[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

I'm just starting to experiment with ISA 2004 on our network.

Posted on 2004-09-15
7
Medium Priority
?
814 Views
Last Modified: 2013-11-16
I'm just starting to experiment with ISA 2004 on our network.

We already use a PIX535 for our firewall needs and Cisco 2600s for our routing needs. This has been working wonderfully for quite some time and is also our corporate standard, so I have absolutely no need for ISA's firewall features.

That being said, what I do need is a proxy server. I just want ISA to sit there and do absolutely nothing even remotely close to acting as a firewall or router or anything else -- just listen for requests on 8080, check Integrated Authentication credentials, and forward the requests out the PIX.

The way that I'm currently trying to accomplish this is with ISA in a unihomed configuration (using the integrated template), I have firewall client support disabled and web proxy client support enabled. I also have the firewall rules to allow traffic from all networks to all networks.

I'm still having problems with some clients accessing other web-based applications that are being hosted on the same server.

Is there any way that I can basically just tell ISA to do absolutely nothing but be a proxy server? I'd very much like to simplify this configuration because the way that it currently works couldn't really be more cumbersome if they tried.

Thanks!
0
Comment
Question by:titan6400
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12072416
Take a look at www.isaserver.org for general assistance with ISA.
I would generally recommend you DO use the client firewall features of ISA to protect your internal clients.  It's good as just a proxy, but that doesn't complete your security picture.
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12072490
Are you setting the proxy configurations in each browser (servername and proxy port 8080)?  You might want to also check on the option to bypass proxy for local addresses since, the web-based applications may run into problems with ISA's HTTP filtering.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12076402
In the Configuration section, Networks, add Localhost and check Web Browser tab,
"Bypass proxy for Web servers in this network"
Under Proxy tab, un-chedk Enable Web Proxy clients"
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 

Author Comment

by:titan6400
ID: 12076497
I've actually come to the conclusion that ISA is simply going to have to go on its own box, which will resolve a lot of the conflicts that I've been having.

lrmoore--  I'm interested to say why you think I should uncheck the "Enable web proxy clients".  The "bypass proxy for web servers in this network" was already checked, the problem stems more from the fact that ISA was actually on the server trying to be accessed, rather than connections being routed to servers unrelated to ISA.

LimeSMJ-- What sort of problems might be caused by the HTTP filtering with web apps, just for my info?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12076735
I have a very similar setup as you, with a single-NIC ISA2004 server in proxy mode only. I had to add the "localhost" to the networks section, and uncheck that box so that I could access the web sites hosted on that server. The only web sites that it hosts is the administrative management tool and one other application.

Putting the ISA proxy on its own box will be a much better solution long-run..
0
 

Author Comment

by:titan6400
ID: 12077186
Yeah, I agree.  The server that I was trying to put it on initally is a little too critical to our systems to be fooling with fate like that.

I'm still interested in whatever comments anyone might have about anything.  I'm going go ahead and award the points to lrmoore since it sounds like his solution is the best answer to my original question.
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12078568
HTTP filtering includes such things as URL checking and custom security/exploit filters... For instance, if you goto www.isatoolz.org and download those MS worm/exploit fixes for ISA and install them, they may cause errors in web-based applications - in my case, a custom web app that we use was "breaking" due to certain body keywords that were being blocked.

In the default configuration though, you should be fine with the HTTP filter.
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question