ISA outbound Traffic

I've got an ISA Server 2k4 w/ Server 2003 running with 1 network card. Its only purpose in life is to proxy traffic on port 8080 and authenticate internal users to allow/disallow internet access. This part is working great. I have an app on the server itself that needs access to the internet. However, every time I try to go to any site or I try to make this app download its updates (WatchGuard web-blocker updates) I get the ISA Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (122202). I've changed system policy rule 17 to allow outbound from the ISA server to all networks. Still no luck? Any help?
stamperb Asked:
Keith Alabaster, Enterprise Architect, Commented:
Don't change rule 17; this is NOT what it is for.
Have you included local host in the 'FROM' box in your firewall rule?
Are there any rules ahead of this one that are stopping the traffic?
Matt_Heuer Commented:
Since you are using the server as a web proxy, you will need to plug in the values and possible user names into the application you are using. If the app doesn't support this then you will need to make some changes to your policy in place. To fix this you will need to create a new rule and have the app access the internet through SecureNAT and not web proxy. As Keith said, you will need to make sure the rule includes local host in the from field and external in the to field and make sure that it applies to all users since SecureNAT clients can't authenticate. Also, for troubleshooting purposes, move this newly created rule to the top of the list.

Cole
Keith Alabaster, Enterprise Architect, Commented:
Matt, no disrespect to your answer as I see where you are coming from but the server has a single NIC so doesn't support SecureNAT clients.

regards
Keith
ISA MCT
Matt_Heuer Commented:
I stand corrected, sorry about that.
Keith Alabaster, Enterprise Architect, Commented:
Don't ever be sorry Matt; you make a good contribution to Experts-exchange and your views are valued. I would be the first to stand up and state I make errors of my own. :)

Regards
keith
stamperb (Author) Commented:
OK, well, I'm seriously thinking about just putting the app on a different box and letting ISA just be ISA :-)
Keith Alabaster, Enterprise Architect, Commented:
I have to be honest and say this is the recommended approach (different box). The only scenario when the rule changes really is for SBS where SBS uses a modified, cut-down version of ISA server.

Keith Alabaster, Enterprise Architect, Commented:
Thanks :)