
Welcome to ISAserver.org


Enterprise Default Rule Denied HTTP traffic

Enterprise Default Rule Denied HTTP traffic - 10.Nov.2009 12:58:34 PM   
jtheboywonder

 

This may be a silly question, since it seems to be telling me where to look, but when I look there, there is no reason (that I can see) that HTTP traffic from the server is being blocked.

I set up a new ISA 2006 server and new enterprise, I have added an array rule to allow HTTP and HTTPS traffic from internal to external, I have matched everything I can see from my old server aside from the server name, and still I get the following:

Denied Traffic
- destination URL host name could not be resolved
Rule Name: [Enterprise] Default rule
Rule Order:

Additional information
From: Internal
To: External
Network Rule Name: Internet Access
Network Relationship: NAT
Protocol: HTTP
Rule Application Filter:
Post #: 1
RE: Enterprise Default Rule Denied HTTP traffic - 10.Nov.2009 1:02:25 PM   
jtheboywonder

 

Shouldn't the Array rule have applied before the Enterprise rule, and allowed traffic through? It was working like that in ISA 2004, so I am not sure what I am doing wrong. Here is my Array rule:

Web Access Array
Action: Allow
Protocol: HTTP, HTTPS
From: Array Servers
To: External, Internal
Users: All Users

I can't figure this out for the life of me!

(in reply to jtheboywonder)
Post #: 2
RE: Enterprise Default Rule Denied HTTP traffic - 10.Nov.2009 5:26:01 PM   
srasool

 

Hello jtheboywonder,

An ISA Server in enterprise setup would observe Enterprise rule overriding Array Rules. This is the rule of thumb. This is shown by the ISA management snap-in. When creating Array level rules, the results pane divides the screen showing "Enterprise rules applied before Array level access rules".

So for example, you just have Default Enterprise Rule which will deny all traffic...

1. Remove all rules from Array.
2. Create an Enterprise Allow All Access Rule.
3. Right click on the server name, click Properties.
Go to the Enterprise rule tab and see what Enterprise level policy is applied. Set it to the one you created at Enterprise level, Allow All Access Rule.

I hope this will help.

Regards

(in reply to jtheboywonder)
Post #: 3
RE: Enterprise Default Rule Denied HTTP traffic - 10.Nov.2009 5:41:24 PM   
jtheboywonder

 

Thanks for the reply.

If you look in the ISA management console, the only Enterprise rule that is applied says it is "applied after array firewall policy", and that does indeed deny all traffic as it should.

I have created the web access rule for HTTP/HTTPS in both the array and the enterprise level, and it does not change the communication.

Any other suggestions?

(in reply to srasool)
Post #: 4
RE: Enterprise Default Rule Denied HTTP traffic - 10.Nov.2009 6:07:25 PM   
jtheboywonder

 

Could someone please explain this?

"When ISA Server processes an outgoing request, it checks network rules and firewall policy rules to determine if access is allowed. For Web Proxy client requests or Hypertext Transfer Protocol (HTTP), the network rule is ignored. Note that if the Web proxy is disabled, the network rule would be required."

What does it mean by "the network rule is ignored?"

Does this mean network rules outside of ISA? Because if this is the case, then why doesn't my ISA server go anywhere on the internet other than Microsoft.com (not even the Microsoft updates site works without turning off the firewall)? It seems strange, like a setting I can't seem to find. Even with opening up HTTP/HTTPS, nothing seems to let traffic out. I can ping out, so I know it can communicate out fine, it is ISA that is blocking traffic for sure!

< Message edited by jtheboywonder -- 10.Nov.2009 6:11:35 PM >

(in reply to jtheboywonder)
Post #: 5
RE: Enterprise Default Rule Denied HTTP traffic - 10.Nov.2009 10:45:22 PM   
srasool

 

Hi jtheboywonder,

According to the following link:

http://technet.microsoft.com/en-au/library/bb794774(loband).aspx

"Network rules determine whether there is a relationship between two network entities, and define the type of relationship"

A network rule is either a bidirectional Route relationship or a unidirectional NAT relationship.

Please read on.

Moreover, I was going to ask: did you happen to change the Enterprise Policy which gets applied by displaying the properties of the server and going to the Enterprise Firewall policy tab?

(in reply to jtheboywonder)
Post #: 6
RE: Enterprise Default Rule Denied HTTP traffic - 13.Nov.2009 3:25:48 PM   
jtheboywonder

 

Well, it turns out the problem was in the Web access rule. Rather than allowing the localhost to communicate to the Internet, I created a policy that was supposed to allow all array servers to talk to the Internet. I am not sure why ISA did not like "array servers" to "External" but for some reason when I allowed "Localhost" to "External" it worked fine.

Does this signify a problem with the Array servers group? Or is it that you would have to add an array servers group with the external interfaces to allow traffic to go out? And I am not sure why Microsoft worked, but other sites did not.

I am connected now, but I could not find any documentation on why one would be different than the other.

Thanks for all the ideas and help. I am posting a new problem with CSS replication now.

Thanks again.

(in reply to srasool)
Post #: 7
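
An added model of the rule ordering discussed in this thread (not ISA Server code and not from any poster): enterprise rules applied before the array policy, then array rules, then enterprise rules applied after it, with the enterprise default rule denying whatever nothing else matched. The addresses and the membership of "Array Servers" are constructed assumptions; the thread does not establish why that set failed to match the server's traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions for illustration, not taken from the thread).
OBJECTS = {
    "Localhost": ["10.0.0.1", "203.0.113.10"],  # every address the firewall owns
    "Array Servers": ["10.0.0.1"],              # assumed: intra-array address only
    "Internal": ["10.0.0.0/24"],
}

def in_object(addr, name):
    """True if addr belongs to the named object; External is everything else."""
    ip = ip_address(addr)
    if name == "External":
        return not any(ip in ip_network(n) for nets in OBJECTS.values() for n in nets)
    return any(ip in ip_network(n) for n in OBJECTS[name])

@dataclass
class Rule:
    name: str
    action: str
    protocols: tuple
    sources: tuple
    dests: tuple

    def matches(self, proto, src, dst):
        return (proto in self.protocols
                and any(in_object(src, s) for s in self.sources)
                and any(in_object(dst, d) for d in self.dests))

# The enterprise default rule sits last and denies anything left unmatched.
DEFAULT = Rule("[Enterprise] Default rule", "Deny", ("*",), (), ())

def evaluate(enterprise_before, array_rules, enterprise_after, proto, src, dst):
    """First match wins across the three tiers; otherwise the default rule denies."""
    for rule in (*enterprise_before, *array_rules, *enterprise_after):
        if rule.matches(proto, src, dst):
            return rule.action, rule.name
    return DEFAULT.action, DEFAULT.name

def thread_scenario(source_object):
    """Outbound HTTP from the firewall's external address under one array rule."""
    rule = Rule("Web Access Array", "Allow", ("HTTP", "HTTPS"),
                (source_object,), ("External", "Internal"))
    return evaluate([], [rule], [], "HTTP", "203.0.113.10", "198.51.100.7")
```

A log entry naming `[Enterprise] Default rule` therefore means no earlier rule matched the request's protocol, source and destination, so the rule's From and To objects are the first thing to compare against the logged source address.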
