We have ISA 2000 running on Win 2000 with SurfControl 5.0.
The standard user has a default gateway of 10.97.4.100 which forwards all internet traffic to our ISA server which is 10.99.61.52 where traffic is routed and filtered by SurfControl. The users have the proxy server ISASRV set in Internet Explorer.
Now, the 4 people in tech support have our default gateway set to 10.99.61.52, with no proxy server set up in Internet Explorer. This allows us to bypass the proxy and SurfControl, meaning we are not blocked on anything.
New Setup
However we are now needing to migrate over to ISA 2006 on Windows 2003 server.
As in the previous setup, the standard user has the same setup; just the ISA server is now on 10.99.61.53, not 10.99.61.52. This has been tested and is now working quite happily.
The problem we are now having is with the tech support section. We need to somehow get routed through the ISA server but bypassing the proxy. Now I can sort of get that to work, but it still filters us.
First: It is impossible to "bypass" the proxy when the proxy is physically in the way.
In the old system the users who set the DFG to the ISA (10.99.61.52) were still using the ISA; they just weren't using the Web Proxy Service, which is where SurfControl interacts.
Moral of the story: SecureNAT cannot authenticate and must use an anonymous rule. Lesson: don't have anonymous rules on the ISA and you won't have SecureNAT clients.
On the new setup, ISA 2006 is not as loose with the SecureNAT clients and passes them through the Web Proxy Service, where SurfControl is probably getting in the way. For the tech support people, have a different device used for a default gateway that does not involve the ISA.
The other option is to configure SurfControl to properly handle the situation and just run the Tech People through it like everyone else.
I have a computer group set up for the IT computers that have a different rule set to allow an unrestricted and unlogged connection on port 80. I also have another ruleset for common network protocols for that same group.
All other computers run through another rule that allows internet access but restricts sites and downloads.
I see no reason to be using separate gateways. I also assume that you are on a single subnet network.
Could you tell me the details of the rule you have created just for future reference, as we have found an old Cisco 2600 router which now does the Tech Support and our server :)