I'm just starting to experiment with ISA 2004 on our network.

I'm just starting to experiment with ISA 2004 on our network.

We already use a PIX535 for our firewall needs and Cisco 2600s for our routing needs. This has been working wonderfully for quite some time and is also our corporate standard, so I have absolutely no need for ISA's firewall features.

That being said, what I do need is a proxy server. I just want ISA to sit there and do absolutely nothing even remotely close to acting as a firewall or router or anything else -- just listen for requests on 8080, check Integrated Authentication credentials, and forward the requests out the PIX.

The way that I'm currently trying to accomplish this is with ISA in a unihomed configuration (using the integrated template), I have firewall client support disabled and web proxy client support enabled. I also have the firewall rules to allow traffic from all networks to all networks.

I'm still having problems with some clients accessing other web-based applications that are being hosted on the same server.

Is there any way that I can basically just tell ISA to do absolutely nothing but be a proxy server? I'd very much like to simplify this configuration because the way that it currently works couldn't really be more cumbersome if they tried.

Who is Participating?
lrmooreConnect With a Mentor Commented:
I have a very similar setup as you, with a single-NIC ISA2004 server in proxy mode only. I had to add the "localhost" to the networks section, and uncheck that box so that I could access the web sites hosted on that server. The only web sites that it hosts is the administrative management tool and one other application.

Putting the ISA proxy on its own box will be a much better solution long-run..
Tim HolmanCommented:
Take a look at www.isaserver.org for general assistance with ISA.
I would generally recommend you DO use the client firewall features of ISA to protect your internal clients.  It's good as just a proxy, but that doesn't complete your security picture.
Are you setting the proxy configurations in each browser (servername and proxy port 8080)?  You might want to also check on the option to bypass proxy for local addresses since, the web-based applications may run into problems with ISA's HTTP filtering.
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

In the Configuration section, Networks, add Localhost and check Web Browser tab,
"Bypass proxy for Web servers in this network"
Under Proxy tab, un-chedk Enable Web Proxy clients"
titan6400Author Commented:
I've actually come to the conclusion that ISA is simply going to have to go on its own box, which will resolve a lot of the conflicts that I've been having.

lrmoore--  I'm interested to say why you think I should uncheck the "Enable web proxy clients".  The "bypass proxy for web servers in this network" was already checked, the problem stems more from the fact that ISA was actually on the server trying to be accessed, rather than connections being routed to servers unrelated to ISA.

LimeSMJ-- What sort of problems might be caused by the HTTP filtering with web apps, just for my info?
titan6400Author Commented:
Yeah, I agree.  The server that I was trying to put it on initally is a little too critical to our systems to be fooling with fate like that.

I'm still interested in whatever comments anyone might have about anything.  I'm going go ahead and award the points to lrmoore since it sounds like his solution is the best answer to my original question.
HTTP filtering includes such things as URL checking and custom security/exploit filters... For instance, if you goto www.isatoolz.org and download those MS worm/exploit fixes for ISA and install them, they may cause errors in web-based applications - in my case, a custom web app that we use was "breaking" due to certain body keywords that were being blocked.

In the default configuration though, you should be fine with the HTTP filter.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.