Welcome to ISAserver.org
how is SecureNAT client bypassing ISA to reach Internet?

how is SecureNAT client bypassing ISA to reach Internet? - 11.Dec.2003 10:41:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Our network crashed on Monday. Before the crash, ISA was working correctly. All SecureNAT and Firewall clients had to use ISA to get to the Internet. Those without proxy server setup in the LAN settings in IE were denied access to the Internet.
After building a new router, implementing a brand new domain, and having to rejoin every computer on the network to the new domain, the ISA server doesn't have to be accessed for client computers to access the Internet. There doesn't have to be a proxy server (ISA server) entered in the LAN settings within Internet Options of IE for the clients to access the Internet.
Because of our crash and recreation of the network, is there a setting on the ISA that must be changed? Any help appreciated! [ December 12, 2003, 06:47 PM: Message edited by: asuh ]

RE: how is SecureNAT client bypassing ISA to reach Inte... - 12.Dec.2003 6:39:00 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi asuh,
Without knowing your internal network setup, my guess is that your router is performing NAPT. For ISA access control, you'd want to disable NAPT in the router, give the ISA Server's external interface a public IP address, and configure your clients to use the ISA Server's internal interface as their default gateway.
HTH,
Bill

RE: how is SecureNAT client bypassing ISA to reach Inte... - 12.Dec.2003 6:45:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Hi and thanks for your reply, Bill. Our clients are set up as SecureNAT and Web Proxy.
Our router is a Linksys and I don't see where NAPT can be enabled in the router.
I wanted to verify that there wasn't a way to bypass the ISA server for Internet connection so I shut the server down to try to access the Internet with IE and my verification was right, there's no way unless the ISA server is running.
So the problem still exists that clients are able to access the Internet without any proxy configurations in the LAN settings. [ December 12, 2003, 10:20 PM: Message edited by: asuh ]

RE: how is SecureNAT client bypassing ISA to reach Inte... - 12.Dec.2003 10:20:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi asuh,
how is the HTTP Redirector set?
HTH, Stefaan

RE: how is SecureNAT client bypassing ISA to reach Inte... - 12.Dec.2003 10:21:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
It is set to redirect to local web proxy service.
And hello again! I'm just a bowl full of trouble these days! [ December 12, 2003, 10:22 PM: Message edited by: asuh ]

RE: how is SecureNAT client bypassing ISA to reach Inte... - 13.Dec.2003 4:08:00 AM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Is this bad for a network? Are you saying that if I uncheck the redirect to local web proxy service that only web proxy and secureNAT clients can get out?
How do I set up a network where only clients who are Web Proxy, SecureNAT, and Firewall clients access the Internet? Is there a way to block off the PCs which aren't pointing to the ISA as the gateway or configured to use the ISA as a proxy?

RE: how is SecureNAT client bypassing ISA to reach Inte... - 13.Dec.2003 11:08:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi asuh,
two ISA services can handle outbound requests: the Web Proxy service and the Firewall service. To better understand how a client decides to send a request to which service, check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html , section '4. Configuring ISA Clients'.
Now, if the HTTP Redirector is set to 'redirect to local web proxy service', then the HTTP Redirector acts like a bridge between the Firewall and Web Proxy service. In other words, HTTP requests hitting the Firewall service will be sent by the Firewall service to the Web Proxy service. However, keep in mind that all authentication is lost in that case.
Which HTTP setting is appropriate for your environment depends on what you want to achieve. But in general, I do NOT recommend the HTTP Redirector setting 'Send to requested Web server'. In that case you are better off disabling the HTTP Redirector.
HTH, Stefaan

RE: how is SecureNAT client bypassing ISA to reach Inte... - 15.Dec.2003 3:46:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
How do I set up a network where only clients who are Web Proxy, SecureNAT, and Firewall clients access the Internet? Is there a way to block off the PCs which aren't pointing to the ISA as the gateway or configured to use the ISA as a proxy?

RE: how is SecureNAT client bypassing ISA to reach Inte... - 15.Dec.2003 4:14:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I should also note something else I recently noticed. If I open the ISA Management console and look at the Alerts section, there are two error messages, one of which is "An error occured while reading configuration information."
The last post I found about this, found here, states that we probably need to once again rebuild the PC.

RE: how is SecureNAT client bypassing ISA to reach Inte... - 15.Dec.2003 9:30:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi asuh,
if your ISA server is your *only* exit point to the external world, then no internal client can bypass ISA server if properly configured.
HTH, Stefaan

RE: how is SecureNAT client bypassing ISA to reach Inte... - 18.Dec.2003 6:21:00 AM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
quote: if your ISA server is your *only* exit point to the external world, then no internal client can bypass ISA server if properly configured.
Okay, this is what I initially thought. So is there a way to block off the PCs which aren't pointing to the ISA as the gateway or configured to use the ISA as a proxy? [ December 18, 2003, 06:24 AM: Message edited by: asuh ]

RE: how is SecureNAT client bypassing ISA to reach Inte... - 18.Dec.2003 11:02:00 AM
ptwilliams
Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
quote: quote: if your ISA server is your *only* exit point to the external world, then no internal client can bypass ISA server if properly configured.
Okay, this is what I initially thought. So is there a way to block off the PCs which aren't pointing to the ISA as the gateway or configured to use the ISA as a proxy?
What may be happening here is that PCs with their default gateway pointing to your router (as opposed to ISA) are being sent to the ISA server by your router. Is this the case? Some time ago, I was assisted by Stefaan, regarding setting up this issue.
Paul.

RE: how is SecureNAT client bypassing ISA to reach Inte... - 18.Dec.2003 5:35:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Here's what I'm going to do. All clients on the network are DHCP clients. I'm going to set the DHCP up so that any client workstation who gets on the network must have the ISA server as the gateway by default.
This being said, I want to restrict SecureNAT clients from accessing the Internet. I only want to allow Web Proxy clients to access the Internet.
What's really throwing me off right now is the fact that when we originally implemented the ISA server for the very first time to the network, all clients initially were SecureNAT, not Web Proxy clients. The SecureNAT clients were not able to access the Internet even though we had an open all protocol definition. That's exactly what we wanted. Now, having reinstalled and reimplemented the ISA on this newest domain, it seems that all SecureNAT clients are able to access the Internet and we want to limit Internet access to Web Proxy and Firewall clients only.
All clients in the network use the internal DNS server and don't have the ability to use the external DNS. I have set up a forwarder but don't know if this is the reason all SecureNAT clients are able to reach the Internet.
I hope I've cleared up confusion and maybe I'll figure this out today.

RE: how is SecureNAT client bypassing ISA to reach Inte... - 19.Dec.2003 6:35:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
As of now, yes, ISA is the only exit point to the Internet.
Now I gotta figure out how to force Web Proxy and Firewall clients only to access the Internet.

RE: how is SecureNAT client bypassing ISA to reach Inte... - 19.Dec.2003 8:43:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi asuh,
just make sure you select 'User and groups' in the Applies To tab of your rules.
HTH, Stefaan

RE: how is SecureNAT client bypassing ISA to reach Inte... - 19.Dec.2003 9:09:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Thanks Stefaan,
Maybe I am just not thinking about this in the right way, but am I supposed to be applying the protocol rules to a specific group? If so, how do I create a group that is for Web Proxy clients only? I am not sure I know how to create such a group.
Micah

RE: how is SecureNAT client bypassing ISA to reach Inte... - 19.Dec.2003 10:04:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Micah,
ISA supports 3 client types: Web Proxy, Firewall and SecureNAT. Only a Web Proxy and Firewall client can be used if the rules are applied to user/group based membership. Therefore, a SecureNAT client will not work.
HTH, Stefaan
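
One way to confirm the effect of user/group-based rules from the Web Proxy log, as an added example that is not part of the original thread: the script lists internal client IPs that still received a successful response without a user name. It assumes a tab-delimited W3C extended log with a `#Fields:` line naming `c-ip`, `cs-username` and `sc-status`, and that unauthenticated requests are logged as `anonymous` or `-`; the sample log is constructed.

```python
from collections import defaultdict

# Assumption: how the log marks a request that carried no authenticated user.
UNAUTH_NAMES = {"", "-", "anonymous"}

# Constructed sample; the second #Fields line models a logging change mid-file.
SAMPLE_LOG = (
    "#Fields: c-ip\tcs-username\tcs-uri\tsc-status\n"
    "192.168.1.20\tCORP\\alice\thttp://example.com/\t200\n"
    "192.168.1.31\tanonymous\thttp://example.com/\t200\n"
    "192.168.1.31\tanonymous\thttp://example.org/a\t304\n"
    "192.168.1.44\tanonymous\thttp://example.net/\t407\n"
    "#Fields: sc-status\tc-ip\tcs-username\tcs-uri\n"
    "200\t192.168.1.20\tCORP\\alice\thttp://example.com/b\n"
    "200\t192.168.1.52\t-\thttp://example.com/c\n"
)

def unauthenticated_clients(log_text):
    """Return {client_ip: {"allowed": n, "denied": n}} for requests with no user name."""
    fields = None
    seen = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the directive, never from a fixed position.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        if row.get("cs-username", "").strip().lower() not in UNAUTH_NAMES:
            continue  # authenticated Web Proxy or Firewall client
        try:
            status = int(row.get("sc-status", ""))
        except ValueError:
            continue
        outcome = "allowed" if status < 400 else "denied"
        seen[row.get("c-ip", "unknown")][outcome] += 1
    return dict(seen)

def bypass_suspects(log_text):
    """Client IPs that got at least one successful response without authenticating."""
    counts = unauthenticated_clients(log_text)
    return sorted(ip for ip, c in counts.items() if c["allowed"])

if __name__ == "__main__":
    for ip in bypass_suspects(SAMPLE_LOG):
        print(ip, unauthenticated_clients(SAMPLE_LOG)[ip])
```

An empty result after the rules are restricted to users and groups means no unauthenticated client is still being served.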

RE: how is SecureNAT client bypassing ISA to reach Inte... - 19.Dec.2003 10:31:00 PM
asuh
Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Thank you much--problem solved! I don't know what I'd do without you and your replies. I swear, I sometimes think I know how to get things going but this ISA server has been such a challenge for me these past few months.
Our next task is to get a VPN going from a home network to here and that's gonna be a challenge. As long as I figure out how to get the RRAS started without crashing the Internet and then figuring out how to get the NAT disabled for the RRAS... I guess. I'm sure you'll be hearing from me soon again.
But once again, thank you for all your posts and help. You're a life-saver!
Micah