  1. #1


    ISA 2006 - proxy/default gateway question

    Hi All,

    I'm having a Friday moment. My brain is winding down ready for the weekend...

    Currently we have ISA 2006 set up as firewall and proxy (two NICs, one internal and one straight out to the 'net).

    We have an access rule that currently allows the 'internal' network to get HTTP access to the 'external' network.

    At present if a PC is configured with the ISA box as its default gateway it will happily get out to the internet without any proxy settings. I want this to stop.

    Obvious answer is to remove the D/G from DHCP - but surely there must be a way to allow only proxy requests out to the internet?

    I've tried changing the access rule to remove 'internal' and replace it with 'local host' but this doesn't work.

    I'm sure I'm missing something really obvious... but I can't figure it out!

    Any suggestions would be gratefully received...

    Ta,

    Ant

  2. #2

    Hi,

    Where is your router then? Is the ISA server acting as a router?

    I assume you have the clients' proxy server settings in IE set to your ISA server and the users cannot change the proxy settings?

    If not I would do that firstly. If you could elaborate a bit more on your setup it would be useful to suggest a solution.

    Cheers

  3. #3


    tom_newton
    Quote, originally posted by pantscat:

        Hi All,

        We have an access rule that currently allows the 'internal' network to get HTTP access to the 'external' network.

        Ant

    Does this rule specifically allow only this (i.e. port 80 only) or is it a general NAT rule? Unfortunately, our copy of ISA is currently kaput, so I have no test net to play with (not that I am much cop at ISA... RobF is the man for that!)

  4. #4


    tom_newton
    If you have a web access rule like the one described here:
    Configuring ISA Server 2006 Firewall Rules
    you might edit it and rein in the "Internal" part to just IPs of your proxy.

  5. #5

    @leegcvcc - Yep proxy settings are set by GPO - but teachers occasionally bring in their own devices and like to hop on our wifi now and again.
    Yes the ISA box is acting as the router too.

    @Tom - at the moment the rule allows all outgoing protocols, but I'm going to restrict it to just port 80 and 443 traffic. Your suggestion to edit the 'internal set' gives me an idea... I could create a custom 'network set' that only contains the IP of the proxy... it might work.

    <strokes chin> Hmm... <\strokes chin>

  6. #6
    bio
    You should configure your rule to use authenticated users and not All Users. This way only Active Directory users will be able to use the internet.
    Also you could segment your network by placing the ISA internal NIC on a separate subnet. Configure routing on your core switch. This way the internal clients have a different IP as default gateway. Now you can use a GPO to configure the clients as proxy clients.

    bio..

  7. #7

    Have changed the firewall rule so that only the proxy is allowed through but I still get a 502 error from a proxying client.

    Very odd...

  8. #8


    tom_newton
    Your proxy definitely has the ISA box set as its gateway?
    Which proxy are you using right now? Might be able to point out some troubleshooting tools if I know the proxy.

  9. #9

    ISA is the proxy... (same box).

  10. #10


    tom_newton
    Can the ISA server itself still browse the web? Are there also rules for who may access the proxy?

  11. #11

    The ISA server itself can still browse the web...

    That's interesting... there aren't any specific access rules for who can access the proxy.

    What type of rule would be required for that?

  12. #12


    tom_newton
    ***invoke***

    (I've just summoned RobF... he's better at ISA than me)

  13. Thanks to tom_newton from:

    pantscat (25th November 2008)
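
A client-side check for the goal discussed in this thread, added here as an example and not written by any of the posters: it requests a test page once directly (through the default gateway, no proxy settings) and once through the ISA web proxy, and the intended result is direct blocked, proxy allowed. The proxy host name, port 8080 and the test URLs are assumed placeholders.

```powershell
# Added example. Run on a client whose default gateway is the ISA box.
# Assumed placeholders: replace with your own values.
$ProxyHost = 'isa.example.internal'   # hypothetical internal name of the ISA server
$ProxyPort = 8080                     # assumed web proxy listener port
$Urls      = 'http://www.example.com/', 'https://www.example.com/'

function Test-WebEgress {
    param([string]$Url, [System.Net.IWebProxy]$Proxy, [int]$TimeoutMs = 5000)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Proxy   = $Proxy
    $req.Timeout = $TimeoutMs
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return @{ Allowed = $true; Detail = "HTTP $code" }
    } catch {
        # Timeouts, resets and proxy error responses (403/502) all end up here.
        return @{ Allowed = $false; Detail = $_.Exception.Message }
    }
}

# An empty WebProxy means "no proxy": traffic goes straight to the default gateway.
$direct = New-Object System.Net.WebProxy
$viaIsa = New-Object System.Net.WebProxy("http://${ProxyHost}:$ProxyPort")
# Send the logged-on user's credentials in case the rule requires authentication.
$viaIsa.UseDefaultCredentials = $true

$results = foreach ($url in $Urls) {
    foreach ($path in @(@{ Name = 'direct'; Proxy = $direct }, @{ Name = 'proxy'; Proxy = $viaIsa })) {
        $r = Test-WebEgress -Url $url -Proxy $path.Proxy
        New-Object psobject -Property @{
            Url = $url; Path = $path.Name; Allowed = $r.Allowed; Detail = $r.Detail
        }
    }
}
$results | Format-Table Url, Path, Allowed, Detail -AutoSize

# Intended policy: every 'direct' row blocked, every 'proxy' row allowed.
$unexpected = @($results | Where-Object {
    ($_.Path -eq 'direct' -and $_.Allowed) -or ($_.Path -eq 'proxy' -and -not $_.Allowed)
})
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) result(s) do not match the intended policy."
} else {
    'Direct egress is blocked and proxied egress works.'
}
```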
