Solved

ISA firewall mystery has me stumped

Posted on 2006-06-22
10
223 Views
Last Modified: 2013-11-16
Setup is:
SBS 2003 with ISA 2004
4 client PC with XP Pro and Outlook 2003

Problem:
Three of the four client PCs are able to retrieve/send POP/SMTP email using Outlook 2003. We are not using Exchange at this time. Each client goes directly to the Internet to retrieve email. All four PCs use the same ISP for email.

The fourth client PC was unable to retrieve email like the others until I added two rules to the ISA firewall: one rule to allow POP and one rule to allow SMTP.

Question 1:
Why could the fourth client PC not pass through the firewall while the other three could? I even added the email account from the fourth PC's user on one of the other PCs and we were able to retrieve and send email before the ISA rules were added.

Question 2:
We are using the ISA client on all four PCs, but I noticed that if I disable the ISA client the user can still surf the Internet. What is the purpose of the ISA client?

Any insight would be appreciated.
Question by: dalva
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16967529
You say it's SBS?
Did you add all four PCs in exactly the same way? As you probably know, SBS has a precise way of adding both machines and users which is totally different to the way you would add them through a standard Windows 2003 system. If you have done this 4th machine differently then it is likely not in all of the correct groups etc. that the other three are in.
This is even further likely based on your comment about disabling the ISA firewall client.

The purpose of the ISA firewall client is varied. Predominantly it is the preferred interface between the ISA Server and Active Directory, authentication and control.

ISA client also allows you to send all traffic to the ISA server even when you are not using SecureNAT (where the client machine's default gateway points to the internal NIC of the ISA server).

What is the control mechanism you have placed in your ISA firewall rules? If you have used named active directory groups, then this restriction should operate assuming that all required users are actually within this group. If you have used the 'All Users' as the limiter then AD is not referenced.

regards
keith
0
 
LVL 1

Author Comment

by:dalva
ID: 16970222
One of the first things I looked at was to make certain all users belonged to the same groups. I thought perhaps a rule was preventing the fourth PC from passing through the ISA firewall rules because it was not a member of all the needed groups. It turned out all users had the same groups.

I am not an expert with SBS and ISA. Is there such a thing as PCs (not users) belonging to certain groups which might cause certain ISA firewall rules to be activated from some PCs and not others?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16970460
Yes there is. If you look in Active Directory you will see an OU called Computers and another OU along the lines of 'My Business', and in here you will find another Computers OU. Check to see if all four are in the My Business\Computers OU.
0
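One way to carry out the OU check Keith describes across all four workstations at once, so the odd one out is visible in a single table. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module is available and that the expected container path below matches the SBS 2003 layout in your domain (the computer names are constructed placeholders).

```powershell
# Added example: compare OU placement and group membership of a set of SBS 2003
# workstations. A machine that sits in a different OU, or carries a different set of
# groups, is the first thing to look at before adding per-host firewall allow rules.
Import-Module ActiveDirectory

$computers  = @('PC1', 'PC2', 'PC3', 'PC4')                   # constructed names, replace with yours
$expectedOu = 'OU=SBSComputers,OU=Computers,OU=MyBusiness'    # assumption: SBS 2003 default layout

$report = foreach ($name in $computers) {
    $c = Get-ADComputer -Identity $name -Properties MemberOf -ErrorAction Stop
    # Drop the leading "CN=<name>," so only the container path remains
    $ou = ($c.DistinguishedName -split ',', 2)[1]
    [pscustomobject]@{
        Computer     = $name
        OU           = $ou
        InExpectedOu = $ou -like "$expectedOu,*"
        # Reduce each group DN to its CN for a readable, comparable string
        Groups       = ($c.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' } |
                        Sort-Object) -join ';'
    }
}

$report | Format-Table -AutoSize

# The group list shared by the majority of machines is the reference; flag anything
# that deviates from it or that is outside the expected OU.
$reference = ($report | Group-Object Groups | Sort-Object Count -Descending |
              Select-Object -First 1).Name
$report | Where-Object { -not $_.InExpectedOu -or $_.Groups -ne $reference } |
    ForEach-Object { Write-Warning "$($_.Computer): OU=$($_.OU) groups=$($_.Groups)" }
```

If the fourth machine is flagged here, moving it (or re-joining it through the SBS wizard) is the fix to test before keeping the extra POP/SMTP rules.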
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16970470
This is one of the reasons that it is so important to follow the correct process for adding users and computers to SBS. SBS 2003 is not Windows 2003
0
 
LVL 1

Author Comment

by:dalva
ID: 16970759
It won't be until next Friday before I am at that site to follow up on your suggestions.  I'll let you know what I discover.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16970900
No sweat. Have a good weekend.
0
 
LVL 1

Author Comment

by:dalva
ID: 17142476
Keith,
I followed up on your suggestion. What I saw was that the same OU which contained the fourth PC also contained some of the other PCs which are not having the problem. This leaves the issue still clouded. I am inclined to believe your suggestion that it is somehow tied to the OU, because when we set up the same email account on a good PC it worked. This seems to point to a PC issue. I'll be stopping by there again next week. Any more suggestions? Otherwise this will have to sit on the back burner until later this summer when I get deep into AD.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 17146660
Have a look at this link; it may clarify things a little.

http://sbsurl.com/itpro

Look at the add user & add computer section. Not saying it applies to you but many people get knocked off their feet when they see how it 'should' be done....
0
 
LVL 1

Author Comment

by:dalva
ID: 17189207
Keith,

Your suggestions and the link to the document really made it clear that SBS 2003 is more than just having Win 2003 Server and Exchange 2003 combined.  SBS management requires a different approach.
Thanks for your assistance.
dalva
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17190323
Excellent. Thanks :)
0