ISA 2004 questions? 1

[bofhrevenge2]

I have a Win2k3 domain and have just installed ISA 2004 on a Win2k3 member server.
I'm having a few config issues:

1. Do i need the firewall client to use the groups feature, if i add 'All Users' then everyone can access the internet but if i then add an Active Directory group to allow certain users then no one can use the internet.

2. If i don't use the firewall client what is the best way to configure I.E. automatically and what should the settings be? (ISA:8080) ?

I have looked through loads of docs on ISA org and i'm certain i'm very close i just seem to be missing a couple of key settings.

Thanks for any tips.

 

[bofhrevenge2]

I now receive this page

Network Access Message: The page cannot be displayed

Technical Information (for support personnel)
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.

Date: 18/01/2005
Server: isa.domain.com
Source: Firewall

If i set I.E. to use our ISP's proxy i can browse fine and if i send an email to hotmail it says it receives it from the outward facing card on the ISA server, so it seems to be passing the requsts through.
I've set ISA to publish auto discovery info, set a wpad entry in DNS and set I.E. to auto discover. I have also set an Open All policy on ISA to test.

Can anyone see where i'm going wrong?

Thanks.

 

[bofhrevenge2]

I also found thisin the event log

ISA Server detected routes through adapter "WAN" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 10.4.116.3-10.4.116.14;10.4.116.16-10.4.119.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither.

Any ideas anyone.

 

[RichieClarke]

Bofhrevenge2,

Looks like you need to re-construct your LAT and you might aswell do the LDT aswell.

With the problem of getting out on the internet it could be a DNS issue, try using NSLOOKUP to resolve a web address from one of your clients.

Also to test routing try and ping your internet gateway throught the ISA server, this will give you some clues as to whether the routing is working.(What routing technique are you using, ie. static, RIP etc.) your clients need a route out to the internet so the default (0.0.0.0) route on your clients gateway needs to be set to the ISA servers internal ip address. Also make sure you have set the ISA servers ip settings correctly, the internal adapters should NOT have a default gateway of the ISA servers external ip address.

Hope some of this helps.

Cheers,

Richie

 

[bofhrevenge2]

Thanks for the reply Richie, i'm currently rebuilding the server and have made some alterations. The external and internal cards are now on different subnets, i have the internal card pointing to my DNS server but with no gateway set and the external card with no DNS set but the gateway points to my router.

I'll post back with how i get on.

Cheers.

 

[bofhrevenge2]

I still seem to be unable to get to the internet if I try to use the ISA as my proxy.

I now have my interfaces set up as in my previous post, my clients now have the ISA as their default gateway. I have a rule allowing my DNS forwarders to contact my ISP's DNS server and a rule opening HTTP to external networks and NSLOOKUP shows no name problems.

If I try to use the internet using my ISP's proxy it's fine e.g. proxy.isp.com port 80 in IE settings and if I use tracert I can see the traffic goes through the ISA and the router. If I put the proxy settings ISA.MYDOMAIN.COM port 80 in I.E. I receive a network access error from the ISA (The gateway could not receive a timely response from the website you are trying to access. ).

Can you tell me how my clients should be configured for me to use the ISA as a proxy as well?

Thanks.

 

[RichieClarke]

hi bofhrevenge2,

to set your clients up as secure nat clients configure the proxy server settings in the browser properties to be as follows:

make sure the "use a proxy server" is ticked
address: IP Addres of internal ISA NIC
Port: 8080
make sure the "bypass proxy server for local address" is ticked.
And thats the browsers done.

Could you ping through the ISA server from a client?

Cheers,

Richie.

 

[bofhrevenge2]

I have that set in the browser but still no joy, I can ping the ISA and the router on the other side but I get this error when trying to browse using the ISA as a proxy:

Technical Information (for support personnel)
Error Code: 502 Proxy Error. Cannot complete this function. (1003)
IP Address: 213.86.55.162
Date: 26/01/2005 15:03:25
Server: isa.domain.com
Source: proxy


Here is the output from an nslookup

Server: DNS.Domain.com
Address: 10.4.116.11

Name: google.com
Addresses: 216.239.39.99, 216.239.57.99, 216.239.37.99


My internal card has address
10.4.116.4
255.255.252.0
No Gateway
10.4.116.11 (For DNS)

External card is
172.16.136.4
255.255.255.128
172.16.136.1
No DNS

I can ping the router (172.16.136.4) from the ISA server and from clients but since I reinstalled I can't ping beyond this I just get Destination host unreachable.

Do I need to add something to my routing table?

Annoyingly this is the same way I had it setup last time and I could browse the net from the ISA server then.

Thanks for your help.

 

[bofhrevenge2]

I mean i can ping the router 172.16.136.1

 

[RichieClarke]

bofhrevenge2,

ISA and clients are setup correctly then. It sounds like you just need to create a policy to allow web traffic through the ISA. ISA Server blocks all traffic by default from when you first set it up.

Run the "New Access Rule Wizard" to create a new rule for allowing your clients to access the web.

Let me know how you get on.

Richie

 

[bofhrevenge2]

Thanks for the reply Richie i've c@cked it up with furiouse clicking, i'm going to reinstall ISA in the morning and try to setup a new rule to allow access.

I'll let you know if i get it working.

Thanks

Grant.

 

[bofhrevenge2]

Ok I’m still a bit stuck here, before I installed ISA I could browse the internet from the server just fine (obviously this won't work after I install ISA).

After I install ISA I created a test rule to allow all traffic from the internal network to the external network but I keep getting the same error. I have ISA.DOMAIN.COM port 8080 set in I.E. and still no joy, it says opening page but then pauses for a few seconds before failing.
If I set my proxy settings to my ISP's proxy on port 80 I can browse the internet from clients and the traffic is going through the ISA server as I can block it by disabling the all open rule.
Also Pathping shows the traffic going through the ISA server and this is also blocked by disabling the all open rule.

I feel I’m so close but just a couple of mystery clicks away.

The error from the ISA still is

Technical Information (for support personnel)
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
Date: 27/01/2005 15:28:08
Server: ISA.DOMAIN.COM
Source: Firewall

Is there something I need to do to allow web proxy clients?

Cheers

Grant.

 

[bofhrevenge2]

Hey Richie i think i might of realised why, i found out earlier that i can access a webserver that is out on the WAN. Do i need to configere my ISA to use an upstream proxy?

 

[RichieClarke]

Hi bofhrevenge2,

I'm not sure what your network layout is from the edge to internet.

Do you have a perimeter network (DMZ) sitting between two proxy/firewall servers?

I also noticed that your external interface on ISA doesn't have DNS configured to resolve internet address.

2 options:

1: configure DNS on your ISA server as a caching only server and configure forwarders (the forwarder must be a DNS server on your ISP's network or other external DNS).

2: configure a DNS server in the network properties of your ISA servers external interface.

The advantage of running DNS as cahing only is that the ISA server won't have to go out on the internet to resolve the same address multiple times and in the right environment this will reduce the load on the ISA server.

Let me know how you get on, I will try and monitor the thread tonight to give replies as quick as poss!

Cheers,

Richie

 

[RichieClarke]

hey bofhrevenge2,

I forgot to mention, if you do have an upstream proxy (another firewall the internet side of your perimeter network) they must be chained together, although if it isn't another ISA server or MS proxy 2.0 I'm not sure whether it will work with ISA. You might want to check with Microsoft.

Cheers,

Richie.

 

[bofhrevenge2]

Hi Richie thanks for replying again, I won't be back in until tomorrow so don't put yourself out. Thanks tho.

I read that I didn't need DNS on the external interface of the ISA is this wrong? I have the internal interface pointing to my DNS and the forwarder pointing to my ISP's DNS.

Our network setup is our ISA face's onto a WAN that connects all the high schools in the area to a central point where a company provide a firewall and internet filtering service.
They also have a proxy server that I believe runs squid, could this be a problem?

Cheers.

 

[RichieClarke]

Hi bofhrevenge2,

You need to set a DNS server on your external interface in order for it to resolve internet names to address. Review my above post for your options.

With regard to your network setup, I would just test the ISA server configured as a standalone server with the DNS settings setup correctly and if that doesn't work then try chaining it to the upstream proxy. you may need to talk to the company who manages the upstream proxy to get the correct settings to chain your ISA server to it.

Good Luck,

Richie

 

[bofhrevenge2]

Yes up and running at last, I added a DNS server to the external card and set the ISA to request content from the upstream proxy (which is a SQUID 2.4 stable proxy apparently) and it's working fine so far.

I should of thought about the upstream proxy really but with it been open I just assumed it wouldn't need any settings.

Anyway thank you very much for you time Richie.

 

[RichieClarke]

No problem, I know how frustrating it is when you something just doesn't wanna work. Sometimes a little help goes a long way.

Cheers,

Richie.

 

[bofhrevenge2]

Sorry Richie one last question.

If i do install a cache only DNS server on the ISA i assume i set the forwarder to point to my ISP's DNS. Do i point the external ISA card back as itself for DNS?

Cheers.