New to ISA: can't see the internet...

Hello, I am very new to ISA 2006. I am playing with it in a test area; I have installed it and set it to edge firewall.
I have also set up a client to set the proxy, but I can't seem to access the internet.

The logs say:
denied connection, Default rule
I have added the user to the allow group but am not really sure what I have done wrong. I also can't access the internet on the ISA server, but can ping the internet, and I get the same thing in the log: denied connection
KingsTheatreAsked:

Stephen MandersonSoftware EngineerCommented:
ISA out of the box comes locked down, as such you need to open up the features you require.
Open the management console and select the Firewall Policy on the left hand side. You will probably only see the default rule. On the right hand side, in the tasks, select "Create Access Rule".
Name: Web Access (Or Something like that..)
Action: Allow
Protocols: Selected (HTTP, HTTPS)
From: Internal
To: External
Users: All Users
This should give you the web access you need.
Regards
Steve
 
0
KingsTheatreAuthor Commented:
Hello Steve,
I did think of this one already. I have a few rules, these being:
Web access, allow, all outbound, internal, External, all users; I also added the user itself
0
Stephen MandersonSoftware EngineerCommented:
Are these rules above your default rule? If not, the default rule will be processed first and instantly deny the traffic.
0

Keith AlabasterEnterprise ArchitectCommented:
The fact you can ping the internet but cannot get web pages suggests that you have a DNS configuration issue or the proxy is wrong (you're being denied by the default rule). I am really busy at the moment so maybe Steve can walk through this with you.

Keith
0
KingsTheatreAuthor Commented:
Yes, these rules are above; the default rule is fourth
0
KingsTheatreAuthor Commented:
To be fair, I have not really done anything to configure the proxy itself. What should you do?
0
Keith AlabasterEnterprise ArchitectCommented:
Have you also set a rule to allow DNS from internal to external?
0
KingsTheatreAuthor Commented:
Yes I have, this is the second rule I have; I have set it to allow all, to all users
0
Keith AlabasterEnterprise ArchitectCommented:
OK - and in the IE client - have you set the IP to the ISA server internal IP address and port 8080?
0
KingsTheatreAuthor Commented:
Yes I have, and when I try to access the internet on it, I get a page saying denied connection via proxy
0
Keith AlabasterEnterprise ArchitectCommented:
Then you have a fundamental setup issue, as this is all that is needed. The fact that you are being caught on the default rule (they are processed from top to bottom) means that the traffic being seen in ISA is not matching any of your criteria - i.e. it does not match any of the rules you have set. I assume you are NOT trying this from the ISA server itself lol?
0
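The top-to-bottom processing described in the comment above, as an added example that is not part of the original thread and is not ISA's own code: a simplified first-match evaluator in which a request must satisfy every criterion of a rule, otherwise it falls through to the default deny. The rule model, the address ranges in `NETWORKS` and the client address used with it are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model (an assumption, not ISA's engine): a network is a list of
# address ranges, and a rule matches on protocol, source network,
# destination network and user set.
NETWORKS = {"Internal": [("192.168.254.0", "192.168.254.255")]}

@dataclass
class Rule:
    name: str
    action: str
    protocols: set
    src: str
    dst: str
    users: set

def network_of(ip, networks):
    """Name of the network whose ranges contain ip; anything else is External."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in networks.items():
        for lo, hi in ranges:
            if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                return name
    return "External"

def evaluate(rules, networks, proto, src_ip, dst_ip, user):
    """Return (action, rule name) of the first rule matching every criterion."""
    src, dst = network_of(src_ip, networks), network_of(dst_ip, networks)
    for r in rules:
        if (proto in r.protocols and src == r.src and dst == r.dst
                and ("All Users" in r.users or user in r.users)):
            return r.action, r.name
    # Nothing above matched: the last rule in the list denies everything.
    return "Deny", "Default rule"

# Constructed rule list mirroring the two allow rules described in the thread.
RULES = [
    Rule("Web Access", "Allow", {"HTTP", "HTTPS"}, "Internal", "External", {"All Users"}),
    Rule("DNS", "Allow", {"DNS"}, "Internal", "External", {"All Users"}),
]
```

With the Internal network defined correctly, an HTTP request from a client in 192.168.254.0/24 hits "Web Access"; if the ranges do not contain the client's address, the same request reaches the default rule even though the allow rules sit above it.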
KingsTheatreAuthor Commented:
Lol no, I have an XP client I am using for testing...
I think I might be missing a step or something. Do you need to set up a link to AD, or something linking to DNS?
0
Keith AlabasterEnterprise ArchitectCommented:
no.

Basics then - I assume you have read the setup guides and installation documents?

Post a print out of an ipconfig /all from the ISA Server please
What is the internal subnet(s) on your internal LAN?
What entries have you placed in the LAT for the internal network? - configuration - networks - internal - addresses
0
KingsTheatreAuthor Commented:
C:\Documents and Settings\Administrator.KINGS-SOUTHSEA>ping www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [87.248.113.14] with 32 bytes of data:

Reply from 87.248.113.14: bytes=32 time=41ms TTL=48
Reply from 87.248.113.14: bytes=32 time=41ms TTL=48
Reply from 87.248.113.14: bytes=32 time=38ms TTL=48
Reply from 87.248.113.14: bytes=32 time=39ms TTL=48

Ping statistics for 87.248.113.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 41ms, Average = 39ms

C:\Documents and Settings\Administrator.KINGS-SOUTHSEA>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : kngisa
   Primary Dns Suffix  . . . . . . . : kings-southsea.com
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : kings-southsea.com
                                       kings-southsea
                                       gateway.2wire.net

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . : kings-southsea
   Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (1
0/100)
   Physical Address. . . . . . . . . : 00-06-5B-39-3A-2D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.254.124
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.1
   DHCP Server . . . . . . . . . . . : 192.168.254.10
   DNS Servers . . . . . . . . . . . : 192.168.254.3
   Lease Obtained. . . . . . . . . . : 02 November 2008 07:38:53
   Lease Expires . . . . . . . . . . : 10 November 2008 07:38:53

Ethernet adapter Ext:

   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-06-5B-39-3A-2E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.76
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   Lease Obtained. . . . . . . . . . : 04 November 2008 07:39:50
   Lease Expires . . . . . . . . . . : 05 November 2008 07:39:50

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) PRO/1000 F Server Adapter
   Physical Address. . . . . . . . . : 00-03-47-AD-62-3C

C:\Documents and Settings\Administrator.KINGS-SOUTHSEA>
0
KingsTheatreAuthor Commented:
subnet 192.168.254.***
config.jpg
0
Keith AlabasterEnterprise ArchitectCommented:
OK - here we go.
Only the external NIC should have a default gateway - the internal card must NOT.
Only the internal NIC should have a DNS entry - the external card must NOT.
These are basic setup issues...

What entries have you placed in the LAT for the internal network? - configuration - networks - internal - addresses
What is the internal subnet(s) on your internal LAN?
0
Keith AlabasterEnterprise ArchitectCommented:
Ah - overtyped here. - see the subnet

I won't open any attachments so can't see your config file.
Your internal LAT should read as 192.168.254.0 - 192.168.254.255 assuming it is the only internal subnet you have.
0
Keith AlabasterEnterprise ArchitectCommented:
Nothing else should be listed in the LAT UNLESS you have additional subnets which are INSIDE of ISA.
0
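The NIC checks and the LAT range from the comments above, as an added example that is not part of the original thread: a small script that parses `ipconfig /all` output, flags a default gateway on the internal adapter or DNS servers on the external one, and derives the Internal address range from the internal NIC's subnet. The function names are hypothetical and the sample text is a trimmed, constructed copy of the output posted earlier.

```python
import ipaddress
import re

# Constructed sample: trimmed `ipconfig /all` output for a two-NIC firewall,
# using the adapter names and addresses shown in the thread.
SAMPLE = """\
Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 192.168.254.124
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.1
   DNS Servers . . . . . . . . . . . : 192.168.254.3

Ethernet adapter Ext:

   IP Address. . . . . . . . . . . . : 192.168.1.76
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
"""

def parse_adapters(text):
    """Return {adapter name: {field: value}}; fields with no value are omitted."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^Ethernet adapter (.+):\s*$", line)
        if head:
            current = adapters.setdefault(head.group(1), {})
            continue
        field = re.match(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(\S.*)$", line)
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return adapters

def audit(adapters, internal="Internal", external="Ext"):
    """Apply the two NIC rules from the thread; return a list of findings."""
    findings = []
    if "Default Gateway" in adapters[internal]:
        findings.append(f"{internal}: remove the default gateway")
    if "DNS Servers" in adapters[external]:
        findings.append(f"{external}: remove the DNS servers")
    return findings

def lat_range(adapter):
    """First and last address of the adapter's subnet, for the Internal network."""
    net = ipaddress.ip_network(f"{adapter['IP Address']}/{adapter['Subnet Mask']}", strict=False)
    return str(net.network_address), str(net.broadcast_address)
```

On the sample, `audit(parse_adapters(SAMPLE))` reports both misconfigurations and `lat_range` returns the 192.168.254.0 - 192.168.254.255 range given above.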
KingsTheatreAuthor Commented:
I have done everything you sent, but I still can't see the internet via the client, but I do get an error code now: "502 error proxy"
0
KingsTheatreAuthor Commented:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.254.124
Date: 04/11/2008 20:45:00 [GMT]
Server: kngisa.kings-southsea.com
Source: proxy
0
KingsTheatreAuthor Commented:
Ahhh, sorted that, being thick! I forgot to save the settings lol
0
KingsTheatreAuthor Commented:
It seems to be working, so just one last thing: how would I now block a site from a selected user list?

thank you for your help
0
Keith AlabasterEnterprise ArchitectCommented:
lol - I am only up the road from you in Horsham :) That said, I had an early night.....

It depends - Is ISA a domain member?

0
KingsTheatreAuthor Commented:
yes it is :)
0
Keith AlabasterEnterprise ArchitectCommented:
Then you can either create ISA URL or domain sets and place an AD group in the User box. Alternatively you can get one of the add-on products such as GFI Web monitor which do it all for you.

Doing it manually can be a pain but you can get some basic assistance from Jim Harrison's site at http://www.isatools.org/tools.asp?Context=ISA2006
0

Keith AlabasterEnterprise ArchitectCommented:
Thanks :)
0
KingsTheatreAuthor Commented:
thanks for all your help :)
0