RE: ISA 2004 Connectivity to Internal Web Servers



Hello,

Thank you for using the newsgroup!

From your post, to enable internal clients to access internal web servers, I
suggest you try the following steps to see if the internal clients can
access the internal web servers successfully:

1. Open the ISA Server 2004 Admin Console.
2. Point to Configuration\Networks.
3. In the middle pane, right-click Internal and select Properties to open
the Internal Properties window.
4. In the Addresses tab, please confirm that all internal IP ranges have
been added to the list.
5. In the Domains tab, please add your local domain name to the list.
6. In the Web Browser tab, please check the following two options:
   Bypass proxy for Web servers in this network
   Directly access computers specified in the Domains tab
7. Still in the Web Browser tab, click the Add button to open the Add Server
window. You may add the internal IP range for direct access, or add a domain
and computer with the other option.

After finishing the steps above, when all internal clients attempt to
access the internal web servers, they will bypass ISA Server and access the
web servers directly.

Best Practices for Configuring Networks in ISA Server 2004
<http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bp_networks.mspx>


If the issue still occurs, please help us collect the following information:

1. When internal clients attempt to access the internal web server, what is
the exact error message?
2. How do you configure ISA server for internal access? What are the IPs of
the internal NIC and external NIC on the ISA server?
3. Are all internal clients firewall clients or S-NAT clients?
4. ISA Info 2004
-----------------------
   1. Download the file:

   http://isatools.org/isainfo/isainfo.zip

   or you may search http://www.isatools.org to find ISAInfo for ISA 2004

   2. Extract the file and run ISAInfo.js on ISA Server. It will generate two
   files (.xml and .log); please send them to me (v-kzhao@xxxxxxxxxxxxx).

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
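
Added example, not part of the original post and not the script ISA Server generates: the direct-access decision that steps 4 to 7 describe, written as a PAC-style function. The domain corp.example and the proxy isa.corp.example:8080 are hypothetical, and treating "Bypass proxy for Web servers in this network" as single-label host names is an assumption of this example; only the 192.168.1.0 to 192.168.1.255 range comes from the thread.

```javascript
// Added illustration of the direct-access decision; names are assumptions
// except the 192.168.1.0-192.168.1.255 range quoted in the thread.
const INTERNAL_RANGES = [["192.168.1.0", "192.168.1.255"]]; // step 7: direct-access IP range
const LOCAL_DOMAINS = ["corp.example"];                      // step 5: hypothetical local domain
const PROXY = "PROXY isa.corp.example:8080";                 // hypothetical ISA web proxy listener

// Convert a dotted-quad IPv4 string to a number, or null if it is not one.
function ipToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// True when host is an IPv4 literal inside one of the direct-access ranges.
function inRanges(host) {
  const ip = ipToInt(host);
  if (ip === null) return false;
  return INTERNAL_RANGES.some(([lo, hi]) => ip >= ipToInt(lo) && ip <= ipToInt(hi));
}

// Match on a label boundary so "notcorp.example" is not taken for "corp.example".
function inLocalDomain(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return LOCAL_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Returns "DIRECT" when the browser should skip the proxy, else the proxy string.
// No DNS lookup is done here: a host name is judged by its name only.
function FindProxyForURL(url, host) {
  if (ipToInt(host) === null && !host.includes(".")) return "DIRECT"; // single-label name
  if (inRanges(host)) return "DIRECT";       // internal IP range
  if (inLocalDomain(host)) return "DIRECT";  // Domains tab entry
  return PROXY;
}
```

A destination that returns the proxy string here is the case in which the web server logs the ISA server's address instead of the client's own.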




--------------------
| Thread-Topic: ISA 2004 Connectivity to Internal Web Servers
| From: Smurfman <smurfman@xxxxxxxxxxxxxx>
| Subject: ISA 2004 Connectivity to Internal Web Servers
| Date: Tue, 15 Aug 2006 11:42:02 -0700
|
| I am having trouble getting my internal network clients to connect to
| internal web servers, well at least properly. It appears that the ISA
| server is NAT'ing the internal address when going to a specific internal
| web server.
|
| The web server is designed with an application that specifies what
| particular group a specific machine will belong to when connecting. For
| example, IT Department would connect to the web server, and depending on
| the IP address of the machine connecting it will assign the allocated
| programs for that group, etc etc. Accounting might have another group,
| and so forth.
|
| By default install there was one Firewall Rule, a deny all, anywhere.
|
| I added an (All Access) rule that basically lets members of the User
| Group Administrators (tied to the AD Domain Admins) go anywhere. The rule
| specifies any outgoing protocol, from "Internal" and "Local Host" to the
| default "All Networks (and Local)" and Administrators is allowed.
|
| With this rule in place I can hit the internal web server from my client,
| but instead of hitting it as my local ip address I am NAT'ed as the ISA
| server.
|
| I then tried to add a "Network Rule" that was specific to this Web Server,
| that basically said Anything Internal with a Destination to the
| webserver, is "Routed" instead of NAT. I moved this above the default
| rule #3 which was NAT all Internal to External.
|
| My old ISA 2000 server does not have this problem, in fact all I had to
| do was add to the web browser to bypass proxy for the ip address of the
| web server and all was well.
|
| The old ISA 2000 client also did not have much config for web browsers,
| and I note that change in the new 2004 version.
|
| Not sure what more I can share, but this is a test server, and I have
| only that one rule, and one network rule that I have added.
|
| Also, by default when the server was installed, the second NIC card which
| points to the External Firewall as its gateway, was added into the
| Internal Network, but I removed that, in fact I simplified what I was
| seeing to have only 192.168.1.0 to 192.168.1.255 as the Internal Network
| definition.
|
| Much appreciated.
| J