Solved

ISA firewall mystery has me stumped

Posted on 2006-06-22
Last Modified: 2013-11-16
Setup is:
SBS 2003 with ISA 2004
4 client PC with XP Pro and Outlook 2003

Problem:
Three of the four client PCs are able to retrieve/send POP/SMTP email using Outlook 2003.  We are not using Exchange at this time.  Each client goes directly to the Internet to retrieve email.  All four PCs use the same ISP for email.

The fourth client PC was unable to retrieve email like the others until I added two rules to the ISA firewall.  One rule to allow POP and one rule to allow SMTP.

Question 1:
Why could the fourth PC client not pass through the firewall while the other three could?  I even added the email account from the fourth PC user on one of the other PCs and we were able to retrieve and send email before the ISA rules were added.

Question 2:
We are using the ISA client on all four PCs, but I noticed if I disable the ISA client the user can still surf the Internet.  What is the purpose of the ISA client?

Any insight would be appreciated.
Question by:dalva

Expert Comment

by:Keith Alabaster
You say it's SBS?
Did you add all four PCs in exactly the same way? As you probably know, SBS has a precise way of adding both machines and users which is totally different to the way you would add them through a standard Windows 2003 system. If you have done this 4th machine differently then it is likely not in all of the correct groups etc. that the other three are in.
This is even more likely based on your comment about disabling the ISA firewall client.

The purpose of the ISA firewall client is varied. Predominantly it is the preferred interface between the ISA Server and Active Directory, authentication and control.

ISA client also allows you to send all traffic to the ISA server even when you are not using SecureNAT (where the client machine's default gateway points to the internal NIC of the ISA server).

What is the control mechanism you have placed in your ISA firewall rules? If you have used named Active Directory groups, then this restriction should operate assuming that all required users are actually within this group. If you have used 'All Users' as the limiter then AD is not referenced.

regards
keith

Author Comment

by:dalva
One of the first things I looked at was to make certain all users belonged to the same groups.  I thought perhaps a rule was preventing the fourth PC from passing thru ISA firewall rules because it was not a member in all the needed groups.  Turned out all users had the same groups.

I am not an expert with SBS and ISA.  Is there such a thing as PCs (not users) belonging to certain groups which might cause certain ISA firewall rules to be activated from some PCs and not others?

Expert Comment

by:Keith Alabaster
Yes, there is. If you look in Active Directory you will see an OU called Computers and another OU along the lines of 'My Business', and in here you will find another Computers OU. Check to see if all four are in the My Business\Computers OU.

Expert Comment

by:Keith Alabaster
This is one of the reasons that it is so important to follow the correct process for adding users and computers to SBS. SBS 2003 is not Windows 2003.

Author Comment

by:dalva
It won't be until next Friday before I am at that site to follow up on your suggestions.  I'll let you know what I discover.

Expert Comment

by:Keith Alabaster
No sweat. Have a good weekend.

Author Comment

by:dalva
Keith,
I followed up on your suggestion.  What I saw was the same OU which contained the fourth PC also contained some of the other PCs which are not having the problem.  This leaves the issue still clouded.  I am inclined to believe your suggestion that it is somehow tied to the OU because when we set up the same email account on a good PC it worked.  This seems to point to a PC issue.  I'll be stopping by there again next week.  Any more suggestions? Otherwise this will have to sit on the back burner until later this summer when I get deep into AD.

Accepted Solution

by:Keith Alabaster (earned 250 total points)
Have a look at this link; it may clarify things a little.

http://sbsurl.com/itpro

Look at the add user & add computer section. Not saying it applies to you but many people get knocked off their feet when they see how it 'should' be done....

Author Comment

by:dalva
Keith,

Your suggestions and the link to the document really made it clear that SBS 2003 is more than just having Win 2003 Server and Exchange 2003 combined.  SBS management requires a different approach.
Thanks for your assistance.
dalva

Expert Comment

by:Keith Alabaster
Excellent. Thanks :)