New to ISA: can't see the internet...

Posted on 2008-11-04
Last Modified: 2012-05-05
Hello, I am very new to ISA 2006. I am playing with it in a test area; I have installed it and set it to edge firewall.
I have also set up a client to set the proxy, but I can't seem to access the internet.

The logs say:
denied connection, Default rule
I have added the user to the allow group but am not really sure what I have done wrong. I also can't access the internet on the ISA server, but can ping the internet, and I get the same thing in the log: denied connection.
Question by:KingsTheatre
27 Comments
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 22878059
ISA out of the box comes locked down; as such, you need to open up the features you require.
Open the management console and select the Firewall Policy on the left-hand side. You will probably only see the default rule. On the right-hand side, in the tasks, select "Create Access Rule".
Name: Web Access (Or Something like that..)
Action: Allow
Protocols: Selected (HTTP, HTTPS)
From: Internal
To: External
Users: All Users
This should give you the web access you need.
Regards
Steve
 
0
 

Author Comment

by:KingsTheatre
ID: 22878159
Hello Steve,
I did think of this one already. I have a few rules, these being:
Web access, allow, all outbound, Internal, External, all users; I also added the user itself.
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 22878492
Are these rules above your default rule? If not, the default rule will be processed first and instantly deny the traffic.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22878698
The fact you can ping the internet but cannot get web pages suggests that you have a DNS configuration issue or the proxy is wrong (you're being denied by the default rule). I am really busy at the moment so maybe Steve can walk through this with you.

Keith
0
 

Author Comment

by:KingsTheatre
ID: 22878745
Yes, these rules are above; the default rule is fourth.
0
 

Author Comment

by:KingsTheatre
ID: 22879090
To be fair, I have not really done anything to configure the proxy itself. What should you do?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22879656
Have you also set a rule to allow DNS from internal to external?
0
 

Author Comment

by:KingsTheatre
ID: 22879681
Yes I have; this is the second rule I have. I have set it to allow all, to all users.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22879719
OK - and in the IE client - have you set the IP to the ISA server internal IP address and port 8080?
0
 

Author Comment

by:KingsTheatre
ID: 22879761
Yes I have, and when I try to access the internet on it, I get a page saying denied connection via proxy.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22879794
Then you have a fundamental setup issue, as this is all that is needed. The fact that you are being caught on the default rule (they are processed from top to bottom) means that the traffic being seen in ISA is not matching any of your criteria - i.e. it does not match any of the rules you have set. I assume you are NOT trying this from the ISA server itself lol?
0
 

Author Comment

by:KingsTheatre
ID: 22879841
lol no, I have an XP client I am using for testing...
I think I might be missing a step or something. Do you need to set up a link to AD, or something linking to DNS?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22880020
No.

Basics then - I assume you have read the setup guides and installation documents?

Post a print out of an ipconfig /all from the ISA Server please
What is the internal subnet(s) on your internal LAN?
What entries have you placed in the LAT for the internal network? - configuration - networks - internal - addresses
0
 

Author Comment

by:KingsTheatre
ID: 22880165
C:\Documents and Settings\Administrator.KINGS-SOUTHSEA>ping www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [87.248.113.14] with 32 bytes of data:

Reply from 87.248.113.14: bytes=32 time=41ms TTL=48
Reply from 87.248.113.14: bytes=32 time=41ms TTL=48
Reply from 87.248.113.14: bytes=32 time=38ms TTL=48
Reply from 87.248.113.14: bytes=32 time=39ms TTL=48

Ping statistics for 87.248.113.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 41ms, Average = 39ms

C:\Documents and Settings\Administrator.KINGS-SOUTHSEA>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : kngisa
   Primary Dns Suffix  . . . . . . . : kings-southsea.com
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : kings-southsea.com
                                       kings-southsea
                                       gateway.2wire.net

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . : kings-southsea
   Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (1
0/100)
   Physical Address. . . . . . . . . : 00-06-5B-39-3A-2D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.254.124
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.1
   DHCP Server . . . . . . . . . . . : 192.168.254.10
   DNS Servers . . . . . . . . . . . : 192.168.254.3
   Lease Obtained. . . . . . . . . . : 02 November 2008 07:38:53
   Lease Expires . . . . . . . . . . : 10 November 2008 07:38:53

Ethernet adapter Ext:

   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-06-5B-39-3A-2E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.76
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   Lease Obtained. . . . . . . . . . : 04 November 2008 07:39:50
   Lease Expires . . . . . . . . . . : 05 November 2008 07:39:50

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) PRO/1000 F Server Adapter
   Physical Address. . . . . . . . . : 00-03-47-AD-62-3C

C:\Documents and Settings\Administrator.KINGS-SOUTHSEA>
0
 

Author Comment

by:KingsTheatre
ID: 22880203
subnet 192.168.254.***
config.jpg
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22880246
OK - here we go.
Only the external NIC should have a default gateway - the internal card must NOT.
Only the internal NIC should have a DNS entry - the external card must NOT.
These are basic setup issues...

What entries have you placed in the LAT for the internal network? - configuration - networks - internal - addresses
What is the internal subnet(s) on your internal LAN?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22880264
Ah - overtyped here - see the subnet.

I won't open any attachments so can't see your config file.
Your internal LAT should read as 192.168.254.0 - 192.168.254.255 assuming it is the only internal subnet you have.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22880274
Nothing else should be listed in the LAT UNLESS you have additional subnets which are INSIDE of ISA.
0
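The NIC and LAT rules given in the replies above can be checked mechanically against pasted `ipconfig /all` output. This is an added example, not part of the original thread; `parse_adapters` and `audit` are hypothetical helper names, and the sample text is abridged from the output the asker posted.

```python
import ipaddress
import re

# Abridged from the ipconfig /all output posted earlier in this thread.
SAMPLE = """\
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 192.168.254.124
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.1
   DNS Servers . . . . . . . . . . . : 192.168.254.3
Ethernet adapter Ext:
   IP Address. . . . . . . . . . . . : 192.168.1.76
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
"""

def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Ethernet adapter (.+):\s*$", line)
        if head:
            current = adapters.setdefault(head.group(1), {})
            continue
        # Fields with an empty value (nothing after the colon) are skipped.
        field = re.match(r"\s+([A-Za-z ]+?)[ .]*: (\S.*)$", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return adapters

def audit(adapters, internal, external, lat):
    """Apply the NIC and LAT rules from the replies above (hypothetical helper)."""
    findings = []
    # (adapter, field, wanted): gateway only on external, DNS only on internal.
    for nic, field, wanted in ((internal, "Default Gateway", False), (external, "Default Gateway", True),
                               (internal, "DNS Servers", True), (external, "DNS Servers", False)):
        value = adapters[nic].get(field)
        if value and not wanted:
            findings.append(f"{nic}: remove {field} {value}")
        elif wanted and not value:
            findings.append(f"{nic}: {field} missing")
    nic = adapters[internal]
    net = ipaddress.ip_network(f"{nic['IP Address']}/{nic['Subnet Mask']}", strict=False)
    first, last = (ipaddress.ip_address(a) for a in lat)
    if (first, last) != (net.network_address, net.broadcast_address):
        findings.append(f"LAT should be {net.network_address} - {net.broadcast_address}")
    return findings

if __name__ == "__main__":
    print(audit(parse_adapters(SAMPLE), "Internal", "Ext", ("192.168.254.0", "192.168.254.255")))
```

The LAT check assumes a single internal subnet, as the reply above does; additional subnets inside ISA would need their own ranges.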
 

Author Comment

by:KingsTheatre
ID: 22880603
I have done everything you said, but I still can't see the internet via the client. I do get an error code now, though: "502 error proxy"
0
 

Author Comment

by:KingsTheatre
ID: 22880619
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.254.124
Date: 04/11/2008 20:45:00 [GMT]
Server: kngisa.kings-southsea.com
Source: proxy
0
 

Author Comment

by:KingsTheatre
ID: 22880780
Ahhh, sorted that. Being thick, I forgot to save the settings lol
0
 

Author Comment

by:KingsTheatre
ID: 22880819
It seems to be working, so just one last thing: how would I now block a site from a selected user list?

Thank you for your help
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22883507
lol - I am only up the road from you in Horsham :) That said, I had an early night.....

It depends - Is ISA a domain member?

0
 

Author Comment

by:KingsTheatre
ID: 22883797
yes it is :)
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1000 total points
ID: 22887534
Then you can either create ISA URL or domain sets and place an AD group in the User box. Alternatively you can get one of the add-on products such as GFI Web monitor which do it all for you.

Doing it manually can be a pain but you can get some basic assistance from Jim Harrison's site at http://www.isatools.org/tools.asp?Context=ISA2006
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22888185
Thanks :)
0
 

Author Comment

by:KingsTheatre
ID: 22888190
thanks for all your help :)
0
