Isa 2004 frontend and backend scenario

I've got ISA 2004 as the front end server running Standard Edition (direct access to the web) and ISA 2004 backend. These machines can communicate with each other as I can ping both, but I cannot get the backend server to browse the web. After that I will need to set up access rules to allow internal machines (domain members) to browse the web.

I tried setting up access rules to allow outbound HTTP, HTTPS and FTP access to External on the backend, and on the front end I did the same. No luck. Any suggestions please?
kiddkapurcjw Asked:
Leon Fester, Senior Solutions Architect, Commented:
Ooops, um, forgot to say...the above rule needs to exist on the BE server...

Last resort is create an access rule with ALL Networks/(Localhost) in both the to: and from: field in the rule.

Test if you can browse then... You can always add/remove the unnecessary connections later, but at least you can test if traffic is passing correctly between the two servers.

Post back with the results of the monitoring tool again... maybe we've missed something in there. I know you've posted it earlier, but you've made some changes since, so let's get some new information. :)
0
 
Leon Fester, Senior Solutions Architect, Commented:
Use the monitoring tool in ISA.

It's the best way to see what rules are being applied to your traffic. I'm guessing that you haven't specified allow incoming traffic from your backend server. By default no traffic is allowed to pass through the ISA server, and the default rule is deny all.

In ISA Server Management Console,
Click on 'Monitoring'
Click 'Logging' tab
Start the default trace and try browsing from your backend server. Once you know what traffic is being blocked and by what rule... you can then create the necessary rules to allow your browsing.

0
 
kiddkapurcjw, Author, Commented:
I am getting 'unidentified IP traffic closed'. It does not say what rule.

Scenario

        internet
           |
  ISA 2004 FRONTEND (workgroup)
           |---- DMZ
  ISA 2004 BACKEND (domain member)
           |
     INTERNAL NETWORK

If I try to browse the internet from the backend server I get the message 'unidentified IP traffic denied, default rule'.
0
Leon Fester, Senior Solutions Architect, Commented:
Are you specifying your FE-Server as a proxy? Is your FE-Server set as the default gateway on BE-Server?

What port is the unidentified traffic being reported on? 8080? You'll need to create a new protocol for that port.
Call it transparent http or whatever, assign port 8080 outbound.

Front end server needs to have a rule for traffic coming from the internal network.

Have you applied the edge firewall template on the network setup?
If YES, then there will only be 1 rule, stating deny all.

Create a rule:
protocol: http/https/transparent http (this is the protocol created earlier)
from: Internal (alternatively, specify the IP address of the NIC where the BE Server connects)
to: external
Action: Allow
0
 
kiddkapurcjw, Author, Commented:
The frontend server has got the front end template applied and the backend has got the backend template applied. Is this incorrect?
0
 
Leon Fester, Senior Solutions Architect, Commented:
No problem with those templates. Check that your perimeter network has the correct IP settings for the connections in the DMZ.

The FE template creates a perimeter network that should be defined as the IPs in the DMZ.
Your network is currently...

        internet
           |
    x.x.x.x (public IP)
  ISA 2004 FRONTEND (workgroup)
    192.168.1.2
           |---- DMZ
    192.168.1.1
  ISA 2004 BACKEND (domain member)
    10.0.0.1
           |
    10.0.0.x
     INTERNAL NETWORK

I've added a dummy set of IPs, however this is what should be defined in each network configuration.
Internal network: 10.0.0.0
Perimeter Network: 192.168.1.0
External network: by default is any public address that you may have on your machine.

Re-apply the networking templates and double check the IP settings. Try allowing unrestricted access in the wizard, and see what happens in the monitoring tool when you try to browse.
0
 
Kumar_Jayant123 Commented:
Hi,

Have you tried web chaining?

You can configure Web Chaining from the Network tab.

Mention the IP address of the Front End ISA server in the Upstream Server and allow Web Traffic from Internal to External.

Hope this helps
Kumar
0
 
kiddkapurcjw, Author, Commented:
Hello,

The network adapters on the FE and BE firewall have been configured correctly. On the front end server I have also added the internal network address range and this still does not work. Machines sitting on the perimeter network can browse the web. (I have created that new protocol definition that you asked me to and a new access rule.) When I browse from the perimeter networked machine I can see in the monitor that it is using the new rule.

I wonder. The FE is in the workgroup and the BE is a domain server member. Could this be a problem?
0
 
Leon Fester, Senior Solutions Architect, Commented:
'I wonder. The FE is in the workgroup and the BE is a domain server member. Could this be a problem?'

No this should not be the issue. Your firewall does not care where it is located, it is the traffic that is of most concern to the firewall.

'When I browse from the perimeter networked machine I can see in the monitor that it is using the new rule.'
- when do you see this? When you try to access the Internet from the BE server? Or when some machine in your DMZ tries to access the Internet?

You should now concentrate on the BE server. Check the monitoring tool there and see what is happening to traffic.
N.B. BE server should have its default gateway pointing to the NIC (in DMZ) of the FE server.
N.B. Only 1 default gateway per machine.
0
 
kiddkapurcjw, Author, Commented:
The error message that I get is 'Denied connection, rule: default, source: local host, destination: perimeter'. This seems to be a rule but I cannot figure out what rule, as I have allowed HTTP port 80 and 8080 and HTTPS outbound, similar to the rule on the FE. But this does not seem to work.

If I disable the FW service I can connect to the net OK from the BE, but whilst it is running I am having no joy. Any ideas guys?
0
 
Kumar_Jayant123 Commented:
Have you tried web chaining?
0
 
kiddkapurcjw, Author, Commented:
Web chaining will not work if I cannot get the BE server to browse the net.
0
 
David George, IS/Network Security Officer, Commented:
What order are the rules listed in? The most restrictive rule must be at the bottom as rules are applied to web requests from the top downward. If you have a "deny" rule (so to speak) before the "allow" rule, the allow all rule will never get used.
0
 
kiddkapurcjw, Author, Commented:
The Web access rule is at the top on both the ISA boxes.
0
 
Leon Fester, Senior Solutions Architect, Commented:
Check if the following rule exists, otherwise create it.
Action: Allow
Protocols: All Outbound
From: Internal, Localhost
To: External

You need to specify the localhost in your rules as well.

Check the properties of your Internal Network, under the configuration section.
Enable the Web proxy client.

Test it again
0
 
kiddkapurcjw, Author, Commented:
I have that rule configured, and web proxy enabled. I know this is a brain buster guys, but I am grateful for all your help.
0
 
kiddkapurcjw, Author, Commented:
Hey, I did as you mentioned and voila. Then I removed accordingly and tested. It seems that all that was needed was to add the perimeter network to the destinations list.

Now all I need to do is to get the internal machines to browse the web, then i am home free.
0
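As an added illustration (not code from this thread or from ISA Server itself), here is a small first-match model of ISA access-rule evaluation in Python. It uses the dummy addresses posted above and assumes the BE server's web requests are addressed to the FE's DMZ NIC on port 8080 (the "transparent http" protocol created earlier); it reproduces the "default rule, source Localhost, destination Perimeter" denial and shows why adding Perimeter to the destinations fixes it, and why a deny rule listed above an allow rule shadows it.

```python
# Added example: a first-match model of ISA 2004 access-rule evaluation.
# Network names and CIDRs are assumptions based on the dummy IPs in the thread.
import ipaddress

# Networks as the BE server (NICs 192.168.1.1 and 10.0.0.1) would define them.
NETWORKS = {
    "Internal":  [ipaddress.ip_network("10.0.0.0/24")],
    "Perimeter": [ipaddress.ip_network("192.168.1.0/24")],
}
# Addresses owned by the ISA box itself form the Localhost network.
LOCALHOST_ADDRS = {ipaddress.ip_address("192.168.1.1"),
                   ipaddress.ip_address("10.0.0.1")}

def classify(ip):
    """Map an address to the ISA network it belongs to; any address not
    defined locally falls into External."""
    addr = ipaddress.ip_address(ip)
    if addr in LOCALHOST_ADDRS:
        return "Localhost"
    for name, nets in NETWORKS.items():
        if any(addr in n for n in nets):
            return name
    return "External"

def evaluate(rules, src, dst, protocol):
    """Rules are checked top-down, first match wins; the implicit last
    rule is Deny All, reported the way the ISA log shows it."""
    s, d = classify(src), classify(dst)
    for rule in rules:
        if protocol in rule["protocols"] or "All Outbound" in rule["protocols"]:
            if s in rule["from"] and d in rule["to"]:
                return rule["action"], rule["name"]
    return "Deny", f"Default rule (source {s}, destination {d})"

# The BE rule as first configured in the thread: destination External only.
RULES_BEFORE = [
    {"name": "Web access", "action": "Allow",
     "protocols": {"HTTP", "HTTPS", "transparent http"},
     "from": {"Internal", "Localhost"}, "to": {"External"}},
]
# The resolution: the BE's web traffic is really addressed to the FE's DMZ NIC
# (Perimeter), not to the Internet, so Perimeter must be a destination too.
RULES_AFTER = [{**RULES_BEFORE[0], "to": {"External", "Perimeter"}}]

if __name__ == "__main__":
    # BE server (Localhost) browsing through the FE upstream at 192.168.1.2
    print(evaluate(RULES_BEFORE, "192.168.1.1", "192.168.1.2", "transparent http"))
    print(evaluate(RULES_AFTER, "192.168.1.1", "192.168.1.2", "transparent http"))
```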
 
Leon Fester, Senior Solutions Architect, Commented:
Excellent!

The client setup should be as easy as either changing their default gateway to point to the Internal NIC of the ISA server, or alternatively, configuring the browser to use the ISA server as a proxy: set the IP address (of the NIC on the Internal Network), port 8080.
0
 
kiddkapurcjw, Author, Commented:
Thank you very much.
0