kiddkapurcjw

asked on

Isa 2004 frontend and backend scenario

I've got ISA 2004 as the front-end server running Standard Edition (direct access to the web) and ISA 2004 as the back end. These machines can communicate with each other, as I can ping both, but I cannot get the back-end server to browse the web. After that I will need to set up access rules to allow internal machines (domain members) to browse the web.

I tried setting up access rules to allow outbound HTTP, HTTPS and FTP access to External on the back end, and on the front end I did the same. No luck. Any suggestions, please?
Leon Fester

Use the monitoring tool in ISA.

It's the best way to see what rules are being applied to your traffic. I'm guessing that you haven't specified allowing incoming traffic from your back-end server. By default no traffic is allowed to pass through the ISA server, and the default rule is deny all.

In ISA Server Management Console,
click on 'Monitoring',
click the 'Logging' tab,
start the default trace and try browsing from your back-end server. Once you know what traffic is being blocked and by what rule, you can then create the necessary rules to allow your browsing.

kiddkapurcjw (ASKER)

I am getting "unidentified IP traffic closed". It does not say what rule.

Scenario

    internet
       |
    ISA 2004 FRONTEND (workgroup)
       |          ---- DMZ
    ISA 2004 BACKEND (domain member)
       |
    INTERNAL NETWORK

If I try to browse the internet from the back-end server I get the message "unidentified IP traffic denied, default rule".
Are you specifying your FE-Server as a proxy? Is your FE-Server set as the default gateway on BE-Server?

What port is the unidentified traffic being reported on? 8080? You'll need to create a new protocol for that port.
Call it "transparent HTTP" or whatever, and assign port 8080 outbound.

Front end server needs to have a rule for traffic coming from the internal network.

Have you applied the edge firewall template on the network setup?
If YES, then there will only be 1 rule, stating deny all.

Create a rule:
protocol: HTTP/HTTPS/transparent HTTP (this is the protocol created earlier)
from: Internal (alternatively, specify the IP address of the NIC where the BE server connects)
to: external
Action: Allow
The front-end server has the front-end template applied and the back end has the back-end template applied. Is this incorrect?
No problem with those templates. Check that your perimeter network has the correct IP settings for the connections in the DMZ.

The FE template, creates a perimeter network that should be defined as the IP's in the DMZ.
Your network is currently:

    internet
       |
    x.x.x.x (public IP)
    ISA 2004 FRONTEND (workgroup)
    192.168.1.2
       |          ---- DMZ
    192.168.1.1
    ISA 2004 BACKEND (domain member)
    10.0.0.1
       |
    10.0.0.x
    INTERNAL NETWORK

I've added a dummy set of IPs; however, this is what should be defined in each network configuration:
Internal network: 10.0.0.0
Perimeter Network: 192.168.1.0
External network: by default is any public address that you may have on your machine.

Re-apply the networking templates and double check the IP settings. Try allowing unrestricted access in the wizard, and see what happens in the monitoring tool when you try to browse.
Hi,

Have you tried web chaining?

You can configure Web Chaining from the Network tab.

Enter the IP address of the front-end ISA server as the upstream server and allow web traffic from Internal to External.

Hope this helps
Kumar
Hello,

The network adapters on the FE and BE firewalls have been configured correctly. On the front-end server I have also added the internal network address range, and this still does not work. Machines sitting on the perimeter network can browse the web. (I have created that new protocol definition that you asked me to, and a new access rule.) When I browse from the perimeter-networked machine I can see in the monitor that it is using the new rule.

I wonder: the FE is in a workgroup and the BE is a domain member server. Could this be a problem?
'I wonder: the FE is in a workgroup and the BE is a domain member server. Could this be a problem?'

No this should not be the issue. Your firewall does not care where it is located, it is the traffic that is of most concern to the firewall.

'When I browse from the perimeter-networked machine I can see in the monitor that it is using the new rule.'
- When do you see this? When you try to access the Internet from the BE server, or when some machine in your DMZ tries to access the Internet?

You should now concentrate on the BE server. Check the monitoring tool there and see what is happening to traffic.
N.B. The BE server should have its default gateway pointing to the FE server's NIC in the DMZ.
N.B. Only one default gateway per machine.
The error message that I get is "Denied connection, rule: Default, source: Local Host, destination: Perimeter". This seems to be a rule, but I cannot figure out which rule, as I have allowed HTTP on ports 80 and 8080 and HTTPS outbound, similar to the rule on the FE. But this does not seem to work.

If I disable the firewall service I can connect to the net OK from the BE, but whilst it is running I am having no joy. Any ideas, guys?
Have you tried web chaining?
Web chaining will not work if I cannot get the BE server to browse the net.
What order are the rules listed in? The most restrictive rule must be at the bottom, as rules are applied to web requests from the top downward. If you have a "deny" rule (so to speak) before the "allow" rule, the allow rule will never get used.
The Web access rule is at the top on both ISA boxes.
Check if the following rule exists, otherwise create it.
Action: Allow
Protocols: All Outbound
From: Internal, Localhost
To: External

You need to specify the localhost in your rules as well.

Check the properties of your Internal Network, under the configuration section.
Enable the Web proxy client.

Test it again
I have that rule configured and the web proxy enabled. I know this is a brain-buster, guys, but I am grateful for all your help.
ASKER CERTIFIED SOLUTION
Leon Fester
(solution text only available to Experts Exchange members)
Hey, I did as you mentioned and voilà. Then I removed things accordingly and tested. It seems that all that was needed was to add the perimeter network to the destinations list.

Now all I need to do is to get the internal machines to browse the web, then i am home free.
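The following is an added example, not code from this thread or from ISA Server itself: a small Python model of how ISA 2004 walks an ordered access-rule list top-down with an implicit final "Default rule" that denies everything unmatched. It uses the dummy addresses from the thread and reproduces the log entry reported above (source Local Host, destination Perimeter, denied by the Default rule), shows why adding the Perimeter network to the web-access rule's destinations lets the back-end box's own outbound requests reach the front-end on port 8080, and illustrates the rule-ordering point raised earlier. The network ranges, the name "Transparent HTTP" for the 8080 protocol definition, the client address 10.0.0.50 and the public address 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress

# Constructed illustration (not ISA code) using the dummy addresses from the
# thread. The back-end ISA box owns 192.168.1.1 (DMZ side) and 10.0.0.1 (LAN
# side); the front-end ISA box's DMZ NIC is 192.168.1.2. ISA treats the
# firewall's own addresses as the "Local Host" network and any address that
# belongs to no defined network as "External".
NETWORKS = [  # checked in order: the first network containing the address wins
    ("Local Host", ["127.0.0.1/32", "192.168.1.1/32", "10.0.0.1/32"]),
    ("Perimeter", ["192.168.1.0/24"]),
    ("Internal", ["10.0.0.0/24"]),
]
FRONTEND_DMZ_NIC = "192.168.1.2"

# Protocol definitions: name -> (transport, port). "Transparent HTTP" stands for
# the custom 8080 definition created in the thread (assumed name). A port with
# no definition cannot match any rule, which is what the "unidentified IP
# traffic" log entries reflect.
PROTOCOLS = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "Transparent HTTP": ("tcp", 8080),
}
WEB = ["HTTP", "HTTPS", "Transparent HTTP"]


def network_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS:
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"


def protocol_of(transport, port):
    for name, definition in PROTOCOLS.items():
        if definition == (transport, port):
            return name
    return None


def rule(name, action, protocols, sources, destinations):
    return {"name": name, "action": action, "protocols": set(protocols),
            "sources": set(sources), "destinations": set(destinations)}


def evaluate(policy, src_ip, dst_ip, transport, port):
    """Walk the ordered policy top-down; the first rule whose protocol, source
    network and destination network all match decides. If nothing matches,
    the implicit last rule, "Default rule", denies the connection."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    proto = protocol_of(transport, port)
    if proto is not None:
        for r in policy:
            if proto in r["protocols"] and src in r["sources"] and dst in r["destinations"]:
                return r["action"], r["name"]
    return "Deny", "Default rule"


def backend_policy(perimeter_in_destinations):
    """The back-end box's web-access rule as the asker described it, with and
    without the fix (Perimeter added to the destination list)."""
    destinations = ["External", "Perimeter"] if perimeter_in_destinations else ["External"]
    return [rule("Web access", "Allow", WEB, ["Internal", "Local Host"], destinations)]


def backend_forwards_to_frontend(perimeter_in_destinations):
    # The back-end's own web proxy forwarding a request to the upstream
    # front-end on 8080: the source is the firewall itself (Local Host).
    return evaluate(backend_policy(perimeter_in_destinations),
                    "192.168.1.1", FRONTEND_DMZ_NIC, "tcp", 8080)


def internal_client_to_web(client_ip="10.0.0.50"):
    # A LAN client (assumed address) sending HTTP through the back-end to a
    # public address (assumed).
    return evaluate(backend_policy(True), client_ip, "203.0.113.10", "tcp", 80)


def deny_rule_listed_first():
    # Rule order matters: a deny placed above the allow shadows it.
    policy = [rule("Block web", "Deny", WEB, ["Internal"], ["External"])] + backend_policy(True)
    return evaluate(policy, "10.0.0.50", "203.0.113.10", "tcp", 80)


def undefined_port():
    # No protocol definition covers 3128, so only the Default rule can apply.
    return evaluate(backend_policy(True), "192.168.1.1", FRONTEND_DMZ_NIC, "tcp", 3128)


if __name__ == "__main__":
    print("BE -> FE:8080, destinations = External only   :", backend_forwards_to_frontend(False))
    print("BE -> FE:8080, Perimeter added to destinations:", backend_forwards_to_frontend(True))
    print("LAN client -> public web via BE               :", internal_client_to_web())
    print("same, but a Deny rule sits above the Allow    :", deny_rule_listed_first())
    print("BE -> FE:3128, no protocol definition         :", undefined_port())
```

The first two lines of output are the before and after of the fix reported in the thread: with only External in the destination list, the back-end's own proxy traffic to the front-end (Local Host to Perimeter) falls through to the Default rule; once Perimeter is a destination, the same connection matches the Web access rule.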
Excellent!

The client setup should be as easy as either changing their default gateway to point to the Internal NIC of the ISA server or, alternatively, configuring the browser to use the ISA server as a proxy: set the IP address (of the NIC on the Internal network) and port 8080.
Thank you very much.