Solved

How to bypass ISA Server

Posted on 2004-08-10
Last Modified: 2013-11-16
Hello,

I have asked this question in a few other forums but no-one has been able to get it working for me. I am hoping someone from here will be able to help.

Here in our office, we have a SBS2003 server with ISA server on it. This has a 2nd NIC card connected to an ADSL modem out to the Internet.

What I want to be able to do is to be able to allow un-authenticated clients access to the Internet (Port 80/443 and a few others). I am not overly worried about internal security as it is only myself and one other person with access to here.

We are a computer reseller who constantly builds computers and adds them to the network to download updates/patches etc etc. I don't want to have to put in proxy settings AND a username and password each time these computers access the Internet, I want them to access it just as if the ISA server was performing NAT. Before SBS we used to run straight from a firewall with DHCP sending all these machines a default gateway and they could then access the Internet perfectly.

At the moment when I plug the machines in, DHCP provides them an IP address no problem, but when I try to access the Internet without putting in a proxy server, I get a:

"403 Forbidden - The ISA server denies the specified Uniform Resource Locator (URL). (12202)
Internet Security and Acceleration Server"

I have tried a few different things in the Protocol Rules but to no avail. I have been trying to get this going on and off for 3 months now and it is starting to really annoy me having to manually type in the proxy server and username and password each time I try to access the Internet.

This has compounded now due to the release of WinXP SP2 and Windows Update v5. Using the proxy server this way does not allow Windows Update to download any updates which is a downright pain in the ****.

I can clearly see why so many people never use ISA server with its very obscure setup. A simple linux based firewall is sooo much easier to configure...
Question by:nigem
13 Comments
 
LVL 15

Expert Comment

by:vico1
1. You have to run the "Connect to the Internet wizard" and make sure to enable your web site to be accessed from the web. You will see when you get there.

2. Since you have SBS, you have to go to the SharePoint site administration and allow "anonymous access"

Let me know if you need more help

vico1
 

Author Comment

by:nigem
I apologise, I must have miscommunicated.

What I am trying to do has nothing to do with Sharepoint or internal web sites. I want the un-authenticated users to be able to have access to the "Internet" i.e. outside of the ADSL modem, i.e. the outside world. This is so I can run things like Windows Update and Office Update and Anti Virus downloads etc etc.

So in a nutshell, I need any computer that is physically plugged into our switch to have access to the Internet WITHOUT having to manually put a proxy server in Internet Explorer AND having to type in a domain username and password each time I attempt to access the Internet.

At this stage, authenticated users access the Internet perfectly (like the machine I am currently using). The SBS server does not even have Sharepoint on it so my question has nothing to do with IIS or internal sites.

Hopefully I have explained myself a bit better here.

 
LVL 7

Expert Comment

by:EmpKent
Create a DMZ for your client PCs and keep your own behind the SBS. Buy a cheap SOHO router and put it directly after the modem allowing DHCP addresses to Client PCs plugged into it. Plug the SBS server into one of the ports and statically IP it. Place all your trusted PCs behind the SBS server.

Forward from the router any ports you need to access the SBS and you are segregated from the Client network.

Kent
 

Author Comment

by:nigem
Thanks for the reply.

I am after a solution where I can just add rules to the SBS server for it. I don't want to purchase anything for it and as I said, I don't mind if there are security implications. It doesn't worry me if the computers are on the same network, in fact, I need them on the same network, as I need to be able to access shares on the SBS server from the machines that I plug into the network. I don't mind having to type in a password here though to access the shares, I just want to get around it when I am accessing the Internet.

So essentially, the entire network of computers can see each other and all see the SBS server, I don't care if this is insecure. I just want all client computers to be able to access the Internet without having the need for being authenticated to the ISA server..

A previous suggestion was to put a Client Address Set with complete access to the Internet, however this didn't work at all. I am guessing though that the solution will be along those lines.

Thanks again for assistance so far.
 
LVL 15

Expert Comment

by:vico1
Assuming you are using ISA 2000,
From Management Console
Expand The ISA server
Expand Access Policy
and click Protocol Rules

On the right side of the pane, right-click on Small Business Internet Access, then click on Properties.

Now you need to allow all requests

Action = Allow
Protocol= All IP Traffic
Applies to= Any Request

that should do it

If you are running ISA 2004 it is a little different, let me know

vico1
 
LVL 15

Expert Comment

by:vico1
Or you could add a range of IP addresses to have direct access to the internet.
 

Author Comment

by:nigem
Thanks vico1 - I think we are on the right track here. I already have that exact rule in my config though. I modified it about 3 months ago when I first started trying to get this going. The details are as follows:

Name: Small BUsiness Internet Access Protocol Rule
Scope: Array
Description: <blank>
Protocol: All IP traffic
Action: Allow
Applies To: Any request
Schedule: Always

I have 4 other protocol rules in there as well named as follows:
MSN Messenger
Remote Desktop (Outbound)
SBS DHCP Network
Small Business Internet Access Protocol Rule 2

Could any of these protocol rules be getting in the way of the one I have there? Remember that these clients are completely un-authenticated to the domain/ISA server.

Thanks - if you need any more information, please let me know.
 
LVL 2

Accepted Solution

by:
MichealLow earned 400 total points
Make sure the ISA is installed in mixed mode (Firewall & Proxy)

(Server name) -> Properties -> Outgoing Web Requests
Uncheck "Ask unauthenticated users for identification"

In the Access Policy, enable HTTP
 
LVL 15

Assisted Solution

by:vico1
vico1 earned 100 total points
Right Click on "Small BUsiness Internet Access Protocol Rule"

then click on properties.

In the previous post I meant: make sure the values on the following tabs are as follows:

"Action" tab: value = Allow
"Protocol" tab : Value = All IP Traffic
"Applies to" Tab: Value = Any Request

The rest of the protocols should not affect access to (80/443)

vico1


 
LVL 15

Expert Comment

by:vico1
By default "Ask unauthenticated users for identification" is unchecked
 
LVL 15

Expert Comment

by:vico1
You could play with ISA and modify it the way you want, but
make sure to back up your configuration.

To do so, right-click on the server name, then click on Back Up and save your working configuration.

ISA can be a problem sometimes.
 

Author Comment

by:nigem
Hi again,

That "ask unauthenticated users for identification" was checked so I unchecked it and also enabled the HTTP protocol in Access Policy and it seems to be working for me now. I am just going to run a few tests from different things to see how I go and then come back and post the results.

Thanks so far for your help, I think we might have it now...
 

Author Comment

by:nigem
Thank you for your help - this seems to be working perfectly now.
