dalva

ISA firewall mystery has me stumped

Setup is:
SBS 2003 with ISA 2004
4 client PCs with XP Pro and Outlook 2003

Problem:
Three of the four client PCs are able to retrieve/send POP/SMTP email using Outlook 2003.  We are not using Exchange at this time.  Each client goes directly to the Internet to retrieve email.  All four PCs use the same ISP for email.

The fourth client PC was unable to retrieve email like the others until I added two rules to the ISA firewall.  One rule to allow POP and one rule to allow SMTP.

Question 1:
Why could the fourth PC client not pass through the firewall while the other three could?  I even added the email account from the fourth PC user on one of the other PCs and we were able to retrieve and send email before the ISA rules were added.

Question 2:
We are using the ISA client on all four PCs, but I noticed that if I disable the ISA client the user can still surf the Internet.  What is the purpose of the ISA client?

Any insight would be appreciated.
Keith Alabaster

You say it's SBS?
Did you add all four PCs in exactly the same way? As you probably know, SBS has a precise way of adding both machines and users which is totally different to the way you would add them through a standard Windows 2003 system. If you have done this 4th machine differently then it is likely not in all of the correct groups etc. that the other three are in.
This is even more likely based on your comment about disabling the ISA firewall client.

The purpose of the ISA firewall client is varied. Predominantly it is the preferred interface between the ISA Server and Active Directory, authentication and control.

ISA client also allows you to send all traffic to the ISA server even when you are not using SecureNAT (where the client machine's default gateway points to the internal NIC of the ISA server).

What is the control mechanism you have placed in your ISA firewall rules? If you have used named Active Directory groups, then this restriction should operate assuming that all required users are actually within this group. If you have used the 'All Users' as the limiter then AD is not referenced.

regards
keith
dalva

ASKER

One of the first things I looked at was to make certain all users belonged to the same groups.  I thought perhaps a rule was preventing the fourth PC from passing thru ISA firewall rules because it was not a member in all the needed groups.  Turned out all users had the same groups.

I am not an expert with SBS and ISA.  Is there such a thing as PCs (not users) belonging to certain groups which might cause certain ISA firewall rules to be activated from some PCs and not others?

Keith Alabaster

Yes, there is. If you look in Active Directory you will see an OU called computers and another OU along the lines of 'My Business' and in here you will find another computers OU. Check to see if all four are in the my business\computers OU.
This is one of the reasons that it is so important to follow the correct process for adding users and computers to SBS. SBS 2003 is not Windows 2003.
dalva

ASKER

It won't be until next Friday before I am at that site to follow up on your suggestions.  I'll let you know what I discover.

Keith Alabaster

No sweat. Have a good weekend.
dalva

ASKER

Keith,
I followed up on your suggestion.  What I saw was the same OU which contained the fourth PC also contained some of the other PCs which are not having the problem.  This leaves the issue still clouded.  I am inclined to believe your suggestion that it is somehow tied to the OU because when we set up the same email account on a good PC it worked.  This seems to point to a PC issue.  I'll be stopping by there again next week.  Any more suggestions? Otherwise this will have to sit on the back burner until later this summer when I get deep into AD.
ASKER CERTIFIED SOLUTION
Keith Alabaster

This solution is only available to members.
dalva

ASKER

Keith,

Your suggestions and the link to the document really made it clear that SBS 2003 is more than just having Win 2003 Server and Exchange 2003 combined.  SBS management requires a different approach.
Thanks for your assistance.
dalva

Keith Alabaster

Excellent. Thanks :)