We've just had a big nightmare with Symantec Endpoint security 11 and to cut a long story short I had to uninstall SEP and reinstall ISA 2004 to get anything to work.
Unfortunately now none of the client web browsers can see the outside world unless the ISA firewall client is installed or the http proxy port is set on the client PCs. Before all clients could access the internet without setting anything up. Everything else seems to be working as it should. The error I'm getting with the web proxy turned on is...
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202) IP Address: 220.127.116.11 Date: 13/01/2009 16:49:25 Server: bxxx-sbs.bxxx-net.local Source: proxy
With the proxy turned of I just get the standard "can't find page" screen.
Does the default ISA 2004 settings allow for free access to http/https/ftp files without firewall client or web proxy port set up? If not, how can I make this happen? If yes, why can't I get access?
I realise it's safer to use the firewall client and/or web proxy but we have a lot of visitors for presentations and whatnot and I'm not always there to help them set things up.
I've tried using the internet connectivity wizard several times (apparently successfully) but it makes no difference. All the Firewall policy rules are currently enabled and seem fine.
I'm very new to ISA 2004 but have a little experience with ISA 2000. Perhaps I'm missing something. Any clues would be a great help.
< Message edited by dale303 -- 15.Jan.2009 11:38:11 AM >
Unfortunately now none of the client web browsers can see the outside world unless the ISA firewall client is installed or the http proxy port is set on the client PCs.
Well, the good news is that it sounds like ISA firewall is working! The bad news is that you will need to use one of the three ISA client access methods; Web Proxy, Firewall or SecureNAT client to gain access through the ISA firewall.
Based from what you shared, it does not sound like ISA was even functioning correctly before you reinstalled it. At minimum, you can configure your network clients and or routers as SecureNAT clients and then configure an Anonymous – all access rule to allow access. SecureNAT access requires anonymous access because it does not support authentication from the client.
notice you say your running sbs - did you add your users to the network using the add user wizard or just through ADUC, sbs by default will add rules to isa that are for specefic groups - not the all users group as mentioned above.
the sbs internet users group is what your users should be members of.
Sorry for the long delay in replying.
I would agree with youe assesment that ISA 2004 is now 'working'. Just too well now. It was an ISA 2000 -2004 upgrade and I think there were some differences in configuration thate were pulled over that are no longer there. The old setup was that *anyone could easily browse external sites or use ftp without the need of anything extra. Anything else required adding the firewall client.
This allowed the multitude of clients, visitors and club members the use of their own laptops without fuss when they visited. We did try beefier security for a while but gave up after we had too many members complaining that their laptops no longer worked when they got home/work due to firewall client/proxy setups messing with their home/work configurations.
itauthority> Yes, I used the wizards and all users are members of "sbs internet users". I've been configuring several SBS setups in various guises since SBS 4.0 and if there's one thing all that experience has taught me is 'Always use the wizard' if there is one.