RE: MAC client cannot access web site via ISA 2004

Hi Fernando,

Thank you for posting in SBS newsgroup.

>From the description, I understand the issue to be: MAC client cannot
browse the web site on web server which you have published. If I have
misunderstood your concerns, please do not hesitate to let me know.

Generally speaking, for the SBS 2003 domain with MAC clients, some
particular settings need to be configured. We need to configure the
networking settings on the MAC; modify the directory service options; also,
some settings on the SBS server need to be changed. However, please
understand that some SBS 2003 features may still not be supported on a MAC
client. For the MAC in the SBS domain, please refer to the steps of the
following:

You can check the white paper and ensure both the server and the clients
are properly configured:

Connecting Mac OS X 10.3 and Higher Clients to a Windows Small Business
Server 2003 Network
http://download.microsoft.com/download/5/3/c/53c9bd6b-6927-43ca-8871-f3b60db
13968/SBSMacDoc.doc

In addition, you may also need to modify the ISA configurations. The
predefined ISA access rules only allow the authenticated users to access
the Internet. Since the Firewall client cannot be installed on the MAC
clients, you also need to change the ISA configurations to allow the access
from the MAC computers.

By default, SBS allows only the SBS Internet User Groups to access
Internet. Since the non-Windows client doesn't support the NTLM
authentication so the Mac client is unable to pass the authentication on
the SBS/ISA.

To work around this issue, we may try the following steps to allow the MAC
clients to connect to the Internet through ISA:

1. Make sure that you have run CEICW on the SBS server to configure the
internet connections:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

2. We need to configure non-Windows client as the SecureNAT clients so that
they will treat ISA as the router. It means that the client's default
gateway must be the internal NIC of the SBS. Please do not configure any
proxies in Internet browser applications. Go to the MAC computers. Check
the TCP/IP configurations. Make sure that the default gateway is pointing
to the ISA's internal NIC.
3. Configure Mac clients to use the static IP addresses. If you still want
to use the DHCP, we need to configure the DHCP Reservation. To do that,
please refer to the following document:


http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows
2000/en/server/help/sag_DHCP_pro_AddReservation.htm

4. Create a Computer Set on ISA, and then add the IP addresses range of the
non-Windows client as following:

1) Click "Start", point to "Programs", point to "Microsoft ISA Server", and
then click "ISA Server Management".
2) In "ISA Server Management", expand "<ISA_Server_Name>", where
<ISA_Server_Name> is the name of your ISA Server computer, and then click
"Firewall Policy".
3) In the right pane, click the "Toolbox" tab, and then click "Network
Objects".
4) On the "Network Objects" menu bar, click "New", and then click "Computer
Set".
5) In "New Computer Set Rule Element", type a name in the "Name" field. In
the "Computer, address rangers and subnets included in this computer set:"
field, click Add Address Range.

5. Create a Firewall Policy to allow outgoing traffic and then apply to the
Computer Set as following:

1) Click "Start", point to "Programs", point to "Microsoft ISA Server", and
then click "ISA Server Management".
2) In "ISA Server Management", expand "<ISA_Server_Name>", where
<ISA_Server_Name> is the name of your ISA Server computer. Expand "Firewall
Policy", click the "Tasks" tab, and then click "Create New Access Rule".
3) On the "Welcome to the New Access Rule Wizard" page, type a name in the
"Access rule name" field, and then click "Next".
4) On the "Rule Action" page, click the "Allow" option, and then click
"Next".
5) On the "Protocols" page, select "All outbound traffic" and then click
next.
6) In "Access Rule Sources", click "Add".
7) In "Add Network Entities", expand "Computer Sets", and then click the
Computer sets that you have created earlier. Click "Add", click "Close",
and then click "Next".
8) Follow the wizard to finish it.

6. In ISA Management, make sure "Require all users to authenticate" is not
selected as following:

1) Click "Start", point to "Programs", point to "Microsoft ISA Server", and
then click "ISA Server Management".
2) In "ISA Server Management", in the right pane, click the "Toolbox" tab,
and then click "Networks".
3) Right click Internal and select Properties.
4) In Web Proxy tab | Authentication button, make sure "Require all users
to authenticate" is not selected.

I hope the above information helps. If you have any questions or concerns,
please feel free to let me know.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: MAC client cannot access web site via ISA 2004
| | From: "=?Utf-8?B?RmVybmFuZG8=?=" <Fernando@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: MAC client cannot access web site via ISA 2004
| Date: Mon, 21 Nov 2005 06:16:18 -0800
| | Newsgroups: microsoft.public.windows.server.sbs
| |
| Good afternoon:
| I am using ISA 2004 on Windows Server SBS 2003 SP1.
| We have some XP SP2 clients and MAC clients in the LAN. We also have a
web
| server which has been published to the public via the web publishing
rule.
| Internet users can access this web site via http://www.webserver.com.
| However, MAC client cannot browse this web site (The XP client doesn't
have
| this problem). To troubleshoot, I use the nslook on the MAC and the URL
can
| be resolved to the public IP of the ISA Server without any problem. So I
| think this is not the DNS issue, am I right? Any help is appreciated.
|
| ----
| Fernando
|
|

.