Solved

Clients can't surf!

Posted on 2004-09-09
Last Modified: 2012-05-05
Hi all,
This is my situation now..

I have a Standard server (STDSRV) and an ISA server (ISASRV). They are connected together through a hub and the ISASRV is connected to the Internet Router. My client PCs are all connected to the STDSRV. The client PCs are able to access the internet. But recently, my ISASRV crashed and I'm forced to reformat it. No backup was done, so I need to reconfigure the entire ISASRV.

But after I've completed my configuration, my STDSRV can't ping to the ISASRV. After I disabled these four services namely: Microsoft Firewall, Microsoft Web Proxy, Microsoft Scheduled Cache Download and Microsoft ISA Server Control, my STDSRV is able to ping to the ISASRV.

Even if the two servers are able to ping each other now, my STDSRV still can't access the internet. When the 4 services are up, I tried pinging the STDSRV from ISASRV and Router from ISASRV. I got a "Destination Host Unreachable" msg.

Any suggestions would be greatly appreciated. Thanks!
Question by:Ouzo85

Expert Comment

by:LimeSMJ
ID: 12024400
It sounds like you didn't set any rules up for the ISA server after you reinstalled. By default, ISA blocks all requests to it (incoming and outgoing) - which is a good thing. I don't know how familiar you are with setting up an ISA server or what version you are running. Your best bet is to go to www.isaserver.org and read up on installing and configuring the server. As with all firewalls, there isn't an easy way to determine what rules you should set up as every environment has its own needs.

Just to start however, do not ever disable the Firewall service. That basically leaves your network open to the outside.

Set up a new rule that allows the Internal LAN to access the External WAN using the HTTP and HTTPS protocols. That rule alone should get your users browsing the Internet right away - I hope they are not complaining.

If you want to be able to ping the ISA server from the STDSRV, just set up a rule that allows the STDSRV to access the Firewall server using the Ping protocol. Remember to set the From and To fields correctly as you don't really want the outside pinging to the inside.

Again... sorry to hear about your server crash but ISA server isn't the only thing you need to set up again as the Windows OS that is on the firewall server needs to also be hardened (security patches, some security tweaks, etc.). As I mentioned before, you will find all this info at www.isaserver.org. Good luck.
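
The two rules suggested in the comment above, modeled as an ordered rule list with a default deny (an added example, not part of the original thread and not ISA Server's own engine or API). The IP addresses, network set contents and rule names are constructed for illustration; the thread gives no addressing plan.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; not taken from the thread.
NETWORKS = {
    "Internal": ip_network("192.168.1.0/24"),
    "STDSRV": ip_network("192.168.1.10/32"),
    "LocalHost": ip_network("192.168.1.1/32"),  # the ISA machine itself
}

def in_set(addr, name):
    """True if addr is in the named set; 'External' means none of the known sets."""
    ip = ip_address(addr)
    if name == "External":
        return not any(ip in net for net in NETWORKS.values())
    return ip in NETWORKS[name]

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    protocols: frozenset  # protocol names this rule applies to
    src: str              # the rule's From field
    dst: str              # the rule's To field

# The two rules described in the comment, in evaluation order.
RULES = [
    Rule("Web access", "allow", frozenset({"HTTP", "HTTPS"}), "Internal", "External"),
    Rule("Ping ISA from STDSRV", "allow", frozenset({"PING"}), "STDSRV", "LocalHost"),
]

def evaluate(src, dst, protocol, rules=RULES):
    """Return (action, rule name) of the first matching rule; deny when none match."""
    for rule in rules:
        if (protocol in rule.protocols
                and in_set(src, rule.src)
                and in_set(dst, rule.dst)):
            return rule.action, rule.name
    return "deny", "Default rule"

if __name__ == "__main__":
    # Constructed traffic samples: (source, destination, protocol)
    for flow in [("192.168.1.50", "203.0.113.7", "HTTP"),
                 ("192.168.1.10", "192.168.1.1", "PING"),
                 ("203.0.113.7", "192.168.1.1", "PING")]:
        print(flow, "->", evaluate(*flow))
```

Because the From and To fields are matched as written, the ping rule admits only STDSRV-to-firewall traffic; an outside host pinging the firewall falls through to the default deny.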

Author Comment

by:Ouzo85
ID: 12024899
--LimeSMJ
Thanks for your reply. Sadly, I've already inputted the default rules into the ISASRV already and the rule that supposedly allows my clients to access the Internet is already in place.

For your second suggestion about setting a rule "that allows the STDSRV to access the Firewall server using the Ping protocol..", I will try that out.

In the meantime, do you have other suggestions? I'm ruling out any tweaks to be done on my STDSRV as it's the ISASRV that crashed and naturally, if there are any rules/filters missing, it would be on the ISASRV side. Correct me if I'm wrong.

Thanks.

Accepted Solution

by:
LimeSMJ earned 125 total points
ID: 12024961
I should've been clearer in my server hardening... you don't need to do anything on STDSRV. However the ISASRV machine is running Windows itself - that operating system needs to be locked down... things like the latest service packs, disabling services that you don't need (like IIS - unless you are doing an SMTP relay), etc.

Here's an article that I used to secure the Windows setup on my ISA server machine:
http://www.isaserver.org/tutorials/ISA_Server_Security_Checklist__Part_1_Securing_the_Operating_System_and_the_Interface.html

The article was written for Win 2000 Server but there are some similarities that you can use for Win 2003 (I myself am using Win 2003 Server to run ISA 2004).

Regards.