mustekkzn

ISA 2004 - After installing, not able to browse internal network

Hi experts
I am in the process of installing an ISA 2004 server. Any assistance will be much appreciated.
My question is as follows:
Before I installed ISA 2004, I was able to browse our network; after installing ISA 2004, I am not able to do so. It is obviously because of the firewall and I have to configure or change something on the ISA box.
Can this be changed so that I can browse the internal network again?
Thanks so much.
Mustekkzn
Alan Huseyin Kayahan

Mustekkzn,
From which host to which host are you trying to browse? (with IPs please)
Is Firewall client installed on the clients? Can they resolve ISA server correctly?

Regards
SOLUTION
Keith Alabaster
This solution is only available to members.

ASKER

Hi guys, thanks for the post...
Just a quick update for you guys.
I have done the above and I am still not able to get it to work like it should.
Another thing I picked up was that I am able to get internet access through the ISA server (from a workstation PC), but not actually on the server itself.
I am not even able to go through my backup ISA server to access the internet either.
Attached is an updated print screen of my Firewall Policy.
Thanks so much.
mustekkzn
ISA---Firewall-Policy.JPG
Just another quick update...
I am able to ping internal PCs. No problems.
Not too sure if that helps.
Thanks so much.
From
mustekkzn
"Another thing I picked up was that I am able to get internet access through the ISA server (from a workstation PC), but not actually on the server itself. "
For correcting this, create a firewall policy which has "Local Host" as source and "External" as destination, and permit http access.

Do you still have the browsing problem? If yes, can you specify the hosts' IPs?
A rule with "Local Host" in source and "Local Host" again in destination has no effect.
Hi there
Attached is a print screen of the changes I have. With these changes I am able to browse the internal network and go on the internet, but (there are always buts) I feel now with the permissions changes I have made, it is too "open".
Am I correct in thinking so? Or can I leave it at that?
Regards
mustekkzn
ISA---Firewall-Policy.JPG
I thought to just send through the link of my next question for you guys.
Thanks so much.

https://www.experts-exchange.com/index.jsp?qid=23424574
No, you shouldn't leave it like that. As you remember, I have stated your rule as "OK for now!" in your previous question. We moved so open for troubleshooting purposes; now it is time for restrictions.
First of all, for internet access, change the "protocols" from "All outbound traffic" to "Http". Try to be as specific as possible while setting access rules.
Second and most important, your Number 2 Policy completely (except inbound) eliminates the implicit rule. Temporarily disable that rule and see what is going wrong. Define exactly which traffic from - to which host is denied and essential for you, then we create a specific rule for that access. Then completely delete No 2 rule.
Watch your network users closely if they report any issues.
   In your previous question, you wanted to Publish your mail server. Have you done that yet?
Mr Husy - you are mis-informed. A web service running on ISA will require a localhost - localhost rule if accessed from the ISA itself. Localhost - localhost may not be a specific requirement in this case but it does perform a function. By all means add your view, but please don't discount my comments unless you are factually correct.

It just causes confusion for the asker.

Keith
ISA MVP
ISA MCT
Dear Keith,
Maybe you won't believe it, but with all my honesty, I didn't see that this was suggested by you. I have read your comment until the local host to local host part, but didn't read that part.
I haven't seen a mention of a Web service by the asker and I was focused on the internal network browsing and internet connectivity, that's why I said localhost to localhost has no effect.
I have previously participated in questions you participated in and read your suggestions, have read comments by you in other threads, and I know how knowledgeable and humble an expert you are, so my intent would never ever be discounting your comments, whether I am factually correct or not. Please accept my apologies.

Regards
Thank you for that - and I apologize to you too :)

Regards
Keith
Hi Guys, I just wanted to drop in quickly to let you know that I am still here and just busy finishing off my next post.
Speak to you guys soon.
Regards
mustekkzn
Hi experts
I got to say, I am a bit lost at the moment with regard to getting this working like it should.
The last post I made, 05.22.2008 at 04:34PM SAST, ID: 21624148, is basically how far I am at the moment. I don't want to sound ungracious in any way, but the last 3 posts from you guys just got me a bit confused as to how my Firewall Policy is supposed to look.
I am very grateful for what we have accomplished up to now; without your help, I don't think I would have been able to be this far at all.
--
Second and most important, your Number 2 Policy completely (except inbound) eliminates the implicit rule. Temporarily disable that rule and see what is going wrong. Define exactly which traffic from - to which host is denied and essential for you, then we create a specific rule for that access. Then completely delete No 2 rule
--

With regard to the above, if I disable the second policy, I am not able to browse the network nor am I able to go on the internet off the ISA server, but the client side of things seems to be working 100%.
So, with that said, we know now that we need to modify/edit that rule for me to be able to do what I need to do.

Thanks once again for all your help.
Regards
mustekkzn
Hi Guys

I think I am one step closer now.

1. I am able to browse the internal network now
2. Accessing the internet off this server
3. Giving internet access to clients

Could I please just ask that you guys have a look at the attached print screen of my Firewall Policy.
I am just not totally happy about Policy number 2, where it says All Outbound traffic under Protocols.
How can I restrict that more?
Also, do you think the order of them is okay, or does that not really matter?

Thanks so much.
Regards
mustekkzn
ISA---Firewall-Policy.JPG
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Cool, so if you are happy, I am happy.
I have been playing with that rule, especially with the protocols side of things, and for some reason I can only get it to work as it is sitting now.
I will be closing the question then now.
If I could just ask that you don't forget about my other question please.
https://www.experts-exchange.com/questions/23424574/ISA-2004-Remote-Desktop.html
Thanks once again for your help, guys. It is much appreciated. I got to say that ISA 2004 was this mountain in front of me, which with the help of you guys made it a little hill now.
Just got in from work - certainly agree :)
I will be posting my next question for you guys on Monday, please have a look out for it please.
It will probably be something to do with OWA.
Thanks once again for helping out.
It is much appreciated.
Have a great weekend.
Regards
mustekkzn