Solved

ISA firewall mystery has me stumped

Posted on 2006-06-22
Last Modified: 2013-11-16
Setup is:
SBS 2003 with ISA 2004
4 client PC with XP Pro and Outlook 2003

Problem:
Three of the four client PCs are able to retrieve/send POP/SMTP email using Outlook 2003. We are not using Exchange at this time. Each client goes directly to the Internet to retrieve email. All four PCs use the same ISP for email.

The fourth client PC was unable to retrieve email like the others until I added two rules to the ISA firewall.  One rule to allow POP and one rule to allow SMTP.

Question 1:
Why could the fourth PC client not pass through the firewall while the other three could?  I even added the email account from the fourth PC user on one of the other PC’s and we were able to retrieve and send email before the ISA rules were added.

Question 2:
We are using the ISA client on all four PC but I noticed if I disable the ISA client the user can still surf the Internet.  What is the purpose for the ISA client?

Any insight would be appreciated.
Question by:dalva
10 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16967529
You say it's SBS?
Did you add all four PCs in exactly the same way? As you probably know, SBS has a precise way of adding both machines and users which is totally different to the way you would add them through a standard Windows 2003 system. If you have done this 4th machine differently then it is likely not in all of the correct groups etc. that the other three are in.
This is even further likely based on your comment about disabling the isa firewall client.

The purpose of the ISA firewall client is varied. Predominantly it is the preferred interface between the ISA Server and Active Directory, authentication and control.

ISA client also allows you to send all traffic to the ISA server even when you are not using SecureNAT (where the client machine's default gateway points to the internal NIC of the ISA server).

What is the control mechanism you have placed in your ISA firewall rules? If you have used named Active Directory groups, then this restriction should operate assuming that all required users are actually within this group. If you have used the 'All Users' as the limiter then AD is not referenced.

regards
keith
0
 
LVL 1

Author Comment

by:dalva
ID: 16970222
One of the first things I looked at was to make certain all users belonged to the same groups.  I thought perhaps a rule was preventing the fourth PC from passing thru ISA firewall rules because it was not a member in all the needed groups.  Turned out all users had the same groups.

I am not an expert with SBS and ISA. Is there such a thing as PCs (not users) belonging to certain groups which might cause certain ISA firewall rules to be activated from some PCs and not others?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16970460
Yes there is. If you look in Active Directory you will see an OU called computers and another OU along the lines of 'My Business' and in here you will find another computers OU. Check out to see if all four are in the my business\computers OU.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16970470
This is one of the reasons that it is so important to follow the correct process for adding users and computers to SBS. SBS 2003 is not Windows 2003.
0
 
LVL 1

Author Comment

by:dalva
ID: 16970759
It won't be until next Friday before I am at that site to follow up on your suggestions.  I'll let you know what I discover.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16970900
No sweat. Have a good weekend.
0
 
LVL 1

Author Comment

by:dalva
ID: 17142476
Keith,
I followed up on your suggestion. What I saw was the same OU which contained the fourth PC also contained some of the other PCs which are not having the problem. This leaves the issue still clouded. I am inclined to believe your suggestion that it is somehow tied to the OU because when we set up the same email account on a good PC it worked. This seems to point to a PC issue. I'll be stopping by there again next week. Any more suggestions? Otherwise this will have to sit on the back burner until later this summer when I get deep into AD.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 17146660
Have a look at this link; it may clarify things a little.

http://sbsurl.com/itpro

Look at the add user & add computer section. Not saying it applies to you but many people get knocked off their feet when they see how it 'should' be done....
0
 
LVL 1

Author Comment

by:dalva
ID: 17189207
Keith,

Your suggestions and the link to the document really made it clear that SBS 2003 is more than just having Win 2003 Server and Exchange 2003 combined.  SBS management requires a different approach.
Thanks for your assistance.
dalva
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17190323
Excellent. Thanks :)
0

Question has a verified solution.
