darrell667

ISA 2000 Config Help!!

I am running ISA 2000 on SBS 2003 and have just made some network changes, going from a one network card to a two network card configuration.  This seems to be working just fine as I can access the internet from the server, however I can not get any external websites from the client workstation.  The client workstation is getting to the intranet just fine.  

For a little while the client was getting this message:
   403 Forbidden - The ISA Server denies the Uniform Resource Locator (URL). (12202)

I have been all over the web and here looking for something on this but with no luck finding a working solution.

I have run the 'Connect to the Internet' wizard several times looking for a way to get it right with and without the Firewall configuration.
Jeffrey Kane - TechSoEasy

Can you please post a complete IPCONFIG /ALL from the server as well as a workstation?  That'll help in diagnosing this.

Jeff
TechSoEasy
darrell667

ASKER

Okay the Workstation:
IP: 10.4.17.30
SM: 255.255.255.0
DG: 10.4.17.20
DNS: 10.4.17.20
WINS: 10.4.17.20

Servers Internal NIC:
IP: 10.4.17.20
SM: 255.255.255.0
DG: blank
DNS: 10.4.17.20
WINS: 10.4.17.20

Servers External NIC:
IP: 10.41.7.10
SM: 255.255.255.0
DG: 10.41.7.1  (Router)
DNS: 10.4.17.20
NetBIOS over TCPIP Disabled
SOLUTION
manicsquirrel

This solution is only available to members.
I have checked this as well and made the modifications, moving the Internal up to the top and the External second.  I am very green when it comes to ISA (in any version).

If I decline the Firewall option in the 'Connect to the Internet' does this shut down the ISA Server, or is there a way I can bypass it altogether?
Those aren't really COMPLETE IPCONFIGs... it really would be helpful to see the entire thing... if you don't mind.  

Just in case you aren't aware how to do this, open a command prompt and enter IPCONFIG /ALL.  Then, right click on the title bar of that window to access edit > select all, then hit the ENTER key to copy.  You can paste to notepad and edit if you like...

While there is nothing in an IPCONFIG /ALL that would compromise the security of your network (this is the most often requested output in any support forum), there may be items which would provide your identity and therefore compromise your privacy if that is of concern.

Therefore, if you feel that it's necessary, you can modify the domain name, but please only modify anything that is identifiable to something generic.  Such as changing TechSoEasy.local to MyCompany.local.  If you have any public IP addresses, please just replace the last two octets with ***.***, and some people do not like to have the MAC (Physical) address shown... if you like, just modify the last few sections of these to **-**-**.

Jeff
TechSoEasy
In SBS Premium with ISA 2004, the CEICW will add a set of default rules IF ISA is installed and running.  However, I do not know if it does this when ISA 2000 is running.  
Sorry Jeff, here they are.

Workstation:
Host Name: mycomputer
Primary DNS Suffix: chuk.local
Node Type: Hybrid
IP Routing Enabled: No
Wins Proxy Enabled: No
DNS Suffix Search List: chuk.local

Connection-specific DNS Suffix: blank
Description: Broadcom NetXtreme
Physical Address: xx-xx-xx-xx-xx-xx
DHCP Enabled: No
IP Address: 10.4.17.30
Subnet Mask: 255.255.255.0
Default Gateway: 10.4.17.20
DNS Server: 10.4.17.20
Primary WINS: 10.4.17.20

Server
Windows IP configuration
Host Name: server
Primary DNS Suffix: chuk.local
Node Type: Unknown
IP Routing Enabled: Yes
WINS Proxy Enabled: Yes
DNS Suffix Search List: chuk.local

Internal NIC:
Connection-specific DNS Suffix: chuk.local
Description: Intel PRO/1000 MT Adapter
Physical Address: xx-xx-xx-xx-xx-xx
DHCP Enabled: No
IP Address: 10.4.17.20
Subnet Mask: 255.255.255.0
Default Gateway:  (blank)
DNS Servers: 10.4.17.20
Primary WINS Server: 10.4.17.20

External NIC:
Connection-specific DNS Suffix:
Description: Intel PRO/1000 MT Adapter #2
Physical Address: xx-xx-xx-xx-xx-xx
DHCP Enabled: No
IP Address: 10.41.7.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.41.7.1
DNS Servers: 10.4.17.20
NetBIOS over Tcpip: Disabled
You need to have the workstations using DHCP, because otherwise they are not getting the correct settings.  Because they are not using DHCP, I would also suspect that you didn't connect them to the SBS Network in the way that is required for everything to work properly, using http://<servername>/connectcomputer

To correct this, please follow these steps:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

Once that's done you may want to rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email) as well.

A visual how-to is here:  http://sbsurl.com/ceicw and a full networking overview for SBS is at http://sbsurl.com/msicw

Within that wizard you'll see a "more information" button on each screen that has invaluable help in deciding which options to select.  
Be sure to check those out too.

Jeff
TechSoEasy
In addition to Jeff's suggestion, if you are not using DHCP then you will have to manually configure all the workstations' internet aware programs with a web proxy for ISA 2000.  You will also have to manually configure the ISA Firewall Client.

When you set up ISA, you should configure option 252 to your DHCP scope to automatically provide network clients with the ISA's web proxy information.  A similar process also needs to be performed in your DNS server.  If you have done neither of these your clients can have trouble accessing internet resources.  If you need instructions on this I can provide them for you.

I have 45 workstations and they have all been on the network for over a year with SBS, they were connected using the above mentioned process and are all configured for DHCP.  All of these problems came about when I changed from a One NIC configuration to a Two NIC configuration and ran the CEICW to get the right settings for the router.

The only reason the workstation NIC above was set not to use DHCP was all the troubleshooting I have been doing.

Jeff, so what you're telling me is that because I have rerun the CEICW I have to go rejoin all the workstations to the network?  If that is the case that was a really bad move on my part to rerun it, but worse on the part of MS to force such a thing.

manicsquirrel, I would be interested in the instructions for the ISA configs.

You guys have been a great help, please don't take this the wrong way, I am sure you know how it is when you work the long hours and it just don't make sense anymore.
I'll get those to you in the morning...
I've read over these instructions and they are pretty thorough.  Be sure you read EVERYTHING.  There are little things that are mentioned that you might miss like the wpad path needing to be all lower case.

http://www.microsoft.com/technet/isa/2004/plan/automaticdiscovery.mspx

Here's why I touched on this.  ISA 2000 is a different animal.  I'm not familiar with the LAT table approach that it uses.  But, you stated that you sometimes get a 403 error.  This would indicate that the web proxy is not passing credentials from the client to the ISA server.  Is that because the client cannot always detect the ISA server?  Maybe the above procedure will help.

It still would be very helpful for you to open the Network Monitor in ISA 2000 and watch traffic for a client computer as it tries to access the internet because it will be explicit on why it is being denied.

Jeff:  this really may need to be moved to the ISA TA.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
One other thought... do your workstations have the ISA client installed?  If so, I'd check to see if uninstalling on one workstation will clear this up for you.

Jeff
TechSoEasy
Well, I wish I knew the exact setting for sure that did it, but I was going through the ISA settings and lo and behold, somewhere in there I was able to get the right combination and everything seems to be working just fine.  This is where I thought the issue was but as stated I am very green on ISA altogether.

Again I would like to express my thanks to both of you for the assistance over this weekend.  If I get it right both of you should be getting points for your help in this one.