Just upgraded ISA2000 to ISA 2004 and I am having some access issues that I wasn't having with ISA2000.
We are using ISA as a web proxy server with Surfcontrol configured as a firewall. I upgraded the operating system to Windows 2003 and upgraded ISA. The server is also hosting our Intranet site. I tried to migrate the ISA policies but it didn't work, so I went back and did a fresh install of ISA2004.
Setup:
1. Network: Single NIC, firewall client unchecked, Web Proxy - enabled web proxy checked, Authentication - 'Integrated' and 'Require all users to authenticate' unchecked. Web Browser - all is checked.
2. Firewall policy: allow all protocols from 'Internal, local host' to 'all networks'. Users: All Authenticated Users, All Users; Internet Access (domain Users group)
These are the issues I am having since upgrading. I believe they are just rights issues.
1. Right now all users have Internet access. I have to have 'All Users' in access policy to get any Internet access. Used to control Internet access by using 'Internet Access' domain group. Tried playing with 'Authenticated Users' but still can't get Internet access.
2. Need to have 'Require all users to authenticate' checked in the Web Proxy to resolve user names in Surfcontrol, however when I check it I lose access to the Intranet web page.
I am sure that there is a mixture of access rights that I am missing between IIS, web folders and ISA 2004 that weren't an issue before. Not sure if I have to publish a web server or not.
The server is not being used as a firewall. It is used as our Proxy, Surfcontrol Web filter and hosting our Intranet site. This is our Intranet site therefore is only used internally. I have a firewall appliance on our perimeter. Our Internet page is hosted and maintained by another company.
It worked fine under ISA 2000, is this a problem under ISA 2004? Even though this is not being used as a firewall do I need to still move the web site? Is this why I am having the access problems? Even though this is not being used as a firewall per se do I still need to move the web site?
< Message edited by dljones10 -- 21.Nov.2006 10:31:55 AM >
From: Little Rock, Ark
Just something to try out, if you haven't fixed the problem yet, but add a rule allowing internal traffic to local host for all users. That may be your fix. And like Tom said, nix hosting a web server on your firewall. Very bad juju mon ami!!