Environment: Server 2003 domain with an ISA 2004/Surf Control 2004 firewall/proxy server.
All of our domain clients use the MS Firewall Client to authenticate, and they browse the web via our proxy server/firewall for content filtering purposes. At the risk of sounding repetitive, no user can access our network without the FW client, without authenticating, or without going through our proxy server.
Our ISA is configured as a three-leg perimeter and it has three NICs.
NIC 1 is our public IP
NIC 2 is our LAN on 10.0.x.x
NIC 3 is our DMZ on 192.168.x.x
The only thing in our perimeter is our IIS server, which runs our ticketing tool on 192.168.x.x.
Now the pastor wants an Internet café.
What we thought we'd do is set up a VLAN on the DMZ side of our network, drop in an AP and let the café users surf without having to authenticate and without having to join the domain. The only things we want to do are control content and force all users to surf via our proxy server so it's all run through Surf Control.
So far, we took NIC 3 from our proxy and plugged it into the VLAN in our 3Com switch, and we plugged a PC into the VLAN as well. Our DMZ server has its second NIC plugged into the VLAN as well. We set our DMZ server to DHCP the 192s and our PC is pulling an IP. Our PC on the VLAN can also ping our DMZ, our proxy server and our DNS server. Everyone is pinging everyone else and all is well with the world on the LAN side. However, when we try to browse the Internet, we hit a wall.
The last rule in ISA, the default rule, is blocking our PC's request to get to the Internet, and the protocol it lists in the block is DHCP. I wrote a rule that allows ALL perimeter traffic out to the external network, but that didn't do it either.
The PC on our VLAN is pulling a 192.168.x.x IP. Its gateway is our LAN gateway, the same gateway every other PC uses to surf, and its DNS is our DNS server, the same one every other PC uses, but the default rule, the last rule in ISA, blocks it.
I think that's as much as I know. Any ideas?
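Two things a practitioner would check first on a three-leg ISA 2004 layout like the one described above, as an added example that is not part of the original post: whether the client's default gateway actually lies inside the client's own subnet (a host cannot use a router it cannot reach on-link), and whether the client's address falls inside the address ranges ISA's Perimeter network definition covers (ISA 2004 drops traffic that arrives on an interface from an address outside that interface's network as spoofed). Every concrete address below is constructed; the post only gives 10.0.x.x, 192.168.x.x and "our LAN gateway", so the values, the assumed NIC 3 address and the assumed Perimeter range are illustrative.

```python
import ipaddress

# Constructed sample values (assumptions for the demo, not from the post).
CLIENT_INTERFACE = "192.168.1.50/24"   # what the DMZ DHCP server handed the PC
LAN_GATEWAY = "10.0.0.1"               # "our LAN gateway", as configured on the PC
DMZ_GATEWAY = "192.168.1.1"            # ISA's NIC 3 address (assumed)

# Address ranges in ISA's Perimeter network definition (assumed), expressed as
# inclusive (first, last) pairs the way the ISA console stores them.
PERIMETER_RANGES = [("192.168.1.0", "192.168.1.255")]


def gateway_on_link(interface, gateway):
    """True if the gateway sits inside the interface's own subnet.

    A default gateway outside the subnet cannot be ARPed for, so the host has
    no usable route off its own VLAN regardless of what it can ping.
    """
    iface = ipaddress.ip_interface(interface)
    return ipaddress.ip_address(gateway) in iface.network


def address_in_ranges(address, ranges):
    """True if address falls inside one of the inclusive (first, last) ranges."""
    addr = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def check_client(interface, gateway, perimeter_ranges):
    """Return a list of problems found; an empty list means both checks pass."""
    problems = []
    iface = ipaddress.ip_interface(interface)
    if not gateway_on_link(interface, gateway):
        problems.append(
            f"gateway {gateway} is not in {iface.network}; "
            "the client has no reachable on-link router")
    if not address_in_ranges(str(iface.ip), perimeter_ranges):
        problems.append(
            f"{iface.ip} is outside the ranges defined for the Perimeter network; "
            "ISA will treat its traffic on NIC 3 as spoofed")
    return problems


if __name__ == "__main__":
    for gw in (LAN_GATEWAY, DMZ_GATEWAY):
        result = check_client(CLIENT_INTERFACE, gw, PERIMETER_RANGES)
        print(f"gateway {gw}: {'OK' if not result else result}")
```

Run it as-is to see the two cases side by side; to apply it to a real client, substitute the address and mask from `ipconfig` on the PC, its configured gateway, and the ranges shown under the Perimeter network's Addresses tab in the ISA console.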