Wednesday, August 15, 2012 1:01 PM
We have ISA Sever 2004 with two NICs (virtual server on ESX server). Network configuration was set-up using the Back-Firewall template in ISA. Standard NIC configuration applies: Internal (no GW, internal DNS set); External (GW, no DNS set). There are several VLANs configured, so we created some persistent routes as well.
Created one single rule: Allow HTTP and HTTPS from Internal to External for all users just for testing purposes....now, when I set proxy settings in the client (WinXP pc) to ISA IP address and the default port (8080) I cannot access the Internet. When I create those same settings on the ISA server itself, it all works fine.
I created a logging rule to log attempts from that pc and this is what it reports:
There is no "Denied Connection" action at all...it simply closes the connection and that is it...I am worried about the "Unidentified IP Traffic" under protocol - shouldn't it say http or similar? Any help would be greatly appreciated!
Wednesday, August 15, 2012 1:46 PM
Webproxy Client Support is activated in the ISA Server network and is set to port 8080?
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
Wednesday, August 15, 2012 1:47 PM
yes it is...I forgot to add that detail...
Wednesday, August 15, 2012 11:18 PM
Make sure IIS doesn't run on these ISA machines.
I would point the ISA's internal IP as the default Gateway IP on one of the clients and try.
Thursday, August 16, 2012 8:22 AM
I already tried setting ISA server as the default gateway on one of the machines but that didn't help...IIS is not running on ISA
Its frustrating that ISA is not giving more information and not throwing any errors - it simply said the connection has been gracefully closed! The only odd thing I can see is in the Event Viewer there is an event ID 1053 - source: Usernev - description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted. Off course, RPC service is running and I assume this is due to the fact that the GW is not set on the internal network (or am I wrong?)...
Monday, August 20, 2012 7:15 AMModerator
Thank you for the post.
“There are several VLANs configured,” – please add the internal vlan subnets to the network definition for “Internal” in ISA server. if you have the L3 switch to route the vlan traffic, the vlan client’s gateway should be point to L3 switch.
Nick Gu - MSFT
- Proposed As Answer by Nick Gu - MSFTMicrosoft Contingent Staff, Moderator Thursday, August 30, 2012 4:14 AM
- Marked As Answer by Nick Gu - MSFTMicrosoft Contingent Staff, Moderator Monday, September 03, 2012 2:18 AM
- Unmarked As Answer by DINO13 Thursday, September 06, 2012 2:45 PM
- Unproposed As Answer by DINO13 Thursday, September 06, 2012 2:47 PM
Thursday, September 06, 2012 2:47 PM
I appologise for a late reply...vlan subnets are indeed added to the internal network definition and the L3 switch is the gateway...
Thursday, September 06, 2012 2:57 PM
Seems like an RPC issue.... In TMG edit system policy, under Authentication Services REMOVE the check mark for "Enforce Strict RPC Compliance". Ok and apply the changes, after that, right click the access rule that allows traffic to flow for internal traffic, select "configure rpc protocol" then remove the check mark from "enforce strict RPC compliance". Ok it and apply changes... Then, try again.
- Edited by 01Blackerado Thursday, September 06, 2012 2:58 PM
Friday, September 07, 2012 7:33 AMDid what you suggested - no change, still the same issue....
Friday, September 07, 2012 12:42 PM
Sorry, I read the post regarding the RPC Event Error which is what lead me to that. I noticed you said you used the backend firewall template instead of the edge firewall. Essentially they will acomplish the same thing except backend is typically used in conjunction with Front End Firewall. If you dont have a Front End firewall, and your current firewall is directly connected to the ISP, then try setting a public DNS on the external NIC, like google 184.108.40.206 and or 220.127.116.11.
Aside from that, I'm out of ideas without a little more data from you.
-Show the rule that you set for the access
-Show the Network Rules
Friday, September 07, 2012 12:57 PMI tried that earlier too (setting the public DNS on the external NIC) but no luck. The reason I'm using the back firewall template is because we indeed have front end firewall - Cisco ASA. Originally, I did deploy the edge firewall template but it had the same issue...I scheduled an extensive meeting with network guys to go over ASA configuration to check if there are some issues there...will report back
Friday, September 07, 2012 1:19 PMOh nice! Ok sounds good