RE: Anyone can get to the internet
RE: Anyone can get to the internet - 20.Jan.2004 5:36:00 PM
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi ralphyost,
Okay, so all fields are being logged. From the small bit you have included in your last post, you can see that the connections made by ACRM\KAPETRECCA were all successful, and the protocol rule and site & content rule that allowed access are shown (BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule).
What you now need to do is try to access the internet without logging into your domain, and then look in your logs to see what rule is allowing the access. Once you have worked that out, we can start to work out why access is being allowed.
RE: Anyone can get to the internet - 20.Jan.2004 8:24:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi all: I am not on site, but I just called over there. I had someone hook up the test PC for me and log on (locally) as the test user, then open a few web browsers that update periodically. This should create a few entries in the log files. The new logs will be written tonight at 12:00 midnight. I'll look through them tomorrow morning... and post anything notable. R
RE: Anyone can get to the internet - 21.Jan.2004 2:08:00 AM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Does anyone understand WHY there are anonymous access entries in the log from the SAME IP address as a legitimate, authenticated user? (See the example above from me, posted January 20, 2004 05:11 PM.) The ANONYMOUS and ACMR/KAPETRECAA entries are from the same machine and user. I understand that the LIVE UPDATE of Symantec/Norton runs automatically, but it comes through as ANONYMOUS and then doesn't use a protocol rule.....?
RE: Anyone can get to the internet - 21.Jan.2004 4:03:00 AM
Guest
The client first tries to use anonymous access; if that is rejected, the client tries to authenticate. So ISA logs an anonymous connect first, followed by an authenticated connect.
RE: Anyone can get to the internet - 21.Jan.2004 9:48:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ralphyost,
what is a trace route from that client to an external IP address telling you?
HTH, Stefaan
RE: Anyone can get to the internet - 21.Jan.2004 9:52:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi Stefaan: Tracert is a great idea. I won't be back in that facility until Friday, but I will run TRACERT at that time and report back here. Someone else has suggested the same. Thanks, R.
RE: Anyone can get to the internet - 23.Jan.2004 3:33:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
OK, I am now at the facility again (until 2:30 pm today, Eastern time). I ran tracert to a web site from the test PC. It shows the first hop is to the server's internal NIC: 192.168.16.2. (The "external" NIC to the internet is on a different subnet, 192.168.1.1.) Note that I also ran TRACERT to the same web site from another, legitimately logged-in workstation and got the exact same route. Any ideas now? R.
RE: Anyone can get to the internet - 23.Jan.2004 3:39:00 PM
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi ralphyost,
I am stumped. Is there any chance you could just pull the cable from the external NIC, to check that internet access is stopped for all PCs?
RE: Anyone can get to the internet - 23.Jan.2004 4:35:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Pinball: Yep, just pulled the cable from the external NIC. Verified that internet access stopped for both the test PC and the normal PC... as I suspected.
My ISA server is somehow allowing DHCP clients who are not authenticated to the server to get out to the internet. R.
RE: Anyone can get to the internet - 23.Jan.2004 4:56:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Here's another data point... don't know if it means anything. Try it on your own ISA Servers to see what you get: I do a tracert to 192.168.1.1, which is the IP address of the External NIC. The return I get is a simple one-liner that shows the path directly to 192.168.1.1. This result is the same whether I do it from the test PC, the logged-on PC, or the server. I find it interesting that the two PCs do not show it going to 192.168.16.2 first, which is the internal LAN NIC. Does this mean anything? R.
RE: Anyone can get to the internet - 24.Jan.2004 2:10:00 PM
Guest
Such a difference occurs between SNAT and FW clients.
A SNAT client treats ISA as a regular router.
A FW client treats ISA as itself. You can think of it as follows: the FW client operates "at ISA" and uses ISA's external NIC "directly".
So your network has SNAT clients, hence NO AUTHORIZATION at all.
I guess that in IE "Proxy Autodiscovery" is ON, and when the client can be authenticated it reaches the Internet via the Web Proxy; otherwise the client just becomes a SNAT client and can reach the Internet too.
Your ISA rules seem to be incorrect.
RE: Anyone can get to the internet - 24.Jan.2004 4:34:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi aleks: How are my ISA rules incorrect, or rather, what should they be and what should I do to correct them? Thanks, R.
RE: Anyone can get to the internet - 24.Jan.2004 5:47:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ralphyost,
I've done a quick re-read of the topic, and if I remember correctly your ISA internal interface is '192.168.16.2/24' (no default gateway) and your external interface is '192.168.1.1/24' with default gateway '192.168.1.2'.
Now, what is your LAT on the ISA server? The LAT should only contain your internal IP range, nothing more, nothing less. So, if your internal IP range is '192.168.16.0/24', then the LAT should contain only '192.168.16.0 - 192.168.16.255'.
HTH, Stefaan
RE: Anyone can get to the internet - 24.Jan.2004 6:04:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi Stefaan: This is what I found in my LAT:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
192.168.1.1 to 192.168.1.2
192.168.16.0 to 192.168.16.255
192.168.16.255 to 192.168.16.255
RE: Anyone can get to the internet - 24.Jan.2004 6:35:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ralphyost,
aha... your LAT is misconfigured because it also contains your ISA external network ID! So, delete all entries except '192.168.16.0 to 192.168.16.255' and it should start working.
HTH, Stefaan
RE: Anyone can get to the internet - 24.Jan.2004 6:59:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Stefaan: I did precisely as you suggested, deleted all entries except '192.168.16.0 to 192.168.16.255'. However, when I deleted 192.168.1.1 to 192.168.1.2 it prompted me to restart the ISA Server service, so I did. Now there is no internet access at all. ? R.
RE: Anyone can get to the internet - 24.Jan.2004 7:38:00 PM
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi Stefaan: Here it is, the results of all 3 commands. Note that I had to VPN into the server, as I am not on site today:

Results of ipconfig /all:
Windows 2000 IP Configuration
  Host name: acrmdell
  Primary DNS suffix: acrm.local
  Node type: hybrid
  IP routing enabled: yes
  WINS proxy enabled: no
  DNS suffix search list: acrm.local

Ethernet adapter Internal NIC:
  DHCP enabled: no
  IP address: 102.168.16.2
  Subnet mask: 255.255.255.0
  Default gateway: (none)
  DNS server: 192.168.16.2
  Primary WINS server: 192.168.16.2

Ethernet adapter External NIC Internet:
  DHCP enabled: no
  IP address: 102.168.1.1
  Subnet mask: 255.255.255.0
  Default gateway: 192.168.16.2
  DNS server: 24.40.32.33
  Primary WINS server: 192.168.16.2

Result table of ROUTE PRINT (remember that I was on a VPN to obtain this):
Active Routes:
Network Destination   Netmask           Gateway        Interface      Metric
0.0.0.0               0.0.0.0           192.168.1.2    192.168.1.1    1
68.46.80.6            255.255.255.255   192.168.1.2    192.168.1.1    1
127.0.0.0             255.0.0.0         127.0.0.1      127.0.0.1      1
192.168.1.0           255.255.255.0     192.168.1.1    192.168.1.1    1
192.168.1.255         255.255.255.255   192.168.1.1    192.168.1.1    1
192.168.16.0          255.255.255.0     192.168.16.2   192.168.16.0   1
192.168.16.11         255.255.255.255   192.168.16.49  192.168.16.49  1   (my VPN)
192.168.16.49         255.255.255.255   127.0.0.1      127.0.0.1      1
192.168.16.255        255.255.255.255   192.168.16.2   192.168.16.2   1
224.0.0.0             224.0.0.0         192.168.1.1    192.168.1.1    1
224.0.0.0             224.0.0.0         192.168.16.2   192.168.16.2   1
255.255.255.255       255.255.255.255   192.168.1.1    192.168.1.1    1
Default Gateway: 192.168.1.2
Persistent Routes: NONE

Content of the LAT: only one entry: 192.168.16.0 to 192.168.16.255

Thanks, R.
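The LAT check Stefaan applied by eye on 24.Jan.2004 (6:35 PM), and the "which side is external" question answered by the route print above, can be mechanised. The script below is an added example for this thread; it is not part of ISA Server and was not posted by anyone here. It reads the `route print` rows to find the interface the default route leaves on and the directly connected network behind it, then audits a LAT against the internal range: any entry that overlaps the external network means ISA treats the outside as local, so outbound traffic from SecureNAT clients never hits an access rule. The sample data is transcribed from the posts (the pre-fix LAT and the route table, with the VPN rows dropped and the obvious interface typo in the 192.168.16.0 row read as 192.168.16.2); the function and variable names are this example's own. Requires Python 3.7 or later for `IPv4Network.subnet_of`.

```python
"""Audit an ISA Server 2000 Local Address Table (LAT) against the server's
own routing table. Example code added to this thread, not ISA Server's.
Sample inputs are transcribed from the posts (constructed test data)."""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

# The LAT exactly as posted before the fix: (start, end) address pairs.
POSTED_LAT = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
    ("192.168.1.1", "192.168.1.2"),
    ("192.168.16.0", "192.168.16.255"),
    ("192.168.16.255", "192.168.16.255"),
]
INTERNAL_NET = IPv4Network("192.168.16.0/24")  # from ipconfig of the internal NIC

# 'Active Routes' rows from the posted `route print`, VPN rows removed:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          192.168.1.2   192.168.1.1   1
127.0.0.0        255.0.0.0        127.0.0.1     127.0.0.1     1
192.168.1.0      255.255.255.0    192.168.1.1   192.168.1.1   1
192.168.1.255    255.255.255.255  192.168.1.1   192.168.1.1   1
192.168.16.0     255.255.255.0    192.168.16.2  192.168.16.2  1
192.168.16.255   255.255.255.255  192.168.16.2  192.168.16.2  1
224.0.0.0        224.0.0.0        192.168.1.1   192.168.1.1   1
224.0.0.0        224.0.0.0        192.168.16.2  192.168.16.2  1
255.255.255.255  255.255.255.255  192.168.1.1   192.168.1.1   1
"""


def parse_routes(text):
    """Yield (destination network, gateway, interface) per five-column row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, 'Default Gateway:' line, blank lines
        dest, mask, gateway, iface, _metric = parts
        yield IPv4Network((dest, mask)), IPv4Address(gateway), IPv4Address(iface)


def external_network(route_text):
    """The external interface is the one the default route leaves on; its
    network is the connected (gateway == interface) non-host route holding it."""
    routes = list(parse_routes(route_text))
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        raise ValueError("no default route in table")
    ext_iface = defaults[0][2]
    for net, gateway, iface in routes:
        if gateway == iface == ext_iface and 0 < net.prefixlen < 32 and ext_iface in net:
            return net
    raise ValueError("no connected route for the default-route interface")


def lat_entry_networks(start, end):
    """Expand a LAT start/end pair into CIDR blocks (LAT ranges need not align)."""
    return list(summarize_address_range(IPv4Address(start), IPv4Address(end)))


def audit_lat(lat, internal_net, external_net):
    """Return (entry, reason) findings; an empty list means the LAT holds the
    internal range and nothing else, which is what ISA needs."""
    findings = []
    clean_seen = []          # networks of earlier entries that were inside internal_net
    covers_internal = False
    for start, end in lat:
        nets = lat_entry_networks(start, end)
        entry = f"{start} - {end}"
        if any(n.overlaps(external_net) for n in nets):
            findings.append((entry, "overlaps external network"))
        if any(not n.subnet_of(internal_net) for n in nets):
            findings.append((entry, "extends beyond internal range"))
        else:
            # Entry is inside the internal range; flag it if an earlier clean
            # entry already covers every block of it.
            if all(any(n.subnet_of(s) for s in clean_seen) for n in nets):
                findings.append((entry, "redundant"))
            clean_seen.extend(nets)
        if any(internal_net.subnet_of(n) for n in nets):
            covers_internal = True
    if not covers_internal:
        findings.append(("(missing)", f"internal range {internal_net} not fully in LAT"))
    return findings


def recommended_lat(internal_net):
    """The single entry Stefaan recommends: exactly the internal range."""
    return [(str(internal_net.network_address), str(internal_net.broadcast_address))]


if __name__ == "__main__":
    ext = external_network(ROUTE_PRINT)
    print(f"external network from default route: {ext}")
    for entry, reason in audit_lat(POSTED_LAT, INTERNAL_NET, ext):
        print(f"  {entry:36} {reason}")
    print("recommended LAT:", recommended_lat(INTERNAL_NET))
```

Run against the posted data it names the external network as 192.168.1.0/24, flags the two 192.168.x entries as overlapping it, flags the 10/8, 172.16/12 and 192.168/16 entries as reaching beyond the internal range, and marks the single-address 192.168.16.255 entry redundant; only 192.168.16.0 - 192.168.16.255 passes, matching the advice in the thread. Re-run it after any LAT or interface change, since the check depends on both tables being read together.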