Solved

I'm just starting to experiment with ISA 2004 on our network.

Posted on 2004-09-15
7
804 Views
Last Modified: 2013-11-16
I'm just starting to experiment with ISA 2004 on our network.

We already use a PIX535 for our firewall needs and Cisco 2600s for our routing needs. This has been working wonderfully for quite some time and is also our corporate standard, so I have absolutely no need for ISA's firewall features.

That being said, what I do need is a proxy server. I just want ISA to sit there and do absolutely nothing even remotely close to acting as a firewall or router or anything else -- just listen for requests on 8080, check Integrated Authentication credentials, and forward the requests out the PIX.

The way that I'm currently trying to accomplish this is with ISA in a unihomed configuration (using the integrated template), I have firewall client support disabled and web proxy client support enabled. I also have the firewall rules to allow traffic from all networks to all networks.

I'm still having problems with some clients accessing other web-based applications that are being hosted on the same server.

Is there any way that I can basically just tell ISA to do absolutely nothing but be a proxy server? I'd very much like to simplify this configuration because the way that it currently works couldn't really be more cumbersome if they tried.

Thanks!
0
Comment
Question by:titan6400
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12072416
Take a look at www.isaserver.org for general assistance with ISA.
I would generally recommend you DO use the client firewall features of ISA to protect your internal clients.  It's good as just a proxy, but that doesn't complete your security picture.
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12072490
Are you setting the proxy configurations in each browser (servername and proxy port 8080)?  You might want to also check on the option to bypass proxy for local addresses since, the web-based applications may run into problems with ISA's HTTP filtering.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12076402
In the Configuration section, Networks, add Localhost and check Web Browser tab,
"Bypass proxy for Web servers in this network"
Under Proxy tab, un-chedk Enable Web Proxy clients"
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:titan6400
ID: 12076497
I've actually come to the conclusion that ISA is simply going to have to go on its own box, which will resolve a lot of the conflicts that I've been having.

lrmoore--  I'm interested to say why you think I should uncheck the "Enable web proxy clients".  The "bypass proxy for web servers in this network" was already checked, the problem stems more from the fact that ISA was actually on the server trying to be accessed, rather than connections being routed to servers unrelated to ISA.

LimeSMJ-- What sort of problems might be caused by the HTTP filtering with web apps, just for my info?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12076735
I have a very similar setup as you, with a single-NIC ISA2004 server in proxy mode only. I had to add the "localhost" to the networks section, and uncheck that box so that I could access the web sites hosted on that server. The only web sites that it hosts is the administrative management tool and one other application.

Putting the ISA proxy on its own box will be a much better solution long-run..
0
 

Author Comment

by:titan6400
ID: 12077186
Yeah, I agree.  The server that I was trying to put it on initally is a little too critical to our systems to be fooling with fate like that.

I'm still interested in whatever comments anyone might have about anything.  I'm going go ahead and award the points to lrmoore since it sounds like his solution is the best answer to my original question.
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12078568
HTTP filtering includes such things as URL checking and custom security/exploit filters... For instance, if you goto www.isatoolz.org and download those MS worm/exploit fixes for ISA and install them, they may cause errors in web-based applications - in my case, a custom web app that we use was "breaking" due to certain body keywords that were being blocked.

In the default configuration though, you should be fine with the HTTP filter.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now