58872


ISA - Connection Denied

Hello,

ISA 2006 was working fine in test. Clients on the test network had IP addresses on the same subnet as ISA and had ISA as their Default Gateway.

The real network, however, is made up of VLANs that connect to a central switch; the switch will then route all to the ISA box. So none of the clients have ISA as the DG.

Any machine which attempts to connect to the internet can't, and a "connection is denied" appears on the ISA log.

All these internal networks are added to the list of allowed networks in ISA. There are no rules on the firewall (any.any).

Any ideas?
ASKER CERTIFIED SOLUTION
Keith Alabaster
PS: dumb question, but I assume you have set the proxy server settings in the clients' browsers?
58872

ASKER

As far as authentication goes, we allow Anonymous for the time being.

Clients cannot ping the ISA box, but ICMP is disabled. We know that ISA works when the clients are plugged into the VLAN that the ISA box is on, although they can't actually ping the ISA.

The error message is "error number connection denied 0xc0040014fwx_e_fwe_spoofing_packet_dropped", so I am guessing some policy on the ISA box doesn't like all the IP addresses outside its VLAN, although they are all listed in the internal network settings.

The rule on the firewall is allow any protocol from internal to external...all users

Maybe it's this spoof detection thing, http://support.microsoft.com/kb/838114; may give it a go.

Maybe it's something with the VLAN gateways that the ISA doesn't like?

Appreciate it.
58872

ASKER

Well, found out that the issue was that the ISA could not see the clients from its interface, which was causing the packets to be dropped. A persistent route was put on the ISA routing table to the router.

But now the clients can connect to the internet with or without adding the proxy settings to their browser. If the firewall rules are disabled, though, no one can get out either way...so it must be something in the rules.

What rule would I need to put in to ensure all HTTP traffic must go through the proxy? Thanks
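A simplified model of the reverse-path check behind the spoofing drop described in this thread, added here as an illustration (it is not code from the thread or from ISA Server itself). The subnets, interface names and function names are constructed assumptions; the point is that listing a VLAN in the Internal network ranges is not enough if the routing table reaches that VLAN through a different interface.

```python
import ipaddress

# Constructed topology (assumption): ISA internal NIC on 10.0.1.0/24,
# client VLAN 10.0.20.0/24 behind a routing switch, default route external.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.20.0/24")]

ROUTES_BEFORE = [
    (ipaddress.ip_network("10.0.1.0/24"), "internal"),  # directly connected
    (ipaddress.ip_network("0.0.0.0/0"), "external"),    # default gateway
]
# After the fix: a persistent route to the client VLAN via the internal NIC.
ROUTES_AFTER = ROUTES_BEFORE + [(ipaddress.ip_network("10.0.20.0/24"), "internal")]


def route_interface(routes, src):
    """Longest-prefix match: interface the host would use to reach src."""
    matches = [(net, iface) for net, iface in routes if src in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def check_packet(routes, src_ip, arrival_iface):
    """Return 'allowed' or the reason a packet is treated as spoofed."""
    src = ipaddress.ip_address(src_ip)
    if arrival_iface == "internal" and not any(src in n for n in INTERNAL_RANGES):
        return "dropped: source outside the Internal network ranges"
    if route_interface(routes, src) != arrival_iface:
        return "dropped: route to source uses a different interface"
    return "allowed"


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for ip in ("10.0.1.50", "10.0.20.15"):
            print(label, ip, check_packet(routes, ip, "internal"))
```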
58872

ASKER

Thanks for the help.