Clients can't surf!

Posted on 2004-09-09
Last Modified: 2012-05-05
Hi all,
This is my situation now.

I have a Standard server (STDSRV) and an ISA server (ISASRV). They are connected together through a hub and the ISASRV is connected to the Internet Router. My client PCs are all connected to the STDSRV. The client PCs are able to access the internet. But recently, my ISASRV crashed and I'm forced to reformat it. No backup was done, so I need to reconfigure the entire ISASRV.

But after I've completed my configuration, my STDSRV can't ping to the ISASRV. After I disabled these four services namely: Microsoft Firewall, Microsoft Web Proxy, Microsoft Scheduled Cache Download and Microsoft ISA Server Control, my STDSRV is able to ping to the ISASRV.

Even if the two servers are able to ping each other now, my STDSRV still can't access the internet. When the 4 services are up, I tried pinging the STDSRV from ISASRV and Router from ISASRV. I got a "Destination Host Unreachable" message.

Any suggestions would be greatly appreciated. Thanks!
Question by:Ouzo85
Expert Comment

by:LimeSMJ
ID: 12024400
It sounds like you didn't set any rules up for the ISA server after you reinstalled.  By default, ISA blocks all requests to it (incoming and outgoing) - which is a good thing.  I don't know how familiar you are with setting up an ISA server or what version you are running.  Your best bet is to go to www.isaserver.org and read up on installing and configuring the server.  As with all firewalls, there isn't an easy way to determine what rules you should set up as every environment has its own needs.

Just to start however, do not ever disable the Firewall service.  That basically leaves your network open to the outside.

Set up a new rule that allows the Internal LAN to access the External WAN using the HTTP and HTTPS protocols.  That rule alone should get your users browsing the Internet right away - I hope they are not complaining.

If you want to be able to ping the ISA server from the STDSRV, just set up a rule that allows the STDSRV to access the Firewall server using the Ping protocol.  Remember to set the From and To fields correctly as you don't really want the outside pinging the inside.

Again... sorry to hear about your server crash but ISA server isn't the only thing you need to set up again as the Windows OS that is on the firewall server also needs to be hardened (security patches, some security tweaks, etc.).  As I mentioned before, you will find all this info at www.isaserver.org.  Good luck.

Author Comment

by:Ouzo85
ID: 12024899
--LimeSMJ
Thanks for your reply. Sadly, I've already inputted the default rules into the ISASRV already and the rule that supposedly allows my clients to access the Internet is already in place.

For your second suggestion about setting a rule "that allows the STDSRV to access the Firewall server using the Ping protocol..", I will try that out.

In the meantime, do you have other suggestions? I'm ruling out any tweakings to be done on my STDSRV as it's the ISASRV that crashed and naturally, if there are any rules/filters missing, it would be on the ISASRV side. Correct me if I'm wrong.

Thanks.

Accepted Solution

by:
LimeSMJ earned 125 total points
ID: 12024961
I should've been clearer in my server hardening... you don't need to do anything on STDSRV.  However the ISASRV machine is running Windows itself - that operating system needs to be locked down... things like the latest service packs, disabling services that you don't need (like IIS - unless you are doing an SMTP relay), etc.

Here's an article that I used to secure the Windows setup on my ISA server machine:
http://www.isaserver.org/tutorials/ISA_Server_Security_Checklist__Part_1_Securing_the_Operating_System_and_the_Interface.html

The article was written for Win 2000 Server but there are some similarities that you can use for Win 2003 (I myself am using Win 2003 Server to run ISA 2004).

Regards.