Re: ISA 2004 and AOL 9 won't work right...
- From: "SusanV" <svanallen@xxxxxxxxxxxxxxx>
- Date: Wed, 5 Mar 2008 09:16:35 -0500
They can get their AOL email via the aol website mail client - I wouldn't
think the bosses would want the users in chat rooms anyways at work. Perhaps
that will help your case. Good luck - I fought that battle a few years back
and it was NOT fun.
=(
SusanV
"Andrew Meador" <ameador1@xxxxxxxxxxx> wrote in message
news:75ecadba-c270-4b44-ad30-2fc07b93434c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 4, 3:05 pm, "SusanV" <svanal...@xxxxxxxxxxxxxxx> wrote:
I'm curious - why do you consider this a shortcoming of ISA? AOL broke its
ability to use a proxy server with version 7.0 - prior to AOL7, it worked
quite happily with MS Proxy 2.0. They are fully aware of the issue and
couldn't care less - I went through weeks on the phone with them and MS
trying to get a client working, and the only help I got from AOL was to
uninstall AOL7 and go back to AOL6. The only explanation I got was an
unintended admission that they did this in order to stop blackhats from
using proxies to hide their location when using stolen accounts for hacking
purposes.
Proxy 2.0 (and now ISA) plays quite nicely with pretty much every other app
I've ever needed to run, other than their crappy app - but yet you insist
it's ISA's fault... interesting point of view.
--
hth,
SusanV
"Andrew Meador" <amead...@xxxxxxxxxxx> wrote in message
news:67f1161d-aedb-409d-8d4d-403fba22ca22@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 4, 2:27 pm, "Steve" <newsgr...@xxxxxxxxxx> wrote:
Since you're determined to make AOL work with ISA 2004 rather than do the
sane thing of telling your clients you will not support AOL in a business
environment as others have suggested, then you need to look at your ISA
logging to determine what rule may be blocking that traffic. With that info
then you have a reasonable chance of tweaking it to work.
"Andrew Meador" <amead...@xxxxxxxxxxx> wrote in message
news:1a6108dc-5da8-4ce4-a092-618437f53945@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 4, 1:37 pm, "Cris Hanna [SBS-MVP]"
<crisnospamha...@xxxxxxxxxxxxxxxxxxxxx> wrote:
I understand this is your client, but at some point they need to
understand that they either want a business network or a home peer to peer
network (that's all AOL is really...a huge peer to peer network).
They can get their mail via aol.com. They don't need the AOL client. Simply
tell them that the AOL client software is not compatible with network
security requirements.
But they have to make a choice...it's not your choice.
Do they want secure? Or do they want AOL?
--
Cris Hanna [SBS - MVP]
-----------------------------------------------------------
MVPs Do Not Work for Microsoft
Please do not contact me directly regarding issues
"Andrew Meador" <amead...@xxxxxxxxxxx> wrote in message
news:43e19dcb-b748-4dc5-b9e1-e304e9f3b4ba@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a client that has ISA Server 2004 on SBS 2003 Premium. ISA
was configured with the SBS Internet Access Rule to allow All Users to
get to the internet. This was to avoid having to set up the ISA
Firewall Client. Well, they have a wireless access point running that
somehow was reset to factory default. I had it set to allow only
certain computers to connect and get IPs from the server.
However, since it was reset, about 60 people from the immediate
vicinity started connecting and using the internet through this
access point. So, as a precaution, I pushed the ISA Firewall Client
down to the client computers and reconfigured ISA Internet Access Rule
to allow only SBS Internet Users. This will stop users from outside
the network from accessing the internet through the T1, even in the
event that the wireless access point goes to factory defaults again.
Now, the new problem is that this company has always been AOL
junkies. They have a few AOL e-mail accounts that they are determined
to keep using and they are all very used to using AOL. I have tried my
best to get them to switch off and use their own e-mail system with
Outlook and OWA, but to no avail. As you have probably seen, AOL and
ISA don't get along. I have found and read the following:
http://www.microsoft.com/technet/isa/2004/plan/aol.mspx
but to get it to work, I would have to remove/deactivate the ISA Firewall
client, which is a backwards security step and will put us back in the same
position as before with wide access to the internet there again.
Does anyone have another solution, that will not compromise
security, to make AOL work fully? BTW, AOL does work as far as pulling
down e-mail in this state, but they cannot browse web pages and I'm
not sure about their IM features yet, or any other AOL crap I don't
know about. They want full AOL 9 use, without network compromise. What
to do?
I have even tried setting them up to have the AOL mail pulled into
their Outlook boxes, but they don't like that either - something about
some kind of folders they use in AOL that doesn't pull in right.
There has got to be some kind of fix to this stuff. I ran into
another application (McAfee virus scanner - home type version) that
can't update correctly and MS (or maybe McAfee) recommends in that case
to allow All users and such. It's a freakin firewall - why is
everyone's solution to these things to break its functionality, can't
it be made to work correctly with these apps?
Please help frustrated me!!!
Thanks!
Andrew
True - I get it, I hate AOL - it's a huge piece of crap and I have
always thought so. But, it comes down to the fact that ISA is doing
something to make it not work and I would think there would be some
way to keep it from blocking whatever it is that it's blocking so that
this could work. Plus, like I said, I do have another instance right
now where a client has a home based McAfee product on his computers
and it works great for what they want (filters viruses, spam, spyware,
etc...) but ISA is breaking its automatic updating abilities. Again,
the suggested solution so far is "open up the firewall" instead of
setting some kind of rule to allow the traffic properly. I'll admit
that I'm not a guru at how to set up ISA which is why I'm posting, but
it seems inherently logical to me that if you have a highly
configurable firewall like this that configurations could be made to
solve the problem instead of opening it up like a tin can. What's the
point in having it if it's going to be popped open like this?
My clients are small enough that they want SBS for the fact that it is
full of features at a great overall price, but if you have to keep
opening things up to get it to play nice, it gets to be a liability.
The other option is to buy everything 'commercial version' which is
always more expensive and harder to configure (at least in my
experience). That may not be the case when you're dealing with large
deployments as the time put in is worth the time saved, but it's
hardly worth the time to learn to use the large commercial products to
deploy to 10 or 15 clients. In one case they have 5 clients - you
can't ever buy most commercial stuff for 5 users without having to go
with a minimum of 10 - then your cost per computer effectively doubles
on top of the config issues. Why not make ISA play nice so it doesn't
break stuff?
My thinking is that it can, but someone out there just hasn't
figured out the correct workaround yet. I wish it could be me, but I'm
not there yet.
Anyway, hopefully someone out there will find the solution, but I'm
concerned they won't. Most everyone has the "it's AOL, don't fix it, ban
it" attitude. Believe me I would have taken them off AOL from day 1,
they are just too comfortable with it to change. I think they should,
and so does everyone else, but what can you do? Maybe this will be the
issue that breaks them down. My concern is that they will go with
reducing security to keep their precious AOL alive and well. Whether
we like it or not, I think we should be able to config ISA to let it
work without reducing security.
Andrew
I guess sane is a matter of perspective. I don't expect high end
apps - especially ones that require all traffic to go through it to
cause jams that have no solution other than to effectively neuter
them.
I've already said, I would have them switch if it were up to me,
but it's not. So I can either lose an otherwise good customer or make
MS-ISA work properly. I'd rather keep the paycheck and make ISA not
break things.
I have already checked the logs and ISA says it is not blocking the
AOL web requests. I see where the web request is made and the site
requested, ISA says it is allowed, but the client doesn't receive a
page. With ISA Internet Access Rule set to allow ALL users - AOL is
ok. With ISA Internet Access Rule set to allow only SBS Internet Users
group, AOL is broken. So, some kind of authentication issue? I know
ISA breaking McAfee I spoke of is an authentication issue as well, but
the solution in both cases is to open'er up. I don't think that makes
sense. How about a rule for opening the path for computer accounts
and specific application? Or, a rule for the particular application
and an authenticated user? There could be ways to do this logically,
but ISA can't be configured this way? What's the chance that MS never
thought that some software app out there would try to do stuff through
the internet without passing user credentials, or whatever is going on
here? It's not like this is ISA v1.0.
Yep, I'm aggravated. Don't take this as me griping at you, I'm
just griping!
Thanks,
Andrew
I don't doubt you, but I had found no posts, prior to this comment,
making the point that it was an issue with AOL having a bug that would
keep it from working. Everyone has just said, disable ISA
functionality. I have been searching for this issue for a few days
now, thus part of my aggravation. The whole proxy thing has me kind of
irritated too. I don't understand why ISA can't do its thing without
it. I've dealt with other firewalls that are able to do sophisticated
firewall functions without the use of a proxy/firewall client. This
issue has just been frosting me, because I had to push the client out
(and couldn't find a way to do it without the install having admin
rights), the configuration of proxy settings (at least I was about to
configure the firewall client to handle that), then AOL is causing
trouble, and everyone is saying to unhinge ISA... I need duct tape
before my head explodes!
I will take your information about AOL's bug to my client, like I
said, maybe this can be used to get them to move off of AOL... I won't
hold my breath - die hard AOLers they are!
Sooo many times it just seems like MS stuff goes 90% of the way and
then that last 10% breaks you. I just thought that this was where ISA
was hitting that 90% point. Like the Client Applications feature of
SBS, pushing out an app as an icon on the user's desktop to start the
real install (where they also have to have admin rights to even get
and install it) is ridiculous. Then I could use GPO, but the user
login still had to have admin rights for the install to work, etc...
It's like everything is a most of the way there thing that has to be
hacked to get it the rest of the way there. Anyway...
Thanks for your information. I would have still been searching, but
you don't sound like you're confused about the issue here. 8)
I have heard of a linux proxy that doesn't require any kind of
client configuration - it is transparent to the clients. I would
expect something like that would solve some of these kinds of problems
too. But, I'm still a Microsoft guy. No linux for me - yet.
Again, thanks!
Andrew