole (or barge pole for you Brits) :) Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Websurfing from the ISA-server 2004 on the DMZ? - 25.May2007 9:54:52 AM
skalman
Posts: 3
Joined: 5.May2007
Status: offline
Thanks adabicee, I've checked the System Policies and found that all the Microsoft Windows Update sites were allowed - but it still doesn't work.

When I use Windows Update I get the following result after approx 1 minute:

----------------------------------------------------------------------------------
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
For self-help options:
- Frequently Asked Questions
- Find Solutions
- Windows Update Newsgroup
For assisted support options:
- Microsoft Online Assisted Support (no-cost for Windows Update issues)
Read more about steps you can take to resolve this problem (error number 0x80072EFD) yourself.
----------------------------------------------------------------------------------

Any more ideas???
RE: Websurfing from the ISA-server 2004 on the DMZ? - 25.May2007 1:03:12 PM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
quote:
Don't you hate it when you have a serious problem and you keep getting posts about irrelevant things

Please forgive me but I can't stop posting another irrelevant one. The irrelevant posts started from an irrelevant comment:

quote:
our network gurus do not trust Microsoft for this

It does not matter when you make a wrong statement as long as you give an argument for it. We learn all the time from mistakes. I have not seen any such argument but only an opinion, and since this is an open forum, if someone makes an affirmation then it is open to everybody to discuss it.

quote:
At the end of the day it is still running on a server that you, or some dude "hardened" that is a Microsoft OS. The occasional exploit is pointed out to Microsoft....

It is something usual these days to come and hit Microsoft even without a reason. But please take a look at the rest. Trust is something achieved by fact. Just look at how Cisco secured VPN Access and Wireless LANs using proprietary protocols. In this chapter Microsoft is an angel and its fault is that it is "too RFC compliant". Maybe some updated ciphers would be useful, to be truly honest. ISA 2004 has no exploits, which is a huge achievement which cannot be contested with "feelings" and "opinions". Please read this to understand ISA's architecture. One of my favourite comments was made by Radia Perlman some time ago:

quote:
people are "large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations." (Network Security: Private Communication in a Public World)

At the end of the day how secure your Windows is, is more a matter of education and knowledge and less a Microsoft matter. Windows by default, like ISA too, has numerous security features. It is up to you to use them properly and not let some "dude" or "guru" do the job. If so then don't blame the product.

Now regarding using ISA with one NIC. My comment, and I guess Tom had the same intention, was related to getting the maximum protection for your network. This means that if the Risk Management was the job of the same "guru" and was not based on Asset Identification and Valuation, Threat Assessment (quantitative assessment and qualitative assessment) and penetration tests, also taking into consideration the uncertainty factor, but rather on "feelings", you might have a "little" problem. If at the end, after doing all these, the "guru" who also handles the Residual Risk Management concludes that the residual risk is only he knows how and that the network only needs ISA as a proxy device, well, if he actually completed all these steps, then he is right. But I have doubts that he actually did all these. Maybe I am wrong. If so please excuse me and ignore me. Best regards!
RE: Websurfing from the ISA-server 2004 on the DMZ? - 25.May2007 5:18:59 PM
adabicee
Posts: 30
Joined: 20.Aug.2004
Status: offline
It's great that everyone knows so much about how secure or insecure ISA is, except no one knows how to fix this guy's problem? I only made a statement that ISA sits on a Microsoft OS that you have to harden and maintain. Your ability to do this will determine how effective your firewall is. (I agree with the amount of NICs and the effectiveness of ISA.) Anyways, I would forget Windows Update for a second (they require quite a few sites to be allowed, a list can be found here). Go into your System Policy and your allowed destination sets and test out some other random site (maybe??) and see if that will work for you, or if you get the same error.