Posts: 2
Joined: 12.Nov.2002
From: UK
Hi Tshinder, I am very new to ISA configuration, and this article answers most of my queries and will probably save me a lot of sleepless nights in the next few weeks.
I recently configured a new DMZ with ISA to allow users to access our intranet pages via GPRS. The web publishing rule works fine and users now want to have internet access using the same infrastructure.
My issue is that the existing internet-enabled proxy for our internal clients is not the same ISA server. Is it possible to configure the ISA server as you mention in the article to pass on the web requests to another proxy server instead?
I'm not sure exactly what it is you want to accomplish, but I suppose you could configure Web Proxy chaining with an upstream ISA Server, so that requests go from one to another.
Posts: 2
Joined: 12.Nov.2002
From: UK
Hi Tshinder
Thanks for the reply. I am still having a few problems with the configuration. But first, let me just clarify our configuration.
I have an ISA server configured with a single external IP address to allow our offsite users to access our internal web pages via web publishing rules. I want to enable internet access for these users but would like to redirect their internet requests to another proxy server which has good internet connectivity. Is this possible? The reasons behind this are really down to the following:
* Costs - We want to utilize the existing internet connection rather than install another connection
* Security / Censorship - The other server is already set up to monitor our internal users' internet access and block any potential web sites.
You mentioned that I could configure Web Proxy chaining with an upstream ISA Server, so that requests go from one to another. Could you explain this in more detail?
PS I ordered your book via Amazon but it has still not arrived yet. I would be grateful if you can help me out on this.
I have set up my ISA server as you stated and also only allow specific IP addresses to use the server. This works great for those people on known IP addresses. My question: Is there a way that I can have users on unknown IP addresses authenticate to use the server? I know if I choose "require unauthenticated users to authenticate" all users must authenticate before they can browse, but I would only like those without a known IP to need to authenticate.
Another question/problem. Everything is set up and working well most of the time. About once or twice a day our users can't browse (and me as well). I stop the firewall and start it again and everything is working again. Any ideas? I have this set up on 2 different Windows 2000 Adv. servers and they both have the same problem.
Thanks.
Ryan
[ March 01, 2003, 08:03 PM: Message edited by: Ryan Lamberton ]
OK, no answer on that one. How about this: I have the ISA server set up as you said, with no SMTP server installed, and I am getting complaints that someone is sending spam from my ISA server. The log reads:
Offending message:
X-Message-Info: yOfSAGsvVmXvO7ZRyvQQAkyTmTNMFYWm
Received: from mc7-f12.law1.hotmail.com ([65.54.253.19]) by mc7-s16.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Sat, 22 Mar 2003 16:43:31 -0800
Received: from mailin-02.mx.aol.com ([XXX.XXX.36.217]) by mc7-f12.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Sat, 22 Mar 2003 16:43:31 -0800
There is no SMTP service on the computer. I have found in the logs that someone is logging in to the proxy who is not in the allowed IP address list (client address set used by the incoming web request listener in server publishing rules). I have set it up to only allow users with specific IP addresses. This works for me, and if my IP address is not in the list I cannot use the proxy. Yet I can see his IP address in the firewall log with allow after it. How can they get through the firewall? I also added an IP packet filter to block port 25 in both directions but that has not helped.
This is the log entry (if it helps):
10.0.1.105- - N 2003-03-23 20:17:52 fwsr FAMILINK-PROXY - - 66.207.212.111 2006 - - - 2320 TCP Accept - - - 0 - incoming web request listener - 2 1
I have tried everything I can think of to block the 66.207.212.111 address, even creating a protocol rule to deny all IP traffic that applies to that client set. Yet it is still in the log as accept! Am I missing something?
RE: Publishing the Incoming Web Requests Listener article - 17.Oct.2003 5:53:00 PM
Guest
Hi tshinder, I followed your 'allowing external connections to use the ISA proxy' but when a user authenticates they are able to browse, and when they load up a new browser window they don't get asked to re-authenticate.
I understand that this is of benefit to the users, to save them from having to re-authenticate every time they open a new browser, but I would like to set it so they do have to re-authenticate.
The only part of your article I didn't complete was to disable the W3SVC service. How exactly does disabling this service help, and is this the reason for it not asking to re-authenticate?
RE: Publishing the Incoming Web Requests Listener article - 1.Jun.2005 4:18:00 PM
Guest
Thanks for the great articles on this subject!
I have a need to allow external connections to use the web proxy on ISA 2004. We have field users who sometimes cannot connect to the VPN - mostly from public WiFi spots (hotels and such).
Can you please explain this process in ISA 2004? I have done it on 2000 but 2004 is quite different.
Hi, has anyone got this solution to work on ISA 2004 SP2? I really need this, as I have multiple users out in the field who I want to go through my ISA with antivirus/antispyware ...
If anyone has this solution working, please help me out here.