
direct internet access without proxy configuration

direct internet access without proxy configuration - 22.Dec.2009 5:29:55 AM   
firdavs_abc

 

Posts: 6
Joined: 6.Apr.2008
Status: offline
I am sorry if the same/similar thread already exists in the forum.

I just want to give direct access to the internet to some of my network clients, because the applications running on their computers do not support proxy.

Right now, on all of the browsers I manually set the proxy configuration (192.168.1.1:8080). The antivirus, messenger, etc. work excellently. I can monitor and filter web traffic. But some essential apps cannot access the internet through the proxy, so I have to give direct access to those clients. How can I do this? Can you please be descriptive in your replies? Thanks.

Server network configuration:
External NIC:
IP: 213.246.xxx.xxx
Subnet Mask: 255.255.248.0
Gateway: 213.246.xxx.xxx
DNS: 195.238.50.254

Internal NIC:
IP: 192.168.1.1
Subnet Mask: 255.255.255.0


Clients:
IP: 192.168.1.2-100
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
DNS: 195.238.50.254

Any app that needs internet is manually configured with the proxy setting: 192.168.1.1:8080
Post #: 1
RE: direct internet access without proxy configuration - 22.Dec.2009 1:33:09 PM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi,

quote:

ORIGINAL:
I just want to give direct access to the internet to some of my network clients, because the applications running on their computers do not support proxy.


You should use the SecureNAT client. Enable the internal ISA Server interface as the default gateway on the computers where the special applications are running.
This article could help you:
http://technet.microsoft.com/en-us/library/cc759344(WS.10).aspx


quote:


Server network configuration:
External NIC:
IP: 213.246.xxx.xxx
Subnet Mask: 255.255.248.0
Gateway: 213.246.xxx.xxx
DNS: 195.238.50.254

Internal NIC:
IP: 192.168.1.1
Subnet Mask: 255.255.255.0



Only configure DNS servers on the internal interface of the ISA Server, and install DNS servers in the internal network with DNS forwarding to external DNS servers.
Read this:
http://elmajdal.net/isaserver/Internal_DNS_Forwarding.aspx
Regards,

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to firdavs_abc)
Post #: 2
RE: direct internet access without proxy configuration - 23.Dec.2009 1:41:13 AM   
firdavs_abc

 

Posts: 6
Joined: 6.Apr.2008
Status: offline
Thank you for your answer hrsanchez

quote:


You should use the SecureNAT client. Enable the internal ISA Server interface as the default gateway on the computers where the special applications are running.


My clients' default gateway IP is already the ISA's internet IP address, that is 192.168.1.1 (as I have written in my first post).
Or am I missing something, and did not understand you?

quote:


Only configure DNS servers on the internal interface of the ISA Server, and install DNS servers in the internal network with DNS forwarding to external DNS servers.


The external NIC of the ISA has a dynamic IP. The ISP assigns all the IPs to the NIC. Is it OK if the ISA has 2 different DNS servers, one from the ISP and another its internal DNS?

< Message edited by firdavs_abc -- 23.Dec.2009 1:42:41 AM >

(in reply to hrsanchez)
Post #: 3
RE: direct internet access without proxy configuration - 23.Dec.2009 10:01:57 AM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi,
quote:


Is it OK if the ISA has 2 different DNS servers, one from the ISP and another its internal DNS?



No, you have to configure DNS servers only on the ISA internal NIC.
Then the internal DNS servers resolve external names by asking external DNS servers (forwarders), which could be the ISP DNS servers.
You will have to create an access rule for protocol 53 to your internal DNS servers.
I recommend that you ask your ISP to give you a fixed IP. Maybe you will have to pay the ISP more.
Another solution could be to install another router in front of the ISA Server to receive the dynamic IP from the ISP, with a static IP on its inside interface. That interface will be the gateway of the ISA Server and will allow you to configure a static IP on the external interface of your ISA Server.

Internet <-> (dynamic IP) router <-> ISA Server <-> internal LAN.

If that is impossible, and you obtain your public IP and DNS from the ISP's DHCP, then only work with DNS servers on your public interface (never configure DNS servers on both the internal and external interfaces).
This article could help you:
http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

quote:


My clients' default gateway IP is already the ISA's internet IP address, that is 192.168.1.1 (as I have written in my first post).
Or am I missing something, and did not understand you?


So, on the computers running applications that need direct access, only use the SecureNAT client, not the proxy client. If you have to authenticate user access, you will have to install the Firewall Client on those computers.

< Message edited by hrsanchez -- 23.Dec.2009 12:59:57 PM >


_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to firdavs_abc)
Post #: 4
RE: direct internet access without proxy configuration - 25.Dec.2009 9:44:36 AM   
firdavs_abc

 

Posts: 6
Joined: 6.Apr.2008
Status: offline
Then, my question is: how can I configure the server and the client to work in SecureNAT?

I have read several articles about ISA's SecureNAT configuration, but I did not find the information I need.

In one of the articles, it says:
"You make a machine a SecureNAT client when you point its default gateway to an interface that routes Internet bound requests to the internal interface of the ISA Server. The default gateway is the IP address of the internal interface of the ISA Server if the client is on the same network ID as the internal interface of the ISA Server."

My clients' network configuration is already OK. So what should I do with the ISA Server in order for it to treat some clients as SecureNAT rather than Web proxy clients?

(in reply to hrsanchez)
Post #: 5
RE: direct internet access without proxy configuration - 26.Dec.2009 2:44:54 PM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
It is simple: do not configure IE with proxy settings and do not install FWC!
Regards,

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to firdavs_abc)
Post #: 6
RE: direct internet access without proxy configuration - 10.Feb.2010 6:20:45 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
That is correct.

The SecureNAT client will need to be configured to use a DNS server that can resolve both internal and Internet names.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hrsanchez)
Post #: 7
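
A client-side check for the setup the replies above arrive at, as an added example that is not part of any post in the thread: default gateway on the ISA internal interface, no proxy settings for the user, and DNS that resolves both internal and Internet names. The two host names are placeholders, and the script assumes Windows PowerShell with WMI available on the client.

```powershell
# Added example (Windows PowerShell): audits one client against the thread's advice.
# Addresses come from the thread; both host names are constructed placeholders.
param(
    [string]$IsaInternalIp = '192.168.1.1',
    [string]$InternalName  = 'fileserver.corp.example',  # placeholder internal name
    [string]$InternetName  = 'www.example.com'           # placeholder Internet name
)

function Test-NameResolves([string]$Name) {
    # Uses whatever DNS servers the client is configured with.
    try   { @([System.Net.Dns]::GetHostAddresses($Name)).Count -gt 0 }
    catch { $false }
}

$findings = @()

# 1. SecureNAT: the default gateway must route to the ISA internal interface.
$nics     = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$gateways = @($nics | ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })
if ($gateways -notcontains $IsaInternalIp) {
    $findings += "Default gateway is [$($gateways -join ', ')], expected $IsaInternalIp"
}

# 2. No Web proxy settings for this user (IE / WinINET), else traffic from
#    proxy-aware applications still goes to the Web proxy listener.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $key
if ($inet.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { $findings += "Auto-config script: $($inet.AutoConfigURL)" }

# 3. The configured DNS servers must resolve internal and Internet names.
$dns = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
foreach ($name in $InternalName, $InternetName) {
    if (-not (Test-NameResolves $name)) {
        $findings += "Cannot resolve $name using DNS servers [$($dns -join ', ')]"
    }
}

# Firewall Client presence is not checked here; verify it separately.
if ($findings.Count -eq 0) { 'OK: client matches the SecureNAT setup described above.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```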
