We are using a 1 NIC isa 2004 server, purly as proxy for all offices (internal ip segements / ranges). 1. if I setup only firewall client on the PCs, no web proxy in IE, then everyone can go to internet and intranet, as well as outlook, some inhouse-made ftp / email apps. However I found some website has to use web proxy, such as Windows update - it failed for FWC without WebProxy. - is it true? 2. with only FWC and no webproxy settings, we can not find the detailed websites the user has browsed in ISA server's FWLog and Webproxy Log. In Webproxy Log, it only showed: http://220.127.116.11/subdir/pages which is called as URI. How can I get correct URL? or has to use some 3rd party utility? 3. if I setup FWS as well as Webproxy in IE: use automatic config script -- http://myproxy:8080/array.dll?Get.Routing.Script use a proxy server: myproxy 8080, bypass proxy server for local addresses, then I found all intranet web sites go via myproxy, unless we browse http://hostname only as mentioned in Windows help. I would say that we got our internal network ip ranges defined in ISA server, why webproxy does not consult the ISA server for "Local/internet network"? Anything we can take advantage with the auto-script? http://myproxy:8080/array.dll?Get.Routing.Script
From: Lebanese in Kuwait
Hi , check what you are loosing with using ISA Server with a single NIC !!!
Configuring ISA Server with a Single Network Adapter Configuration Problem: There are a number of issues associated with the configuration of ISA Server on a computer with a single network adapter. Cause: The causes include:
•Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.
•Application layer inspection. Application level filtering does not function, except for Web Proxy Filter for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP.
•Server publishing. Server publishing is not supported. Because there is no separation of Internal and External networks, ISA Server cannot provide the NAT functionality required in a server publishing scenario.
•Firewall clients. The Firewall Client application handles requests from Winsock applications that use the Firewall service. This service is not available in a single network adapter environment.
•SecureNAT clients. SecureNAT clients use ISA Server as a router to the Internet, and SecureNAT client requests are handled by the Firewall service. Because the Firewall service is not available in a single network adapter configuration, such requests are not supported.
•Virtual private networking. Site-to-site virtual private networks (VPNs), and remote access VPNs are not supported in a single network adapter scenario.
Hi, Tarek, Thanks for your reply. I know one NIC isa server has a lot of limitations. But this is case in our env. and we have other box as the edge server/dmz etc. And this isa server currently works ok for most of our requirement - ie. proxy.
< Message edited by gping -- 3.May2007 12:27:25 AM >