Solved

How to bypass ISA Server

Posted on 2004-08-10
Last Modified: 2013-11-16
Hello,

I have asked this question in a few other forums but no-one has been able to get it working for me. I am hoping someone from here will be able to help.

Here in our office, we have a SBS2003 server with ISA server on it. This has a 2nd NIC card connected to an ADSL modem out to the Internet.

What I want to be able to do is to be able to allow un-authenticated clients access to the Internet (Port 80/443 and a few others). I am not overly worried about internal security as it is only myself and one other person with access to here.

We are a computer reseller who constantly builds computers and adds them to the network to download updates/patches etc etc. I don't want to have to put in proxy settings AND a username and password each time these computers access the Internet, I want them to access it just as if the ISA server was performing NAT. Before SBS we used to run straight from a firewall with DHCP sending all these machines a default gateway and they could then access the Internet perfectly.

At the moment when I plug the machines in, DHCP provides them an IP address no problem, but when I try to access the Internet without putting in a proxy server, I get a:

"403 Forbidden - The ISA server denies the specified Uniform Resource Locator (URL). (12202)
Internet Security and Acceleration Server"

I have tried a few different things in the Protocol Rules but to no avail. I have been trying to get this going on and off for 3 months now and it is starting to really annoy me having to manually type in the proxy server and username and password each time I try to access the Internet.

This has compounded now due to the release of WinXP SP2 and Windows Update v5. Using the proxy server this way does not allow Windows Update to download any updates, which is a downright pain in the ****.

I can clearly see why so many people never use ISA server with its very obscure setup. A simple linux based firewall is sooo much easier to configure...
Question by:nigem
 
LVL 15

Expert Comment

by:vico1
ID: 11768977
1. You have to run the "Connect to the internet wizard" and make sure to enable your web site to be accessed from the web. You will see when you get there.

2. Since you have SBS, you have to go to the SharePoint site administration and allow "anonymous access"

Let me know if you need more help

vico1
 

Author Comment

by:nigem
ID: 11769035
I apologise, I must have miscommunicated.

What I am trying to do has nothing to do with Sharepoint or internal web sites. I want the un-authenticated users to be able to have access to the "Internet" i.e. outside of the ADSL modem, i.e. the outside world. This is so I can run things like Windows Update and Office Update and Anti Virus downloads etc etc.

So in a nutshell, I need any computer that is physically plugged into our switch to have access to the Internet WITHOUT having to manually put a proxy server in Internet Explorer AND having to type in a domain username and password each time I attempt to access the Internet.

At this stage, authenticated users access the Internet perfectly (like the machine I am currently using). The SBS server does not even have Sharepoint on it so my question has nothing to do with IIS or internal sites.

Hopefully I have explained myself a bit better here.

 
LVL 7

Expert Comment

by:EmpKent
ID: 11769128
Create a DMZ for your client PCs and keep your own behind the SBS. Buy a cheap SOHO router and put it directly after the modem allowing DHCP addresses to Client PCs plugged into it. Plug the SBS server into one of the ports and statically IP it. Place all your trusted PCs behind the SBS server.

Forward from the router any ports you need to access the SBS and you are segregated from the Client network.

Kent

Author Comment

by:nigem
ID: 11769185
Thanks for the reply.

I am after a solution where I can just add rules to the SBS server for it. I don't want to purchase anything for it and as I said, I don't mind if there are security implications. It doesn't worry me if the computers are on the same network, in fact, I need them on the same network, as I need to be able to access shares on the SBS server from the machines that I plug into the network. I don't mind having to type in a password here though to access the shares, I just want to get around it when I am accessing the Internet.

So essentially, the entire network of computers can see each other and all see the SBS server, I don't care if this is insecure. I just want all client computers to be able to access the Internet without having the need for being authenticated to the ISA server.

A previous suggestion was to put a Client Address Set with complete access to the Internet, however this didn't work at all. I am guessing though that the solution will be along those lines.

Thanks again for assistance so far.
 
LVL 15

Expert Comment

by:vico1
ID: 11769217
Assuming you are using ISA 2000,
From Management Console
Expand The ISA server
Expand Access Policy
and click Protocol Rules

On the right side of the pane, right-click on Small Business Internet Access, then click on Properties.

Now you need to allow all requests

Action = Allow
Protocol= All IP Traffic
Applies to= Any Request

that should do it

If you are Running ISA 2004 it is a little different, let me know

vico1
 
LVL 15

Expert Comment

by:vico1
ID: 11769225
Or you could add a range of IPs to have direct access to the internet.
 

Author Comment

by:nigem
ID: 11769278
Thanks vico1 - I think we are on the right track here. I already have that exact rule in my config though. I modified it about 3 months ago when I first started trying to get this going. The details are as follows:

Name: Small BUsiness Internet Access Protocol Rule
Scope: Array
Description: <blank>
Protocol: All IP traffic
Action: Allow
Applies To: Any request
Schedule: Always

I have 4 other protocol rules in there as well named as follows:
MSN Messenger
Remote Desktop (Outbound)
SBS DHCP Network
Small Business Internet Access Protocol Rule 2

Could any of these protocol rules be getting in the way of the one I have there? Remember that these clients are completely un-authenticated to the domain/ISA server.

Thanks - if you need any more information, please let me know.
 
LVL 2

Accepted Solution

by:
MichealLow earned 400 total points
ID: 11769321
Make sure the ISA is installed in mixed mode (Firewall & Proxy)

(Server name) -> properties -> outgoing web request
Uncheck "ask unauthentication user for identification"

In the Access Policy, enable HTTP
 
LVL 15

Assisted Solution

by:vico1
vico1 earned 100 total points
ID: 11769328
Right Click on "Small BUsiness Internet Access Protocol Rule"

then click on properties.

In the previous post I meant make sure the values on the following tabs are as follows:

"Action" tab: value = Allow
"Protocol" tab : Value = All IP Traffic
"Applies to" Tab: Value = Any Request

The rest of the protocols should not affect access to (80/443)

vico1


 
LVL 15

Expert Comment

by:vico1
ID: 11769332
By default "ask unauthentication user for identification" is unchecked
 
LVL 15

Expert Comment

by:vico1
ID: 11769340
You could play with ISA and modify it the way you want, but:
Make sure to back up your configuration.

To do so, right-click on the server name, then click on Back Up and save your working configuration.

ISA can be a problem sometimes.
 

Author Comment

by:nigem
ID: 11769405
Hi again,

That "ask unauthenticated users for identification" was checked so I unchecked it and also enabled the HTTP protocol in Access Policy and it seems to be working for me now. I am just going to run a few tests from different things to see how I go and then come back and post the results.

Thanks so far for your help, I think we might have it now...
 

Author Comment

by:nigem
ID: 11806439
Thank you for your help - this seems to be working perfectly now.
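
An added example, not part of the original thread: once the proxy stops asking unauthenticated users for identification, outbound web requests are no longer tied to a user, so the proxy log is the remaining record of what unauthenticated machines fetched. This Python script summarises anonymous requests per client IP from a W3C-format web proxy log; the field names, the `anonymous` user value, the allow-list suffixes and the sample lines are assumptions constructed for illustration.

```python
# Assumed values: update hosts a build bench should reach, and what the
# proxy writes in cs-username when no user was authenticated.
ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
ANONYMOUS_USERS = {"anonymous", "-"}

# Constructed sample in W3C extended log format, tab-separated.
SAMPLE_LOG = "\n".join([
    "#Fields: c-ip\tcs-username\tr-host\tsc-status",
    "192.168.16.50\tanonymous\twindowsupdate.microsoft.com\t200",
    "192.168.16.50\tanonymous\tfiles.example.net\t200",
    "192.168.16.10\tOFFICE\\user1\twww.example.org\t200",
    "192.168.16.51\tanonymous\tdownload.microsoft.com\t200",
    "192.168.16.51\t-\tupdate.example.com\t403",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def is_allowed(host):
    """Match on a whole domain label so 'evilmicrosoft.com' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def anonymous_report(text):
    """Per client IP: count of served anonymous requests to allowed hosts,
    plus the set of other hosts that were reached without authentication."""
    report = {}
    for rec in parse_w3c(text):
        anonymous = rec["cs-username"].lower() in ANONYMOUS_USERS
        if not anonymous or not rec["sc-status"].startswith("2"):
            continue  # authenticated, or denied by the proxy
        entry = report.setdefault(rec["c-ip"], {"allowed": 0, "unexpected": set()})
        if is_allowed(rec["r-host"]):
            entry["allowed"] += 1
        else:
            entry["unexpected"].add(rec["r-host"])
    return report

if __name__ == "__main__":
    for ip, entry in sorted(anonymous_report(SAMPLE_LOG).items()):
        print(ip, entry["allowed"], sorted(entry["unexpected"]))
```
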
