I just set up a new ISA 2006 Std server running on Server 2003 Enterprise. Everything is working well except for the ability to browse the web while connected to the VPN. I've already been through the steps in http://www.isaserver.org/tutorials/Solving_the_Mystery_of_the_VPNRASWeb_Proxy_Client.html with no success. I've set the proxy settings on both the VPN connection and the browser as well. It appears to me to be a routing issue. With my current configuration, I can see an HTTP Proxy/Initiated Connection entry in the ISA logs (closely followed by a Closed Connection entry) when I try to go to a web site, but the browser stops almost immediately and doesn't display anything. Intranet pages work fine. Client is getting correct DNS settings through DHCP when connecting. Similar scenario works on our ISA 2000 server's RAS setup. Any help would be appreciated; the 2000 box is on its last legs. Thanks!
< Message edited by JW -- 12.Feb.2008 11:13:30 AM >
Additional info - web browsing over the VPN does work IF I turn off the proxy settings on the VPN connection. The browser proxy settings have no effect at all. I would expect the proxy settings on the connection to work the way they do on our 2000 box...
< Message edited by JW -- 13.Feb.2008 12:20:22 PM >
Thank you, Tarek. That does work, although very slowly (the one thing I was missing from that was the network rule to NAT from the VPN clients to the web). Just before I read this I came up with a rule structure that proxies the VPN user's web connection, regardless of how their browser or VPN connection is configured, and it is quite a bit faster (and also subject to my lists of allowed/denied sites).
Here's how I did mine. With this setup, the client's proxy settings are irrelevant (if I set it on the VPN connection, it works but very slowly; the browser setting makes no difference).
Add a firewall rule as follows:
Action: Allow
Protocols: HTTP, HTTPS, FTP (and whatever else)
From: VPN Clients
To: External
Condition: All (or whatever groups you want).
Put this after any rule that allows/denies specific sites. In my setup it's one of the last rules. If the requested site makes it past the allowed/denied site lists, then this rule passes it through. This way, the client requests get processed through the firewall rule set as opposed to a proxy request (or at least that's how it seems to be working; I can't really articulate why it does what it does, all I can say is that it does what it does).
You may also need a rule like so, to fix the internal issue:
Action: Allow
Protocols: HTTP, HTTPS, FTP (and whatever else; mine is wide open but subject to authentication)
From: VPN Clients
To: Internal
Condition: Authenticated Users (or whatever groups you want).
Actually, I found the error. Apparently, when our "expert" installed ISA2006, he hard-coded the DNS server instead of pulling it from DHCP. The DNS server it was pointing to no longer exists on our network. Once I found this error and corrected it, everything works fine.