• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 817
  • Last Modified:

I'm just starting to experiment with ISA 2004 on our network.

I'm just starting to experiment with ISA 2004 on our network.

We already use a PIX535 for our firewall needs and Cisco 2600s for our routing needs. This has been working wonderfully for quite some time and is also our corporate standard, so I have absolutely no need for ISA's firewall features.

That being said, what I do need is a proxy server. I just want ISA to sit there and do absolutely nothing even remotely close to acting as a firewall or router or anything else -- just listen for requests on 8080, check Integrated Authentication credentials, and forward the requests out the PIX.

The way that I'm currently trying to accomplish this is with ISA in a unihomed configuration (using the integrated template), I have firewall client support disabled and web proxy client support enabled. I also have the firewall rules to allow traffic from all networks to all networks.

I'm still having problems with some clients accessing other web-based applications that are being hosted on the same server.

Is there any way that I can basically just tell ISA to do absolutely nothing but be a proxy server? I'd very much like to simplify this configuration because the way that it currently works couldn't really be more cumbersome if they tried.

Thanks!
0
titan6400
Asked:
titan6400
  • 2
  • 2
  • 2
  • +1
1 Solution
 
Tim HolmanCommented:
Take a look at www.isaserver.org for general assistance with ISA.
I would generally recommend you DO use the client firewall features of ISA to protect your internal clients.  It's good as just a proxy, but that doesn't complete your security picture.
0
 
LimeSMJCommented:
Are you setting the proxy configurations in each browser (servername and proxy port 8080)?  You might want to also check on the option to bypass proxy for local addresses since, the web-based applications may run into problems with ISA's HTTP filtering.
0
 
lrmooreCommented:
In the Configuration section, Networks, add Localhost and check Web Browser tab,
"Bypass proxy for Web servers in this network"
Under Proxy tab, un-chedk Enable Web Proxy clients"
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
titan6400Author Commented:
I've actually come to the conclusion that ISA is simply going to have to go on its own box, which will resolve a lot of the conflicts that I've been having.

lrmoore--  I'm interested to say why you think I should uncheck the "Enable web proxy clients".  The "bypass proxy for web servers in this network" was already checked, the problem stems more from the fact that ISA was actually on the server trying to be accessed, rather than connections being routed to servers unrelated to ISA.

LimeSMJ-- What sort of problems might be caused by the HTTP filtering with web apps, just for my info?
0
 
lrmooreCommented:
I have a very similar setup as you, with a single-NIC ISA2004 server in proxy mode only. I had to add the "localhost" to the networks section, and uncheck that box so that I could access the web sites hosted on that server. The only web sites that it hosts is the administrative management tool and one other application.

Putting the ISA proxy on its own box will be a much better solution long-run..
0
 
titan6400Author Commented:
Yeah, I agree.  The server that I was trying to put it on initally is a little too critical to our systems to be fooling with fate like that.

I'm still interested in whatever comments anyone might have about anything.  I'm going go ahead and award the points to lrmoore since it sounds like his solution is the best answer to my original question.
0
 
LimeSMJCommented:
HTTP filtering includes such things as URL checking and custom security/exploit filters... For instance, if you goto www.isatoolz.org and download those MS worm/exploit fixes for ISA and install them, they may cause errors in web-based applications - in my case, a custom web app that we use was "breaking" due to certain body keywords that were being blocked.

In the default configuration though, you should be fine with the HTTP filter.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now