ISA - Connection Denied

Posted on 2007-10-15
Last Modified: 2010-04-21

ISA 2006 was working fine in test. Clients on the test network had IP addresses on the same subnet as ISA and had ISA as their Default Gateway.

The real network, however, is made up of VLANs that connect to a central switch; the switch will then route all to the ISA box. So none of the clients have ISA as the DG.

Any machine which attempts to connect to internet can't and a "connection is denied" appears on the ISA log.

All these internal networks are added to the list of allowed networks in ISA. There are no rules on the firewall (any.any).

Any ideas?
Question by:58872
    LVL 51

    Accepted Solution

    As long as the clients get to the ISA server (and get responses) using normal routing then that is cool. Else, you will need to use the ISA firewall client.

    Open the ISA GUI, select Configuration - Networks - Internal - Properties - Addresses.
    Are ALL the internal IP addresses listed here, including network IDs and broadcast addresses?

    On the outbound HTTP rule from internal to external, what authentication is being applied? Are you using All Users? Authenticated Users? An AD group or something?

    What do you mean there are no rules on the firewall?


    LVL 51

    Expert Comment

    by:Keith Alabaster
    PS dumb question, but I assume you have set the proxy server settings in the clients' browsers?

    Author Comment

    As far as authentication goes, we allow Anonymous for the time being.

    Clients cannot ping the ISA box, but ICMP is disabled. We know that ISA works when the clients are plugged into the VLAN that the ISA box is on, although they can't actually ping the ISA.

    The error message is "error number connection denied 0xc0040014fwx_e_fwe_spoofing_packet_dropped", so I am guessing some policy on the ISA box doesn't like all the IP addresses outside its VLAN, although they are all listed in the internal network settings.

    The rule on the firewall is allow any protocol from internal to external...all users

    Maybe it's this spoof detection thing, may give it a go.

    Maybe it's something with the VLAN gateways that the ISA doesn't like?

    Appreciate it.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Give the Best Practice Analyser a go - let's just check the basics first

    Author Comment

    Well, found out that the issue was that the ISA could not see the clients from its interface, which was causing the packets to be dropped. A persistent route was put on the ISA routing table to the router.

    But now the clients can connect to the internet with or without adding the proxy settings to their browser. If the firewall rules are disabled though, no one can get out either; must be something in the rules.

    What rule would I need to put in to ensure all HTTP traffic must go through the proxy? Thanks
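Added example, not part of the original thread: a simplified model of the reverse-path check behind the spoofing drop described above, showing why a client can be listed in the Internal network and still be dropped until the firewall's routing table reaches its subnet through the internal interface. The addresses, interface names and the `classify`/`report` helpers are constructed for illustration and are an assumption about the check's logic, not ISA Server's own code.

```python
import ipaddress

def best_route(routes, ip):
    """Longest-prefix match over (network, interface) pairs, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(n), ifc) for n, ifc in routes
               if addr in ipaddress.ip_network(n)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def classify(routes, internal_ranges, ip, arrived_on="internal"):
    """Model of the decision for a packet from `ip` seen on `arrived_on`."""
    addr = ipaddress.ip_address(ip)
    # Step 1: is the source listed in the Internal network address set?
    if not any(addr in ipaddress.ip_network(r) for r in internal_ranges):
        return "not-in-internal-network"
    # Step 2: does the routing table reach the source via the same adapter?
    route = best_route(routes, ip)
    if route is None or route[1] != arrived_on:
        return "spoof-drop"
    return "accept"

# Constructed sample data: firewall NIC on 10.0.0.0/24, two routed VLANs.
INTERNAL_RANGES = ["10.0.0.0/24", "10.0.10.0/24", "10.0.20.0/24"]
# Before the fix: only the connected subnet and the default route exist.
ROUTES_BEFORE = [("10.0.0.0/24", "internal"), ("0.0.0.0/0", "external")]
# After the fix: a persistent route for one VLAN via the internal router.
ROUTES_AFTER = ROUTES_BEFORE + [("10.0.10.0/24", "internal")]

def report(routes, clients):
    """Map each client IP to its verdict under the given routing table."""
    return {ip: classify(routes, INTERNAL_RANGES, ip) for ip in clients}

if __name__ == "__main__":
    clients = ["10.0.0.15", "10.0.10.25", "10.0.20.7"]
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, report(routes, clients))
```

Every range in the Internal network definition needs a matching route through the internal adapter; in this model the second VLAN is still dropped because only one route was added.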

    Author Closing Comment

    Thanks for the help.
