

ISA 2004 Web Proxy confusion

Posted on 2006-07-18
Medium Priority
Last Modified: 2013-11-16
I have installed SBS2003 Premium which includes ISA Server 2004 at a number of sites.
I also recently installed a Blackberry Enterprise Server (BES) at one of these sites.
BES installs a web page that listens on port 8080. Naturally this interfered with my web proxy clients that were directed to use this port as well.
In debugging I changed the listening port on the BES application without success.
I was about to change the port on the ISA server when just goofing around I unchecked "use proxy server" on one of my web clients. To my great surprise this worked!
At all other sites I have to point the web client to the ISA box as a proxy server.

In trying to figure out what is going on I compared the ISA 2004 setup at two sites.

The network configuration for the internal network of both sites is set up to "Enable Web Proxy Clients" and to "Enable HTTP" with "HTTP port: 8080"

Firewall clients are not used at either site.

Both sites have an internet access rule as follows,
Name: SBS Internet Access Rule
Action: Allow
Protocols: HTTP, HTTPS
From: All Protected Networks
To: External

The site that works without a proxy also has an additional rule that was set up by another administrator
Name: All outbound
Action: Allow
Protocols: All Outbound traffic
From: Internal
To: External

Other than that I can see no difference.

I am confused about the function of the additional rule. It would seem to imply that the internal network can use any protocol to any external address. In fact, this doesn't seem to be true. For instance, I have an external terminal server in my home office that listens on a non-standard port (10941). In order for me to RDP to this server from internal addresses at my client's site I needed to set up a protocol for this port and a firewall policy rule.

The sum of all this is I clearly don't understand firewall policies. Specifically,

1) If an All Outbound traffic rule such as described above is in place why is it necessary to have outbound access rules for specific protocols?

2) Why is it not necessary for the one site to use a proxy server? Does it have anything to do with the additional all outbound traffic rule?

Question by:DaveChoiceTech
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17145429
1. All protocols means all protocols that ISA is aware of in its definition list. If a protocol is 'not known or unidentified', it does not get included in the all protocols category.
2. None of the sites need to have proxy enabled. You can instead use ordinary routing of standard port 80 traffic for example. The web proxy port means that it will take the traffic into ISA on port 8080 and then forward it out of port 80 as it leaves ISA on the other side. Think of it like Network address translation (NAT); traffic comes in from the individual internal ip addresses but leaves ISA as the single external IP address for all users (assuming you are nat'ting rather than routing).

Author Comment

ID: 17146440

I get what you're saying about 1.

With respect to 2. at the one site if I don't set IE to use the ISA server as a proxy server then they cannot browse. At the other site IE can be used without a proxy server. I still don't know why this is the case.

LVL 51

Accepted Solution

Keith Alabaster earned 2000 total points
ID: 17146526

Are you also allowing port 80 traffic out of the firewall in addition to 8080?
Are you pointing the default gateway of the work stations to ISA's internal NIC at the other site (so it has a path to the ISA server without needing the reference to ISA in the proxy settings)?
Are you using the ISA firewall client at the other site?

Each of these scenarios would work towards the picture you describe.

Author Comment

ID: 17146840
Now we're getting somewhere!

I am not using firewall clients at either site (see original post) so that's not it.

I don't know enough about ISA to refute your second point however,
the default gateway at both sites is pointed to ISA's internal NIC. SBS2003 is a single server environment so the standard set up would be to use the single server as the default gateway. It would seem that simply having a path to the ISA server would in itself not be sufficient to allow internet access. This makes sense to me since I would expect ISA would filter outgoing access via the internal NIC. This would apply to any protocol not just HTTP. Isn't this right?

Your last point seems to be the most likely. I expect the rule
Name: All outbound
Action: Allow
Protocols: All Outbound traffic
From: Internal
To: External
would allow port 80 traffic out of the firewall.

If you have time please confirm my comments about the default gateway but in any case I'm awarding you the points with my thanks.
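
Added example, not part of the original thread and not ISA's own code: a simplified Python model of the rule matching described in the first answer, where "All Outbound traffic" covers only protocols that have a definition, applied to the two rule sets and the TCP 10941 case from the question. The protocol table is a constructed subset, and the names `RDP-10941` and `RDP to home office` are hypothetical.

```python
from dataclasses import dataclass

ALL_OUTBOUND = "All Outbound traffic"
# Constructed subset of a protocol definition list: name -> (transport, port)
BUILT_IN = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "RDP": ("tcp", 3389)}

@dataclass(frozen=True)
class Rule:            # every rule modelled here is Allow, To: External
    name: str
    protocols: tuple   # protocol names, or (ALL_OUTBOUND,)
    source: str        # network name or "All Protected Networks"

def source_matches(rule_source, network):
    if rule_source == "All Protected Networks":
        return network != "External"
    return rule_source == network

def identify(definitions, transport, port):
    """Name of the defined protocol for this connection, or None if undefined."""
    return next((n for n, spec in definitions.items()
                 if spec == (transport, port)), None)

def evaluate(rules, definitions, network, transport, port):
    """Return (allowed, rule_name). Unmatched traffic hits the default deny."""
    proto = identify(definitions, transport, port)
    if proto is None:
        return (False, None)   # undefined protocol: even ALL_OUTBOUND does not match
    for rule in rules:
        if source_matches(rule.source, network) and (
                ALL_OUTBOUND in rule.protocols or proto in rule.protocols):
            return (True, rule.name)
    return (False, None)

def broad_rules(rules):
    """Audit helper: rules whose scope grows whenever a protocol is defined."""
    return [r.name for r in rules if ALL_OUTBOUND in r.protocols]

SBS_RULE = Rule("SBS Internet Access Rule", ("HTTP", "HTTPS"), "All Protected Networks")
ALL_OUT = Rule("All outbound", (ALL_OUTBOUND,), "Internal")
SITE_WITH_EXTRA_RULE = [SBS_RULE, ALL_OUT]
SITE_WITHOUT = [SBS_RULE]

# Hypothetical custom definition and rule for the poster's TCP 10941 case
CUSTOM = {**BUILT_IN, "RDP-10941": ("tcp", 10941)}
RDP_RULE = Rule("RDP to home office", ("RDP-10941",), "Internal")

if __name__ == "__main__":
    print(evaluate(SITE_WITH_EXTRA_RULE, BUILT_IN, "Internal", "tcp", 10941))
    print(evaluate(SITE_WITH_EXTRA_RULE, CUSTOM, "Internal", "tcp", 10941))
    print(evaluate(SITE_WITHOUT, CUSTOM, "Internal", "tcp", 10941))
    print(evaluate(SITE_WITHOUT + [RDP_RULE], CUSTOM, "Internal", "tcp", 10941))
    print(broad_rules(SITE_WITH_EXTRA_RULE))
```

In this model, the site with the "All outbound" rule starts passing TCP 10941 as soon as a definition for it exists, with no new rule, which is why `broad_rules` is worth running when reviewing a policy.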



Question has a verified solution.
