I have an old ISA 2000 on W2K and I'm trying to migrate its role to another ISA 2006 on W2K3. The ISA 2006 settings are the same as those working on the ISA 2000; I just unplug the connection from the old server and connect the new server. The traffic reaches the new ISA 2006 but everything is rejected/denied. The "deny all" default rule is the last one, and there are many web publishing and server publishing rules enabled in the firewall policy, including the rules related to the sites I'm trying to access.
In the log I see the request coming from an internet client; the destination is an IP of the ISA 2006. There is no indication of which rule denied the connection, and the log entry content is:
x.x.x.x PROXY01 - TCP - - 02/01/2007 16.55.23 44721 0 0 0 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED 0x0 0x0 Firewall - 02/01/2007 17.55.23 y.y.y.y 80 HTTP Denied Connection x.x.x.x External Local Host - -
I found no evident problem (to me) with the network config/rules. This time I restarted the firewall service after connecting the cord to the adapter, and the errors are completely different. I have another ISA 2004 server, connected to another line, that I use to access the internet, including the public sites I publish. These sites are currently published by another ISA 2000 server and I'm trying to move its role to a new ISA 2006 server.
Here is what happens when I try to access a published site from the internet:
188.8.131.52 PROXY01 - TCP - - 03/01/2007 8.26.03 14351 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall - 03/01/2007 9.26.03 184.108.40.206 80 HTTP Initiated Connection 220.127.116.11 External Local Host - -
From this entry I understand the incoming request is evaluated. This is the subsequent error.
This trace entry contains the address of the page (http://sharepoint/MySite/default.aspx) from which I followed the link to the external resource (www.history-online.com). Is it expected to appear in the trace?
10.10.10.32 port 80 is the correct address of the resource I would like to publish and I'm able to access it from the ISA server.
In the log entry I see 03/01/2007 8.26.23 0 63050 2155 917 10060 0x10 0x40 Web Proxy Filter.
The code '10060' looks very much like a Winsock error code and means Connection timed out. If that's true, then check out the path of the default gateway on the published server (or on your internal network), or make sure your inbound connection appears to come from the ISA server in the publishing rule.
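The return-path reasoning in the reply above, as an added example that is not part of the original thread: it models which next hop the published server uses for its answer and whether the new ISA server ever sees that answer. Only 10.10.10.32 comes from the post; the /24 mask, both ISA internal addresses and the client address are constructed assumptions.

```python
import ipaddress

def reply_next_hop(server_if, default_gw, seen_source):
    """Next hop the published server uses to answer the source address it saw."""
    iface = ipaddress.ip_interface(server_if)
    src = ipaddress.ip_address(seen_source)
    if src in iface.network:
        return src                            # on-link: answered directly
    return ipaddress.ip_address(default_gw)   # off-link: handed to the default gateway

def publishing_outcome(server_if, default_gw, isa_internal, client, from_isa):
    """Return (next_hop, completes) for one published request.

    from_isa=True  : the request appears to come from the ISA server
    from_isa=False : the request keeps the original client address
    """
    isa_ip = ipaddress.ip_address(isa_internal)
    seen_source = isa_internal if from_isa else client
    hop = reply_next_hop(server_if, default_gw, seen_source)
    # The ISA server can only finish the handshake if the reply comes back
    # through it; otherwise it waits and logs Winsock 10060 (timed out).
    return hop, hop == isa_ip

# Constructed values (assumptions), except 10.10.10.32 which is from the post.
SERVER = "10.10.10.32/24"     # published server; the /24 mask is assumed
OLD_ISA = "10.10.10.1"        # hypothetical internal address of the old server
NEW_ISA = "10.10.10.2"        # hypothetical internal address of the new server
CLIENT = "203.0.113.7"        # documentation-range Internet client

SCENARIOS = [
    ("gateway still old server, original client IP", OLD_ISA, False),
    ("gateway still old server, request from ISA",   OLD_ISA, True),
    ("gateway moved to new server, original client", NEW_ISA, False),
]

if __name__ == "__main__":
    for label, gw, from_isa in SCENARIOS:
        hop, ok = publishing_outcome(SERVER, gw, NEW_ISA, CLIENT, from_isa)
        result = "completes" if ok else "10060 timeout on the ISA server"
        print(f"{label}: reply via {hop} -> {result}")
```

The second scenario also matches a test made from the ISA server itself: that request is on-link for the published server, so it succeeds even while the default gateway still points at the old server.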