RE: ISA blocking some client internet access?
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Fri, 30 Sep 2005 02:39:28 GMT
Hi:
Thanks for posting here.
From the description, I understand that after you applied the SBS 2003 SP1
and installed ISA Server 2004, the internal clients cannot browse the
internet except for some web pages on the Microsoft web site. If I have
misunderstood your concern, please do let me know.
Based on the ipconfig information you provided, I find that the internal IP
address and external IP address of the SBS Server are in the same subnet
schema. Both of them are using the 192.168.1.x/255.255.255.0 subnet.
Technically speaking, if we have multiple network adapters on one machine,
we should separate them into different subnets in order to avoid unexpected
problems. For example, allocate 192.168.1.1/255.255.255.0 to the external
NIC and 192.168.2.1/255.255.255.0 to the internal NIC.
Regarding the current situation, I would like to suggest you change the IP
address of either the internal NIC or the external NIC.
You can choose one of the following methods:
Method 1:
To change the IP address of the external NIC, you can follow the steps
below:
1. Open the Network Connections, double click the external network adapter,
and manually change the IP address to a different subnet (e.g.
192.168.2.1/255.255.255.0).
Note: Since a router is deployed at the SBS end and is using the IP address
192.168.1.1, which is in the same subnet as the internal NIC, you may
need to manually change the IP address of the router to 192.168.2.2.
Please do not change the IP address of the DNS Servers/Primary WINS Server
on the external NIC because they should point to the internal NIC of the
SBS box. Please also double check the DNS Server on the SBS box to see if
the DNS Forwarder is pointed to the ISP's DNS server (This step will be
done by the CEICW Wizard).
2. Open the Server management console, navigate to "Internet and E-mail",
on the right pane, click "Connect to the Internet", and then follow the
instructions in this KB article to complete the CEICW Wizard:
825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763
Method 2:
To change the IP address of the internal NIC, please try the following
steps:
1. Open the Server management console, navigate to "Internet and E-mail",
on the right pane, click "Change Server IP Address".
2. Change the internal IP address from 192.168.1.12 to
192.168.2.1/255.255.255.0 which doesn't belong to the same subnet as the
original IP address.
3. After that you can go to the client side, type "ipconfig /release" and
then type "ipconfig /renew" to obtain a new IP address from the DHCP Server.
Try accessing the internet again. Is the problem fixed?
If the problem persists, we may need to gather more information to make
sure whether the problem resides in the ISA rules or the network
connectivity. Please help me collect the following information:
1. First please re-run the CEICW Wizard; it will help to automatically
configure the internet connection. If you have completed this wizard in
Method 1, please just skip this step. To run the CEICW Wizard, you can refer to
this article:
825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763
2. On the client side, type NSLOOKUP from the command prompt, then input
some internet websites such as www.microsoft.com and www.google.com, does
name resolution work fine?
3. Does this problem occur on all the client computers? Besides some web
pages on the Microsoft site, can you browse any other web sites from the
internal clients?
4. Make sure the internal client is configured as both the Web Proxy client
and Firewall client.
To be a Web Proxy client, please open IE, click Tools->Internet Options,
and click Connections->LAN Settings, configure ISA server as your Proxy
server (you can enter either the computer name or the internal IP of the
ISA server, port 8080 by default.)
To be a Firewall client, the workstation needs to have the ISA Firewall
Client software installed.
5. Go to the ISA Server management console, on the left panel, expand to
Configuration->Networks. Under "Networks panel", double click "Internal".
Switch to "Web Proxy" panel, click "Authentication", and then uncheck the
"Require all users to authenticate" option. Can you browse the internet
this time?
If the problem persists, please help to gather the ISA log and ISA info.
(If the traffic was blocked by ISA Server, the record will be logged into the
ISA log files.)
Please help to gather the ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.
Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files may
not be able to be deleted; that's normal.) You may back them up first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.
14) Please also let me know the IP address of the testing clients so that I
can filter the data.
You can send all the files directly to my mailbox: v-edtian@xxxxxxxxxxxxx
I appreciate you taking time to perform the test. If you have any questions
or concerns, please feel free to let me know. I am glad to be of
assistance.
Enjoy your weekend! :-)
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "=?Utf-8?B?U2Vhbg==?=" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: ISA blocking some client internet access?
| Date: Thu, 29 Sep 2005 01:39:51 -0700
|
| I have just set up a new server running SBS2003 premium edition with service
| pack 1, and cannot access the internet from any client computers.
| The users have been added to the internet users group and the server can
| access the internet fully.
| Some of the web pages on the Microsoft web site can be accessed from client
| computers, but no other pages can be accessed.
| The server is set up with 2 NIC's one for the external interface and one for
| the internal interface. Like this
|
| internet
| |
| Router
| |
| sbs2003
| |
| switch
| ||||||
| Client computers
|
| The exchange email is working perfectly, and I am able to access the
| sharepoint and other internal web pages from the clients.
|
| The following is the "ipconfig /all" for one of the client computers
| ############################################################################
| Microsoft Windows XP [Version 5.1.2600]
| (C) Copyright 1985-2001 Microsoft Corp.
|
| Z:\>ipconfig /all
|
| Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : sean
| Primary Dns Suffix . . . . . . . : RegalDomain.local
| Node Type . . . . . . . . . . . . : Hybrid
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : No
| DNS Suffix Search List. . . . . . : RegalDomain.local
| RegalDomain.local
|
| Ethernet adapter Local Area Connection:
|
| Connection-specific DNS Suffix . : RegalDomain.local
| Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
| Physical Address. . . . . . . . . : 00-30-05-4A-BA-34
| Dhcp Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.1.10
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 192.168.1.12
| DHCP Server . . . . . . . . . . . : 192.168.1.12
| DNS Servers . . . . . . . . . . . : 192.168.1.12
| Primary WINS Server . . . . . . . : 192.168.1.12
| Lease Obtained. . . . . . . . . . : 28 September 2005 11:14:52
| Lease Expires . . . . . . . . . . : 06 October 2005 11:14:52
|
| Z:\>
|
| The following is the ipconfig /all for the sbs2003 server
| ############################################################################
| Microsoft Windows [Version 5.2.3790]
| (C) Copyright 1985-2003 Microsoft Corp.
|
| C:\Documents and Settings\Administrator>ipconfig /all
|
| Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : python
| Primary Dns Suffix . . . . . . . : RegalDomain.local
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : Yes
| DNS Suffix Search List. . . . . . : RegalDomain.local
|
| Ethernet adapter Server Local Area Connection:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
| Physical Address. . . . . . . . . : 00-14-22-14-5B-90
| DHCP Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 192.168.1.12
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . :
| DNS Servers . . . . . . . . . . . : 192.168.1.12
| Primary WINS Server . . . . . . . : 192.168.1.12
|
| Ethernet adapter Network Connection:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
| Physical Address. . . . . . . . . : 00-14-22-14-5B-8F
| DHCP Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 192.168.1.13
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 192.168.1.1
| DNS Servers . . . . . . . . . . . : 192.168.1.12
| Primary WINS Server . . . . . . . : 192.168.1.12
| NetBIOS over Tcpip. . . . . . . . : Disabled
|
| C:\Documents and Settings\Administrator>
| ############################################################################
| The connection out to the internet is on the 192.168.1.13 IP address NIC on
| the server.
|
| The error I receive when attempting to connect to the internet from a client
| computer is :- Error Code: 403 Forbidden. The ISA Server denied the specified
| Uniform Resource Locator (URL). (12202)
|
| I have checked the ISA server rules, and web access is enabled for SBS
| internet users.
|
| Does anyone have any ideas?
|
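
Added example, not part of the original thread or any Microsoft tool: a small Python check that parses "ipconfig /all" text and reports adapters on one host whose subnets overlap, which is the condition the reply identifies on the SBS/ISA server. The sample input is trimmed from the server output quoted above (quote markers removed); the function names are hypothetical.

```python
import ipaddress
import re
from itertools import combinations

# Trimmed from the server's "ipconfig /all" output quoted in the thread
# (quote markers removed; only the fields the check needs are kept).
SERVER_IPCONFIG = """\
Ethernet adapter Server Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.13
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s*(IP Address|Subnet Mask)[ .]*:\s*(\S+)")


def parse_adapters(text):
    """Return {adapter name: ip_interface} for adapters with an IP and mask."""
    found, name, ip = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            name, ip = m.group(1), None
        elif (m := FIELD_RE.match(line)) and name:
            if m.group(1) == "IP Address":
                ip = m.group(2)
            elif ip:  # "Subnet Mask" line following an address
                found[name] = ipaddress.ip_interface(f"{ip}/{m.group(2)}")
    return found


def overlapping_adapters(adapters):
    """Return pairs of adapter names whose subnets overlap."""
    return [(a, b) for (a, na), (b, nb) in combinations(adapters.items(), 2)
            if na.network.overlaps(nb.network)]


if __name__ == "__main__":
    adapters = parse_adapters(SERVER_IPCONFIG)
    for a, b in overlapping_adapters(adapters):
        print(f"OVERLAP: {a!r} ({adapters[a]}) and {b!r} ({adapters[b]})")
```

Re-running the check after renumbering one NIC (for instance the internal NIC moved to 192.168.2.1/255.255.255.0, as in Method 2) should return no overlapping pairs.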