Hi there would it be possible for anyone to help me sort out a problem i am having.
I have upgraded isa server 2000 to 2004 by using a clean install and re importing the rules etc.
I am able to ping external web addresses and the exchange server sends emails externally and recieves them. Only problem is i can not connect to a web page through internet explorer either on a computer on the network or the isa its self.
When trying to connect I get this error message
Error Code 10060: Connection timeout Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties. Date: 24/10/2006 12:41:12 Server: rut-isa01-servername.com Source: Firewall
I have applied unrestricted access rule to allow all access outbound,
herei s a screenshot of the rules i have setup, imported
Also, In event viewer it picks up this warning message like every other second or so
ISA Server detected a spoof attack from Internet Protocol (IP) address 192.168.32.20. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.
Though on the dhcp server I have anything below 192.168.32.60 reserved for printers wireless access points etc.
it also has other random ips on the network with the same message
< Message edited by Chris.Small -- 24.Oct.2006 8:47:25 AM >
RE: No Internet Connection Through HTTP - 25.Oct.2006 5:12:32 AM
Hi Chris, are you trying to access Internet from ISA ? if so, on your allow unrestricted access rule you should add localhost in the "from/listener" tab. also:
It is set from 192.168.32.0-192.168.35.255
this is strange, don't you think? by the way: too many allow all outbound rules. it looks to me that your rules are all messed up. would't be a nice exercise to delete all and create some fresh new ones?
Also We have DNS setup on our domain controller, I setup dns on the isa and had it forward to the dc, but still no diffrent, same error
how exactly have you set your ip addresses, gw, dns on ISA interfaces ? I suggest you take the basics step on configuring your ISA interfaces, networks, networks rules and configure your clients. then create a basic rule that allow all from internal to external. access Internet from one computer on your internal network. if you can't, you've messed things.
You are right, re importing the rules from isa server 2000 did mess things up, I started a clean install, re setup publishing rules and setup unrestricted access rule, Was still the same problem, I forgot that we go through a proxy server from our ISP, I set this as the upstream proxy and we now have internet access, Just need to start applying them block rules and set up VPN and I'm done.
Not to sure on how to stop the IP Spoofing though? any ideas?
I have a super scope setup on the DHCP server, As we have alot of clients and other devices with IP addresses, We currently have about 4 computers in the 192.168.34. range,
This seems the best solution, setting up a scope of just 192.168.32.1 - 192.168.32.255, no way gives me enough IP Addresses.
If you know any better alternative to this please advise me.
Another quick question, ok not quick, Our dns server is on the domain controller, always has been and works really well. Since installing isa server 2004, suggests the isa should be the dns server is this the case? would it be better?
RE: No Internet Connection Through HTTP - 26.Oct.2006 4:41:25 AM
Chris, the DNS server should not be on ISA. it is very good on DC. do you use a split dns or do you want do use one? or you need dns for internal domain and for rest you are using ISP DNS servers? for that spoofing issues from what I understand you have more network behind ISA: 192.168.32.0, 192.168.34.0 .... if so how many adapters do you have on ISA ? you might take a look at this to see if you are using this scenario: http://www.isaserver.org/articles/2004netinnet.html :
For the DNS: I have setup a forwarder rule to pass to the ISA and a forward rule on the ISA to forward to our ISP IP. THE DC Handles the DNS for the internal network.
I only have 1 internal and 1 external adapter on the ISA.
192.168.32.20 is our UPS Unit? Any ideas why this would be picked upas a spoof
and another problem sorry mate,
Isa picks up a configuration error:
Description: ISA Server detected routes through adapter Internal that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.32.0-192.168.32.0;. <br>ISA Server detected routes through adapter External that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.32.0-192.168.32.0;.
< Message edited by Chris.Small -- 26.Oct.2006 5:28:21 AM >
RE: No Internet Connection Through HTTP - 26.Oct.2006 5:39:55 AM
ok. but you said you have another network 192.168.34.0 ISA build its Internal network based on ip on adapters. search the ips on adapters and define networks. if you have 192.168.34.0 also you are in a scenario of network behind a network. read this article and do what is state there: http://www.isaserver.org/articles/2004netinnet.html do this first and will see about 192.168.32.20 later.