
Sticky: Welcome to the Forefront Edge Security Installation, Upgrade, and Setup Forum!

  • Sunday, March 18, 2007 9:24 AM Nathan Bigman (MSFT, Owner)
     

    Welcome to the Forefront Edge Security Installation, Upgrade, and Setup Forum!

    In this space you can post ideas, questions, or issues that you encounter when installing, upgrading or setting up ISA Server.

    A broad range of IT professionals, Microsoft employees, and MVPs will take part in these discussions, which we expect to be interesting and helpful. We look forward to your participation.

All Replies

  • Friday, October 19, 2007 2:24 PM Ricksgma
     

    Nathan;

     

    I just purchased ISA 2006. I installed it and was unhappy with the client access response time when we request web pages from the internet. I tried again, but I am still not convinced I am getting the configuration correct. My first problem is that I cannot configure my allow rule using the built-in networks Internal and External. I must use All Networks or I don't get any access at all. I would like to start with this problem and then move on to creating a rule that restricts all access to certain IP addresses. Finally, I still have the issue of sluggish response when my clients use the internet.

     

    thanks

     

    rick

     

     

  • Wednesday, October 24, 2007 10:55 AM David Maskell
     

    Hi Rick,

     

    In order to create a rule to access the internet, for HTTP and HTTPS for example, it needs to look something like this:

     

    From: Internet
    To: External
    Protocols: HTTP, HTTPS
    Users: All Users

     

    That will give you a basic outbound access rule.

     

    Then, within that rule in your destination or TO tab, you can create a list of IPs/domains/URLs which can be an exception to the rule, in which case access to those IPs will be denied. I would also suggest that you turn on authentication for a browsing rule; it makes it easier to track who is doing what from a logging point of view.

     

    Let me know how it goes!

     

    Dave.

     

  • Thursday, October 25, 2007 7:26 PM Ricksgma
     

    I tried your example above. If I try to use the Internal network in the From tab and the External network in the To tab, I get no access. The only way I get access is to use All Networks in the From tab and All Networks in the To tab. Then I have access.

     

    I think this is a problem I need to resolve. I have tried several things that have not worked. Do you have any suggestions?

     

    rick

     

     

  • Thursday, October 25, 2007 9:00 PM David Maskell
     

    Firstly, let's discuss how your ISA is set up.

     

    Do you have 2 NICs?

     

    The internal network is everything you should define as 'behind' the ISA firewall; external represents everything that is not defined. The problem with the way you have made it work is that it is basically an any <-> any rule, which is obviously not a good thing from a security point of view.

     

    In my opinion, one of two things is wrong.

     

    1. Either your internal network is not defined correctly.

    2. Or you have somehow changed your NAT rules.

     

    But let's discuss further once you have mentioned your ISA setup.

     

    Thanks,

     

    Dave.

     

  • Tuesday, October 30, 2007 6:57 PM Ricksgma
     

    I have 2 NICs. The internal network is set up with a range of IP addresses starting with 172.23.51.2 and ending with 172.23.51.254. The internal NIC does not have any gateway or DNS configured. The external NIC has a public IP address, gateway, and DNS server designations.

     

    Dave, is it possible to correspond through my company email address? It's rlorentz@siimex.com. This would be better for me. I am also willing to do a live meeting if required.

     

    thanks

     

    rick