nigem

How to bypass ISA Server

Hello,

I have asked this question in a few other forums but no-one has been able to get it working for me. I am hoping someone from here will be able to help.

Here in our office, we have a SBS2003 server with ISA server on it. This has a 2nd NIC card connected to an ADSL modem out to the Internet.

What I want to be able to do is to be able to allow un-authenticated clients access to the Internet (Port 80/443 and a few others). I am not overly worried about internal security as it is only myself and one other person with access to here.

We are a computer reseller who constantly builds computers and adds them to the network to download updates/patches etc etc. I don't want to have to put in proxy settings AND a username and password each time these computers access the Internet, I want them to access it just as if the ISA server was performing NAT. Before SBS we used to run straight from a firewall with DHCP sending all these machines a default gateway and they could then access the Internet perfectly.

At the moment when I plug the machines in, DHCP provides them an IP address no problem, but when I try to access the Internet without putting in a proxy server, I get a:

"403 Forbidden - The ISA server denies the specified Uniform Resource Locator (URL). (12202)
Internet Security and Acceleration Server"

I have tried a few different things in the Protocol Rules but to no avail. I have been trying to get this going on and off for 3 months now and it is starting to really annoy me having to manually type in the proxy server and username and password each time I try to access the Internet.

This has compounded now due to the release of WinXP SP2 and Windows Update v5. Using the proxy server this way does not allow Windows Update to download any updates which is a downright pain in the ****.

I can clearly see why so many people never use ISA server with its very obscure setup. A simple linux based firewall is sooo much easier to configure...
Murat Raymond

1. You have to run the "Connect to the internet wizard" and make sure to enable your web site to be accessed from the web. You will see when you get there.

2. Since you have SBS, you have to go to the SharePoint site administration and allow "anonymous access".

Let me know if you need more help

vico1
nigem

ASKER

I apologise, I must have miscommunicated.

What I am trying to do has nothing to do with Sharepoint or internal web sites. I want the un-authenticated users to be able to have access to the "Internet" i.e. outside of the ADSL modem, i.e. the outside world. This is so I can run things like Windows Update and Office Update and Anti Virus downloads etc etc.

So in a nutshell, I need any computer that is physically plugged into our switch to have access to the Internet WITHOUT having to manually put a proxy server in Internet Explorer AND having to type in a domain username and password each time I attempt to access the Internet.

At this stage, authenticated users access the Internet perfectly (like the machine I am currently using). The SBS server does not even have Sharepoint on it so my question has nothing to do with IIS or internal sites.

Hopefully I have explained myself a bit better here.

Create a DMZ for your client PCs and keep your own behind the SBS. Buy a cheap SOHO router and put it directly after the modem allowing DHCP addresses to Client PCs plugged into it. Plug the SBS server into one of the ports and statically IP it. Place all your trusted PCs behind the SBS server.

Forward from the router any ports you need to access the SBS and you are segregated from the Client network.

Kent
nigem

ASKER

Thanks for the reply.

I am after a solution where I can just add rules to the SBS server for it. I don't want to purchase anything for it and as I said, I don't mind if there are security implications. It doesn't worry me if the computers are on the same network, in fact, I need them on the same network, as I need to be able to access shares on the SBS server from the machines that I plug into the network. I don't mind having to type in a password here though to access the shares, I just want to get around it when I am accessing the Internet.

So essentially, the entire network of computers can see each other and all see the SBS server, I don't care if this is insecure. I just want all client computers to be able to access the Internet without having the need for being authenticated to the ISA server.

A previous suggestion was to put a Client Address Set with complete access to the Internet, however this didn't work at all. I am guessing though that the solution will be along those lines.

Thanks again for assistance so far.
Assuming you are using ISA 2000:
From the Management Console,
expand the ISA server,
expand Access Policy,
and click Protocol Rules.

On the right side of the pane, right-click on Small Business Internet Access, then click on Properties.

Now you need to allow all requests:

Action = Allow
Protocol = All IP Traffic
Applies to = Any Request

That should do it.

If you are running ISA 2004 it is a little different, let me know.

vico1
Or you could add a range of IPs to have direct access to the internet.
nigem

ASKER

Thanks vico1 - I think we are on the right track here. I already have that exact rule in my config though. I modified it about 3 months ago when I first started trying to get this going. The details are as follows:

Name: Small Business Internet Access Protocol Rule
Scope: Array
Description: <blank>
Protocol: All IP traffic
Action: Allow
Applies To: Any request
Schedule: Always

I have 4 other protocol rules in there as well named as follows:
MSN Messenger
Remote Desktop (Outbound)
SBS DHCP Network
Small Business Internet Access Protocol Rule 2

Could any of these protocol rules be getting in the way of the one I have there? Remember that these clients are completely un-authenticated to the domain/ISA server.

Thanks - if you need any more information, please let me know.
ASKER CERTIFIED SOLUTION
MichealLow
This solution is only available to members.
By default "ask unauthenticated users for identification" is unchecked.
You could play with ISA and modify it the way you want, but
make sure to back up your configuration.

To do so, right-click on the server name, then click on Back Up and save your working configuration.

ISA can be a problem sometimes.
nigem

ASKER

Hi again,

That "ask unauthenticated users for identification" was checked so I unchecked it and also enabled the HTTP protocol in Access Policy and it seems to be working for me now. I am just going to run a few tests from different things to see how I go and then come back and post the results.

Thanks so far for your help, I think we might have it now...
nigem

ASKER

Thank you for your help - this seems to be working perfectly now.