Clients can't surf!

Hi all,
This is my situation now..

I have a Standard server (STDSRV) and an ISA server (ISASRV). They are connected together through a hub and the ISASRV is connected to the Internet router. My client PCs are all connected to the STDSRV. The client PCs are able to access the internet. But recently, my ISASRV crashed and I'm forced to reformat it. No backup was done, so I need to reconfigure the entire ISASRV.

But after I've completed my configuration, my STDSRV can't ping the ISASRV. After I disabled these four services, namely Microsoft Firewall, Microsoft Web Proxy, Microsoft Scheduled Cache Download and Microsoft ISA Server Control, my STDSRV is able to ping the ISASRV.

Even if the two servers are able to ping each other now, my STDSRV still can't access the internet. When the 4 services are up, I tried pinging the STDSRV from ISASRV and the router from ISASRV. I got a "Destination Host Unreachable" message.

Any suggestions would be greatly appreciated. Thanks!
Asked by: Ouzo85
LimeSMJ commented:
It sounds like you didn't set any rules up for the ISA server after you reinstalled. By default, ISA blocks all requests to it (incoming and outgoing) - which is a good thing. I don't know how familiar you are with setting up an ISA server or what version you are running. Your best bet is to go to www.isaserver.org and read up on installing and configuring the server. As with all firewalls, there isn't an easy way to determine what rules you should set up as every environment has its own needs.

Just to start however, do not ever disable the Firewall service. That basically leaves your network open to the outside.

Set up a new rule that allows the Internal LAN to access the External WAN using the HTTP and HTTPS protocols. That rule alone should get your users browsing the Internet right away - I hope they are not complaining.

If you want to be able to ping the ISA server from the STDSRV, just set up a rule that allows the STDSRV to access the Firewall server using the Ping protocol. Remember to set the From and To fields correctly as you don't really want the outside pinging to the inside.

Again... sorry to hear about your server crash but ISA server isn't the only thing you need to set up again as the Windows OS that is on the firewall server needs to also be hardened (security patches, some security tweaks, etc.). As I mentioned before, you will find all this info at www.isaserver.org. Good luck.
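The rule logic described in the answer above, as an added example that is not part of the original thread and is not ISA Server's own code: a simplified first-match, default-deny evaluator showing why the From and To fields of the ping rule matter. The network labels, rule names and probe list are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed: which network each named host sits on.
NETWORK_OF = {"STDSRV": "Internal"}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    protocols: frozenset  # {"*"} means any
    sources: frozenset    # the From field
    dests: frozenset      # the To field

def rule(name, action, protocols, sources, dests):
    return Rule(name, action, frozenset(protocols), frozenset(sources), frozenset(dests))

def _match(field, value):
    # A host matches its own name, its network's name, or the wildcard.
    return "*" in field or value in field or NETWORK_OF.get(value) in field

def evaluate(rules, src, dst, proto):
    """Return (action, rule name) for the first rule that matches, top to bottom."""
    for r in rules:
        if _match(r.sources, src) and _match(r.dests, dst) and _match(r.protocols, proto):
            return r.action, r.name
    return "deny", "default deny"  # no rule matched, e.g. a fresh install

# The two rules suggested in the answer (names are assumptions).
POLICY = [
    rule("Web access", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"}),
    rule("Ping firewall from STDSRV", "allow", {"PING"}, {"STDSRV"}, {"ISASRV"}),
]
# Same ping rule with From left open: outside hosts can now ping the firewall.
LOOSE_POLICY = [POLICY[0], rule("Ping from anywhere", "allow", {"PING"}, {"*"}, {"ISASRV"})]

# Constructed probes: (source, destination, protocol).
PROBES = [
    ("STDSRV", "External", "HTTP"), ("Internal", "External", "FTP"),
    ("STDSRV", "ISASRV", "PING"), ("External", "ISASRV", "PING"),
    ("External", "STDSRV", "HTTP"), ("Internal", "ISASRV", "PING"),
]

def audit(rules, probes=PROBES):
    """Return the probes the policy lets through."""
    return [p for p in probes if evaluate(rules, *p)[0] == "allow"]

if __name__ == "__main__":
    for label, policy in (("empty", []), ("strict", POLICY), ("loose", LOOSE_POLICY)):
        print(label, audit(policy))
```

Running the same probe list against a rule set after every change is a quick way to confirm that nothing beyond the intended traffic is allowed.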
 
Ouzo85 (author) commented:
--LimeSMJ
Thanks for your reply. Sadly, I've already inputted the default rules into the ISASRV and the rule that supposedly allows my clients to access the Internet is already in place.

For your second suggestion about setting a rule "that allows the STDSRV to access the Firewall server using the Ping protocol..", I will try that out.

In the meantime, do you have other suggestions? I'm ruling out any tweaks to be done on my STDSRV as it's the ISASRV that crashed and naturally, if there are any rules/filters missing, it would be on the ISASRV side. Correct me if I'm wrong.

Thanks.
LimeSMJ commented:
I should've been clearer in my server hardening... you don't need to do anything on STDSRV. However the ISASRV machine is running Windows itself - that operating system needs to be locked down... things like the latest service packs, disabling services that you don't need (like IIS - unless you are doing an SMTP relay), etc.

Here's an article that I used to secure the Windows setup on my ISA server machine:
http://www.isaserver.org/tutorials/ISA_Server_Security_Checklist__Part_1_Securing_the_Operating_System_and_the_Interface.html

The article was written for Win 2000 Server but there are some similarities that you can use for Win 2003 (I myself am using Win 2003 Server to run ISA 2004).

Regards.