Solved

Proxy (ISA server 2006) is blocking my url

Posted on 2014-12-11
Last Modified: 2014-12-30
Hi there,

I have a problem with an address that is being blocked by ISA, even though the user has unrestricted access to the internet. When I disable the ISA server client on the user's PC I can access the http://... address but I'm not able to access Google, for example, but when I enable the ISA client I can get to Google and stop being able to get to the http address.
The http:// address points to a server on the VPN tunnel we have. I'm able to ping and tracert to the IP address but http gets an error 500 from the ISA server. I tried to create an access rule allowing everything to connect to that http address but still nothing.

Can anybody help?
Question by:Windindi
27 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40494843
Is the http:\\... address added to the browser exceptions list so that ISA knows not to forward this to the default ISA location?

Author Comment

by:Windindi
ID: 40495929
Each time I add the address to the exception list and then close and reopen the browser it disappears from the list; only when I close the ISA client does the link work.

Author Comment

by:Windindi
ID: 40499927
Maybe I'm not doing the right access rule in ISA. In my ISA I have (starting from bottom):
-deny access to internet
-allow access to internet
-access rule to this url

What's the best way to create a rule to allow this page to open for every user?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40501118
Are you REALLY still using ISA Server rather than FTMG?
If so, quickly confirm the version of ISA you are using please.
Is your ISA server based with two network cards or just one? If two, confirm that the default gateway of your network points to the ISA server internal nic ip address.

The sequence ISA uses is from the top down and ISA stops processing ALL rules after the first network rule it finds that applies to the traffic it receives from a client.

The method has a number of options and partly depends if the ISA follows best practice which is for it to be a member of the Windows domain.

So the easiest is to 'allow all protocols from internal to external all users' - which allows everything from inside to out
and normally follows your standard infrastructure rules, i.e. allow outbound DNS & SMTP etc., assuming you have two NICs.

You can decide whether to be more restrictive by changing one or more aspects such as
Allow http, https from internal to {specific web domains : URLs } all users
Allow http from internal to external {ad group} and so on

Just remember to action them with the most restrictive first.

Author Comment

by:Windindi
ID: 40511070
Hi there, I still have the issue; I was offline for a few days so sorry for the delay responding.

My ISA is ISA Server 2006
It is configured with two NICs
and the gateway points all traffic to the outside to the internal ISA NIC.

Could you please simulate a rule that would allow the access to the URL keeping in mind that I have already configured an access rule allowing only a list of Windows AD users to access the internet. Where should I put this new rule before or after the internet access rule?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40511113
I do not think this is going to help you in respect to a rule - if a rule was the issue then you would not be able to get to URL at anytime, regardless of whether you have enabled the ISA client software package or not but thanks for the clarifications.

So, you have ISA 2006 with two nics, and the ISA internal nic is the default gateway for all inside devices.
Where is the VPN being created from? Are you using ISA server itself as the VPN host or a vpn device outside of ISA, such as the external firewall or concentrator?

Without a diagram this may take a few questions/answers to get a full picture.

Author Comment

by:Windindi
ID: 40511124
Ok,
I have an ISP that has configured a Cisco gateway with the internal IP address 10.10.10.254 (that's the default gateway for all devices), then this router forwards any internet request to 10.10.10.1 (ISA server) to check credentials and see if the user can access the net; then it goes to the internet through the external NIC (196.xxx.xx.xx). The VPN is configured on the Cisco router, so even if we do not have access to the internet the VPN still works (point to point connection). Hope it helps you understand the schema.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40511146
Ok - that helps in the right direction.
So client devices point to the 10.10.10.254 address regardless - in respect to their own nic default gateway settings, and they would use this route to get to the VPN.

When you enable the ISA client you will have pointed it at the ISA server so now any traffic from the client machine that is within the Proxy arena such as http/https etc will actually be sent, by default, directly to 10.10.10.1 (rather than the router) because the default gateway setting no longer applies to the proxy traffic i.e. this 'proxyable' traffic now has a defined route to take instead although any other form of traffic will still go directly to the router.

So the objective is to inform the ISA client software that proxyable traffic destined for this specific URL should NOT be sent to ISA for redirecting OR we tell ISA that this particular URL traffic should NOT be sent to the External network but instead should actually be redirected back inside to the router's IP at 10.10.10.254 for onward routing.

First questions then. On the ISA server itself, from a command prompt do an nslookup on the machine name that hosts the URL you want the client to get to - does it resolve the IP address correctly and give the internal address across the VPN?

If yes, have you added a specific route via the command prompt and a suitable route -p add etc command so ISA knows out of which interface it should forward the request on to?

and third, you would need an allow all protocols from internal to internal all users (this is the simplest rule just to test with initially)

Author Comment

by:Windindi
ID: 40514532
Hi there,

I created a rule that allows all outbound protocols from internal to internal (internal NIC IP range is 10.10.10.0 to 10.10.10.255) and put this rule right after the internet access rule (counting from bottom), restarted the server and the PCs to have new connections but still, the problem accessing the URL persists.

Sorry for the delay answering
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40514635
OK - the internal to internal has to come first - remember it works from top-downward.

As a reminder from the above also, when operating from the ISA server, what happens when you do the nslookup to the url from a command prompt? Which IP address does it return?

and the route command, what route does the ISA think it needs to take to get to the URL?

Author Comment

by:Windindi
ID: 40514642
I executed the nslookup command and it goes first to our internal DC (10.10.10.4) and then gives back an error saying that the DNS name could not be found. When I use the tracert command it tries to get to the external NIC, because the first IP address it tries to reach is the (196.xxx.xx.xx) instead of going through the internal NIC.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40514661
Ah. OK - on the ISA server, it is a requirement that the INTERNAL nic is registered first. I am assuming that the rest of your ISA is configured correctly already but an old article I wrote a few years back may help on the ISA Setup position. One of the most common issues was setting up the DNS on both ISA nics - an absolute no-no :)

http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html

On the ISA box, get to another command prompt.
Type in 'route print' - look at the output.
Can you see a specific entry that shows a route to the vpn-accessible subnets that points its gateway to the VPN router's ip address at 10.0.0.1? If not, you need one :)

Author Comment

by:Windindi
ID: 40514693
I read your article and, if I understand correctly, maybe I should add a route using:

route add -p 10.11.x.xx (URL ip address) mask 255.255.255.0 10.10.10.254 (cisco router where the VPN is configured internal IP) to make ISA select this route when dealing with that url request?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40516148
:) No need to obfuscate the 10.11.0.0 address as these are private; pretty much most networks in the world have a 10.something address, it's just the public ones you need to hide.

But yes that is exactly right, if the subnet you need to access is 10.11.11.0/24 then on the ISA you would add
route -p add 10.11.11.0 mask 255.255.255.0 10.10.10.254 (the -p ensures the ISA remembers the route following a reboot)

The one other issue we may have to address is the fact that ISA cannot resolve the URL (ISA fails the nslookup of the IP address of the server hosting the URL over the VPN).

You mention that when you are NOT using the ISA client this works - which suggests that the Windows client machines CAN resolve the IP address correctly? (Run the nslookup of the server hosting the URL from a workstation - does it get the right IP?)

If the workstation does get the right IP, and the ISA server does not, then as a starter check on the ISA Server, ONLY the internal ISA NIC should have a DNS server listed and it should only point to the INTERNAL DNS server, i.e. the ISA relies upon the internal DNS server to resolve internal and external IP addresses.

Author Comment

by:Windindi
ID: 40516163
Hi, I did an nslookup on the server name and when the ISA client is on it responds:

non-authoritative answer:
(and the name of the server) and IP 216.21.xx.xx

when ISA is off:

I receive the name of the server and an IP 216.21.xx.xx

Author Comment

by:Windindi
ID: 40516259
The ISA server internal NIC has no gateway configured, and when I try to ping the 10.11.1.52 IP from a PC (that has 10.10.10.254 as the gateway) it responds, but from the ISA internal NIC (10.10.10.1) I get destination unreachable.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40516298
Makes sense.
So on the ISA, it needs to know that to get to the 10.11.1.0 subnet, it has to use its internal NIC and forward the traffic to the 10.10.10.254 (Cisco) device rather than use its only default gateway, which would be the ISA's external NIC.

i.e. route -p add 10.11.1.0 mask 255.255.255.0 10.10.10.254
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40516302
PS I assume you already have a rule at the top that allows localhost to internal - all protocols - all users?

Author Comment

by:Windindi
ID: 40521491
Hi there, I didn't have the rule allowing localhost to internal all protocols. Should this rule be placed above the internet access rule?

Author Comment

by:Windindi
ID: 40521566
Is it possible to define a gateway on the ISA internal NIC? Or would this generate a loop and malfunction?

Author Comment

by:Windindi
ID: 40521573
I created the route but still I'm not able to ping that host 10.11.1.52 from the ISA server.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40521806
1) yes, the localhost to internal should be at the top-ish. This allows ISA itself to access the internal AD, DNS etc
2) Again, to be sure you have ISA setup correctly, can you confirm that the 10.11.1.0 subnet IS actually associated with the internal network?

When you look at the internal network from within the ISA console does it include the 10.11.1.0 - 10.11.1.255 ip address range?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40521809
In addition, PING uses the ICMP protocol - make sure you have enabled ICMP from localhost in the ISA system rules. This is in addition to the ISA firewall rules.

Author Comment

by:Windindi
ID: 40523284
Hi,
From ISA I can ping any IP address on the internet (e.g. Google) and any internal IP address, but the IP addresses on the VPN I'm not able to ping from ISA, only from PCs on the network that have 10.10.10.254 as the gateway.

How can I check if the range is associated?
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 40523305
Must be frustrating for you doing this essentially by email like this as the whole thing takes less than 5 minutes from start to end to accomplish. Maybe I'll write this up later as a video training article :)

Just to check that the route is in place, on the ISA box - cmd prompt - perform a tracert to the VPN ip address on the 10.11.1.0 subnet.
You can also perform a 'route print' cmd to show that you have added the route -p command successfully.

In the ISA console, what is the listed IP address range that is shown against the 'internal' network? You can look in any rule that has the INTERNAL object used, right-click the INTERNAL object and show its properties, or use the Toolbox. If, for example, you have set the whole class A (10.0.0.0 - 10.255.255.255) then you know that the 10.11.1.0 subnet is already included within the INTERNAL network object, but if you only assigned a portion to the internal such as 10.10.10.0 - 10.10.10.255 then the 10.11.1.0 subnet will NOT have been included. Anything that is NOT specifically included within the INTERNAL network object is AUTOMATICALLY included in the EXTERNAL network object.

i.e. ISA treats as internal only the network subnets it is told about - everything else is treated as unfriendly and external.
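To make the two failure modes discussed in this thread concrete (no specific route, so traffic for 10.11.1.0/24 follows the default gateway out of the external NIC; and the VPN subnet missing from the INTERNAL network object, so ISA classifies it as EXTERNAL), here is an added Python example that is not part of the original thread. It models a 'route print' table as a longest-prefix match and the INTERNAL object as ISA-style address ranges; the gateway 203.0.113.1 stands in for the 196.xxx.xx.xx external gateway, and the route and range values are constructed from the addresses given in the thread.

```python
import ipaddress

# Constructed stand-ins for the thread's topology (not real addresses from the page
# except the 10.x ones): external default gateway placeholder, Cisco VPN router, VPN host.
DEFAULT_GW = "203.0.113.1"      # placeholder for the 196.xxx.xx.xx external gateway
VPN_ROUTER = "10.10.10.254"     # Cisco router that terminates the VPN
VPN_HOST = "10.11.1.52"         # server hosting the URL on the far side of the VPN

def parse_range(spec):
    """Accept an ISA console range 'a.b.c.d-e.f.g.h' or a CIDR and return networks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]

def is_internal(internal_ranges, ip):
    """ISA network-object semantics: anything not in INTERNAL is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for spec in internal_ranges for net in parse_range(spec))

def select_route(routes, ip):
    """Longest-prefix match over (destination_cidr, gateway), like the OS routing table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dest, gw in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def diagnose(routes, internal_ranges, ip):
    """Return (chosen gateway, list of problems) for traffic from ISA to ip."""
    gw = select_route(routes, ip)
    problems = []
    if gw == DEFAULT_GW:
        problems.append("no specific route: packet leaves via the external NIC")
    if not is_internal(internal_ranges, ip):
        problems.append("destination not in INTERNAL network object: ISA treats it as EXTERNAL")
    return gw, problems

# Before: only the default route and the on-link internal subnet; INTERNAL covers 10.10.10.0/24 only.
ROUTES_BEFORE = [("0.0.0.0/0", DEFAULT_GW), ("10.10.10.0/24", "10.10.10.1")]
INTERNAL_BEFORE = ["10.10.10.0-10.10.10.255"]
# After: 'route -p add 10.11.1.0 mask 255.255.255.0 10.10.10.254' and the range added to INTERNAL.
ROUTES_AFTER = ROUTES_BEFORE + [("10.11.1.0/24", VPN_ROUTER)]
INTERNAL_AFTER = INTERNAL_BEFORE + ["10.11.1.0-10.11.1.255"]

if __name__ == "__main__":
    print("before:", diagnose(ROUTES_BEFORE, INTERNAL_BEFORE, VPN_HOST))
    print("after: ", diagnose(ROUTES_AFTER, INTERNAL_AFTER, VPN_HOST))
```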

Author Comment

by:Windindi
ID: 40523327
Hi,

I added the range to the internal NIC and everything is connecting now. I'm now able to get to the URL. Thank you very much!!!
LVL 51

Expert Comment

by:Keith Alabaster
ID: 40523331
More than welcome - glad you have it addressed - no pun intended!!

Keith