ISA 2004 questions? 1

[bofhrevenge2]

I have a Win2k3 domain and have just installed ISA 2004 on a Win2k3 member server.
I'm having a few config issues:

1. Do i need the firewall client to use the groups feature, if i add 'All Users' then everyone can access the internet but if i then add an Active Directory group to allow certain users then no one can use the internet.

2. If i don't use the firewall client what is the best way to configure I.E. automatically and what should the settings be? (ISA:8080) ?

I have looked through loads of docs on ISA org and i'm certain i'm very close i just seem to be missing a couple of key settings.

Thanks for any tips.

 

[RichieClarke]

No problem.

If you want to setup a caching only DNS server on ISA, set the DNS settings on the external interface card to 127.0.0.1 (only the external interface, leave the internal interface pointing to your internal DNS server) and yes, set your forwarders to be an ISP DNS server or if the company who manages the upstream proxy have internet DNS servers you could use theirs. Also you may have to enable the advanced view in DNS manager to see cached forward lookup zones.

Hope this helps, any more probs just post a reply and I'll get back to you as soon as I can.

Cheers,

Richie.

 

[bofhrevenge2]

Ok it's all running quite nicely now, but I have a couple more questions

The initial startup of I.E seems quite slow (10 -15 seconds) if I use AD groups in rules, once the initial page has loaded then browsing is fine is this the ISAs checking which groups the user is a member of and if so should it be this slow?

What is the best way to use the groups feature should I create local groups on the ISA and put AD groups into these or shall I just add AD groups to ISA rules?

cheers

Grant.

p.s there's no rush

 

[RichieClarke]

IE sometimes does that if you have automatically detect settings checked in the internet options. If you manualy specify the proxy and port details it seems to be quicker.

Try it and let me know how you get on.

Cheers,

Richie.

 

[bofhrevenge2]

I've unchecked that and it's still slow, once it's opened the first page then browsing is rocket powered. If I allow the all users group access then it opens straight away.

Another odd thing I’ve noticed is that if I create an All Open policy and add the all users ISA group then MSN Messenger works fine, but if I remove all users and add domain admins then I can still browse the internet and send email but MSN will not work.


Any ideas?

 

[RichieClarke]

There could be a policy blocking web based mail.
Try adding a username explicitly instead of using a group it may be slow resolving group membership.

hope that helps

cheers,

Richie.

 

[bofhrevenge2]

Yeh that seems to of perked it up a bit, although it's still not super fast but it's useable.

I had a look on ISA.org and I think the firewall client maybe needed for Messenger.

Cheers.

 

[bofhrevenge2]

I discovered the problem with MSN Messenger just in case anyone else is foolish enough to allow it.

If you are using web proxy clients then when Messenger sends it's credentials to MSN it also sends the credentials to the ISA, as ISA cannot match the username and password (as it doesn't match your domain account) it bans access.

To get around this you can either use the firewall client or create an anonymous access rule for Web Proxy clients to use HTTP to reach just the MSN site.

Hope that helps anyone with a similare problem.

I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks

 

[TBTL]

Hi anyone can help me to setup msn messenger on exhcnage 2003, i cant sign in, it says user name password not correct, proxy port used is 8080??

Help pls