pantscat (25th November 2008)
Hi All,
I'm having a Friday moment. My brain is winding down ready for the weekend...
Currently we have ISA 2006 setup as firewall and proxy (two NICs, one internal and one straight out to the 'net).
We have an access rule that currently allows the 'internal' network to get HTTP access to the 'external' network.
At present if a PC is configured with the ISA box as its default gateway it will happily get out to the internet without any proxy settings. I want this to stop.
Obvious answer is to remove the D/G from DHCP - but surely there must be a way to allow only proxy requests out to the internet?
I've tried changing the access rule to remove 'internal' and replace it with 'local host' but this doesn't work.
I'm sure I'm missing something really obvious... but I can't figure it out!
Any suggestions would be gratefully received...
Ta,
Ant
Hi,
Where is your router then? Is the ISA server acting as a router?
I assume you have the clients' proxy server settings in IE set to your ISA server and the users cannot change the proxy settings?
If not, I would do that first. If you could elaborate a bit more on your setup it would be useful to suggest a solution.
Cheers


If you have a web access rule like the one described here:
Configuring ISA Server 2006 Firewall Rules
you might edit it and rein in the "Internal" part to just IPs of your proxy.
@leegcvcc - Yep proxy settings are set by GPO - but teachers occasionally bring in their own devices and like to hop on our wifi now and again.
Yes the ISA box is acting as the router too.
@Tom - at the moment the rule allows all outgoing protocols, but I'm going to restrict it to just port 80 and 443 traffic. Your suggestion to edit the 'internal set' gives me an idea... I could create a custom 'network set' that only contains the IP of the proxy... it might work.
<strokes chin> Hmm... </strokes chin>
You should configure your rule to use authenticated users and not All users. This way only active directory users will be able to use the internet.
Also you could segment your network by placing the ISA internal NIC on a separate subnet. Configure routing on your core switch. This way the internal clients have a different IP as default gateway. Now you can use a GPO to configure the clients as proxy clients.
bio..
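The two suggestions above (restricting the source side of the access rule, and switching the rule from "All Users" to authenticated users) can be built as one ISA rule with a script run on the ISA box. The PowerShell below is an added example and is not from this thread or from any of the posters; it drives the ISA Server administration COM object (FPC.Root). The object, property and collection names and the numeric constants are as I recall them from the ISA Server 2004/2006 SDK and are assumptions to check against the SDK documentation, as is the rule name. Run it on the ISA server as a member of the ISA Server Administrators role.

```powershell
# Added example: build an ISA 2006 access rule that lets only authenticated
# web-proxy clients reach the External network over HTTP/HTTPS.
# Assumptions (not from the thread): FPC.Root and the property names and
# constant values below are as in the ISA Server 2004/2006 SDK. Verify them
# against the SDK before running this on a production array.

$RuleName = "Proxy clients to Internet (HTTP/HTTPS)"   # assumed rule name

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

# Remove any previous copy of the rule so the script can be re-run safely.
foreach ($r in @($rules)) {
    if ($r.Name -eq $RuleName) { $rules.Remove($RuleName) }
}

$rule = $rules.AddAccessRule($RuleName)
$rule.Action = 0                                  # fpcPolicyRuleActionAllow

# Source: the Internal network. ISA evaluates a web-proxy request against the
# original client's address, not the proxy's own, so a source of "Local Host"
# only matches traffic originating on the ISA box itself.
$rule.SourceSelectionIPs.Networks.Add("Internal", 0)        # 0 = fpcInclude
$rule.DestinationSelectionIPs.Networks.Add("External", 0)

# Protocols: HTTP and HTTPS only, instead of "All outbound traffic".
$rule.AccessProperties.ProtocolSelectionMethod = 1          # fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.Add("HTTP", 0)
$rule.AccessProperties.SpecifiedProtocols.Add("HTTPS", 0)

# Users: require authentication. A SecureNAT client (ISA as default gateway,
# no proxy setting) cannot present credentials, so it no longer matches this
# rule; a web-proxy client authenticated through the Web Proxy Filter does.
$rule.AccessProperties.UserSets.Add("All Authenticated Users", 0)

$rules.Save()
Write-Host "Created rule '$RuleName'. Apply the pending change in ISA Server Management."
```

Rule order matters in ISA: the new rule must sit above any broader allow rule (such as an "All outbound traffic, All Users" rule), or the broader rule will still match first. After saving, confirm the behaviour from a client that has the ISA box as its gateway but no proxy setting: a direct browser request should now be denied, while the same client with the proxy setting applied (and a domain logon) should get through.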
Have changed the firewall rule so that only the proxy is allowed through but I still get a 502 error from a proxying client.
Very odd...


Your proxy definitely has the ISA box set as its gateway?
Which proxy are you using right now? Might be able to point out some troubleshooting tools if I know the proxy.
ISA is the proxy... (same box).


Can the ISA server itself still browse the web? Are there also rules for who may access the proxy?
The ISA server itself can still browse the web...
That's interesting... there aren't any specific access rules for who can access the proxy.
What type of rule would be required for that?


***invoke***
(I've just summoned RobF... he's better at ISA than me)