Re: SBS 2003 R2 w/ISA Server 2004 Preventing Desktop Internet Acce
- From: "Chad A. Gross" <chad.gross@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 19 Apr 2009 13:47:47 -0500
Hi Ed -
The big question is: Do you have the ISA Firewall Client installed on your workstations?
By default, SBS uses the SBS Internet Users group to control access to the internet through ISA. By default, only members of this group are allowed to access the internet. The kicker is that you have to have the ISA Firewall Client installed on your workstations for this to work. The Firewall Client on the workstation is how the user's credentials actually get passed to the ISA server, allowing the ISA server to check if the user is a member of the SBS Internet Users group in order to grant access. If you don't have the firewall client installed on your workstations, the ISA server never gets user credentials from the desktop, meaning it is unable to check if the user is a member of the SBS Internet Users group. Since by default the only allow rules are for members of the SBS Internet Users group, and ISA can't determine if the user is a member of that group, it fails the request and blocks internet access.
By adding the All Users group to the outbound allow rule in ISA, you are effectively negating the SBS Internet Users group. The All Users group basically tells ISA that you aren't controlling access per user, so it doesn't need to validate users trying to access the internet - which is why this works after you add the All Users group to the allow rule.
So this isn't a bug per se - the product worked exactly as it was designed & intended to work. The default ISA configuration on SBS 2003 Premium requires the ISA Firewall Client be installed on your workstations, or for you to manually edit your access rules (as you have) to not validate users trying to access the internet.
HTH!
--
Chad A. Gross
http://www.msmvps.com/blogs/cgross
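The rule behaviour described in the reply above, as an added example that is not part of the original post and is not ISA Server code: a simplified model of first-match rule evaluation in which a request either carries a user name (Firewall Client installed) or carries none. The names `evaluate`, `rules_without_user_control`, `GROUPS` and the users `alice` and `bob` are hypothetical, and the group membership is constructed.

```python
from dataclasses import dataclass
from typing import Optional

ALL_USERS = "All Users"  # user set that matches requests without credentials
GROUPS = {"SBS Internet Users": {"alice"}}  # constructed membership

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    user_sets: frozenset  # group names and/or ALL_USERS

def evaluate(rules, user: Optional[str]):
    """Return (action, rule name). user=None models a desktop without the
    Firewall Client, which sends no credentials."""
    for rule in rules:
        if ALL_USERS in rule.user_sets:
            return rule.action, rule.name      # no identity check at all
        if user is None:
            return "deny", rule.name           # membership cannot be checked
        if any(user in GROUPS.get(g, set()) for g in rule.user_sets):
            return rule.action, rule.name      # validated group member
    return "deny", "Default rule"              # nothing matched

def rules_without_user_control(rules):
    """Audit helper: allow rules that no longer validate who is asking."""
    return [r.name for r in rules
            if r.action == "allow" and ALL_USERS in r.user_sets]

# The rule as the thread describes it by default, and after the manual edit.
default_policy = [Rule("Internet Access Rule", "allow",
                       frozenset({"SBS Internet Users"}))]
edited_policy = [Rule("Internet Access Rule", "allow",
                      frozenset({"SBS Internet Users", ALL_USERS}))]

if __name__ == "__main__":
    for label, policy in (("default", default_policy), ("edited", edited_policy)):
        for user in (None, "alice", "bob"):
            print(label, user, evaluate(policy, user))
        print(label, "flagged:", rules_without_user_control(policy))
```

With the edited policy, `bob`, who is not in the group, is allowed as well, which is the per-user control being negated.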
"Ed Podowski" <EdPodowski@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:D271D9D9-0CCA-4E23-9F2A-07032356FA92@xxxxxxxxxxxxxxxx
Hello Chad,
Thank you for your response. Everyone is a member of the SBS Internet Users
Group. You have the correct idea.
I could not remember how I corrected this issue in the past. I remember
having a rule out of sequence in the past, but was it this time. I was
checking permissions and saw All Users Group was not assigned to this
Internet Access Rule as in the other rules. I assigned all users and the
Internet Access was restored.
First I don't understand why it lost this permission. Second, we are using
the standard groups without changes and why do we need to add the All Users
group for Internet Access. Why doesn't the wizard configure this correctly?
It’s another one of those Microsoft bugs.
Microsoft, please do not respond to the bug issue. I know what you are
going to say before you say it. I could have used your help before I solved
the problem and before Chad took his time to respond.
I am going to vent...I always find it interesting that a newer request for
help receives a response from Microsoft before an older post. It's like you
decide whose request is more important than someone else's or you just blow
it off. If it is your request, it is always important. I am glad I do not
treat my clients that way.
Again, please do not write me, but maybe you will consider the importance of
everyone's post here and their frustration when their Microsoft program just
stops working. I'll get off my soapbox now.
In any event the problem is solved. I sincerely appreciate your help Chad.
Ed Podowski
"Chad A. Gross" wrote:
Hi Ed -
Do you have the ISA Firewall Client installed on your workstations? Are
users members of the Internet Users security group on your SBS?
--
Chad A. Gross
http://www.msmvps.com/blogs/cgross
"Ed Podowski" <EdPodowski@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CB1BA995-00C4-48A0-8E4B-2553506F6C8B@xxxxxxxxxxxxxxxx
> We made a change on the server which required us to run CEICW. I selected
> "Enabled Firewall" and the wizard completed successfully. Now we cannot
> access the Internet for any desktop in our network. The server can access
> the Internet, which is how I am posting this message. Email is working ok.
> We can access CompanyWeb, etc.
>
> Here is the message we are receiving on the desktops:
>
> Explanation: There is a problem with the page you are trying to reach and
> it cannot be displayed.
>
> Try the following:
> • Refresh page: Search for the page again by clicking the Refresh button.
>   The timeout may have occurred due to Internet congestion.
> • Check spelling: Check that you typed the Web page address correctly. The
>   address may have been mistyped.
> • Access from a link: If there is a link to the page you are looking for,
>   try accessing the page from that link.
> If you are still not able to view the requested page, try contacting your
> administrator or Helpdesk.
>
> Technical Information (for support personnel)
> • Error Code: 403 Forbidden. The ISA Server denied the specified Uniform
>   Resource Locator (URL). (12202)
> • IP Address: 74.125.91.147
> • Date: 4/17/2009 12:51:51 PM
> • Server: servername.domain.local
> • Source: proxy
>
> I remember this happening once before and one of the ISA rules was not in
> the correct order, but I cannot remember which one. Any suggestions?
>
> Thanks,
> Ed Podowski