Re: ISA 2004 and AOL 9 won't work right...



I'm curious - why do you consider this a shortcoming of ISA? AOL broke its
ability to use a proxy server with version 7.0 - prior to AOL7, it worked
quite happily with MS Proxy 2.0. They are fully aware of the issue and
couldn't care less - I went through weeks on the phone with them and MS
trying to get a client working, and the only help I got from AOL was to
uninstall AOL7 and go back to AOL6. The only explanation I got was an
unintended admission that they did this in order to stop blackhats from
using proxies to hide their location when using stolen accounts for hacking
purposes.

Proxy 2.0 (and now ISA) plays quite nicely with pretty much every other app
I've ever needed to run, other than their crappy app - but yet you insist
it's ISA's fault... interesting point of view.

--
hth,
SusanV



"Andrew Meador" <ameador1@xxxxxxxxxxx> wrote in message
news:67f1161d-aedb-409d-8d4d-403fba22ca22@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 4, 2:27 pm, "Steve" <newsgr...@xxxxxxxxxx> wrote:
Since you're determined to make AOL work with ISA 2004 rather than do the
sane thing of telling your clients you will not support AOL in a business
environment as others have suggested, then you need to look at your ISA
logging to determine what rule may be blocking that traffic. With that info
then you have a reasonable chance of tweaking it to work.

"Andrew Meador" <amead...@xxxxxxxxxxx> wrote in message
news:1a6108dc-5da8-4ce4-a092-618437f53945@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 4, 1:37 pm, "Cris Hanna [SBS-MVP]" <crisnospamha...@xxxxxxxxxxxxxxxxxxxxx> wrote:
I understand this is your client, but at some point they need to
understand that they either want a business network or a home peer to peer
network (that's all AOL is really...a huge peer to peer network)

They can get their mail via aol.com. They don't need the AOL client. Simply
tell them that the AOL client software is not compatible with network
security requirements.

But they have to make a choice...it's not your choice.

Do they want secure? Or do they want AOL?

--
Cris Hanna [SBS - MVP]
-----------------------------------------------------------
MVPs Do Not Work for Microsoft
Please do not contact me directly regarding issues
"Andrew Meador" <amead...@xxxxxxxxxxx> wrote in message
news:43e19dcb-b748-4dc5-b9e1-e304e9f3b4ba@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a client that has ISA Server 2004 on SBS 2003 Premium. ISA
was configured with the SBS Internet Access Rule to allow All Users to
get to the internet. This was to avoid having to set up the ISA
Firewall Client. Well, they have a wireless access point running that
somehow was reset to factory default. I had it set to allow only
certain computers to connect and get IPs from the server.
However, since it was reset, about 60 people from the immediate
vicinity started connecting and using the internet through this
access point. So, as a precaution, I pushed the ISA Firewall Client
down to the client computers and reconfigured ISA Internet Access Rule
to allow only SBS Internet Users. This will stop users from outside
the network from accessing the internet through the T1, even in the
event that the wireless access point goes to factory defaults again.
Now, the new problem is that this company has always been AOL
junkies. They have a few AOL e-mail accounts that they are determined
to keep using and they are all very used to using AOL. I have tried my
best to get them to switch off and use their own e-mail system with
Outlook and OWA, but to no avail. As you have probably seen, AOL and
ISA don't get along. I have found and read the following:
http://www.microsoft.com/technet/isa/2004/plan/aol.mspx but to get it
to work, I would have to remove/deactivate the ISA Firewall client,
which is a backwards security step and will put us back in the same
position as before with wide access to the internet there again.
Does anyone have another solution, that will not compromise
security, to make AOL work fully? BTW, AOL does work as far as pulling
down e-mail in this state, but they cannot browse web pages and I'm
not sure about their IM features yet, or any other AOL crap I don't
know about. They want full AOL 9 use, without network compromise. What
to do?
I have even tried setting them up to have the AOL mail pulled into
their Outlook boxes, but they don't like that either - something about
some kind of folders they use in AOL that doesn't pull in right.
There has got to be some kind of fix to this stuff. I ran into
another application (McAfee virus scanner - home type version) that
can't update correctly and MS (or maybe McAfee) recommends in that case
to allow All users and such. It's a freakin firewall - why is
everyone's solution to these things to break its functionality, can't
it be made to work correctly with these apps?
Please help frustrated me!!!

Thanks!
Andrew

True - I get it, I hate AOL - it's a huge piece of crap and I have
always thought so. But, it comes down to the fact that ISA is doing
something to make it not work and I would think there would be some
way to keep it from blocking whatever it is that it's blocking so that
this could work. Plus, like I said, I do have another instance right
now where a client has a home based McAfee product on his computers
and it works great for what they want (filters viruses, spam, spyware,
etc...) but ISA is breaking its automatic updating abilities. Again,
the suggested solution so far is "open up the firewall" instead of
setting some kind of rule to allow the traffic properly. I'll admit
that I'm not a guru at how to set up ISA which is why I'm posting, but
it seems inherently logical to me that if you have a highly
configurable firewall like this that configurations could be made to
solve the problem instead of opening it up like a tin can. What's the
point in having it if it's going to be popped open like this?
My clients are small enough that they want SBS for the fact that it is
full of features at a great overall price, but if you have to keep
opening things up to get it to play nice, it gets to be a liability.
The other option is to buy everything 'commercial version' which is
always more expensive and harder to configure (at least in my
experience). That may not be the case when you're dealing with large
deployments as the time put in is worth the time saved, but it's
hardly worth the time to learn to use the large commercial products to
deploy to 10 or 15 clients. In one case they have 5 clients - you
can't ever buy most commercial stuff for 5 users without having to go
with a minimum of 10 - then your cost per computer effectively doubles
on top of the config issues. Why not make ISA play nice so it doesn't
break stuff?
My thinking is that it can, but someone out there just hasn't
figured out the correct workaround yet. I wish it could be me, but I'm
not there yet.
Anyway, hopefully someone out there will find the solution, but I'm
concerned they won't. Most everyone has the "it's AOL, don't fix it, ban
it" attitude. Believe me I would have taken them off AOL from day 1,
they are just too comfortable with it to change. I think they should,
and so does everyone else, but what can you do? Maybe this will be the
issue that breaks them down. My concern is that they will go with
reducing security to keep their precious AOL alive and well. Whether
we like it or not, I think we should be able to config ISA to let it
work without reducing security.

Andrew

I guess sane is a matter of perspective. I don't expect high end
apps - especially ones that require all traffic to go through it to
cause jams that have no solution other than to effectively neuter
them.

I've already said, I would have them switch if it were up to me,
but it's not. So I can either lose an otherwise good customer or make
MS-ISA work properly. I'd rather keep the paycheck and make ISA not
break things.

I have already checked the logs and ISA says it is not blocking the
AOL web requests. I see where the web request is made and the site
requested, ISA says it is allowed, but the client doesn't receive a
page. With ISA Internet Access Rule set to allow ALL users - AOL is
ok. With ISA Internet Access Rule Set to allow only SBS Internet Users
group, AOL is broken. So, some kind of authentication issue? I know
ISA breaking McAfee I spoke of is an authentication issue as well, but
the solution in both cases is to open'er up. I don't think that makes
sense. How about a rule for opening the path for computer accounts
and specific application? Or, a rule for the particular application
and an authenticated user? There could be ways to do this logically,
but ISA can't be configured this way? What's the chance that MS never
thought that some software app out there would try to do stuff through
the internet without passing user credentials, or whatever is going on
here? It's not like this is ISA v1.0.

Yep, I'm aggravated. Don't take this as me griping at you, I'm
just griping!

Thanks,
Andrew

