mustekkzn asked

ISA 2004 - After installing, not able to browse internal network

Hi experts
I am in the process of installing an ISA 2004 server. Any assistance will be much appreciated.
My question is as follows:
Before I installed ISA 2004, I was able to browse our network; after installing ISA 2004, I am not able to do so. It is obviously because of the firewall and I have to configure or change something on the ISA box.
Can this be changed so that I can browse the internal network again?
Thanks so much.
Mustekkzn
Microsoft Forefront ISA Server


8/22/2022 - Mon
Alan Huseyin Kayahan

Mustekkzn,
From which host to which host are you trying to browse? (with IPs please)
Is the Firewall client installed on the clients? Can they resolve the ISA server correctly?

Regards
SOLUTION
Keith Alabaster

ASKER
mustekkzn

Hi guys, thanks for the post...
Just a quick update for you guys.
I have done the above and I am still not able to get it to work like it should.
Another thing I picked up was that I am able to get internet access through the ISA server (from a workstation PC), but not actually on the server itself.
I am not even able to go through my backup ISA server to access the internet either.
Attached is an updated print screen of my Firewall Policy.
Thanks so much.
mustekkzn
ISA---Firewall-Policy.JPG
ASKER
mustekkzn

Just another quick update...
I am able to ping internal PCs. No problems.
Not too sure if that helps.
Thanks so much.
From
mustekkzn
Alan Huseyin Kayahan

"Another thing I picked up was that I am able to get internet access through the ISA server (from a workstation PC), but not actually on the server itself. "
To correct this, create a firewall policy which has "Local Host" as source and "External" as destination, and permit HTTP access.

Do you still have the browsing problem? If yes, can you specify the hosts' IPs?
Alan Huseyin Kayahan

A rule with "Local Host" in source and "Local Host" again in destination has no effect.
ASKER
mustekkzn

Hi there
Attached is a print screen of the changes I have. With these changes I am able to browse the internal network and go on the internet, but (there are always buts) I feel now with the permissions changes I have made, it is too "open".
Am I correct in thinking so? Or can I leave it at that?
Regards
mustekkzn
ISA---Firewall-Policy.JPG
ASKER
mustekkzn

I thought to just send through the link of my next question for you guys.
Thanks so much.

https://www.experts-exchange.com/index.jsp?qid=23424574
Alan Huseyin Kayahan

No, you shouldn't leave it like that. As you remember, I stated your rule as "OK for now!" in your previous question. We went that open for troubleshooting purposes; now it is time for restrictions.
First of all, for internet access, change the "protocols" from "All outbound traffic" to "Http". Try to be as specific as possible while setting access rules.
Second and most important, your Number 2 Policy completely (except inbound) eliminates the implicit rule. Temporarily disable that rule and see what is going wrong. Define exactly which traffic, from which host to which host, is denied and essential for you; then we create a specific rule for that access. Then completely delete the No 2 rule.
Watch your network users closely to see if they report any issues.
In your previous question, you wanted to publish your mail server. Have you done that yet?
Keith Alabaster

Mr Husy - you are misinformed. A web service running on ISA will require a localhost - localhost rule if accessed from the ISA itself. Localhost - localhost may not be a specific requirement in this case but it does perform a function. By all means add your view, but please don't discount my comments unless you are factually correct.

It just causes confusion for the asker.

Keith
ISA MVP
ISA MCT
Alan Huseyin Kayahan

Dear Keith,
Maybe you won't believe it, but in all honesty, I didn't see that this was suggested by you. I read your comment until the local host to local host part, but didn't read that part.
I haven't seen a mention of a web service by the asker and I was focused on the internal network browsing and internet connectivity; that's why I said localhost to localhost has no effect.
I have previously participated in questions you participated in and read your suggestions, have read comments by you in other threads, and I know how knowledgeable and humble an expert you are, so my intent would never ever be discounting your comments, whether I am factually correct or not. Please accept my apologies.

Regards
Keith Alabaster

Thank you for that - and I apologize to you too :)

Regards
Keith
ASKER
mustekkzn

Hi Guys, I just wanted to drop in quickly to let you know that I am still here and just busy finishing off my next post.
Speak to you guys soon.
Regards
mustekkzn
ASKER
mustekkzn

Hi experts
I got to say, I am a bit lost at the moment with regards to getting this working like it should.
The last post I made, 05.22.2008 at 04:34PM SAST, ID: 21624148, is basically how far I am at the moment. I don't want to sound ungracious in any way, but the last 3 posts from you guys just got me a bit confused as to how my Firewall Policy is supposed to look.
I am very grateful for what we have accomplished up to now; without your help, I don't think I would have been able to be this far at all.

"Second and most important, your Number 2 Policy completely (except inbound) eliminates the implicit rule. Temporarily disable that rule and see what is going wrong. Define exactly which traffic from - to which host is denied and essential for you, then we create a specific rule for that access. Then completely delete No 2 rule"

With regards to the above, if I disable the second policy, I am not able to browse the network nor am I able to go on the internet off the ISA server, but the client side of things seems to be working 100%.
So, with that said, we know now that we need to modify/edit that rule for me to be able to do what I need to do.

Thanks once again for all your help.
Regards
mustekkzn
ASKER
mustekkzn

Hi Guys

I think I am one step closer now.

1. I am able to browse the internal network now
2. Accessing the internet off this server
3. Giving internet access to clients

Could I please just ask that you guys have a look at the attached print screen of my Firewall Policy.
I am just not totally happy about Policy number 2, where it says All Outbound traffic under Protocols.
How can I restrict that more?
Also, do you think the order of them is okay, or does that not really matter?

Thanks so much.
Regards
mustekkzn
ISA---Firewall-Policy.JPG
ASKER CERTIFIED SOLUTION
ASKER
mustekkzn

Cool, so if you are happy, I am happy.
I have been playing with that rule, especially with the protocols side of things, and for some reason I can only get it to work as it is sitting now.
I will be closing the question then now.
If I could just ask that you don't forget about my other question please.
https://www.experts-exchange.com/Microsoft/Windows_Security/Microsoft_ISA/Q_23424574.html
Thanks once again for your help, guys. It is much appreciated. I got to say that ISA 2004 was this mountain in front of me, which with the help of you guys is a little hill now.
Keith Alabaster

Just got in from work - certainly agree :)
ASKER
mustekkzn

I will be posting my next question for you guys on Monday, please have a look out for it.
It will probably be something to do with OWA.
Thanks once again for helping out.
It is much appreciated.
Have a great weekend.
Regards
mustekkzn