Solved

ISA 2000 Config Help!!

Posted on 2006-11-04
Last Modified: 2012-06-21
I am running ISA 2000 on SBS 2003 and have just made some network changes, going from a one network card to a two network card configuration.  This seems to be working just fine as I can access the internet from the server, however I cannot get any external websites from the client workstation.  The client workstation is getting to the intranet just fine.  

For a little while the client was getting this message:
   403 Forbidden - The ISA Server denies the Uniform Resource Locator (URL). (12202)

I have been all over the web and here looking for something on this but with no luck finding a working solution.

I have run the 'Connect to the Internet' wizard several times looking for a way to get it right with and without the Firewall configuration.
Question by:darrell667
15 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17875201
Can you please post a complete IPCONFIG /ALL from the server as well as a workstation?  That'll help in diagnosing this.

Jeff
TechSoEasy
0
 

Author Comment

by:darrell667
ID: 17875216
Okay the Workstation:
IP: 10.4.17.30
SM: 255.255.255.0
DG: 10.4.17.20
DNS: 10.4.17.20
WINS: 10.4.17.20

Servers Internal NIC:
IP: 10.4.17.20
SM: 255.255.255.0
DG: blank
DNS: 10.4.17.20
WINS: 10.4.17.20

Servers External NIC:
IP: 10.41.7.10
SM: 255.255.255.0
DG: 10.41.7.1  (Router)
DNS: 10.4.17.20
NetBIOS over TCPIP Disabled
0
 
LVL 6

Assisted Solution

by:manicsquirrel
manicsquirrel earned 250 total points
ID: 17875241
On the server: In the Network Connections control panel applet, click on the Advanced menu, then Advanced Settings.  In the dialog box that displays, is the Internal NIC listed above the External NIC?

I don't have a copy of ISA 2000 installed so I can only go off what I know based on ISA 2004 which I've heard is way different.  So, my questions about your configuration may not apply.  I also don't know about the monitoring capabilities of ISA 2000.  With that in mind, can you monitor one workstation's connection while you try to access an external web site and post the monitoring log here?
0
 

Author Comment

by:darrell667
ID: 17875255
I have checked this as well and made the modifications, moving the Internal up to the top and the External second.  I am very green when it comes to ISA (in any version).

If I decline the Firewall option in the 'Connect to the Internet' does this shut down the ISA Server, or is there a way I can bypass it altogether?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17875272
Those aren't really COMPLETE IPCONFIGs... it really would be helpful to see the entire thing... if you don't mind.  

Just in case you aren't aware how to do this, open a command prompt and enter IPCONFIG /ALL.  Then, right click on the title bar of that window to access edit > select all, then hit the ENTER key to copy.  You can paste to notepad and edit if you like...

While there is nothing in an IPCONFIG /ALL that would compromise the security of your network (this is the most often requested output in any support forum), there may be items which would provide your identity and therefore compromise your privacy if that is of concern.

Therefore, if you feel that it's necessary, you can modify the domain name, but please only modify anything that is identifiable to something generic.  Such as changing TechSoEasy.local to MyCompany.local.  If you have any public IP addresses, please just replace the last two octets with ***.***, and some people do not like to have the MAC (Physical) address shown... if you like, just modify the last few sections of these to **-**-**.

Jeff
TechSoEasy
0
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 17875291
In SBS Premium with ISA 2004, the CEICW will add a set of default rules IF ISA is installed and running.  However, I do not know if it does this when ISA 2000 is running.  
0
 

Author Comment

by:darrell667
ID: 17875295
Sorry Jeff, here they are.

Workstation:
Host Name: mycomputer
Primary DNS Suffix: chuk.local
Node Type: Hybrid
IP Routing Enabled: No
Wins Proxy Enabled: No
DNS Suffix Search List: chuk.local

Connection-specific DNS Suffix: blank
Description: Broadcom NetXtreme
Physical Address: xx-xx-xx-xx-xx-xx
DHCP Enabled: No
IP Address: 10.4.17.30
Subnet Mask: 255.255.255.0
Default Gateway: 10.4.17.20
DNS Server: 10.4.17.20
Primary WINS: 10.4.17.20

Server
Windows IP configuration
Host Name: server
Primary DNS Suffix: chuk.local
Node Type: Unknown
IP Routing Enabled: Yes
WINS Proxy Enabled: Yes
DNS Suffix Search List: chuk.local

Internal NIC:
Connection-specific DNS Suffix: chuk.local
Description: Intel PRO/1000 MT Adapter
Physical Address: xx-xx-xx-xx-xx-xx
DHCP Enabled: No
IP Address: 10.4.17.20
Subnet Mask: 255.255.255.0
Default Gateway:  (blank)
DNS Servers: 10.4.17.20
Primary WINS Server: 10.4.17.20

External NIC:
Connection-specific DNS Suffix:
Description: Intel PRO/1000 MT Adapter #2
Physical Address: xx-xx-xx-xx-xx-xx
DHCP Enabled: No
IP Address: 10.41.7.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.41.7.1
DNS Servers: 10.4.17.20
NetBIOS over Tcpip: Disabled
0
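The addressing posted above can be checked mechanically. The following is an added example, not part of the original post: it applies the usual two-NIC rules (default gateway only on the external NIC, DNS on every adapter pointing at the server's internal address, non-overlapping subnets), which are assumptions of this example rather than statements from the thread; the dictionary layout and function names are constructed here.

```python
import ipaddress

# Values as posted in the thread; the data layout is constructed for this example.
SERVER_NICS = {
    "internal": {"ip": "10.4.17.20", "mask": "255.255.255.0",
                 "gw": None, "dns": ["10.4.17.20"]},
    "external": {"ip": "10.41.7.10", "mask": "255.255.255.0",
                 "gw": "10.41.7.1", "dns": ["10.4.17.20"]},
}
CLIENT = {"ip": "10.4.17.30", "mask": "255.255.255.0",
          "gw": "10.4.17.20", "dns": ["10.4.17.20"]}

def net(nic):
    """Return the subnet an adapter sits on, from its IP and dotted mask."""
    return ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}").network

def check_server(nics):
    """List deviations from the assumed two-NIC rules on the server."""
    findings = []
    inside, outside = nics["internal"], nics["external"]
    if inside["gw"]:
        findings.append("internal NIC has a default gateway")
    if not outside["gw"]:
        findings.append("external NIC has no default gateway")
    elif ipaddress.ip_address(outside["gw"]) not in net(outside):
        findings.append("external gateway is outside the external subnet")
    # 10.4.17.x and 10.41.7.x are easy to transpose; catch a real overlap.
    if net(inside).overlaps(net(outside)):
        findings.append("internal and external subnets overlap")
    for name, nic in nics.items():
        if nic["dns"] != [inside["ip"]]:
            findings.append(f"{name} NIC DNS is not only the internal IP")
    return findings

def check_client(client, nics):
    """List deviations for a statically configured workstation."""
    findings = []
    inside = nics["internal"]
    if ipaddress.ip_address(client["ip"]) not in net(inside):
        findings.append("client is not on the internal subnet")
    if client["gw"] != inside["ip"]:
        findings.append("client gateway is not the server's internal IP")
    if inside["ip"] not in client["dns"]:
        findings.append("client DNS does not include the server")
    return findings

if __name__ == "__main__":
    for line in check_server(SERVER_NICS) + check_client(CLIENT, SERVER_NICS):
        print("FINDING:", line)
```

Both checks return no findings for the values posted in this comment; the transposed-octet case (an external address typed as 10.4.17.x) is reported as an overlap and a gateway outside the subnet.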

 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17875303
You need to have the workstations using DHCP, because otherwise they are not getting the correct settings.  Because they are not using DHCP, I would also suspect that you didn't connect them to the SBS Network in the way that is required for everything to work properly, using http://<servername>/connectcomputer

To correct this, please follow these steps:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

Once that's done you may want to rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email) as well.

A visual how-to is here:  http://sbsurl.com/ceicw and a full networking overview for SBS is at http://sbsurl.com/msicw

Within that wizard you'll see a "more information" button on each screen that has invaluable help in deciding which options to select.  
Be sure to check those out too.

Jeff
TechSoEasy
0
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 17875308
In addition to Jeff's suggestion, if you are not using DHCP then you will have to manually configure all the workstations' internet aware programs with a web proxy for ISA 2000.  You will also have to manually configure the ISA Firewall Client.

When you set up ISA, you should configure option 252 to your DHCP scope to automatically provide network clients with the ISA's web proxy information.  A similar process also needs to be performed in your DNS server.  If you have done neither of these your clients can have trouble accessing internet resources.  If you need instructions on this I can provide them for you.

0
 

Author Comment

by:darrell667
ID: 17875327
I have 45 workstations and they have all been on the network for over a year with SBS, they were connected using the above mentioned process and are all configured for DHCP.  All of these problems came about when I changed from a One NIC configuration to a Two NIC configuration and ran the CEICW to get the right settings for the router.

The only reason the workstation NIC above was set not to use DHCP was all the troubleshooting I have been doing.

Jeff, so what you're telling me is that because I have rerun the CEICW I have to go rejoin all the workstations to the network?  If that is the case that was a really bad move on my part to rerun it, but worse on the part of MS to force such a thing.

manicsquirrel, I would be interested in the instructions for the ISA configs.

You guys have been a great help, please don't take this the wrong way, I am sure you know how it is when you work the long hours and it just don't make sense anymore.
0
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 17875419
I'll get those to you in the morning...
0
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 17876318
I've read over these instructions and they are pretty thorough.  Be sure you read EVERYTHING.  There are little things that are mentioned that you might miss like the wpad path needing to be all lower case.

http://www.microsoft.com/technet/isa/2004/plan/automaticdiscovery.mspx

Here's why I touched on this.  ISA 2000 is a different animal.  I'm not familiar with the LAT table approach that it uses.  But, you stated that you sometimes get a 403 error.  This would indicate that the web proxy is not passing credentials from the client to the ISA server.  Is that because the client cannot always detect the ISA server?  Maybe the above procedure will help.

It still would be very helpful for you to open the Network Monitor in ISA 2000 and watch traffic for a client computer as it tries to access the internet because it will be explicit on why it is being denied.

Jeff:  this really may need to be moved to the ISA TA.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17876822
Well, there is no ISA TA... but a pointer question over in http://www.experts-exchange.com/Security/Firewalls/ might be a good idea...

darrell,

You would not have to rejoin the workstations if they were using DHCP... since you posted the one that wasn't configured that way, I had assumed that was typical.  With DHCP enabled, the workstations should have no problem picking up the change.

But all of this SHOULD be handled by the CEICW.  Since you say it hasn't, then we have to look at making sure that the new NIC is doing things right.   Your IP schema is kinda strange... I wonder how you came up with using a 10.x.x.x subnet?  It should work fine, but it's just difficult to easily troubleshoot because I have to look at each IP two or three times to be sure they're right.  :-)

So, I'll assume you added the external NIC and the new IP Subnet is the 10.41.7.0 one?  Therefore the server has always been 10.4.17.20?

Please run the Change Server IP Address Wizard (found in the Internet & Email section of the SMC).  Just run it for the current IP of 10.4.17.20.  This will make sure that the IP is set correctly in ALL appropriate places (DNS, DHCP, IIS, RRAS, Exchange and ISA).  Follow this again with the CEICW.  If you get any errors on the CEICW please advise.  Also, do not skip any sections with "Do Not Change" because you need to make sure that EVERYTHING is set correctly, including creating a new SSL certificate which will work on both IP addresses of the SBS (10.4.17.20 and 10.41.7.10).

If this still does not work for you, I'd ask that you please post the most recent IcwdetailsXX.htm (where XX is the highest incremental number) from:
C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW

Jeff
TechSoEasy

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17876834
One other thought... do your workstations have the ISA client installed?  If so, I'd check to see if uninstalling on one workstation will clear this up for you.

Jeff
TechSoEasy
0
 

Author Comment

by:darrell667
ID: 17877065
Well, I wish I knew the exact setting for sure that did it, but I was going through the ISA settings and lo and behold, somewhere in there I was able to get the right combination and everything seems to be working just fine.  This is where I thought the issue was but as stated I am very green on ISA altogether.

Again I would like to express my thanks to both of you for the assistance over this weekend.  If I get it right both of you should be getting points for your help in this one.
0
