RE: ISA 2004 Rules
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Tue, 23 Aug 2005 03:39:23 GMT
Dear Jeff:
Thank you for posting here.
From your description, I understand that you cannot access a particular
page of a banking site from the internal workstations, but you can do that
from the ISA server. If I am off base, please feel free to let me know.
Generally speaking, there is a little difference when you access the
internet website from the ISA server itself. In SBS environment, by default
HTTP requests from ISA2004 server are allowed to all destination sites. The
rule is involved in "System Policy Rules" (different from the Access Rule).
This rule will be automatically created after we run the CEICW Wizard.
Here I would like to provide the following suggestion:
1. Create an Allow access rule for the workstation as follows:
Action: Allow
Protocols: All Outbound Traffic
From: Internal
To: External
Condition: All Users or SBS Internet Users
2. Open ISA2004 Management Console, in the left panel, expand to
Configuration->Networks. Under "Networks panel", double click "Internal".
Switch to "Web Proxy" panel, click "Authentication...". Uncheck the "Require
all users to authenticate" option.
3. Configure this particular site for direct access.
a. Open ISA management console, expand the server name. Expand the
Configuration node and click the Networks node.
b. In the details pane, click the Networks tab and then double click the
Internal Network.
c. In the Internal Properties dialog box, click the Web Browser tab. On the
Web Browser tab, click the Add button.
d. In the Add Server dialog box, select the Domain or computer option and
enter the name of the site that you want Direct Access to be used. In this
example, one of the sites that we require Direct Access is the
www.banking.com domain. Enter *.banking.com in the text box (you may also
add the domain name of the PDF file). Click OK. Click Apply to save the
changes and then update the firewall policy.
e. Restart the client computer to update the configuration, or you can
use the Firewall client application to force the update.
Then can you access this problematic page from the workstation side this
time?
If the problem persists, please help me gather the following information:
1. What's the detailed error information when you access this page from the
workstation? Please capture a screen shot of the error page and save it as
a .JPG file. Please also capture a screen shot when you successfully access
this page from the ISA server side. Because I suspect that a non-standard
port is used for this page.
2. Have you configured all your clients as Web Proxy clients? Is firewall
client installed on your workstation?
(To configure the client as a Web Proxy client, we need to use ISA server
as the Proxy Server in IE.)
3. Please help to gather ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.
4. Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to be deleted, that's normal.) You may back them up first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.
14) Please also let me know the IP address of the testing client/server so
that I can filter the data.
You can send the .JPG file and the ISA Info/log directly to my mailbox:
v-edtian@xxxxxxxxxxxxx
I appreciate you taking time to gather the above information.
Please feel free to let me know if you have any questions or concerns, I am
standing by to help you.
Have a nice day! :)
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Jeff Teel" <jdteel@xxxxxxxxxxxx>
| Subject: ISA 2004 Rules
| Date: Mon, 22 Aug 2005 17:07:23 -0500
|
| This is a two fold question which I think at least part of it should have a
| simple answer. The first question is how much (if any) effect does ISA 2004
| have when using Internet Explorer on the server? Before you scold me for
| browsing from the server I do have a reason for doing so and that brings me
| to the second question. When accessing a banking site I can navigate all of
| the site except one area. They have one part of their site where they have
| past months statements (in PDF format). The page will load from the server
| but will not load from the workstations. The page is not loading a PDF
| document it just has links that lead to PDF documents. I talked to support
| at the bank and they said the error that they were seeing on their side was
| that my firewall would not allow the connection. That was all I could get
| from them and I don't know if they knew any more than that. Is there any
| firewall settings that would be keeping me from accessing cross-domain
| pages? I ask that because it looks like the PDF files are on a different
| domain than the one the banking data is on.
|
| Thanks
| Jeff
.
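Added example, not part of the original post and not Microsoft code: one way to filter the W3C text logs gathered in step 4 by the test client's IP address and list the destination host and port of every failed or denied request, which shows whether a second domain or a non-standard port is involved. The field names (`c-ip`, `r-host`, `r-port`, `sc-status`, `action`), the tab delimiter and every sample row are assumptions; the parser takes the column order from the `#Fields:` line of the file itself.

```python
from collections import Counter

# Constructed sample log: directives plus tab-separated rows. Field names,
# addresses, hosts and status values are illustrative, not real log data.
SAMPLE_LOG = "\n".join([
    "#Date: 2005-08-23 03:10:00",
    "#Fields: c-ip\tdate\ttime\tr-host\tr-port\tsc-status\taction",
    "192.168.16.20\t2005-08-23\t03:10:01\twww.banking.example\t443\t200\tAllowed",
    "192.168.16.20\t2005-08-23\t03:10:05\tdocs.statements.example\t8443\t403\tDenied",
    "192.168.16.20\t2005-08-23\t03:10:06\tdocs.statements.example\t8443\t403\tDenied",
    "192.168.16.20\t2005-08-23\t03:10:09\twww.banking.example\t443\t407\tDenied",
    "192.168.16.2\t2005-08-23\t03:11:00\tdocs.statements.example\t8443\t200\tAllowed",
    "192.168.16.30\t2005-08-23\t03:12:00\tnews.example\t80\t403\tDenied",
])


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names on the #Fields: line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # A new #Fields: directive may appear mid-file; always use the latest.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def failed_requests(text, client_ip):
    """Count (host, port, status) for denied or >=400 requests from client_ip."""
    hits = Counter()
    for row in parse_w3c(text):
        if row.get("c-ip") != client_ip:
            continue
        status = row.get("sc-status", "")
        denied = row.get("action", "").lower() == "denied"
        if denied or (status.isdigit() and int(status) >= 400):
            hits[(row.get("r-host", "-"), row.get("r-port", "-"), status)] += 1
    return hits


if __name__ == "__main__":
    for (host, port, status), n in failed_requests(SAMPLE_LOG, "192.168.16.20").most_common():
        print(f"{n:3d}  {host}:{port}  status={status}")
```

Comparing the output for the workstation address with the output for the ISA server's own address shows which destinations fail only for internal clients; those hosts are the candidates for the Direct Access list in step 3.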