isa question (Full Version)



dlee12 -> isa question (29.Jan.2008 9:07:48 AM)

Hi! I'm new to ISA.

I would like to find out how I enable all outgoing traffic from internal to external, but bypass the proxy for internal/external server addresses (e.g. *.abc.com), so that users will be able to access the internal/external servers without going through the proxy.

I'm using ISA 2006.
internal private network--->ISA2006-->(corporate network)-->proxy-->internet
(internal)                                                        (External)    

Thanks.




abqtech -> RE: isa question (29.Jan.2008 10:33:07 AM)

Let's speak within the context of external servers first:

What type of clients do you have configured in your environment?
SecureNAT
WebProxy
Firewall Client

Do you want the traffic to the external servers to bypass the web proxy filter but still go through ISA? Or do you want ISA completely out of the picture for certain external servers?

**Based upon what type of clients you have, the solution will vary.**




Rotorblade -> RE: isa question (29.Jan.2008 10:34:10 AM)

Hi,

Below are a few articles to help you configure direct access. They are for ISA 2004 but the principles are the same.

http://isaserver.org/articles/2004directaccessp1.html
http://www.isaserver.org/articles/2004directaccessp2.html
http://support.microsoft.com/kb/920715/en-us

HTH

RB




abqtech -> RE: isa question (29.Jan.2008 10:40:12 AM)

Speaking of the internal web servers/sites on your network.

If you want to have all web traffic from your internal clients going directly to your internal web server farms, WPAD is a good option:

Please read the following article on configuring WPAD:
http://www.isaserver.org/tutorials/Configuring-WPAD-Support-ISA-Firewall-Web-Proxy-Firewall-Clients.html

If your internal clients are configured as Web Proxy clients or Firewall Clients this scenario will work.

Alternatively, you could set a GPO that sets the clients' Internet Explorer proxy settings to utilize the automatic configuration script on your ISA Server:
http://yourisaserver.domain.com:8080/array.dll?Get.Routing.Script

And by properly accounting for your internal IP address space and internal domain(s) within ISA, you can also achieve direct access for your internal web traffic.




dlee12 -> RE: isa question (29.Jan.2008 12:26:59 PM)

Hi! I think I will most probably be using Web Proxy. The ultimate objective is to enable internet access for the clients behind the ISA server and enable them to access the internal web server on the other side of the ISA server.

So, can I conclude that no additional access rule is required in the firewall policy except enabling all outbound traffic to the "External" network?

Thanks.




abqtech -> RE: isa question (29.Jan.2008 12:48:47 PM)

To speak about your internet access requirements.

It's better to create an Access Rule in ISA that only includes the necessary protocols and networks.

Such as creating the following rule:
Name: Internet Web Proxy
Action: Allow
Protocols: HTTP, HTTPS (as well as any other protocols you may require: NNTP, FTP, etc.)
From: Internet
To: External
Users: All Users (= anonymous proxy access), or you can use the All Authenticated Users user set, or you could create a user set based upon a group in your AD (such as domain\InternetUsers or domain\Domain Users) and apply your custom user set to the Access Rule.




abqtech -> RE: isa question (29.Jan.2008 12:52:57 PM)

quote:

ORIGINAL: dlee12
and enable them to access the internal webserver on the other side of the ISA server.


Can you explain where your internal (intranet) web server is located in regard to your ISA Server's location? Does web access to this server need to go through ISA in order for it to be reachable by the client? If so, what interface will the ISA server use to connect to it?




Rotorblade -> RE: isa question (29.Jan.2008 7:10:04 PM)

quote:


If you want to have all web traffic from your internal clients going directly to your internal web server farms, WPAD is a good option:

Please read the following article on configured WPAD:
http://www.isaserver.org/tutorials/Configuring-WPAD-Support-ISA-Firewall-Web-Proxy-Firewall-Clients.html

If your internal clients are configured as Web Proxy clients or Firewall Clients this scenario will work.


Huh?
Are you sure about that? Using the above configures "auto client discovery", not direct access!

Dlee12,

Is this a Single NIC ISA?

RB




dlee12 -> RE: isa question (30.Jan.2008 10:18:11 AM)

The internal web server is on the "External" interface side (2 NICs: one internal, connected to the private network, and another connected to the corporate network). The internal web server is actually located in the corporate network.

I do not require access to the internal (intranet) web server located in the corporate network to go through the ISA, if that can be done.

Actually, the idea of setting up this ISA server is to separate the private network from the corporate network, which uses a separate IP range, plus whatever we do in the private proxy will not interfere with the corporate infrastructure.

BTW, I do have additional firewall rules configured:

1) Local Host to External (to enable internet access from the ISA server)
2) Internal to Local Host (for assigning IP addresses to the private network's clients)

Currently, I'm still troubleshooting the internet connection from the ISA server (Local Host to internet). There's this error that says "ISA Server detected a proxy server loop. There may be a problem in the configuration of the ISA Server Web chaining policy." I've not even started doing web chaining. The internet connection is intermittent.

Thanks for the help.




dlee12 -> RE: isa question (30.Jan.2008 10:20:53 AM)

Hi! No, it's not. There's one interface connected to the private network and another one connected to the corporate network. The corporate network itself has an internet proxy that we use for connecting to the internet.

Thanks!




abqtech -> RE: isa question (30.Jan.2008 10:47:42 AM)

quote:


Huh?
Are you sure about that? Using the above configures "auto client discovery", not direct access!


I also mentioned at the bottom of my post that:
quote:


And by properly accounting for your internal IP address space and internal domain(s) within ISA you can also achieve a direct access for your internal web traffic

And while I did not necessarily state that this is required to achieve direct access for local web resources (my apologies for not being clear on this, because it's a crucial part of your Internal Network configuration), it was in my post on the topic. Whether you deploy WPAD or the automatic configuration script, the domains and IPs added to the quoted list above are the information that the browser uses to learn what local web resources are on a given network, so that it does not attempt to make a connection to the proxy for those resources.




abqtech -> RE: isa question (30.Jan.2008 10:52:53 AM)

dlee12

Please confirm whether you want the traffic to the web server on the corporate network to bypass the web proxy filter but still go through ISA (as a Firewall Client), or whether you have an alternate path (around ISA) that you want the requests to traverse while accessing the corporate web server.




dlee12 -> RE: isa question (30.Jan.2008 11:13:43 AM)

Hi! Yes, I would want the traffic to the web server on the corporate network to bypass the web proxy filter but still go through ISA (as a Firewall Client).

Please advise what needs to be done.
Thanks.




abqtech -> RE: isa question (30.Jan.2008 11:42:00 AM)

Assuming you have ISA 2004 with at least SP2 applied, and have your web browser acquiring WPAD from your ISA Server or using ISA's automatic configuration script, go to:
Configuration -> Networks -> Internal -> Web Browser <tab>
Check the following boxes:
Bypass proxy for Web servers in this network
Directly access computers specified in the Domains tab

In the Directly access these servers or domains: (area)
Click "add" and in the "Domain or computer" (field) type in the web server or domain as follows:
webserver.domain.com/* (if you want to add just one host called webserver.domain.com)
-OR-
*.domain.com/* assuming you want to add all hosts in domain.com

Create a custom Protocol (assuming that the corporate web server is serving HTTP on TCP port 80):
Name: TCP-80, with parameters Outbound TCP Port 80, and do NOT apply the web proxy or any other filter to this custom protocol.

Create a custom destination including the corporate web server (i.e. as a Domain Name Set)


Create a rule in ISA as follows:
General: Firewall_client_web_rule
Action: Allow
Protocols: TCP-80
From: Internal
To: the custom Domain Name Set previously created
Users: All authenticated Users (or what ever you want to use should be fine.)

Carefully place this rule above any rules in your Firewall Policy that have the web proxy filter applied to the HTTP protocol and that would match the flow of the traffic.
On your client machine, delete all your browser cache (or selectively delete the wpad.dat and/or array.dll?Get.Routing.Script files).

Close and re-open your web browser and ensure that your MS Firewall Client is enabled.

Then repeat the web request; the Firewall Client should intercept the request, and the Firewall_client_web_rule on your ISA firewall should be applied to it.

HTH
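
What the browser-side half of the above amounts to, as an added example that is not from this thread or from Microsoft's ISA code: a hand-written proxy auto-configuration (PAC) script in the same shape as the FindProxyForURL() function a browser fetches from array.dll?Get.Routing.Script. It covers both the automatic-configuration-script suggestion earlier in the thread and the Web Browser tab settings described in this post. The ISA host name and port, the corporate address range and the test host names are assumptions; only the *.abc.com entry comes from the original question. The helper functions are stand-ins for the ones a browser's PAC engine provides, so the script can be run in Node for testing.

```javascript
// Added example (not ISA's generated script): a PAC file expressing the
// "Bypass proxy for Web servers in this network" and "Directly access
// computers specified in the Domains tab" behaviour discussed above.

// Assumed: the ISA Server's web proxy listener (the thread shows port 8080).
const ISA_PROXY = "PROXY isa2006.private.example:8080";

// Entries in the format the ISA Domains tab uses in the post above
// (a host or *.domain, followed by "/*"). *.abc.com is from the question.
const DIRECT_ENTRIES = ["*.abc.com/*", "webserver.abc.com/*"];

// Assumed corporate address range holding the intranet web server (not from the thread).
const DIRECT_NETS = [["10.20.0.0", "255.255.0.0"]];

// --- Stand-ins for the helper functions a browser's PAC engine provides ---

// True for a single-label name such as http://intranet/.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Shell-style glob match: "*" matches any run of characters, "?" exactly one.
function shExpMatch(str, shexp) {
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Parse a dotted quad; null if the string is not a literal IPv4 address.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Literal-IP version of isInNet. A browser's PAC engine would first DNS-resolve
// a hostname; that is omitted here so the script runs offline and so a hostname
// never becomes a DIRECT route purely because of a DNS answer.
function isInNet(host, net, mask) {
  const h = ipv4ToInt(host), n = ipv4ToInt(net), m = ipv4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return (h & m) === (n & m);
}

// Strip the trailing "/*" (or any path) from a Domains-tab entry to get the host glob.
function hostPatternOf(entry) {
  return entry.split("/")[0];
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // "Bypass proxy for Web servers in this network": single-label names go direct.
  if (isPlainHostName(host)) return "DIRECT";

  // "Directly access computers specified in the Domains tab".
  for (const entry of DIRECT_ENTRIES) {
    if (shExpMatch(host, hostPatternOf(entry))) return "DIRECT";
  }

  // Address ranges that belong to the Internal network definition.
  for (const [net, mask] of DIRECT_NETS) {
    if (isInNet(host, net, mask)) return "DIRECT";
  }

  // Everything else goes to ISA. Deliberately not "PROXY ...; DIRECT": that
  // fallback fails open, letting the browser bypass the firewall whenever the
  // proxy listener is unreachable.
  return ISA_PROXY;
}
```

Two things worth checking against your own entries: a glob like *.abc.com/* matches hosts under abc.com but not the bare name abc.com, so add that as its own entry if users browse to it; and a Domains-tab entry only controls whether the browser talks to the proxy listener, so the Firewall Client and the access rule above still decide what ISA actually lets through.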




dlee12 -> RE: isa question (12.Feb.2008 9:39:36 AM)

hi!

I'm still having problems getting the ISA 2006 to work. The internal client is able to access the internet if I set the client PC's internet proxy to the corporate proxy (it can also access the intranet, but not HTTPS). If I set it to the ISA 2006 address, the internal clients are not able to go to the internet or the intranet. I've set the firewall policy to enable all outgoing traffic, and the firewall rule as per your advice.

I've tried redirect and direct access. It doesn't make any difference when the clients' proxy is set to the ISA 2006 server. It doesn't seem to be able to route to the internet. The client's browser will only show the ISA 2006 screen whenever I'm trying to access the internet.

Please advise. Thanks.




abqtech -> RE: isa question (19.Feb.2008 4:21:38 PM)

Is the Firewall Client installed/enabled on your workstation?

What does the ISA Server Monitoring & Logging reveal while the client receives the "isa2006 screen"?




dlee12 -> RE: isa question (20.Feb.2008 10:25:06 AM)

Hi! I managed to enable the internal clients to go through to the internet by using web chaining (rule 1: from Internal to External, use an upstream server, which is the corporate internet proxy; rule 2: All Networks have direct access, by adding another network with the web server range in the Networks tab, which will later be part of the "All" network), and I'm able to access my intranet web server. Of course, I enabled the HTTP and HTTPS protocols in the firewall policy for internet access and for accessing the intranet web server. What I set in the firewall rule does have an effect, and it's working.

However, I noticed that whatever configuration I set in the Internal Network's Web Proxy or Domains tab, e.g. by the web server domain name (e.g. *.abc.com) or by IP range, never takes effect. In order to use this Web Proxy client and Firewall Client, do I need to have a local installation of a Web Proxy client and Firewall Client on the local PCs to use this feature? I did not manually install any Firewall or Web Proxy client on my PCs. What I did is just set the proxy server in the browser on my internal clients to my ISA server name.

It's working fine now, but I'm still quite confused why the settings in the Domains tab and Web Proxy tab of the Internal Network aren't working. If I interpret it correctly, I cannot set abc.com as the domain to filter because my internal network's domain (the one behind my ISA) and the corporate domain name are different, but the IP range should at least work, right?

Not too sure... can you explain? Thanks.



