

How to bypass ISA Server

Posted on 2004-08-10
Medium Priority
Last Modified: 2013-11-16

I have asked this question in a few other forums but no-one has been able to get it working for me. I am hoping someone from here will be able to help.

Here in our office, we have a SBS2003 server with ISA server on it. This has a 2nd NIC card connected to an ADSL modem out to the Internet.

What I want to be able to do is to be able to allow un-authenticated clients access to the Internet (Port 80/443 and a few others). I am not overly worried about internal security as it is only myself and one other person with access to here.

We are a computer reseller who constantly builds computers and adds them to the network to download updates/patches etc etc. I don't want to have to put in proxy settings AND a username and password each time these computers access the Internet, I want them to access it just as if the ISA server was performing NAT. Before SBS we used to run straight from a firewall with DHCP sending all these machines a default gateway and they could then access the Internet perfectly.

At the moment when I plug the machines in, DHCP provides them an IP address no problem, but when I try to access the Internet without putting in a proxy server, I get a:

"403 Forbidden - The ISA server denies the specified Uniform Resource Locator (URL). (12202)
Internet Security and Acceleration Server"

I have tried a few different things in the Protocol Rules but to no avail. I have been trying to get this going on and off for 3 months now and it is starting to really annoy me having to manually type in the proxy server and username and password each time I try to access the Internet.

This has compounded now due to the release of WinXP SP2 and Windows Update v5. Using the proxy server this way does not allow Windows Update to download any updates, which is a downright pain in the ****.

I can clearly see why so many people never use ISA server with its very obscure setup. A simple Linux based firewall is sooo much easier to configure...
Question by:nigem

Expert Comment

ID: 11768977
1. You have to run the "Connect to the internet wizard" and make sure to enable your web site to be accessed from the web. You will see when you get there.

2. Since you have SBS, you have to go to the SharePoint site administration and allow "anonymous access".

Let me know if you need more help


Author Comment

ID: 11769035
I apologise, I must have miscommunicated.

What I am trying to do has nothing to do with Sharepoint or internal web sites. I want the un-authenticated users to be able to have access to the "Internet" i.e. outside of the ADSL modem, i.e. the outside world. This is so I can run things like Windows Update and Office Update and Anti Virus downloads etc etc.

So in a nutshell, I need any computer that is physically plugged into our switch to have access to the Internet WITHOUT having to manually put a proxy server in Internet Explorer AND having to type in a domain username and password each time I attempt to access the Internet.

At this stage, authenticated users access the Internet perfectly (like the machine I am currently using). The SBS server does not even have Sharepoint on it so my question has nothing to do with IIS or internal sites.

Hopefully I have explained myself a bit better here.


Expert Comment

ID: 11769128
Create a DMZ for your client PCs and keep your own behind the SBS. Buy a cheap SOHO router and put it directly after the modem allowing DHCP addresses to Client PCs plugged into it. Plug the SBS server into one of the ports and statically IP it. Place all your trusted PCs behind the SBS server.

Forward from the router any ports you need to access the SBS and you are segregated from the Client network.


Author Comment

ID: 11769185
Thanks for the reply.

I am after a solution where I can just add rules to the SBS server for it. I don't want to purchase anything for it and as I said, I don't mind if there are security implications. It doesn't worry me if the computers are on the same network, in fact, I need them on the same network, as I need to be able to access shares on the SBS server from the machines that I plug into the network. I don't mind having to type in a password here though to access the shares, I just want to get around it when I am accessing the Internet.

So essentially, the entire network of computers can see each other and all see the SBS server, I don't care if this is insecure. I just want all client computers to be able to access the Internet without having the need for being authenticated to the ISA server.

A previous suggestion was to put a Client Address Set with complete access to the Internet, however this didn't work at all. I am guessing though that the solution will be along those lines.

Thanks again for assistance so far.

Expert Comment

ID: 11769217
Assuming you are using ISA 2000:
From the Management Console
Expand the ISA server
Expand Access Policy
and click Protocol Rules

On the right side of the pane, right-click on Small Business Internet Access, then click on Properties.

Now you need to allow all requests:

Action = Allow
Protocol = All IP Traffic
Applies to = Any Request

That should do it.

If you are running ISA 2004 it is a little different, let me know.


Expert Comment

ID: 11769225
Or you could add a range of IPs to have direct access to the Internet.

Author Comment

ID: 11769278
Thanks vico1 - I think we are on the right track here. I already have that exact rule in my config though. I modified it about 3 months ago when I first started trying to get this going. The details are as follows:

Name: Small BUsiness Internet Access Protocol Rule
Scope: Array
Description: <blank>
Protocol: All IP traffic
Action: Allow
Applies To: Any request
Schedule: Always

I have 4 other protocol rules in there as well named as follows:
MSN Messenger
Remote Desktop (Outbound)
SBS DHCP Network
Small Business Internet Access Protocol Rule 2

Could any of these protocol rules be getting in the way of the one I have there? Remember that these clients are completely un-authenticated to the domain/ISA server.

Thanks - if you need any more information, please let me know.

Accepted Solution

MichealLow earned 1600 total points
ID: 11769321
Make sure the ISA is installed in mixed mode (Firewall & Proxy).

(Server name) -> Properties -> Outgoing Web Requests
Uncheck "Ask unauthenticated users for identification"

In the Access Policy, enable HTTP.

Assisted Solution

vico1 earned 400 total points
ID: 11769328
Right-click on "Small BUsiness Internet Access Protocol Rule"

then click on Properties.

In the previous post I meant make sure the values on the following tabs are as follows:

"Action" tab: Value = Allow
"Protocol" tab: Value = All IP Traffic
"Applies to" tab: Value = Any Request

The rest of the protocols should not affect access to (80/443).



Expert Comment

ID: 11769332
By default "ask unauthenticated users for identification" is unchecked.

Expert Comment

ID: 11769340
You could play with ISA and modify it the way you want, but:
Make sure to back up your configuration.

To do so, right-click on the server name, then click on Back Up and save your working configuration.

ISA can be a problem sometimes.

Author Comment

ID: 11769405
Hi again,

That "ask unauthenticated users for identification" was checked so I unchecked it and also enabled the HTTP protocol in Access Policy and it seems to be working for me now. I am just going to run a few tests from different things to see how I go and then come back and post the results.

Thanks so far for your help, I think we might have it now...

Author Comment

ID: 11806439
Thank you for your help - this seems to be working perfectly now.

