
Welcome to ISAserver.org


Single NIC SETUP ISA 2006 on Win2k3 R2 SP2

Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 23.Jul.2007 6:22:33 PM   
kyle_Blake

 

Posts: 10
Joined: 23.Jul.2007
Status: offline
Hi guys

I know it's not the best solution to run single nic but for the intent of the message please help.

I have installed the product.
Isa server 2006  / win2k r2 sp2 in a domain as a member server
Single nic setting
IP:      192.168.133.123
SUB:   255.255.255.0
GATE: 192.168.178.41 ( upstream proxy perimeter firewall )

Networks Internal
192.168.133.0 - 192.168.133.255 ( isa server + int dns are on this subnet )
192.168.178.0 - 192.168.178.255 ( upstream proxy is on another subnet )

          RULES
          -------
Create ISA network object
Allow ISA Server all protocols outbound to Internal Network - all users

              RESULTS
              -----------
Technical Information (for support personnel)

Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)


    CHANGE RULE
    ----------------------
    Allow ISA server all protocols outside to EXTERNAL + INTERNAL

    RESULT:
    Error Code 10060: Connection timeout
    Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.



                 TESTS
             --------

    NSlookup shows resolution of external address by contacting internal DNS -
    GOOD
    Query shows default rule blocking access

              NOTES
              --------
               I've adjusted the rules many times it just keeps blocking it.

             QUERY RESULT
              ------------------
    I see the "GET" command and it says source network: Local HOST
    Destination NETWORK: EXTERNAL!!!!

    I dunno guys, I got this working at home with a simple Linksys router as the upstream firewall, but all clients were on the same subnet.

    If you have an idea let me know ..
    p.s. -> all of the setup from scratch is via RDP

    < Message edited by kyle_Blake -- 23.Jul.2007 6:31:42 PM >
    Post #: 1
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 11:45:06 AM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    Ok the timed out gateway error appears to be authentication.

    Out of the box this thing should be able to use "AD" for authentication.

    1 4519 573  12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  0x0 0x0 Web Proxy Filter  7/24/2007 8:38:17 AM 192.168.133.162 192.168.133.123 8080 http Denied Connection KYLE Internal anonymous Internal GET http://store.summitracing.com/egnsearch.asp?N=700+115+304554&D=304554

    (in reply to kyle_Blake)
    Post #: 2
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 11:50:08 AM   
    elmajdal

     

    Posts: 6022
    Joined: 16.Sep.2004
    From: Lebanese in Kuwait
    Status: offline
    Be informed that with a Single NIC ISA Server, there is nothing called External Network !!

    Your rules should be From : Internal , To : Internal
     
    quote:

      
    Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.


    source : http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx

    HTH,
    Tarek

    _____________________________

    Tarek Majdalani

    Windows Expert - IT Pro MVP
    Facebook : https://www.facebook.com/ElMajdal.Net

    (in reply to kyle_Blake)
    Post #: 3
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 11:56:46 AM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    I know.

    I read that all over the place, no external.
    I agree

    So what is with the authentication credentials not being passed on?
    Integrated is check marked.



    (in reply to elmajdal)
    Post #: 4
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 12:08:11 PM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    I changed the authentication to BASIC.
    This prompted me for credentials.
    I checked the rule and the destination port of the GET command is PORT 80.

    Our upstream firewall does not ACCEPT traffic on PORT 80

    Can anyone tell me how to CHANGE ALL outgoing traffic HTTP + HTTPS from ISA TO PORT 8080?

    Thank you!

    (in reply to kyle_Blake)
    Post #: 5
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:37:19 PM   
    ferrix

     

    Posts: 547
    Joined: 16.Mar.2005
    Status: offline
    It sounds to me like you want to use ISA's web chaining feature, to forward the proxied traffic to another proxy afterwards.

    Or have I not understood your needs?

    (in reply to kyle_Blake)
    Post #: 6
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:45:58 PM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    Yes you are 1/2 right.

    I'd like a defence in depth approach.

    ISA in this install is not perimeter firewall, just a web proxy.

    I found out some more information today.

    The upstream firewall is not a proxy but a firewall, it is not another ISA SERVER and is not controlled by me.

    I won't be able to configure any ISA arrays or change the upstream at this time.

    I've contacted the upstream firewall group regarding this issue and perhaps they have to make an exception for incoming proxy traffic from my specific IP.

    Do you think I'm on the right track here?!



    (in reply to ferrix)
    Post #: 7
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:48:05 PM   
    ferrix

     

    Posts: 547
    Joined: 16.Mar.2005
    Status: offline
    If the upstream fw is not a proxy, then "changing connections" to 8080 won't do you any good; there will be nothing upstream to "change" them back.

    You need to find out what the correct way is to pass web traffic to/around/through the upstream, and then configure your ISA accordingly.

    (in reply to kyle_Blake)
    Post #: 8
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 4:59:01 PM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    This better not involve another NIC in ISA or changing network infrastructure I hope.

    Ok thanks for your help.

    I'll let you know but I get a feeling that unless the upstream fw gets changed to or configured to be a true proxy then ISA in the way I need it to work downstream, will not work.

    Ok thanks


    (in reply to ferrix)
    Post #: 9
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Jul.2007 5:00:57 PM   
    ferrix

     

    Posts: 547
    Joined: 16.Mar.2005
    Status: offline
    It "better not" huh? ;)

    ISA is good at being a web proxy with one nic.. I just don't understand how your upstream firewall is supposed to work so I can't offer a specific suggestion.  I'm not saying they need to change it, I just don't understand yet.

    For instance.. how do you get to the web now if they block outbound access to :80?  How is your browser configured, where does your default gateway point, etc?

    (in reply to kyle_Blake)
    Post #: 10
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 8:36:16 AM   
    bill7746

     

    Posts: 3
    Joined: 22.Jul.2007
    Status: offline
    Am I misunderstanding what you are asking or are you asking that ISA send requests out on port 8080?  If that's the case, then it won't work unless the hosts you are connecting to on the other end are accepting connections on that port.  If you want to restrict users to only having Internet access via the proxy server then configure the firewall to only allow port 80 access from the IP address of your ISA server.  That will control the outbound flow for internet web access.

    If I have misunderstood your request and you want ISA to listen on port 8080, that configuration can easily be made via the snap-in.

    (in reply to kyle_Blake)
    Post #: 11
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 11:55:57 AM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    Hi.

    I think you hit the nail on the HEAD : DEFAULT GATEWAY / INFRASTRUCTURE
    We have a class "C" network. 255.255.255.0 ( no dhcp )

    The normal way to access the internet is for the client to be configured as:
    (we have 13 network id's)

    a)for the upstream firewall 192.168.178.41:8080
    b)each client is set to use the default gateway for the subnet

    I think the problem may lie in the fact that my isa server is not in the same network ID as the upstream firewall.

    All other clients in our subnet have the default gateway set to the router of the branch.

    That's why internet works without isa...client looks at i.e. proxy settings, says "oh this isn't on my local subnet" so it sends it to the normal router at the branch.

    The branch router says..."oh.... 178 network send to this router " and then in that subnet with the ip address of 192.168.178.41 resides the internal facing firewall IP.

    So how the heck is ISA in 192.168.133.123 supposed to route traffic to 192.168.178.41 when ISA server's default gateway is hard coded to 192.168.178.41?

    The gateway should be configured for ISA as follows 192.168.133.254!

    I think the only way is to move ISA server into the 192.168.178.x network and then it isn't a problem for tcp/ip to talk.

    This could answer my time out question.


    (in reply to bill7746)
    Post #: 12
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 11:59:42 AM   
    ferrix

     

    Posts: 547
    Joined: 16.Mar.2005
    Status: offline
    Well um.. you can't route traffic to a router that isn't on your subnet.  Sounds like you have some basic network connectivity issues to work out and then you'll be all set.

    (in reply to kyle_Blake)
    Post #: 13
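
    The on-subnet gateway rule from the reply above, as an added example that is not part of the original thread: a Python check of how a single-NIC host picks its next hop, run against the addresses posted in this thread. The function names and verdict labels are hypothetical.

```python
import ipaddress

def classify_next_hop(host_ip, netmask, gateway, destination):
    """Decide the next hop the way a host IP stack normally does.

    Destinations inside the interface's subnet are delivered directly.
    Everything else is handed to the default gateway, and that gateway
    has to sit inside the interface's subnet to be usable as a next hop.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    dest = ipaddress.ip_address(destination)
    gw = ipaddress.ip_address(gateway)

    if dest in iface.network:
        return ("direct", str(dest))
    if gw not in iface.network:
        # Misconfiguration to flag: the gateway is not on the local subnet.
        return ("gateway-off-link", None)
    return ("via-gateway", str(gw))

def audit_proxy_host(host_ip, netmask, gateway, destinations):
    """Map each destination to its (verdict, next_hop) tuple."""
    return {d: classify_next_hop(host_ip, netmask, gateway, d)
            for d in destinations}

# Addresses taken from the thread: the ISA host, a client on its subnet,
# and the upstream device the proxy has to reach.
ISA_IP, MASK = "192.168.133.123", "255.255.255.0"
TARGETS = ["192.168.133.162", "192.168.178.41"]

if __name__ == "__main__":
    for label, gw in (("gateway as first posted", "192.168.178.41"),
                      ("branch router as gateway", "192.168.133.254")):
        print(label)
        for dest, result in audit_proxy_host(ISA_IP, MASK, gw, TARGETS).items():
            print(f"  {dest:16} -> {result}")
```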
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 25.Jul.2007 12:42:26 PM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    It struck me last night.

    I'm going to confirm my theory today.

    (in reply to ferrix)
    Post #: 14
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 26.Jul.2007 12:04:13 PM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    Well I used some tcpip tools to help determine how many hops.
    tracert 192.168.178.41
    Tracing route to 192.168.178.41 over a maximum of 30 hops
    1     1 ms     1 ms     1 ms  192.168.133.254 [ branch router ]
    2     5 ms     3 ms     3 ms  192.168.229.253
    3    16 ms    15 ms    13 ms  192.168.178.41

    So it appears the traffic is getting routed just fine with the default gateway of the isa box set for the upstream proxy instead of branch router.

    I'm back to thinking it's a rule on their firewall/proxy.




    (in reply to kyle_Blake)
    Post #: 15
    RE: Single NIC SETUP ISA 2006 on Win2k3 R2 SP2 - 24.Sep.2007 4:27:55 PM   
    kyle_Blake

     

    Posts: 10
    Joined: 23.Jul.2007
    Status: offline
    Just to finish this topic off.

    I was correct that a single nic proxy can only reside in one subnet.

    Making it routable through different subnets requires a DMZ setup.

    In my case two network cards.

    Thanks everyone.

    (in reply to kyle_Blake)
    Post #: 16
