• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 252
  • Last Modified:

Can't browse Internet with Windows 2000 server

Hi,

I have a small network that consists of 20 clients and a server. Windows 2000 OS on the clients and windows 2000 server on the server.
Am using dial-up as a network connection to the internet. ISA server (ISA 2000 I guess) is being installed on the server to distribute the dial-up connection among the clients. Now, clients can browse the net with no problems, however, from the server I can’t browse !!
From clients PC, I just put the server name in the proxy server address in the LAN settings (internet explorer). But in the server I didn’t specify in proxy address or even the server name/IP address but no use .

Can you help me?
0
turki_00
Asked:
turki_00
  • 6
  • 5
  • 2
  • +1
1 Solution
 
Keith AlabasterCommented:
The server should be using the same proxy ip/port number as the clients. Any reason why you didn't put these in?
0
 
BembiCEOCommented:
Jepp, and maybe additional packet filters, as the server itself does not take notice of protocol rules. But as I remeber ISA 2000, HTTP is set by default as packet filter.
0
 
turki_00Author Commented:
Keith,

which proxy are you talking about ?
is it the dial-up proxy or the LAN settings proxy ??

for the dial-up, I don't need to specify proxy with my ISP, also the clients can currently can browse the internet. so i guess no problem with that.

in the LAN settings where it says Proxy Server:
I've tried both ways (put and remove the server IP/Port) but not luck :(

just a reminder, that my problem is only in browser the net in the server, the clients have no problems.
------------------------
Bembi,
I need to chk that packet filter, where i can find it ?
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
BembiCEOCommented:
> which proxy are you talking about ?
He means the Proxy settings for the LAN within the browser settings.

ISA provides a Web Proxy, that means, you have to tell every client a way to the internet (including the server).
You can set the proxy settings for the browser to redirect all Web traffic (HTTP, FTP) to ISA

For all other traffic (including ping, tracert etc., but also HTTP / FTP if net set by the browser settings) you can either set the standard gateway for your clients to the server, and the default gateway of the server to your internet router, or you can set all default gateways (clients + server) to the internet router.

Dependend on the settings, you have to make sure, that ISA is allowed to pass the traffic to the internet. For all traffic, which is directed to the server, you need a "site and content rules" as well as a protocol rule to allow this. For all direct traffic, you need a packet filter, which allows outgoing traffic for that protocol (esp. the server itself).

You find all of them in ISA MMC - your server -  "access policies".

Also have a look here:
http://www.ISAserver.org/
http://www.isaserver.org/tutorials/Understanding_Site_and_content_rules.html
you will find a lot of configuration hints here.
0
 
IPKON_NetworksCommented:
Your Windows 2000 server works in the same way as your clients. For Web browsing you need to point the IP stack at something that will get it out to the internet. As per your clients, they have the LAN Proxy settings pointing to your ISA server so you should point the LAN Proxy settings to point to the proxy server as well. This may be the same server as itself, but the ISA is providing your network with the ability to get out to the Internet.

As per Keith and Bembi above.

Barny
IPKON Networks Ltd
0
 
turki_00Author Commented:
Guys,

Thank you for your help.....
Definitely i need to read more about access policies.
but can you explain to me one thing,

why are my clients can browse the internet and the server it self CAN NOT !!
I've put the IP for the server itself in the LAN settings in the proxy settings of the server. (confusued, huh !! :D )

I mean in the server->Internet Explorer->Tools->internet options->Connection TAB ->LAN settings-> Proxy server (i put the IP address of the server itself, iwth the port 8080)
and still can't broswe from the server , but any clients ....yes I can !!


one thing, do i have to mention that the ISA server is installed in the server (windwos 2000).

I guess at the end i need to know how can i point the srever to the ISA server, HOW ?

again, thank you :)
0
 
Keith AlabasterCommented:
If ISA is on the server itself??

OK, this box is called local host (in the networks list) have you added local host into the outgoing rule (in the from box)?
0
 
BembiCEOCommented:
Keith: turki said ISA 2000, your hint point to 2004.

> one thing, do i have to mention that the ISA server is installed in the server
Yes, sure, but you wrote this before.

If you go to my 2. Linke above, you see the three options you can config in ISA
Check first the content of "site and content filter" and "Protocol Rules"
There is 1 default rule by default.
Open them and click through the tabs to make sure, your server is not excluded in this rules.
Open "IP Packet filters" and have a look at the list, if there is a HTTP filter rule in there.

Can you ping a server on the internet from your server?

0
 
turki_00Author Commented:
>OK, this box is called local host (in the networks list) have you added local host into the outgoing rule (in the from box)?

Keith, which box ?? which networks list ?? are these in the ISA console or in windows ?
----------------------------------------
Bembi: yes am using ISA 2000
1. I've chked the "Site and Content Rules" under the Access Policy:
thre is only one rule "Allow Rule" it is enable, destinations tab= All Destinations, schedule= always, Action= Allowed, Applies to= any request, HTTP content= All content groups.

2. I've chked the "Protocol Rules" under the access policy menu:
only one rule exist which is "allow", enabled, action=allow, Protocol= All IP Traffic, schedule=always, Applies to=any request

3. In the "IP Packet Filter" there are number of filters here, amnog them there are the DHCP Client, DNS filter, ICMP outbound....etc
I've chked them and all of them got the allow tick on them..!!!

finally, yes i can ping " ping www.yahoo.com"  from the server.
0
 
BembiCEOCommented:
1.) sounds fine
2.) sounds fine
3.) And HTTP??

So, try the following:
First check again if your proxy settings for the browser are pointing to your ISA, usually, you can set any name (NetBios, FQDN or IP Address). Make sure the setting is excactly the same (including the port, mostly 8080) than on all clients. Close all browser windows and check again, if you get now access.

If this do not work, add a new IP packet filter (right mouse click)
call it HTTP
Protocol TCP outgoing
local port any
remote port 80
On the next pages, you can leave everything as default.

You may repeat this procedure for HTTPS (SSL) on port 443, if needed.

Save the rule and restart the firewall services.
Now try, if your server connects to the outside world.
0
 
turki_00Author Commented:
Bembi,

I've created an IP packet filter, with the following properties:

General Tab:
filter name: HTTP
enable this filter

Filter Type:
user this filter - Predefined = HTTP server (port 80)

Local Computer:
This filter applies to= default IP adddress(es) on external interface(s)

Remote computer:
This filter applies to= All remote coputers

and in the server browser, LAN settinges, proxy address, i've put the server IP/name with port 80 or 8080

I've restarted the Microsoft ISA server control - service

and still I can't browser the net from the server browser.
I CAN browse from any client.
I CAN ping www.yahoo.com


0
 
BembiCEOCommented:
Nope, what you have setup is a server rule, this rule allows a user from the internet to pass ISA (ie. to publish an internal Web-Server.

Either there is a predefined filter HTTP (not HTTP server) or you have to setup:

TCP
outbound
local port: any
remote port: 80

Local computer: default...
Remote computer: All

Here, you find an example for SMTP / POP3 outgoing, there are simply the ports 25/110 instead of 80
http://www.isaserver.org/tutorials/How_to_use_ISA_Server_Packet_Filters.html
0
 
turki_00Author Commented:
Bembi,

IT WORKS :D

Thank you Thank you Thank you

What i did is the follwoing:
1. read the provided link (very useful)
2. enable the "Intusion detection" in the properties of the Packet fliter
3. create a new packet filter with TCP type and port 80

finally i can browse the net from both the server and the client.

thank you again.
0
 
BembiCEOCommented:
You are welcome... :-)
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 6
  • 5
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now