I made a mistake by going with ISA 2006 - port 80 Denied Connection

Posted on 2007-08-08
Last Modified: 2013-11-05
I have committed to ISA2006 and have had one problem after another.  I am asking about two policies, the first is my Internet Access policy.  To me it looks like it should allow me to open a web page, but it is not triggered and I get a Denied Connection from the next policy Default rule.  The Internet Access policy reads:

Order  Name             Action  Protocols             From/Listener  To        Condition
14     Internet Access  Allow   All Outbound Traffic  Internal,      External  All Users
                                                      Local Host
The Logging screen shows:

Log Time     Dest IP  Dest Port  Protocol  Action             Rule          Client IP    Client Username  Source    Dest
8/8/07 5:57           80         HTTP                                       192.168.1.x                   External  External
8/8/07 5:58           80         HTTP      Denied Connection  Default rule  192.168.1.x                   External  External

The second is my DNS policy (Allow DNS).  The action says Initiated Connection, but my nslookup times out.  The policy reads:

Order  Name             Action  Protocols             From/Listener  To        Condition
14     Internet Access  Allow   All Outbound Traffic  Internal,      External  All Users
                                                      Local Host
The Logging screen shows:

Log Time     Dest IP  Dest Port  Protocol  Action                Rule       Client IP    Client Username  Source    Dest
8/8/07 6:55           53         DNS       Initiated Connection  Allow DNS  192.168.1.y                   External  External
8/8/07 6:55           53         DNS       Initiated Connection  Allow DNS  192.168.1.y                   External  External

As I write this I see that for the DNS policy the Source and Destination Networks are both External.  Is that a fundamental problem?  Why would it be saying External/External?
Any other ideas?  Thanks.

Question by:danorme

    Accepted Solution

    I doubt you have made a mistake going with ISA Server as it is the best firewall/proxy server available. The mistake you may have made is in thinking it is just a stick the cd in the drive and away you go. ISA is a specialist product.

    You have not identified whether you are running ISA as a firewall/proxy or just proxy?
    You do not state either what the overall aims are of the configuration?

    Assuming it is a firewall as well, then I would expect to see the following types of rule as a starting point:

    An outbound rule to allow the 'normal' types of traffic to the internet:
    1. allow smtp, dns from internal to external
    2. allow http, https, ftp from internal to external
    3. Allow http, https from local host to external
    4. allow all outbound protocols from internal & local host TO internal & local host
    .. Your publishing rules to allow inbound access to mail servers, web servers, remote desktop etc etc
    10. default rule deny everything
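
The rule list above, run through a simplified first-match evaluator; this is an added example, not code from the answer or from ISA Server. It models one configuration that would log Source External for a 192.168.1.x client (an Internal network whose address range does not contain the client); the thread does not establish that this was the actual cause. The network ranges, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Rule set modelled on the answer's starting point: (name, protocols, from, to).
# protocols=None means "all outbound protocols".
RULES = [
    ("1 mail/dns", {"smtp", "dns"}, {"Internal"}, {"External"}),
    ("2 web/ftp", {"http", "https", "ftp"}, {"Internal"}, {"External"}),
    ("3 local host web", {"http", "https"}, {"Local Host"}, {"External"}),
    ("4 internal any", None, {"Internal", "Local Host"}, {"Internal", "Local Host"}),
]

def classify(ip, networks):
    """Return the first network whose ranges contain ip; anything else is External."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in networks.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "External"

def evaluate(src_ip, dst_ip, protocol, networks):
    """First matching rule wins; no match falls through to the default deny."""
    src, dst = classify(src_ip, networks), classify(dst_ip, networks)
    for name, protocols, frm, to in RULES:
        if (protocols is None or protocol in protocols) and src in frm and dst in to:
            return ("Allow", name, src, dst)
    return ("Deny", "Default rule", src, dst)

# Constructed network definitions (hypothetical addresses, not from the thread).
MISDEFINED = {"Local Host": ["192.168.1.1/32"], "Internal": ["10.0.0.0/24"]}
CORRECTED = {"Local Host": ["192.168.1.1/32"], "Internal": ["192.168.1.0/24"]}

if __name__ == "__main__":
    for label, nets in (("misdefined", MISDEFINED), ("corrected", CORRECTED)):
        print(label, evaluate("192.168.1.50", "203.0.113.10", "http", nets))
```

With the misdefined range the client is classified External, no From condition matches, and the request lands on the default rule, which is the pattern in the question's HTTP log.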

    Author Comment

    Thanks.  I reinstalled the OS and ISA and used your policies as a starting point.  Works good now.

    Expert Comment

    by:Keith Alabaster
    Thank you :)
