ISA Server not blocking some clients.

By 1bn0 ·
We have ISA server installed.

Created user groups for Allowed Internet or Denied Internet and added users to the groups.

Defined rules in ISA Firewall for each group.

Everything seems to be working fine EXCEPT:

Some of the workstations don't seem to be hitting ISA AT ALL! They just connect straight to the internet. There is no record in the monitoring that ISA sees these machines at all. If I set filtering to capture the client IPs I am working on, I don't see any records. If I point the web browser to HTTP://ISASERVER I then see a corresponding access request and access denied entry in the monitor.

Other workstations correctly control the internet access and I can see this happening in the monitor. I am using the same user accounts on all machines for testing.

I have checked the machines for some sort of proxy software or configuration change but I don't see anything like that.

I don't really know much about ISA or how the workstations are being routed to be controlled by it so I don't know what to look at from this point.

Can anyone point me in the right direction?

All Answers

Start by

by mafergus In reply to ISA Server not blocking s ...

Checking the border routers (they should be logged) and see what, if any, traffic is sitting there. I'd manually run a tracert or pathping from the affected machines to see how the packets are routed. Maybe there is an intermediary router that is pushing data to an alternate gateway.

what is the browser configured to do?

by CG IT In reply to ISA Server not blocking s ...

The browser should be configured to use the proxy.

There are a couple of types of clients in ISA: Secure NAT, Firewall and web proxy.

Secure NAT clients don't use ISA as a proxy, though all traffic through ISA is proxy traffic. What I mean by that is that the web proxy configurations aren't applied to secure NAT clients because they aren't web proxy clients.

I suggest you do some reading on ISA server client types and how each type works and how you configure each type.

If anything, the web proxy client needs to have the browser configured to use a web proxy and you can do that through Group Policy.

Clarification - IE is not asking for wpad.dat from ISA

by 1bn0 In reply to ISA Server not blocking s ...

The clients are configured to automatically detect the web proxy.

The DHCP server is configured and has a wpad.dat file available.

It is working for almost all other client computers.

The computers I am having trouble with do not appear to be requesting the wpad information from the server.

I don't see them in the monitor on ISA unless I manually point the browser to the ISA server. When I do http://isaserver/wpad.dat they connect to the server and it offers to let them open or save the file. The file can be opened in notepad and the contents are intact and correct. I can also see the connection in the monitor on the ISA server.

Other than the manual connection these machines don't hit the ISA server for anything else. They just appear to go directly to the internet no matter who is logged on.

I've been trying to find a way to determine what they are doing or finding information on why IE is not asking for wpad.dat but I am not having much luck.

the browser must specify ISA server as a proxy

by CG IT In reply to Clarification - IE is not ...

for the client to be a web proxy client. That is done through either creating a group policy for the browser that specifies it use ISA as the proxy or you manually load it in, then hide from users the connection component in the browser setup.

This is the best way to make sure browsers use ISA and use it as a web proxy client.

If the client browser isn't configured to use a web proxy, then the client is Secure NAT. Secure NAT is simply a connection and rules in ISA allow secure NAT to connect and generally, content filters aren't applied to secure NAT clients. Same with firewall clients.

If the clients aren't reporting their status to ISA server, then something is blocking the traffic. Could be the Windows firewall.

I can't off the top of my head give all the details, that's the overview of how ISA handles client computers and rules you create.

Note: there are lots of other rules you can create in ISA. There are connection rules for both inbound and outbound traffic, group rules where you allow certain groups, deny certain groups. There's content rules.

ISAserver.org is a very good resource for ISA server.

Group Policy is set to use Auto Detect via WPAD

by 1bn0 In reply to the browser must specify ...

Requirements for Web Proxy Automatic Detection (WPAD) are configured.

WPAD DNS entries exist and most of the 300 client desktop computers that are set to use AutoDetect via WPAD are working just fine.

The problematic workstations are set to use Auto Detect as well, according to the settings in Internet Explorer. I can access the wpad.dat file on the ISA server if I specify it manually. That file gives IE the proxy settings. They just seem to be ignoring the autodetect settings and never request the file. ?????

Normally these settings are not even visible to the users as the connection tab is also usually hidden via group policy.

GP setting to hide connections tab was reversed to allow troubleshooting.

might try manually setting the proxy on a client that doesn't work

by Screen Gems In reply to Group Policy is set to us ...

and see if that fixes the problem.
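
Added example, not part of any post in this thread: a Python sketch that traces the DNS side of WPAD discovery from a client's point of view, so a workstation that ends up going direct can be told apart from one that finds the PAC file. The suffix walk is a simplified form of the classic WPAD lookup (DHCP option 252 is not covered), and the host names, IP address and proxy port in the sample are constructed.

```python
import socket
import urllib.request

def wpad_candidates(client_fqdn):
    """Names tried for WPAD over DNS, longest suffix first (simplified:
    the walk stops once two labels remain, treated as the org domain)."""
    labels = client_fqdn.strip(".").lower().split(".")[1:]  # drop host label
    if not labels:
        return ["wpad"]  # bare host name: left to the DNS suffix search list
    return ["wpad." + ".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]

def default_resolve(name):
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def default_fetch(url):
    # Empty ProxyHandler: fetch directly, ignoring any configured proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:
        return None

def trace_wpad(client_fqdn, resolve=default_resolve, fetch=default_fetch):
    """Return (verdict, steps); steps lists what happened for each name."""
    steps = []
    for name in wpad_candidates(client_fqdn):
        ip = resolve(name)
        if ip is None:
            steps.append((name, "no DNS answer"))
            continue
        pac = fetch("http://%s/wpad.dat" % name)
        if pac is None:
            steps.append((name, "resolved to %s, wpad.dat not served" % ip))
        elif "FindProxyForURL" not in pac:
            steps.append((name, "wpad.dat served, no FindProxyForURL in it"))
        else:
            steps.append((name, "usable PAC from %s" % ip))
            return "proxy via PAC", steps
    return "direct (no PAC found)", steps

if __name__ == "__main__":
    # Constructed sample: only wpad.corp.example exists in this fake zone.
    zone = {"wpad.corp.example": "10.0.0.5"}
    pac = 'function FindProxyForURL(url, host) { return "PROXY isaserver:8080"; }'
    print(trace_wpad("pc17.branch.corp.example", zone.get, lambda url: pac))
```

Called with only the workstation's own FQDN, it uses real DNS and HTTP; a "direct (no PAC found)" verdict on an affected machine, where a working machine reports a usable PAC, points at name resolution or reachability on that client rather than at the ISA rules.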
