Linglom's blog

Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type

54 Responses to “Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type”

1. vivek Says:
   June 15th, 2008 at 9:30 am

   this is very helpful blog ,
   i m sure, that blog banifit to all
   tnks

2. Qazzafi Says:
   July 29th, 2008 at 3:14 pm

   Dear Linglom.com Team,
   your web site is so nice and informatics that i never seen before it. Keep it up it really nice work you people have done.
   thanks

   Qazzafi,
   System and Network Administrator,
   Govt. of Punjab, Pakistan.

3. Qazzafi Says:
   August 1st, 2008 at 10:28 am

   Dear Luangaroon,
   After configure ISA 2006 enterprise edition according to your instructions. I cann’t ping and access internet from ISA server from any computer from network. So plz help.

4. linglom Says:
   August 4th, 2008 at 9:39 pm

   Hello, Qazzafi
   Have you configured gateway and DNS of the external network connection on the ISA Server to point to your ISP?
   I may have missed in the article.

5. Aaron Says:
   October 22nd, 2008 at 1:06 pm

   Dear,

   Let me know how to enable External Pop3 in ISA 2006 Servers.

   Note: When I select the All Outbound traffic From Internal To External – All Users —- This Rule the Pop3 is Working fine.

   2) When I select the Protocol HTTP, HTTPS, FTP – From Internal to External – Full Access User (I Created)the internal Users cannot access their External Pop3 Emails.

   What is the diffrent between the Protocols. Common Protocol, Infracture, mail, Remote terminal, All Protocols, Server Protocols — http is resides in all the Options. is it any Different.

6. linglom Says:
   October 24th, 2008 at 10:59 pm

   1. Why don’t you just add POP3 protocol to the rule? ISA Server has a predefined POP3 protocol.
   2. There is no different about protocols which are shown in many category. It makes you find them easily. You can click Edit on the selected protocol to see more detail and to compare on each category by yourself.

7. Naweed Qadir Says:
   December 24th, 2008 at 11:33 am

   Hi Linglom,

   I have setup ISA 2006 Standard according to your guideline and it works fine. My ISA is on Domain and it has been installed as member server. I want all users of Active Directory to autheticate when they want to connect to online services. Is it possible to ask them to authenticate by web form so that I can monitor every users. I have Mac users who are not part of the AD but will use Internet and I want them to authenticate as well.

   I really appreciate if you can help. Cheers.

8. linglom Says:
   December 24th, 2008 at 5:08 pm

   Hi, Naweed Qadir

   It is inferred that users in active directory are already authenticated when they’re logged in the domain so it is unnecessary to make them authenticate again when they want to use the Internet. And ISA Server has logging system to log every traffic pass in/out. So you can view users who are using the Internet and which website they surf.

   For about Mac, I’m not a Mac user so my advice may not work. I think you can configure the browser in Mac to use web proxy of your ISA Server. So when the user surf the Internet, it should ask for credential to authenticate on ISA Server. Then, let the user enter the account in active directory. It should works.

9. Marco Ziku Says:
   December 24th, 2008 at 10:04 pm

   Hi guys,

   I’m having the following error when I’ve installed ISA 2006 – Error Code 11001: Host not found.

   Any idea?

   Thanks

10. Naweed Qadir Says:
    December 30th, 2008 at 3:47 am

    Thanks Linglom. I really appreciate your feedback. I will be checking with Macs next week and will let you know whether it worked or not.

11. linglom Says:
    January 3rd, 2009 at 7:27 am

    Hi, Marco Ziku
    There are many forums talk about this problem. Most say that it’s about DNS related issue. Verify that you have configured DNS to query external properly. Second, try to update ISA Server 2006 SP1. It may solve the problem.

    To Naweed Qadir,
    You’re welcome.

12. sana Says:
    January 17th, 2009 at 5:44 pm

    hi,

    in our company we are planing to install isa 2006 enterprise, i have some book knowledge about isa 2006, i need one basic thing by defualt if i am right ISA using 8080 port for http, where i can edit this port, if anybody can show with graphic i will be really thankful.

13. sana (DNS) Says:
    January 17th, 2009 at 6:39 pm

    Hi linglom,

    Below link may be very useful for those who are facing problem with DNS.
    http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx

14. linglom Says:
    January 19th, 2009 at 9:10 pm

    Hi, Sana
    You can change ISA Server’s Web Proxy port by

    Microsoft ISA Server Management -> Expand Server Name -> Configuration -> Network -> Select Network tab -> Double-click on the network you want to configure. By default, it is Internal -> Select Web Proxy tab -> Change HTTP port as you want.

15. sana Says:
    January 22nd, 2009 at 11:11 am

    Hi,Linglon,

    Thanks a lot, for your good help. if you don’t maind i have one more quetion, if i want balock one particular site e.g http://www.rediffmail.com, how i can do this,can you please tell the steps.

    Regards,
    sana

16. linglom Says:
    February 1st, 2009 at 8:03 pm

    Hi, Sana
    You simply create a new Access Rule with rule action to Deny to that website.

17. sudhir Says:
    February 7th, 2009 at 9:02 pm

    Hi,

    it is a great site keep it up

    I have some different problem.I have configuration like this .Now my ISA is authenticating with DC and isa has one nic configured.Isa has configured with internal dns server which has a forwarder for ISP dns

    Now i have to configure one more card to external means to sonicwall

    pls help me out

    Sudhir
    India

18. linglom Says:
    February 8th, 2009 at 8:57 pm

    Hi, Sudhir

    On external, the IP should be in the same network with the sonicwall and gateway is the sonicwall’s IP. The DNS should be the DNS of the ISP (Your Internet provider).

19. sudhir Says:
    February 9th, 2009 at 2:13 pm

    Hi,

    Is it required to give internal dns server addresses for the internal card of isa server,if i give the isp dns server addresses to the external card

20. linglom Says:
    February 10th, 2009 at 9:04 pm

    Hi, Sudhir
    I recommend you to set it. You can think as if ISA Server is a router which can route traffic between a separate network. It may help you to configure the server easier.

21. Sudhir Says:
    March 3rd, 2009 at 7:35 pm

    Hi,

    Once again i am disturbing you,now i want to configure two nic in my isa2006 ,and isa is acting as a web proxy authentication is domain ,so how i configure the internal nic card .I am waiting for your solution

    Sudhir

22. linglom Says:
    March 6th, 2009 at 9:47 pm

    Below is the one configuration of mine that is working. You don’t have to follow exactly.

    On internal NIC,
    -IP Address and subnet mask as you want.
    -Gateway, leave as blank (only set gateway on external NIC).
    -DNS point to internal DNS server

    On external NIC,
    -IP Address and subnet mask as you want.
    -Gateway point to a router that connected to the external NIC.
    -DNS point to DNS server of the ISP (Internet Service Provider).

23. Fahad Afzal Says:
    July 21st, 2009 at 1:48 pm

    Hi Linglom

    I have a severe problem in ISA 2006 SE firewall.

    I am using Edge-Firewall template, following is the error comes up thrice in a second in event viewer.

    ISA Server detected a proxy server loop. There may be a problem in the configuration of the ISA Server Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

    what could be the reason?

24. linglom Says:
    July 21st, 2009 at 3:26 pm

    Hi, Fahad Afzal

    Have you installed any anti-virus software or another proxy software on the ISA Server? Sometimes it may conflict each other. If yes, try to uninstall them and see if the problem is cleared or not.

    Other solution, try to change these registry keys below, it might help. (Don’t forget to backup the registry first.)

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS (set to 0)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA (set to 0)
    • EnableTCPChimney and EnableSecurityFilters (both 0)

    Reference:
    ISA2006 – Problem Presents As Proxy Server Loop

25. Fahad Afzal Says:
    July 21st, 2009 at 4:09 pm

    Thanks for your prompt reply.

    I am running GFI web monitor along ISA 2006, does that making problem?

    I have checked all the specific registry keys, all of them are set to 0 which is fine.

    One thing I noticed is that I defined two default gateways for both NICs, but now I have removed my internal default gateway and kept default gateway on external Nic. Now i will observe if that works.

26. Fahad Afzal Says:
    July 22nd, 2009 at 3:17 pm

    Hey Linglom

    I hope you doing well. That error has been resolved by eliminating internal default gateway.

    I have a very important question to ask about ISA server 2006

    Currently i have been using ISA Server using NAT rule, Now I want to use Route rule in ISA and want to route all my subnets through ISA firewall which are then be NATed by my router. I have configured Policy Based Routing, that means router will check the source ip and will route packets to the next-hop accordingly. For this reason, I need to keep source IP as original.

    Moreover I am using Edge-Firewall template in ISA having two NICs in it.

    Please tell me is that possible to keep source IP as it is while passing through ISA firewall?

27. Fahad Afzal Says:
    July 27th, 2009 at 3:46 pm

    I have choosen Route rule at my ISA, now original source IPs are being gone through ISA 2006.

    But the biggest issue is, I can not filter out traffic, means now ISA see if it is HTTP traffic, it does not apply the defined policy on the packets and let them go through the firewall without filtering.

    Please help me to sort out the issue!

28. linglom Says:
    July 27th, 2009 at 4:29 pm

    Hi, Fahad Afzal
    I suggest you observe log on ISA Server to see if the traffic is passed ISA Server with the corrected rule.

29. ardalan Says:
    August 4th, 2009 at 11:49 am

    Dear Sir ,
    Your site is very helpful.I have question:1- I have ISA2006
    How I must know the configuration is?Securenat,firewall clinet or web proxy client??
    2- I have problem When add some IP in Isa that can use internet must set on that client Proxy otherwise does not work,How can solve this matter that my ISA work as securenat??

    Best Regards
    Ardalan

30. linglom Says:
    August 5th, 2009 at 11:38 am

    Hi, Ardalan

    1. I have shown how to configure these client types on this post.

    2. I’m not quite get about the question. If you want to configure client as secureNAT, you simply set the default gateway on your client computer point to the ISA Server. No need to configure web proxy or install firewall client.

31. ardalan Says:
    August 5th, 2009 at 7:42 pm

    Hi linglom,
    Thanks for your replay,I mean now we must set proxy on our clients that can visit sites but I don’t want this and wants that cliens goes to the internet without any setting.
    How I can set this??

32. Fahad Afzzal Says:
    August 6th, 2009 at 1:12 pm

    Hi Ardalan

    I do not exactly know about your infrastructure but let me tell you the concept.

    Your all internet traffic should pass through firewall, means the default gateway must be set to ISA firewall. If you have defined a switch or router as a default gateway in your network then put default route to ISA firewall on the switch or router.

    In my network, I am not using any proxy, packets from clients reach to my core switch where I have defined a default route point to my ISA firewall.

    Its all about Routing the traffic! once you achieve this, then everything must go smooth.

    Hope it helps you

    Regards

33. taha Says:
    October 7th, 2009 at 7:49 pm

    Hi , this post is very helpful , but im asking about
    - How can i block secureNAT clients to use internet connection ( browsing ) ,
    thanks

34. Najib Says:
    October 17th, 2009 at 12:49 pm

    Dear linglom,

    After I created the deny rules for some websites, now i cant get to any website from my ISA Sever , but the rules work fine for the clients.

    regards,

35. linglom Says:
    October 19th, 2009 at 8:05 am

    Hi, Najib
    Check Logging on ISA Server to see if the rule has also block traffic from your ISA Server or not.

36. Ardalan Says:
    October 25th, 2009 at 1:26 pm

    Dear linglom,
    I was setup ISA2006 and have just one rule any protocol from Internal to External Allow,Sfter this I have Ping but I can not visit any site then I must config my browser and set Internal ISA IP and port-no:8080 otherwise I can not visit any site,I remove check mark from check box in web-proxy but doesn’t work properly.
    Could you help me about this problem ASAP??
    BR
    Ardalan

37. linglom Says:
    October 26th, 2009 at 10:28 am

    Hi, Ardalan
    Did you install firewall client on client’s computer? Does it work properly?

    What client type you decide to use?

38. Ardalan Says:
    October 26th, 2009 at 11:26 am

    Hi,linglom
    I want use securenat I mean all the users just set Default Gateway ISA server then canuse internet, but it does not work properly, could you guide me how I can run it? and tell me anything that I must check??

39. linglom Says:
    October 27th, 2009 at 10:07 am

    Hi, Ardalan
    The drawback of SecureNAT client is that it cannot send credential to the ISA Server. So you have to check on the rule if it is allow anonymous access or not. But allow anonymous access may affect other rules which based on user credentials.

    Since secureNAT clients are not able to send credentials, all requests that require authentication will be dropped. The only solution for a secure environment that requires outbound access controls for HTTP is to configure the SecureNAT clients as Web Proxy clients.

40. faisu Says:
    November 4th, 2009 at 1:43 pm

    thanks for sharing valuable data,, i am infant in isa server .. i am installed isa 2006 ,want to install firewall client in each pcs in the network ????

41. linglom Says:
    November 9th, 2009 at 11:22 am

    Hi, Faisu
    You can deploy firewall client to multiple computers using group policy. See How to deploy the ISA Server 2004 Firewall Client program for more information.

42. Azeez Says:
    November 25th, 2009 at 3:44 am

    Hello Linglom,
    can you please advise , how i can give access to only one particular site for specific users or computers.
    Appriciate your advise

43. linglom Says:
    November 25th, 2009 at 3:15 pm

    Hi, Azeez
    You need to create an access rule to allow that. See Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule for an example of how to create an access rule for a specific user.

44. najam Says:
    January 24th, 2010 at 6:27 pm

    hi,
    can anyone help me regarding the configuration of HTTP filter, when i configure the http filter content to block online streaming it works fine, but iam not able to open some website, like hotmail email, yahoo email, etc.
    Regards

45. linglom Says:
    January 25th, 2010 at 11:04 am

    Hi, Najam
    I suggest you check on Logging on ISA Server to see if the connection is blocked by the HTTP rule the you have just configured or not.

46. Block downoading software Says:
    March 14th, 2010 at 11:20 am

    plz help me Block software
    and configuration vpn isa

47. linglom Says:
    March 22nd, 2010 at 3:15 pm

    See Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter for some examples about blocking application through ISA Server.

48. chetra Says:
    July 27th, 2010 at 5:06 pm

    i used ISA Server 2006 but i want control on IP address
    Ex. IP: 192.168.11.10 can access internet.

49. chetra Says:
    July 27th, 2010 at 5:10 pm

    i used ISA Server but i want control by IP address.
    Ex:
    IP: 192.168.11.5 can access internet
    IP: 192.168.11.10 can not access internet
    i dont want control by user

    could u help me?
    thank

50. chetra Says:
    July 27th, 2010 at 5:10 pm

    reply soon thank!!!

51. chetra Says:
    July 27th, 2010 at 5:11 pm

    or you have some e-book or document about this pls attach for me
    thank

52. linglom Says:
    July 30th, 2010 at 10:52 am

    Hi, Chetra
    I recommend you to read the update version of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction, see part 8 about how to create an access rule. You can create an access rule to allow or deny access by modify source to the specific IP address.

53. Sylvester Says:
    August 20th, 2010 at 5:17 pm

    Hi

    Im having a issue,everytime i access any microsoft website going through the firewale(isa 2006 sp1)i get this error message Error Code 11001: Host not found..
    But if i point a computer directly through the router it access this site successfully…I uninstalled and re-installed isa nothing helps..

54. linglom Says:
    August 23rd, 2010 at 9:10 am

    Hi, Sylvester
    Host not found could be some DNS problem. Can you describe your network configuration? Did you created rule to allow DNS query to DNS server?

Leave a Reply