ISA 2004 Web Proxy confusion

Posted on 2006-07-18
Last Modified: 2013-11-16
I have installed SBS2003 Premium which includes ISA Server 2004 at a number of sites.
I also recently installed a Blackberry Enterprise Server (BES) at one of these sites.
BES installs a web page that listens on port 8080. Naturally this interfered with my web proxy clients that have were directed to use this port as well.
In debugging I changed the listening port on the BES application without success.
I was about to change the port on the ISA server when just goofing around I unchecked "use proxy server" on one of my web clients. To my great surprise this worked!
At all other sites I have to point the web client to the ISA box as a proxy server.

In trying figure out what is going on I compared the ISA 2004 setup at two sites.

The network configuration for the internal network of both sites is set up to "Enable Web Proxy Clients" and to "Enable HTTP" with "HTTP port: 8080"

Firewall clients are not used at either site.

Both sites have an internet access rule as follows,
Name: SBS Internet Access Rule
Action: Allow
Protocols: HTTP, HTTPS
From: All Protected Networks
To: External

The site that works without a proxy also has an additional rule that I was set up by another administrator
Name: All outbound
Action: Allow
Protocols: All Outbound traffic
From: Internal
To: External

Other than that I can see not difference.

I am confused about the function of the additional rule. It would seem to imply that the internal network can use any protocol to any external address. In fact, this doesn't seem to be true. For instance, I have an external terminal server in my home office that listens on a non-standard port (10941). In order for me to RDP to this server from internal addresses at my client's site I needed to set up a protocol for this port and a firewall policy rule.

The sum of all this is I clearly don't understand firewall policies. Specifically,

1) If an All Outbound traffic rule such as described above is in place why is it necessary to have outbound access rules for specific protocols?

2) Why is not necessary for the one site to use a proxy server? Does have anything to do with the additional all outbound traffic rule?

Question by:DaveChoiceTech
  • 2
  • 2
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17145429
1. All protocols means all protocols that ISA is aware of in its defintion list. If a protocol is 'not known or unidentified', it does not get included in the all protocols category.
2. None of the sites need to have proxy enabled. You can instead use ordinary routing of standard port 80 traffic fro example. The web proxy port means that it will take the traffic into ISA on port 8080 and then forward it out of port 80 as it leaves ISA on the other side. Think of it like Network address translation (NAT); traffic comes in from the individual internal ip addresses but leaves ISA as the single external IP address for all users (assuming you are nat'ting rather than routing).

Author Comment

ID: 17146440

I get what your saying about 1.

With respect to 2. at the one site if I don't set IE to use the ISA server as a proxy server then the cannot browse.  At the other site IE can be used without a proxy server. I still don't know why this is the case.

LVL 51

Accepted Solution

Keith Alabaster earned 500 total points
ID: 17146526

Are you also allowing port 80 traffic out of the firewall in addition to 8080?
Are you pointing the default gateway of the work stations to ISA's internal NIC at the other site (so it has a path to the ISA server without needing the reference to ISA in the proxy settings?
Are you using the ISA firewall client at the other site?

Each of these scenario's would work towards the picture you describe.

Author Comment

ID: 17146840
Now we're getting somewhere!

I am not using firewall clients at either site (see original post) so that's not it.

I don't know enough about ISA to refute your second point however,
the default gateway at both sites is pointed to ISA's  internal NIC. SBS2003 is a single server environment so the standard set up would be to use the single server as the default gateway. Ot would seem that simply having a path to the ISA server would in itself not be sufficient to allow internet access. This makes sense to me since I would expect ISA would filter outgoing access via the internal NIC. This would apply to any protocol not just HTTP. Isn't this right?

Your last point seems to be the most likely. I expect the rule
Name: All outbound
Action: Allow
Protocols: All Outbound traffic
From: Internal
To: External
would allow port 80 traffic out of the firewall.

If you have time please confirm my comments about the default gateway but in any case I'm awarding you the points with my thanks.


Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This video discusses moving either the default database or any database to a new volume.
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now