Controlling Web Access


bobmorris -> Controlling Web Access (6.Nov.2009 2:56:55 AM)

I have set up an ISA Server 2006 (ISA) on Win2003 SP1 with the Web Proxy (single network card) template. The sole purpose of this is to control Internet access times for different user groups. The edge of the LAN is protected by a PIX. Another server (XS) hosts Exchange Server 2003. This is dual-homed and has one NIC connecting to the PIX and the other connected to the LAN. At present this server also runs NAT for the rest of the LAN. This works fine and I don't want to mess with it.

The ISA server has been given its default gateway as the internal IP address of XS. Logged in locally one can ping external networks and browse the web from ISA.

I have set up the default firewall rule denying all access from Internal to External. As a start I have configured a firewall rule which allows all users from Internal to access all networks in External at all times.

On a client browser (IE) I tick Automatically detect settings and point the proxy server to the address of ISA.

Nothing doing, the client won't connect. Once I can get this step OK I can configure more sensible rules then disable NAT on XS, but until I can I can't go any further. Grateful for ideas on what's wrong.

Regards Bob




paulo.oliveira -> RE: Controlling Web Access (6.Nov.2009 11:55:28 AM)

Hi Bob,

when you install ISA as a single NIC, it does not have the concept of External Network, but Internal and LocalHost.

In your access rule you should specify Internal as source and destination. Also, you have to leave the IP ranges that are provided by ISA when choosing the Single-NIC template.

For more info: http://technet.microsoft.com/pt-br/library/cc302586(en-us).aspx

Regards,
Paulo Oliveira.




bobmorris -> RE: Controlling Web Access (6.Nov.2009 11:25:44 PM)

Paulo,

Thanks for your reply. Yes, I saw this TechNet article and tried it (though the concept of internal to internal didn't make much sense to me). Unfortunately I got exactly the same results: no throughput.

Any other ideas?

Best Regards
Bob




paulo.oliveira -> RE: Controlling Web Access (7.Nov.2009 7:58:39 AM)

Hi Bob,

have you configured your ISA Internal Network definition as this:

  • 0.0.0.0
  • 255.255.255.255
  • 224.0.0.0-254.255.255.255 (multicast)
  • 127.0.0.0-127.255.255.255

Regards,
Paulo Oliveira.




bobmorris -> RE: Controlling Web Access (7.Nov.2009 9:23:55 AM)

I think so but I'll look again Monday and post further. Thanks.
Bob




paulo.oliveira -> RE: Controlling Web Access (7.Nov.2009 9:36:01 AM)

Hi Bob,

it is worth mentioning that when you select the ISA Single-NIC template, ISA populates the Internal Network definition with these networks.

Regards,
Paulo Oliveira.




bobmorris -> RE: Controlling Web Access (9.Nov.2009 3:47:54 AM)

It's working now, I was pointing IE on the test client at port 80 not 8080. Fixing this made it work.

I've configured the firewall access rule as source Internal and destination Internal and yes it works. I just wish I could understand why!

Thanks very much for your help.

Bob




paulo.oliveira -> RE: Controlling Web Access (9.Nov.2009 2:57:23 PM)

Hi Bob,

glad it worked.

About ISA Networks model:

quote:

Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer itself.

Source: http://technet.microsoft.com/pt-br/library/cc302586(en-us).aspx#UnsupportedScenarios

You can also read this article: http://www.isaserver.org/articles/2004isafirewallnetworks.html

Regards,
Paulo Oliveira.



