Solved

Clients can't surf!

Posted on 2004-09-09
Last Modified: 2012-05-05
Hi all,
This is my situation now..

I have a Standard server (STDSRV) and an ISA server (ISASRV). They are connected together through a hub and the ISASRV is connected to the Internet Router. My client PCs are all connected to the STDSRV. The client PCs are able to access the internet. But recently, my ISASRV crashed and I'm forced to reformat it. No backup was done, so I need to reconfigure the entire ISASRV.

But after I've completed my configuration, my STDSRV can't ping the ISASRV. After I disabled these four services, namely Microsoft Firewall, Microsoft Web Proxy, Microsoft Scheduled Cache Download and Microsoft ISA Server Control, my STDSRV is able to ping the ISASRV.

Even though the two servers are able to ping each other now, my STDSRV still can't access the internet. When the 4 services are up, I tried pinging the STDSRV from ISASRV and the Router from ISASRV. I got a "Destination Host Unreachable" message.

Any suggestions would be greatly appreciated. Thanks!
Question by:Ouzo85
5 Comments
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12024400
It sounds like you didn't set any rules up for the ISA server after you reinstalled.  By default, ISA blocks all requests to it (incoming and outgoing) - which is a good thing.  I don't know how familiar you are with setting up an ISA server or what version you are running.  Your best bet is to go to www.isaserver.org and read up on installing and configuring the server.  As with all firewalls, there isn't an easy way to determine what rules you should set up, as every environment has its own needs.

Just to start however, do not ever disable the Firewall service.  That basically leaves your network open to the outside.

Set up a new rule that allows the Internal LAN to access the External WAN using the HTTP and HTTPS protocols.  That rule alone should get your users browsing the Internet right away - I hope they are not complaining.

If you want to be able to ping the ISA server from the STDSRV, just set up a rule that allows the STDSRV to access the Firewall server using the Ping protocol.  Remember to set the From and To fields correctly, as you don't really want the outside pinging the inside.

Again... sorry to hear about your server crash, but ISA server isn't the only thing you need to set up again, as the Windows OS that is on the firewall server also needs to be hardened (security patches, some security tweaks, etc.).  As I mentioned before, you will find all this info at www.isaserver.org.  Good luck.
0
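A simplified model of the default-deny behaviour and the two rules described in the comment above, added here as an example (it is not code from the thread and not ISA Server's own rule engine). The addresses, network set names and the `evaluate` helper are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing; the thread gives no IP details.
NETWORKS = {
    "Internal": ipaddress.ip_network("192.168.1.0/24"),
    "STDSRV": ipaddress.ip_network("192.168.1.10/32"),
    "Firewall": ipaddress.ip_network("192.168.1.1/32"),  # the ISASRV itself
}

def in_set(addr, name):
    """True if addr belongs to the named network set."""
    ip = ipaddress.ip_address(addr)
    if name == "External":  # modelled as everything that is not Internal
        return ip not in NETWORKS["Internal"]
    return ip in NETWORKS[name]

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    protocols: frozenset
    source: str           # the rule's "From" field
    dest: str             # the rule's "To" field

# The two rules suggested in the comment above.
RULES = [
    Rule("Web access", "allow", frozenset({"HTTP", "HTTPS"}),
         "Internal", "External"),
    Rule("Ping firewall from STDSRV", "allow", frozenset({"PING"}),
         "STDSRV", "Firewall"),
]

def evaluate(rules, src, dst, protocol):
    """First matching rule wins; anything unmatched hits the default deny."""
    for r in rules:
        if (protocol in r.protocols and in_set(src, r.source)
                and in_set(dst, r.dest)):
            return r.action, r.name
    return "deny", "Default rule"

if __name__ == "__main__":
    cases = [("192.168.1.50", "203.0.113.5", "HTTP"),   # client browsing
             ("192.168.1.10", "192.168.1.1", "PING"),   # STDSRV -> firewall
             ("203.0.113.5", "192.168.1.1", "PING")]    # outside -> firewall
    for src, dst, proto in cases:
        print(src, dst, proto, "no rules:", evaluate([], src, dst, proto)[0],
              "| with rules:", evaluate(RULES, src, dst, proto))
```

With an empty rule list every case is denied, which matches the symptoms on a freshly reinstalled firewall; scoping the ping rule's From and To fields keeps outside hosts on the default deny.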
 

Author Comment

by:Ouzo85
ID: 12024899
--LimeSMJ
Thanks for your reply. Sadly, I've already inputted the default rules into the ISASRV already and the rule that supposedly allows my clients to access the Internet is already in place.

For your second suggestion about setting a rule "that allows the STDSRV to access the Firewall server using the Ping protocol..", I will try that out.

In the meantime, do you have other suggestions? I'm ruling out any tweakings to be done on my STDSRV as it's the ISASRV that crashed and naturally, if there are any rules/filters missing, it would be on the ISASRV side. Correct me if I'm wrong.

Thanks.
0
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 125 total points
ID: 12024961
I should've been clearer in my server hardening... you don't need to do anything on STDSRV.  However the ISASRV machine is running Windows itself - that operating system needs to be locked down... things like the latest service packs, disabling services that you don't need (like IIS - unless you are doing an SMTP relay), etc.

Here's an article that I used to secure the Windows setup on my ISA server machine:
http://www.isaserver.org/tutorials/ISA_Server_Security_Checklist__Part_1_Securing_the_Operating_System_and_the_Interface.html

The article was written for Win 2000 Server but there are some similarities that you can use for Win 2003 (I myself am using Win 2003 Server to run ISA 2004).

Regards.
0
