ISA 2004 Question

I have had ISA 2004 installed on my SBS 2003 server every since it was put
into service and it has never allowed LAN workstations to access the
Internet without having proxy settings in the web browser. I had to do a
restore recently and after that was completed I noticed that if I unchecked
the use proxy check mark in my browser I could still access Internet pages
and of course my restricted web page settings were being ignored because of
not using the server proxy. The proxy is working because when I have the
proxy in the browser check to use it does block the web pages in my "denied"
list. Can anyone give me a place to look for something that may have changed
that would cause this symptom?

The restore was done from a full server backup that was only a few days old.

Thanks for your suggestions.

Jeff

Jeff Teel wrote:

> I have had ISA 2004 installed on my SBS 2003 server every since it
> was put into service and it has never allowed LAN workstations to
> access the Internet without having proxy settings in the web browser.
> I had to do a restore recently and after that was completed I noticed
> that if I unchecked the use proxy check mark in my browser I could
> still access Internet pages and of course my restricted web page
> settings were being ignored because of not using the server proxy.
> The proxy is working because when I have the proxy in the browser
> check to use it does block the web pages in my "denied" list. Can
> anyone give me a place to look for something that may have changed
> that would cause this symptom?
>
> The restore was done from a full server backup that was only a few
> days old.

Possibilities:

* there's another route to the internet (that doesn't involve going
through the SBS/ISA),
* there's a higher-priority rule that says "Allow any HTTP for all
Users"
* the Firewall Client is installed (it automatically handles proxying
for non-proxy-aware/configured applications), and there's a rule that
says "Allow any HTTP for <some set of Authenticated Users>".

How did/Could workstations reach the internet while you were restoring
the SBS?

--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net

During the restore I replaced the server with a simple router that had the
same IP address on both sides as the server did while it was in service. I
did that so the clients could still have Internet access while I was working
on the server. I have cleared the DNS cache on one of the workstations
connected to the SBS network to see if that was causing this but am still
able to access WAN web content instead of getting ISA's generic page of not
able to view web page. ISA was restored as a part of the backup as well so
it should be exactly like it was before I had to do the restore. I do have
other rules in ISA but they were there before all of this too. Right now I
suspect the firewall client but I'm not sure just what to do to it to fix
it. Is there something I need to look for in that area or am I going in the
wrong direction?

Thank you for your input Steve. I appreciate it very much.

Jeff


"Steve Foster" <> wrote in message
news:...
> Jeff Teel wrote:
>
>> I have had ISA 2004 installed on my SBS 2003 server every since it
>> was put into service and it has never allowed LAN workstations to
>> access the Internet without having proxy settings in the web browser.
>> I had to do a restore recently and after that was completed I noticed
>> that if I unchecked the use proxy check mark in my browser I could
>> still access Internet pages and of course my restricted web page
>> settings were being ignored because of not using the server proxy.
>> The proxy is working because when I have the proxy in the browser
>> check to use it does block the web pages in my "denied" list. Can
>> anyone give me a place to look for something that may have changed
>> that would cause this symptom?
>>
>> The restore was done from a full server backup that was only a few
>> days old.
>
> Possibilities:
>
> * there's another route to the internet (that doesn't involve going
> through the SBS/ISA),
> * there's a higher-priority rule that says "Allow any HTTP for all
> Users"
> * the Firewall Client is installed (it automatically handles proxying
> for non-proxy-aware/configured applications), and there's a rule that
> says "Allow any HTTP for <some set of Authenticated Users>".
>
> How did/Could workstations reach the internet while you were restoring
> the SBS?
>
> --
> Steve Foster
> For SSL Certificates, Domains, etc, visit.:
> https://netshop.virtual-isp.net

Jeff Teel wrote:

> During the restore I replaced the server with a simple router that
> had the same IP address on both sides as the server did while it was
> in service. I did that so the clients could still have Internet
> access while I was working on the server. I have cleared the DNS
> cache on one of the workstations connected to the SBS network to see
> if that was causing this but am still able to access WAN web content
> instead of getting ISA's generic page of not able to view web page.
> ISA was restored as a part of the backup as well so it should be
> exactly like it was before I had to do the restore. I do have other
> rules in ISA but they were there before all of this too. Right now I
> suspect the firewall client but I'm not sure just what to do to it to
> fix it. Is there something I need to look for in that area or am I
> going in the wrong direction?
>
> Thank you for your input Steve. I appreciate it very much.

You need to review the ISA rules, and use ISA logging to figure out how
they're getting out. The live query view can be very helpful here
(providing you configure and limit it appropriately).

--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net

On our SBS2003 it has always allowed both proxy and non-proxy IE access as
long as the ISA firewall client was installed on the PC. I think that is
how it is setup out of the box but I may be wrong. If you later installed
the firewall client on those PC's then that could be the difference.
Disabling it would prevent access, but FTP and other protocols would no
longer work from the clients.

--
Allan Williams




Jeff Teel wrote:
> I have had ISA 2004 installed on my SBS 2003 server every since it
> was put into service and it has never allowed LAN workstations to
> access the Internet without having proxy settings in the web browser.
> I had to do a restore recently and after that was completed I noticed
> that if I unchecked the use proxy check mark in my browser I could
> still access Internet pages and of course my restricted web page
> settings were being ignored because of not using the server proxy.
> The proxy is working because when I have the proxy in the browser
> check to use it does block the web pages in my "denied" list. Can
> anyone give me a place to look for something that may have changed
> that would cause this symptom?
> The restore was done from a full server backup that was only a few
> days old.
> Thanks for your suggestions.
>
> Jeff

For as long as I can remember I have never been able to access the WAN from
my LAN without having the proxy configured on the workstations. When I
purchased the hardware/software it came with SBS Premium and I installed ISA
2000 along with the firewall client on each workstation. When SBS SP1 came
out I installed that service pack and upgraded to ISA 2004. I like that
behavior because it keeps someone from connection a non-domain PC to the
network and being able to access the Internet even if they do have domain
credentials.

You mentioned disabling the Firewall client and I have tried that but am
still able to access the Internet with the proxy disabled. I'll do some more
digging around and see what I can find this evening. Thanks Allan and Steve
for your input.

Jeff




"Al Williams" <> wrote in message
news:OUY%...
> On our SBS2003 it has always allowed both proxy and non-proxy IE access as
> long as the ISA firewall client was installed on the PC. I think that is
> how it is setup out of the box but I may be wrong. If you later installed
> the firewall client on those PC's then that could be the difference.
> Disabling it would prevent access, but FTP and other protocols would no
> longer work from the clients.
>
> --
> Allan Williams
>
>
>
>
> Jeff Teel wrote:
>> I have had ISA 2004 installed on my SBS 2003 server every since it
>> was put into service and it has never allowed LAN workstations to
>> access the Internet without having proxy settings in the web browser.
>> I had to do a restore recently and after that was completed I noticed
>> that if I unchecked the use proxy check mark in my browser I could
>> still access Internet pages and of course my restricted web page
>> settings were being ignored because of not using the server proxy.
>> The proxy is working because when I have the proxy in the browser
>> check to use it does block the web pages in my "denied" list. Can
>> anyone give me a place to look for something that may have changed
>> that would cause this symptom?
>> The restore was done from a full server backup that was only a few
>> days old.
>> Thanks for your suggestions.
>>
>> Jeff
>
>

Al Williams wrote:

>
> On our SBS2003 it has always allowed both proxy and non-proxy IE
> access as long as the ISA firewall client was installed on the PC. I
> think that is how it is setup out of the box but I may be wrong. If
> you later installed the firewall client on those PC's then that could
> be the difference. Disabling it would prevent access, but FTP and
> other protocols would no longer work from the clients.

The key point about the Firewall Client is that it provides for
*authenticated* access for non-proxy-aware applications (or "dumb"
proxy-aware ones that can't do access credentials). It handles this
transparently (normally).

If you modify or relax the stock SBS ISA rules to allow unauthenticed
access, the Firewall Client and proxy settings are optional.

--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net

As Steve indicated, check your ISA firewall rules. For some LINUX systems I
had to add a rule a while back for non-authenticated access but restricted
it to only certain IP's. Perhaps you have a similar rule or have loosened
your rules to allow "All Users" rather than "SBS Internet Users" in your
internet access rules.

--
Allan Williams




Jeff Teel wrote:
> For as long as I can remember I have never been able to access the
> WAN from my LAN without having the proxy configured on the
> workstations. When I purchased the hardware/software it came with SBS
> Premium and I installed ISA 2000 along with the firewall client on
> each workstation. When SBS SP1 came out I installed that service pack
> and upgraded to ISA 2004. I like that behavior because it keeps
> someone from connection a non-domain PC to the network and being able
> to access the Internet even if they do have domain credentials.
>
> You mentioned disabling the Firewall client and I have tried that but
> am still able to access the Internet with the proxy disabled. I'll do
> some more digging around and see what I can find this evening. Thanks
> Allan and Steve for your input.
>
> Jeff
>
>
>
>
> "Al Williams" <> wrote in message
> news:OUY%...
>> On our SBS2003 it has always allowed both proxy and non-proxy IE
>> access as long as the ISA firewall client was installed on the PC. I
>> think that is how it is setup out of the box but I may be wrong. If you
>> later installed the firewall client on those PC's then that
>> could be the difference. Disabling it would prevent access, but FTP
>> and other protocols would no longer work from the clients.
>>
>> --
>> Allan Williams
>>
>>
>>
>>
>> Jeff Teel wrote:
>>> I have had ISA 2004 installed on my SBS 2003 server every since it
>>> was put into service and it has never allowed LAN workstations to
>>> access the Internet without having proxy settings in the web
>>> browser. I had to do a restore recently and after that was
>>> completed I noticed that if I unchecked the use proxy check mark in
>>> my browser I could still access Internet pages and of course my
>>> restricted web page settings were being ignored because of not
>>> using the server proxy. The proxy is working because when I have
>>> the proxy in the browser check to use it does block the web pages
>>> in my "denied" list. Can anyone give me a place to look for
>>> something that may have changed that would cause this symptom?
>>> The restore was done from a full server backup that was only a few
>>> days old.
>>> Thanks for your suggestions.
>>>
>>> Jeff

Thanks for the suggestion Al. I have cheked my Internet Access Rule and it is
set for SBS Internet Users and not All Users. The odd thing about this is
that the server was restored via a omplete back up of the OS. The backup was
done from when ISA had been working normally so I'm not sure just what
changed the servers behavior!

Thanks again

"Al Williams" wrote:

> As Steve indicated, check your ISA firewall rules. For some LINUX systems I
> had to add a rule a while back for non-authenticated access but restricted
> it to only certain IP's. Perhaps you have a similar rule or have loosened
> your rules to allow "All Users" rather than "SBS Internet Users" in your
> internet access rules.
>
> --
> Allan Williams
>
>
>
>
> Jeff Teel wrote:
> > For as long as I can remember I have never been able to access the
> > WAN from my LAN without having the proxy configured on the
> > workstations. When I purchased the hardware/software it came with SBS
> > Premium and I installed ISA 2000 along with the firewall client on
> > each workstation. When SBS SP1 came out I installed that service pack
> > and upgraded to ISA 2004. I like that behavior because it keeps
> > someone from connection a non-domain PC to the network and being able
> > to access the Internet even if they do have domain credentials.
> >
> > You mentioned disabling the Firewall client and I have tried that but
> > am still able to access the Internet with the proxy disabled. I'll do
> > some more digging around and see what I can find this evening. Thanks
> > Allan and Steve for your input.
> >
> > Jeff
> >
> >
> >
> >
> > "Al Williams" <> wrote in message
> > news:OUY%...
> >> On our SBS2003 it has always allowed both proxy and non-proxy IE
> >> access as long as the ISA firewall client was installed on the PC. I
> >> think that is how it is setup out of the box but I may be wrong. If you
> >> later installed the firewall client on those PC's then that
> >> could be the difference. Disabling it would prevent access, but FTP
> >> and other protocols would no longer work from the clients.
> >>
> >> --
> >> Allan Williams
> >>
> >>
> >>
> >>
> >> Jeff Teel wrote:
> >>> I have had ISA 2004 installed on my SBS 2003 server every since it
> >>> was put into service and it has never allowed LAN workstations to
> >>> access the Internet without having proxy settings in the web
> >>> browser. I had to do a restore recently and after that was
> >>> completed I noticed that if I unchecked the use proxy check mark in
> >>> my browser I could still access Internet pages and of course my
> >>> restricted web page settings were being ignored because of not
> >>> using the server proxy. The proxy is working because when I have
> >>> the proxy in the browser check to use it does block the web pages
> >>> in my "denied" list. Can anyone give me a place to look for
> >>> something that may have changed that would cause this symptom?
> >>> The restore was done from a full server backup that was only a few
> >>> days old.
> >>> Thanks for your suggestions.
> >>>
> >>> Jeff
>
>
> .
>

JT wrote:

> Thanks for the suggestion Al. I have cheked my Internet Access Rule
> and it is set for SBS Internet Users and not All Users. The odd thing
> about this is that the server was restored via a omplete back up of
> the OS. The backup was done from when ISA had been working normally
> so I'm not sure just what changed the servers behavior!

If the ruleset hasn't changed, then the behaviour won't have done
either. You've simply not been aware of the fact.

You need to use the monitoring capabilities to see which rule is
allowing access.

--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net