RE: Unable to allow Internet Access from ISA Server Machine



OK, I see. So no matter what I do to the Local Host network, it's really
going to look at the Internal Network for the settings.

If I have two NICs, would the scenario be different? Also, I've done some
reading on how IE 7 works with ISA and Kerberos. Some users have found that
if they un-check the NT Authentication box, in IE, they don't have the
repeated authentication prompts. Do you have any ideas on this one?
--
Sandy Wood
Orange County District Attorney


"Ash" wrote:

With a unihomed scenario, you cannot set different auth methods per network
(which usually works) since there is pretty much only one proxy listener for
all the outgoing traffic through the ISA.
That's where the source and destination always appear to be the internal
network.

"Sandy Wood" wrote:

Thanks for the info. I've got my ISA Server set up exactly this way. I would
love to be able to allow Basic Auth only on the Local Host and get it to work
for traffic from the ISA Server itself. It doesn't seem to be able to.
--
Sandy Wood
Orange County District Attorney


"Ash" wrote:

Maybe this can explain this.

http://www.microsoft.com/technet/isa/2004/plan/single_adapter.mspx#EGC

Configuring ISA Server with a Single Network Adapter
When you install ISA Server on a computer with a single network adapter, ISA
Server is only aware of two networks: the Local Host network that represents
the ISA Server computer itself, and the Internal network, which includes all
unicast Internet Protocol (IP) addresses that are not part of the Local Host
network. In this configuration, when an internal client browses the Internet,
ISA Server sees the source and destination addresses of the Web request as
belonging to the Internal network.

HTH

"Sandy Wood" wrote:

I've got an app on my ISA server (unihomed) that needs to access the web to
download database updates nightly. It requires Basic Authentication.

On our ISA 2004 SP3, we've got the Internal network configured with NT
Authentication only. The app we're using needs Basic but we don't want Basic
turned on for our Internal network.

I configured the Local Host network to enable Web Proxy client connections
to allow the ISA Server web access. I've configured authentication with Basic
only, Basic and NT and I cannot get out. The logs show two entries:

Denied Connection ISASERVER 5/25/2007 2:58:32 PM
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request.
Access to the Web Proxy service is denied.
Rule:
Source: ( 172.23.4.34:0)
Destination: ( 172.23.4.34:80)
Request: POST http://ddsdom.websense.com/cgi-bin/nph-wsget20.exe
Filter information: Req ID: 123641ee
Protocol: http
User: anonymous


If I turn on Basic Authentication on the Internal Network, I get in, the
logs show:

Denied Connection ISASERVER 5/25/2007 2:58:32 PM
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request.
Access to the Web Proxy service is denied.
Rule:
Source: ( 172.23.4.34:0)
Destination: ( 172.23.4.34:80)
Request: POST http://ddsdom.websense.com/cgi-bin/nph-wsget20.exe
Filter information: Req ID: 123641ee
Protocol: http
User: anonymous

Allowed Connection ISASERVER 5/25/2007 3:00:12 PM
Log type: Web Proxy (Forward)
Status: 200 OK
Rule: Default DA Access
Source: Local Host ( 172.23.4.34:0)
Destination: External ( 204.15.67.80:80)
Request: POST http://ddsdom.websense.com/cgi-bin/nph-wsget20.exe
Filter information: Req ID: 12364d25
Protocol: http
User: my.domain.com\my.loginname@xxxxxxxxxxxxxxxxx

Do I need to take the ISA Server out of the Internal network to make this
work? It seems like traffic from the ISA Server is always getting routed to
the Internal Network despite what I configure in the Local Host network.

--
Sandy Wood
Orange County District Attorney
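
Added example, not part of the original posts: a small Python triage helper for log text in the layout quoted above. It treats a 12209 denial that is followed by an Allowed entry for the same request as the proxy's authentication challenge being answered, and reports only the denials that never got through. The host name, addresses, URLs, user and the 120-second window are constructed placeholders and assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the entries quoted in the thread (all values are placeholders).
SAMPLE = """\
Denied Connection PROXY01 5/25/2007 2:58:32 PM
Status: 12209 The ISA Server requires authorization to fulfill the request.
Source: ( 192.0.2.10:0)
Request: POST http://updates.example.test/get
User: anonymous

Allowed Connection PROXY01 5/25/2007 3:00:12 PM
Status: 200 OK
Source: Local Host ( 192.0.2.10:0)
Request: POST http://updates.example.test/get
User: EXAMPLE\\svc-update

Denied Connection PROXY01 5/25/2007 3:10:00 PM
Status: 12209 The ISA Server requires authorization to fulfill the request.
Source: ( 192.0.2.10:0)
Request: POST http://other.example.test/fetch
User: anonymous
"""

HEADER = re.compile(r"^(Denied|Allowed) Connection (\S+) (\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)$")

def parse_entries(text):
    """Split the viewer-style text into dicts, one per log entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # header line starts a new entry
            entries.append({"action": m.group(1), "server": m.group(2),
                            "time": datetime.strptime(m.group(3), "%m/%d/%Y %I:%M:%S %p")})
        elif entries and ":" in line:  # "Key: value" field of the current entry
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def unresolved_denials(entries, window=timedelta(seconds=120)):
    """Return 12209 denials with no later Allowed entry for the same request."""
    def answered(d):
        return any(a["action"] == "Allowed" and a.get("Request") == d.get("Request")
                   and timedelta(0) <= a["time"] - d["time"] <= window for a in entries)
    return [e for e in entries if e["action"] == "Denied"
            and e.get("Status", "").startswith("12209") and not answered(e)]
```

Calling `unresolved_denials(parse_entries(SAMPLE))` leaves only the 3:10:00 PM entry, the one request that was challenged and never retried with credentials.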