ISA 2004 Web Proxy confusion

Posted on 2006-07-18
Last Modified: 2013-11-16
I have installed SBS2003 Premium which includes ISA Server 2004 at a number of sites.
I also recently installed a Blackberry Enterprise Server (BES) at one of these sites.
BES installs a web page that listens on port 8080. Naturally this interfered with my web proxy clients that were directed to use this port as well.
In debugging I changed the listening port on the BES application without success.
I was about to change the port on the ISA server when just goofing around I unchecked "use proxy server" on one of my web clients. To my great surprise this worked!
At all other sites I have to point the web client to the ISA box as a proxy server.

In trying to figure out what is going on I compared the ISA 2004 setup at two sites.

The network configuration for the internal network of both sites is set up to "Enable Web Proxy Clients" and to "Enable HTTP" with "HTTP port: 8080"

Firewall clients are not used at either site.

Both sites have an internet access rule as follows,
Name: SBS Internet Access Rule
Action: Allow
Protocols: HTTP, HTTPS
From: All Protected Networks
To: External

The site that works without a proxy also has an additional rule that was set up by another administrator
Name: All outbound
Action: Allow
Protocols: All Outbound traffic
From: Internal
To: External

Other than that I can see no difference.

I am confused about the function of the additional rule. It would seem to imply that the internal network can use any protocol to any external address. In fact, this doesn't seem to be true. For instance, I have an external terminal server in my home office that listens on a non-standard port (10941). In order for me to RDP to this server from internal addresses at my client's site I needed to set up a protocol for this port and a firewall policy rule.

The sum of all this is I clearly don't understand firewall policies. Specifically,

1) If an All Outbound traffic rule such as described above is in place why is it necessary to have outbound access rules for specific protocols?

2) Why is it not necessary for the one site to use a proxy server? Does it have anything to do with the additional all outbound traffic rule?

Question by:DaveChoiceTech
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17145429
1. All protocols means all protocols that ISA is aware of in its definition list. If a protocol is 'not known or unidentified', it does not get included in the all protocols category.
2. None of the sites need to have proxy enabled. You can instead use ordinary routing of standard port 80 traffic, for example. The web proxy port means that it will take the traffic into ISA on port 8080 and then forward it out of port 80 as it leaves ISA on the other side. Think of it like Network Address Translation (NAT); traffic comes in from the individual internal IP addresses but leaves ISA as the single external IP address for all users (assuming you are NAT'ting rather than routing).

Author Comment

ID: 17146440

I get what you're saying about 1.

With respect to 2., at the one site if I don't set IE to use the ISA server as a proxy server then they cannot browse. At the other site IE can be used without a proxy server. I still don't know why this is the case.

LVL 51

Accepted Solution

Keith Alabaster earned 500 total points
ID: 17146526

Are you also allowing port 80 traffic out of the firewall in addition to 8080?
Are you pointing the default gateway of the workstations to ISA's internal NIC at the other site (so it has a path to the ISA server without needing the reference to ISA in the proxy settings)?
Are you using the ISA firewall client at the other site?

Each of these scenarios would work towards the picture you describe.

Author Comment

ID: 17146840
Now we're getting somewhere!

I am not using firewall clients at either site (see original post) so that's not it.

I don't know enough about ISA to refute your second point however,
the default gateway at both sites is pointed to ISA's internal NIC. SBS2003 is a single server environment so the standard set up would be to use the single server as the default gateway. It would seem that simply having a path to the ISA server would in itself not be sufficient to allow internet access. This makes sense to me since I would expect ISA would filter outgoing access via the internal NIC. This would apply to any protocol not just HTTP. Isn't this right?

Your last point seems to be the most likely. I expect the rule
Name: All outbound
Action: Allow
Protocols: All Outbound traffic
From: Internal
To: External
would allow port 80 traffic out of the firewall.

If you have time please confirm my comments about the default gateway but in any case I'm awarding you the points with my thanks.

