ISA 2006

Hi,

I am trying to install ISA 2006 Standard Edition on Server 2003 and am having a few problems :( Whenever I try and visit a website (Google was used for the examples in the following screenshots), I get this:

EDIT: just a note- the address in the top picture is an internal IP address- I did type in Google's address but then tried to see if I could access an internal address but captured the screen before it loaded.
screen1.JPG


screen2.JPG


screen3.JPG


The reason the errors are different is because I was trying different things in between. There must be something coming through the ISA server because DNS addresses are being resolved- for example in one of the screenshots, www.google.co.uk is resolved to its IP address.

Anyway, was just hoping some ISA server gurus might pass and point out the obvious and simple thing staring me in the face which I'm doing wrong :D If any info is needed on configuration please ask- I think I can remember most of it.

Thanks for any help,

Ben
 
Correct me if I'm wrong, but ISA has an implicit deny rule, which means all outgoing/incoming traffic is denied; you need to create a rule to allow your web traffic.
 
ruffneck said:
Correct me if I'm wrong, but ISA has an implicit deny rule, which means all outgoing/incoming traffic is denied; you need to create a rule to allow your web traffic.

Thanks for the reply :) Already done though- I created a rule to allow all protocols through for all users and any rules created on top of the default deny one are processed first so the default one becomes pretty much inactive, doesn't it?

Thanks

Ben
 
Try creating an IP packet filter to allow packet transmission on TCP port 80 and apply it to the computers/users you want to.
 
Are you accessing from the ISA server? Remember that the ISA box will consider itself a different network (localhost) from any of the other networks.
 
Okay thanks- will try it tomorrow when I'm back in work :) Any more suggestions?- I want to go in tomorrow with a list of things to try if possible :D

Just for reference- I work in a school and am trying to set this up as a test network so it's an LEA broadband connection. In ISA, I have the internal network defined as 172.31.0.0 to 172.31.255.255 and anything other than that is defined as the external network- I then created a rule to transfer all requests other than internal ones to the external network... ...is that right?

EDIT: Could you tell me how to make an IP packet filter please? I know how to do it in ISA 2000 but my test network uses ISA 2006 :o

Thanks

Ben
 
oddjob62 said:
Are you accessing from the ISA server? Remember that the ISA box will consider itself a different network (localhost) from any of the other networks.

No, the screenshots are done from the DC which has the firewall client installed :)

It's odd though because I can't ping the proxy server from either of the two other servers but can ping the two other servers from the proxy :confused: If I try and do 'ping charlie' (CHARLIE is the proxy server BTW) from the proxy server, it resolves to its external IP- shouldn't it resolve to its internal IP of 172.31.0.3?

EDIT: Just thought, would it fix the above problem if I changed the DNS record for CHARLIE to point to the IP I want it to?

Thanks

Ben
 
Trigger said:
It's odd though because I can't ping the proxy server from either of the two other servers but can ping the two other servers from the proxy :confused: If I try and do 'ping charlie' (CHARLIE is the proxy server BTW) from the proxy server, it resolves to its external IP- shouldn't it resolve to its internal IP of 172.31.0.3?

Ok, I'm just going on my ISA 2004 knowledge, but have you allowed incoming ping to the ISA server? Needs to be added in System Policy.
Wrt the ping resolution, try rebinding your network interfaces with the internal one first. This is the usual way of doing it anyway (I believe) assuming your DHS servers are connected to the internal interface.
 
EDIT: Could you tell me how to make an IP packet filter please? I know how to do it in ISA 2000 but my test network uses ISA 2006 :o

Thanks

Ben

Should be the same way: ISA server console/management, Server and Arrays, Name, Access Policy, IP Packet Filters
 
oddjob62 said:
Ok, I'm just going on my ISA 2004 knowledge, but have you allowed incoming ping to the ISA server? Needs to be added in System Policy.
Wrt the ping resolution, try rebinding your network interfaces with the internal one first. This is the usual way of doing it anyway (I believe) assuming your DHS servers are connected to the internal interface.

How do you 'rebind' a network interface?

Well the DC has DNS installed and the internal card on the ISA server points to this, the external card is set to our LEA DNS servers and the internal DNS is set to forward all unknown requests to the LEA DNS servers which is how the current ISA server is set up...
 
ruffneck said:
Should be the same way: ISA server console/management, Server and Arrays, Name, Access Policy, IP Packet Filters

Hmm, I don't think it's the same- ISA 2006 doesn't have that interface which is what has confused me :( Trying to find a screenshot but can't find anything :(
 
oddjob62 said:
Network connections -> Advanced -> Advanced Settings.
Under Connections move the internal interface to the top

Oh right, thanks :D :o So will that fix my problem of no internet access also?

Thanks

Ben
 
Okay well we're still having problems. I had enough of ISA 2006 so downloaded and installed the 2004 trial which is exactly like 2006 damnit, not the 2000 interface I am used to :( Anyway, I've got it permanently down to this error now

screen3.JPG


It sits there saying 'connecting to www.google.co.uk' for ages and then comes up with the screen above. I can get it to resolve the addresses but just won't load the page. I have created a rule which allows HTTP and HTTPS traffic on port 80 for all users but it still doesn't work.

I've got to get this sorted soon as well because I need to activate my Server 2003 trials and only have about 3 days remaining :eek:

Any ideas?

Thanks,

Ben
 
Make sure the networks are set up correctly, i.e. what ISA thinks is internal is internal and what ISA thinks is external is external. It should be as simple as setting up a rule to allow HTTP traffic from network Internal to External.

You also might want to add Local Host into the "from" network in the rule as well if you want the ISA server to access the external network.
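
The network and rule-order behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model (not ISA's own API) of first-match rule evaluation, using the thread's internal range 172.31.0.0 to 172.31.255.255 and CHARLIE's internal IP 172.31.0.3. The DC address, the external addresses and the rule names are constructed for illustration.

```python
import ipaddress

# From the thread: internal range 172.31.0.0-172.31.255.255, ISA internal IP 172.31.0.3.
INTERNAL = ipaddress.ip_network("172.31.0.0/16")
# The ISA server's own addresses; the external one is a constructed placeholder.
LOCAL_HOST = {ipaddress.ip_address("172.31.0.3"), ipaddress.ip_address("192.0.2.10")}


def network_of(addr):
    """Classify an address; the ISA box itself is its own network (Local Host)."""
    ip = ipaddress.ip_address(addr)
    if ip in LOCAL_HOST:
        return "Local Host"
    if ip in INTERNAL:
        return "Internal"
    return "External"


def evaluate(rules, src, dst, port):
    """Return (action, rule name) of the first matching rule; default deny is last."""
    src_net, dst_net = network_of(src), network_of(dst)
    for rule in rules:
        if (src_net in rule["from"] and dst_net in rule["to"]
                and (rule["ports"] is None or port in rule["ports"])):
            return rule["action"], rule["name"]
    return "deny", "Default rule"


# Hypothetical policy: web access from Internal to External only.
WEB_ONLY = [{"name": "Allow web", "action": "allow", "from": {"Internal"},
             "to": {"External"}, "ports": {80, 443}}]
# Same rule with Local Host added to the "from" networks.
WEB_PLUS_LOCALHOST = [{**WEB_ONLY[0], "from": {"Internal", "Local Host"}}]

if __name__ == "__main__":
    dc, isa, site = "172.31.0.10", "172.31.0.3", "203.0.113.80"  # dc, site: constructed
    print(evaluate(WEB_ONLY, dc, site, 80))             # client on the Internal network
    print(evaluate(WEB_ONLY, isa, site, 80))            # browsing from the ISA box itself
    print(evaluate(WEB_PLUS_LOCALHOST, isa, site, 80))  # after adding Local Host
    print(evaluate(WEB_ONLY, dc, isa, 80))              # traffic addressed to the ISA box
```

In this model, traffic from or to the ISA box falls through to the default deny unless a rule names Local Host, which is why the thread treats access from the server itself and ping to the server as separate from the Internal-to-External web rule.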
 