ISA 2004 Web Proxy confusion
Posted on 2006-07-18
I have installed SBS2003 Premium which includes ISA Server 2004 at a number of sites.
I also recently installed a Blackberry Enterprise Server (BES) at one of these sites.
BES installs a web page that listens on port 8080. Naturally this interfered with my web proxy clients that were directed to use this port as well.
In debugging I changed the listening port on the BES application without success.
I was about to change the port on the ISA server when just goofing around I unchecked "use proxy server" on one of my web clients. To my great surprise this worked!
At all other sites I have to point the web client to the ISA box as a proxy server.
In trying to figure out what is going on I compared the ISA 2004 setup at two sites.
The network configuration for the internal network of both sites is set up to "Enable Web Proxy Clients" and to "Enable HTTP" with "HTTP port: 8080".
Firewall clients are not used at either site.
Both sites have an internet access rule as follows:
Name: SBS Internet Access Rule
Protocols: HTTP, HTTPS
From: All Protected Networks
The site that works without a proxy also has an additional rule that was set up by another administrator:
Name: All outbound
Protocols: All Outbound traffic
Other than that I can see no difference.
I am confused about the function of the additional rule. It would seem to imply that the internal network can use any protocol to any external address. In fact, this doesn't seem to be true. For instance, I have an external terminal server in my home office that listens on a non-standard port (10941). In order for me to RDP to this server from internal addresses at my client's site I needed to set up a protocol for this port and a firewall policy rule.
The sum of all this is I clearly don't understand firewall policies. Specifically,
1) If an All Outbound traffic rule such as described above is in place why is it necessary to have outbound access rules for specific protocols?
2) Why is it not necessary for the one site to use a proxy server? Does it have anything to do with the additional all outbound traffic rule?