Re: ISA 2004 & companyweb
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Thu, 05 Jan 2006 01:39:05 GMT
Dear Danny,
Thanks for your update.
I think we have found the root cause. As I mentioned before, if the "Bypass
proxy server for local addresses" option is enabled in IE, the client
computer will not send the HTTP request to the ISA firewall. Instead, it
will perform the DNS resolution by itself and send the HTTP request
directly to the website. However, since the companyweb is built on the SBS
Server, the traffic will still be handled by the ISA Server because the
traffic is between two different networks: Internal and Local Host.
Note: If the website is hosted on a member server which is also located in
the internal network, then the HTTP request will be sent directly to the
member server rather than the ISA. In that case, ISA will never have the
chance to inspect the traffic because all the traffic is transferred in the
Internal Network.
In your case, since the companyweb is hosted on the SBS Server itself, the
HTTP GET request will be sent to the ISA Server. Due to the fact that the
"Bypass proxy server for local addresses" option is disabled, the web proxy
client is not responsible for sending the credential to the ISA proxy
engine. Instead, the SecureNAT client will take the responsibility to
forward the HTTP request to the ISA's firewall service. (The firewall
service will then redirect the traffic to the ISA's web proxy engine.)
The most significant thing here is that the SecureNAT client is unable to
forward the credential to the ISA Server, so the HTTP GET request will be
regarded as ANONYMOUS by the ISA Server. Since the authentication is
enabled on the ISA and no credential can be provided, the request will be
denied by the ISA and an HTTP 403 access denied error occurs.
The reason why companyweb is accessible when un-checking the "Bypass proxy
server for local addresses" option is that the web proxy client can send
the user credential to the ISA's web proxy engine so that the request can
be authenticated by the ISA and allowed to pass through.
As I mentioned, to access an internal website, the recommended
configuration on the client computer is enabling the proxy and checking the
"Bypass proxy server for local addresses" option. Here, the "internal
website" means the website which is hosted on the internal member server
rather than the ISA firewall.
Hope the above clarification addresses your concern.
I notice that you meet a new problem regarding the access to an internal
website. If you prefer, could you create a new thread on that issue? This
will help to make the thread clean and my colleagues and I can work on the
new issue with you on that thread. Thanks for your understanding!
Please let me know if you have further concerns.
Have a nice day!
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: "Danny Liberty" <dliberty@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: ISA 2004 & companyweb
| Date: 4 Jan 2006 11:37:32 -0800
|
| Ok I think I've made some progress understanding this issue. Looking at
| the ISA logs, I notice that when trying to access http://companyweb and
| Bypass Web proxy is CHECKED, I see that the connection is closed by ISA
| since the user is anonymous.
| The only question is, how could it be ISA is even logging the
| request if IE is configured to bypass the web proxy?
| The same happens with other browsers (such as firefox) even when I
| don't configure any proxy at all!
| The way I see it, it should be a direct connection i.e. internal client
| -> server. Why is ISA still in the middle???
|
| Thanks,
|
| Danny
|
|
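
The routing described in this thread can also be expressed as a proxy auto-config (PAC) script, shown here as an added example that is not part of the original posts. It sends companyweb through the web proxy, so the web proxy client can supply credentials, while other dot-less names go direct as the "Bypass proxy server for local addresses" option would. The proxy address `sbs-server:8080` and the host list are assumptions to replace with your own values.

```javascript
// Added example, not from the thread. PROXY and PROXIED_LOCAL_HOSTS are
// assumed values; substitute the real ISA web proxy listener and host names.
var PROXY = "PROXY sbs-server:8080";        // hypothetical ISA web proxy listener
var PROXIED_LOCAL_HOSTS = ["companyweb"];   // sites hosted on the ISA/SBS box itself

// Browsers supply isPlainHostName() to PAC scripts. This shim only makes the
// file runnable outside a browser (e.g. under Node) and is skipped otherwise.
if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}

function FindProxyForURL(url, host) {
  var name = host.toLowerCase();

  // Exception first: a site on the ISA server itself must arrive through the
  // web proxy so the request carries credentials. A direct request would be
  // handled as SecureNAT traffic, treated as anonymous, and denied.
  if (PROXIED_LOCAL_HOSTS.indexOf(name) !== -1) {
    return PROXY;
  }

  // Same effect as "Bypass proxy server for local addresses": names without
  // a dot (e.g. sites on internal member servers) are contacted directly.
  if (isPlainHostName(name)) {
    return "DIRECT";
  }

  // Everything else goes through the authenticated web proxy.
  return PROXY;
}
```
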