ISA Server Blocking Remote Support Tools

I'm trying to get a network with ISA 2004 to allow us to use our remote supports tools, namely GoToAssist and uVNC.

I have use the ISA mmc to monitor the server I am using for testing and I can see the request attempt to connect over port 80 and then 443, both are being denied a connection by the Web Access rule.  We didn't configure ISA on this site, it is something we inherited.  I've looked at the Web Access rule and I can't see anything in there that would block access apart from it relying on a group of users for access.  The account I'm logged in as is in that group.

The log files for the Firewall and Web Proxy don't give any further details.

I'm guessing the issue is that the remote support tools don't have an option to use a proxy, but I thought they would just use the default connection details of the server.

Any help much appreciated.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

1. There will always be tons of Denys, does not mean things are not working.  All traffic where User Authentication is required will be Denied on the first try because browsers always try Anonymous first,...then don't send the credentials till they are denied and credentials requested.  ISA is also going to always deny Broadcast Traffic just like any other firewall would.

2. The Apps don't need to know about the proxy and it is best if they are oblivious to the proxy.  Install the Firewall Client Software on the Client of the traffic requires Authentication.  If the traffic is allowed Anonymously then the ISA only needs to be in the routing path between the Client and the Internet.

3. On tools that do not use HTTP/HTTPS you will have to deal with on a case-by-case basis and may have to create Custom Protocols according to what the product uses.
klaus1013Author Commented:
Thanks pwindell. The Firewall Client Software sounds like it might be the best option, I'll have to see if it is already in use.  Could you expand on how we set the traffic to be allowed anonymously? The ISA is the default gateway for all clients, so I think the routing is correct.

Only SecureNAT Clients using the ISA/TMG by virtue of it being in the LAN's Routing Path to the Internet.
SecureNAT Client are not capable of authentication,...hence the Access Rule that they use must be Anonymous or they will not be allowed.

In ISA/TMG All Users = Anonyous.   So if your Access Rule uses "All Users" in the User Tab of the Rule is it anonymous.  Never mix "All Users" with anything else,..."All Users" must be listed by itself , or never listed at all.

Firewall Clients and Web Proxy clients do not care squat about where ISA is in the routing Path,..all they care about is that it is reachable.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

klaus1013Author Commented:
I created a new rule which allowed traffic to the specific remote control servers and used All Users as the only authentication group.  This has worked for one remote control app, but not the other, but this is enough for now.

Thanks for the help pwindell.

If the Remote Control App that still doesn't work,..uses HTTP,...but does not use RFC Compliant HTTP then it will not work.  As a firewall, ISA/TMG inspects the actual traffic itself and demands that the protocol (HTTP in this case) be properly RFC Compliant in its implementation.
klaus1013Author Commented:
pwindell put me on the right track, but using other sources I gathered I needed to create a new rule above the existing Web Proxy rule.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.