Re: Can not access web from ISA Server
- From: "Marc Everlove" <techknow@xxxxxxxxxx>
- Date: Wed, 16 Nov 2005 20:53:34 -0800
Wow, I thought you had given up on me...
Ok, generally speaking, you have assumed correctly on basically all counts.
I do however have many websites using host headers. Beyond that I am running
a mail server and a stats server. I have a domain controller. I would like
to break my network down into 3 subnets. Currently I am accomplishing this
with routers. I have a network printer that I may or may not print to from
remotes (I can put this outside if easier...) There is another non-network
printer that I would like to access from 2 of the 3 subnets.
1 subnet needs to have internet access but other than that, be completely
quarantined from everything else. This subnet is the "bench" and is used for
repair and often virus remediation. As you can see I want this one as
sterile as possible.
Thank you for your patience with my security noobishness... I have been
dragged into the security arena kicking and screaming. I am a web developer
at heart and find myself thrown into all of this. I have my MCSE, but none
of my courses were security (beyond the basics) oriented... I am as you can
imagine lamenting my course selections...
Apparently, I will have to become expert. Judging by the sophistication of the
malware I am seeing, it seems that is what everybody needs...
Marc Everlove
"Phillip Windell" <@.> wrote in message
news:uHCW5vt6FHA.3544@xxxxxxxxxxxxxxxxxxxxxxx
> Ok, so I will go on the assumption that the ISA is "on the edge" and there
> is no DMZ or other firewalls. Then I will assume you are looking for basic
> Internet access for users and will require user authentication and I am
> assuming that you are only intending to use the Web Proxy Service and not
> the Firewall Service or the SecureNAT Service. Then I assume you need to
> publish a web site that is behind the ISA. I am also forced to assume that
> the ISA was "generally" configured properly during the install.
> Still an awful lot of assumptions.
>
> Your rules for users would be like this:
>
> First create a "object" for the users (or group) in the Toolbox in the
> right-side of the MMC. Then the user's workstations need the proxy settings
> entered into the browser. These are unique to each user. Then:
>
> Action: Allow
> From: Internal
> To: External
> Users: <the object you created earlier>
> Protocols: HTTP, HTTPS, (FTP and Gopher optional)
> [no other protocols are handled by the Web Proxy Service]
>
> For publishing the web server I assume it is already behind the ISA on the
> LAN with private IP#s and functioning properly. *Note*: If the Web Server is
> poorly configured with respect to security (particularly the website design)
> ISA will *not* prevent it from being attacked,...if the attacks come in on
> port 80 via HTTP,...then they will still do so after it is published. The
> first line of defense for a web server is always the web server
> itself,...slapping a firewall in front of it does not help that.
>
> Right-click on Firewall Policy and choose New Web Publishing Rule. Follow
> the prompts. There is too much there for me to type all that stuff out.
>
> *Note*, by default you cannot sit at the ISA and "browse the Net". None of
> what I have described will change that,...you still won't be able to. ISA
> must become a "client of itself" and use its own proxy settings in its own
> browser and you must configure an Access Rule just for it. It will be just
> like the other Rule except that it will be "From: LocalHost" instead of
> "From: Internal". You could also add LocalHost to the existing Rule under the
> "From:"
>
> There is considerable information in the links that are always in my
> signature in every message I post, particularly the "guidance" links.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
>
>
> "Marc Everlove" <techknow@xxxxxxxxxx> wrote in message
> news:uDrMFet6FHA.2600@xxxxxxxxxxxxxxxxxxxxxxx
>> I suspected as much...
>>
>> It is on a clean install of Windows 2k3. It is a dedicated server.
>>
>> The server is fully patched and ISA has the service pack installed.
>>
>> I followed the wizard and pretty much left the default options in place due
>> to blinding ignorance.
>>
>> ISA is one of the final frontiers for me... I have been able to dodge the
>> bullet until now... Apparently I have some reading to do. I just wish I had
>> more time...
>>
>> At any rate, thanks for your response!!
>>
>> Marc Everlove
>> http://atkweb.com
>> http://victorsfunnies.com
>>
>>
>> "Phillip Windell" <@.> wrote in message
>> news:ubuJOFs6FHA.636@xxxxxxxxxxxxxxxxxxxxxxx
>> > With only three sentences it is impossible to know which of the half a
>> > dozen scenarios you could have installed it under and what you actually
>> > did when you configured it to even be able to make a wild guess at what
>> > you might have done wrong.
>> >
>> > We would need your environment & topology explained and a fairly clear
>> > explanation of what you did to ISA itself. "Out of the box" ISA does not
>> > allow anything.
>> >
>> > --
>> > Phillip Windell [MCP, MVP, CCNA]
>> > www.wandtv.com
>> > -----------------------------------------------------
>> > Understanding the ISA 2004 Access Rule Processing
>> > http://www.isaserver.org/articles/ISA2004_AccessRules.html
>> >
>> > Microsoft Internet Security & Acceleration Server: Guidance
>> > http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
>> > http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>> >
>> > Microsoft Internet Security & Acceleration Server: Partners
>> > http://www.microsoft.com/isaserver/partners/default.asp
>> > -----------------------------------------------------
>> >
>> >
>> >
>> > "Marc Everlove" <techknow@xxxxxxxxxx> wrote in message
>> > news:OjnnJok6FHA.2616@xxxxxxxxxxxxxxxxxxxxxxx
>> >> I recently installed ISA server and now I can not access the internet...
>> >>
>> >> I was working fine before I installed it. I had thought I configured it
>> >> rather liberally...
>> >>
>> >> I am running a webserver and it is getting hacked relentlessly. I would
>> >> REAAAALY like to get this sorted out...
>> >>
>> >> Thanks in advance!
>> >>
>> >> Best Regards
>> >> Marc Everlove MCSE/MCDBA
>> >>
>> >>
>> >
>> >
>>
>>
>
>