How to bypass ISA Server

Posted on 2004-08-10
Last Modified: 2013-11-16

I have asked this question in a few other forums but no-one has been able to get it working for me. I am hoping someone from here will be able to help.

Here in our office, we have an SBS2003 server with ISA Server on it. This has a 2nd NIC connected to an ADSL modem out to the Internet.

What I want to be able to do is to be able to allow un-authenticated clients access to the Internet (Port 80/443 and a few others). I am not overly worried about internal security as it is only myself and one other person with access to here.

We are a computer reseller who constantly builds computers and adds them to the network to download updates/patches etc etc. I don't want to have to put in proxy settings AND a username and password each time these computers access the Internet, I want them to access it just as if the ISA server was performing NAT. Before SBS we used to run straight from a firewall with DHCP sending all these machines a default gateway and they could then access the Internet perfectly.

At the moment when I plug the machines in, DHCP provides them an IP address no problem, but when I try to access the Internet without putting in a proxy server, I get a:

"403 Forbidden - The ISA server denies the specified Uniform Resource Locator (URL). (12202)
Internet Security and Acceleration Server"

I have tried a few different things in the Protocol Rules but to no avail. I have been trying to get this going on and off for 3 months now and it is starting to really annoy me having to manually type in the proxy server and username and password each time I try to access the Internet.

This has compounded now due to the release of WinXP SP2 and Windows Update v5. Using the proxy server this way does not allow Windows Update to download any updates, which is a downright pain in the ****.

I can clearly see why so many people never use ISA Server with its very obscure setup. A simple Linux-based firewall is sooo much easier to configure...
Question by: nigem

Expert Comment

ID: 11768977
1. You have to run the "Connect to the Internet Wizard" and make sure to enable your web site to be accessed from the web. You will see when you get there.

2. Since you have SBS, you have to go to the SharePoint site administration and allow "anonymous access".

Let me know if you need more help


Author Comment

ID: 11769035
I apologise, I must have miscommunicated.

What I am trying to do has nothing to do with SharePoint or internal web sites. I want the un-authenticated users to be able to have access to the "Internet", i.e. outside of the ADSL modem, i.e. the outside world. This is so I can run things like Windows Update and Office Update and Anti Virus downloads etc etc.

So in a nutshell, I need any computer that is physically plugged into our switch to have access to the Internet WITHOUT having to manually put a proxy server in Internet Explorer AND having to type in a domain username and password each time I attempt to access the Internet.

At this stage, authenticated users access the Internet perfectly (like the machine I am currently using). The SBS server does not even have Sharepoint on it so my question has nothing to do with IIS or internal sites.

Hopefully I have explained myself a bit better here.


Expert Comment

ID: 11769128
Create a DMZ for your client PCs and keep your own behind the SBS. Buy a cheap SOHO router and put it directly after the modem allowing DHCP addresses to Client PCs plugged into it. Plug the SBS server into one of the ports and statically IP it. Place all your trusted PCs behind the SBS server.

Forward from the router any ports you need to access the SBS and you are segregated from the Client network.


Author Comment

ID: 11769185
Thanks for the reply.

I am after a solution where I can just add rules to the SBS server for it. I don't want to purchase anything for it and as I said, I don't mind if there are security implications. It doesn't worry me if the computers are on the same network, in fact, I need them on the same network, as I need to be able to access shares on the SBS server from the machines that I plug into the network. I don't mind having to type in a password here though to access the shares, I just want to get around it when I am accessing the Internet.

So essentially, the entire network of computers can see each other and all see the SBS server; I don't care if this is insecure. I just want all client computers to be able to access the Internet without the need to be authenticated to the ISA server.

A previous suggestion was to put a Client Address Set with complete access to the Internet, however this didn't work at all. I am guessing though that the solution will be along those lines.

Thanks again for assistance so far.

Expert Comment

ID: 11769217
Assuming you are using ISA 2000:
From the Management Console,
expand the ISA server,
expand Access Policy,
and click Protocol Rules.

On the right side of the pane, right-click on Small Business Internet Access, then click on Properties.

Now you need to allow all requests:

Action = Allow
Protocol = All IP Traffic
Applies to = Any Request

That should do it.

If you are running ISA 2004 it is a little different, let me know.


Expert Comment

ID: 11769225
Or you could add a range of IPs to have direct access to the Internet.

Author Comment

ID: 11769278
Thanks vico1 - I think we are on the right track here. I already have that exact rule in my config though. I modified it about 3 months ago when I first started trying to get this going. The details are as follows:

Name: Small Business Internet Access Protocol Rule
Scope: Array
Description: <blank>
Protocol: All IP traffic
Action: Allow
Applies To: Any request
Schedule: Always

I have 4 other protocol rules in there as well named as follows:
MSN Messenger
Remote Desktop (Outbound)
SBS DHCP Network
Small Business Internet Access Protocol Rule 2

Could any of these protocol rules be getting in the way of the one I have there? Remember that these clients are completely un-authenticated to the domain/ISA server.

Thanks - if you need any more information, please let me know.

Accepted Solution

MichealLow earned 400 total points
ID: 11769321
Make sure the ISA is installed in mixed mode (Firewall & Proxy).

(Server name) -> Properties -> Outgoing Web Requests
Uncheck "Ask unauthenticated users for identification"

In the Access Policy, enable HTTP.

Assisted Solution

vico1 earned 100 total points
ID: 11769328
Right-click on "Small Business Internet Access Protocol Rule",

then click on Properties.

In the previous post I meant: make sure the values on the following tabs are as follows:

"Action" tab: value = Allow
"Protocol" tab : Value = All IP Traffic
"Applies to" Tab: Value = Any Request

The rest of the protocols should not affect access to (80/443)



Expert Comment

ID: 11769332
By default "Ask unauthenticated users for identification" is unchecked.

Expert Comment

ID: 11769340
You could play with ISA and modify it the way you want, but:
Make sure to back up your configuration.

To do so, right-click on the server name, then click on Back Up and save your working configuration.

ISA can be a problem sometimes.

Author Comment

ID: 11769405
Hi again,

That "ask unauthenticated users for identification" was checked so I unchecked it and also enabled the HTTP protocol in Access Policy and it seems to be working for me now. I am just going to run a few tests from different things to see how I go and then come back and post the results.

Thanks so far for your help, I think we might have it now...

Author Comment

ID: 11806439
Thank you for your help - this seems to be working perfectly now.

