• Status: Solved
  • Priority: Medium
  • Security: Public

ISA - Connection Denied

Hello,

ISA 2006 was working fine in test. Clients on the test network had IP addresses on the same subnet as ISA and had ISA as their default gateway.

The real network, however, is made up of VLANs that connect to a central switch; the switch will then route all to the ISA box. So none of the clients have ISA as the DG.

Any machine which attempts to connect to internet can't and a "connection is denied" appears on the ISA log.

All these internal networks are added to the list of allowed networks in ISA. There are no rules on the firewall (any.any).

Any ideas?
0
Asked: 58872
1 Solution
 
Keith Alabaster Commented:
As long as the clients get to the ISA server (and get responses) using normal routing then that is cool. Else, you will need to use the ISA firewall client.

Open the ISA GUI, select Configuration - Networks - Internal - Properties - Addresses.
Are ALL the internal IP addresses listed here, including network IDs and broadcast addresses?

On the outbound HTTP rule from internal to external, what authentication is being applied? Are you using All Users? Authenticated Users? AD group or something?

What do you mean there are no rules on the firewall?

Keith


0
 
Keith Alabaster Commented:
PS dumb question, but I assume you have set the proxy server settings in the clients' browsers?
0
 
58872 Author Commented:
As far as authentication goes, we allow Anonymous for the time being.

Clients cannot ping the ISA box, but ICMP is disabled. We know that ISA works when the clients are plugged into the VLAN that the ISA box is on, although they can't actually ping the ISA.

The error message is "error number connection denied 0xc0040014 fwx_e_fwe_spoofing_packet_dropped", so I am guessing some policy on the ISA box doesn't like all the IP addresses outside its VLAN, although they are all listed in the internal network settings.

The rule on the firewall is allow any protocol from internal to external...all users

Maybe it's this spoof detection thing http://support.microsoft.com/kb/838114, may give it a go.

Maybe it's something with the VLAN gateways that the ISA doesn't like?

Appreciate it.
0

 
Keith Alabaster Commented:
Give the Best Practices Analyzer a go - let's just check the basics first
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
0
 
58872 Author Commented:
Well, found out that the issue was that the ISA could not see the clients from its interface, which was causing the packets to be dropped. A persistent route was put on the ISA routing table to the router.

But now the clients can connect to the internet with or without adding the proxy settings to their browser. If the firewall rules are disabled, though, no one can get out either way...so it must be something in the rules.

What rule would I need to put in to ensure all HTTP traffic must go through the proxy? Thanks
0
 
58872 Author Commented:
Thanks for the help.
0
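The failure and fix described in this thread, as an added example that is not part of any post: a simplified Python model of a spoof check that drops a packet when the routing table does not reach its source address through the adapter it arrived on, run before and after the persistent route is added. The addresses, interface names and function names are constructed for illustration, and the two-condition check is an assumption about the behaviour behind the fwx_e_fwe_spoofing_packet_dropped error, not ISA's own code.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def egress_interface(routes, ip):
    """Longest-prefix match: interface the routing table uses to reach ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(n, iface) for n, iface in routes if addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def spoof_check(src_ip, arrival_iface, routes, network_ranges):
    """Return (allowed, reason) for a packet from src_ip seen on arrival_iface."""
    addr = ipaddress.ip_address(src_ip)
    # Condition 1: source must be listed in the network bound to this adapter.
    if not any(addr in n for n in network_ranges.get(arrival_iface, [])):
        return False, "source not in the address range of the arrival network"
    # Condition 2: the routing table must reach the source via the same adapter.
    via = egress_interface(routes, src_ip)
    if via != arrival_iface:
        return False, f"routing table reaches source via {via}, not {arrival_iface}"
    return True, "ok"

# Constructed sample data: the firewall's own subnet is 10.0.0.0/24 and a
# client VLAN 10.0.20.0/24 sits behind the central switch. Both ranges are
# listed in the Internal network, as the thread's author describes.
INTERNAL_RANGES = {"internal": [net("10.0.0.0/24"), net("10.0.20.0/24")]}

# Before the fix: only the connected subnet and the default route exist.
ROUTES_BEFORE = [(net("0.0.0.0/0"), "external"), (net("10.0.0.0/24"), "internal")]

# After the fix: a persistent route sends the client VLAN via the internal adapter.
ROUTES_AFTER = ROUTES_BEFORE + [(net("10.0.20.0/24"), "internal")]

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for src in ("10.0.0.50", "10.0.20.15"):
            print(label, src, spoof_check(src, "internal", routes, INTERNAL_RANGES))
```

In this model, listing the VLAN ranges in the Internal network satisfies only the first condition; the routed client passes once the routing table also points its subnet at the internal adapter.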