Common Issues with ISA Server: Access Policy Issues.

We’ve been around the block with ISA Server now for almost a year. During that time, I’ve had the chance to get to know some of the most common issues people have with ISA Server. Relentless review of the ISAserver.org message boards, the ISAserver.org mailing list and the msnews newsgroups shows that some problems keep coming up over and over again. What I’d like to do here is cover the most common ones and help with some answers.

The common problems can be broken down into seven general groups:

  • Access Policy Issues
  • Authentication Issues
  • Caching Issues
  • Connectivity Issues
  • Logging Problems
  • Publishing Problems
  • DMZ Issues

I’ll do a series of articles on problems in each of these groups. As we all gain more experience with ISA Server, I’ll update these articles to reflect the current state of the art.
Access Policy Issues

Access Policy issues relate to problems with outbound access. When you look in the ISA Management console, you’ll see the nodes:

  • Site and Content Rules
  • Protocol Rules
  • IP Packet Filters

While each of these is primarily related to outbound access issues, they are not necessarily limited to them. For example, Site and Content Rules can be configured to control content for inbound access (i.e., accessing published sites), and IP Packet Filters are used to control inbound access as well as outbound. Nevertheless, it’s more convenient to think of problems with Access Policies as primarily outbound access issues.

Common questions regarding Access Policies:

I just installed ISA Server and now I cannot connect to the Internet!

The reason why you can’t connect to the Internet right after you install ISA Server is that ISA’s default configuration is “locked down”. You cannot connect to any Internet resources until you configure a Protocol Rule that allows outbound access.

You do not need to create any Site and Content Rules because the default Site and Content Rule allows access to all sites, for all users, at all times, and to all content. You also do not need to create any Packet Filters to allow internal clients outbound access (with the exception of PPTP, which requires a Packet Filter to allow the Generic Routing Protocol outbound access from the internal network).

I can’t connect to my POP3 Server, or use RealAudio or mIRC

The most common reason for these problems is that there is no Protocol Rule in place that allows access to these protocols. However, there have been a number of reports of POP3 access problems existing even when a Protocol Rule has been defined and there is no other explanation. When this is the case, uninstalling and reinstalling ISA Server fixes the problem.

RealAudio problems might be related to requiring authentication on the Outgoing Web Requests listener. In order to get RealAudio to work, you might have to disable the authentication option on the Outgoing Web Requests listener.

Many mIRC problems can be fixed by installing the IdentD simulation service. For instructions on how to do this, search for IdentD in the ISA Help File. However, installing the IdentD simulation service will not allow DCC to work. DCC is a non-secure protocol and you should not allow it on your network.

I have whacked a Protocol Rule or Site and Content Rule, but the users can still access the Site or Protocol!

The problem is that the user still has an active session with the ISA Server. Go to the ISA Management console, expand the Monitoring node and click on the Sessions Node. Right click on the sessions you need to disconnect and click Abort Session. If you have many sessions that you need to disconnect, click on the Services node and right click on each server and click Stop and then right click on them and click Start.

I have enabled a Protocol Rule to allow outbound access to FTP sites. However, I am not able to upload or download content.

If you are using the Web Proxy service and IE to access FTP sites, and you do not have any other ISA Server (SecureNAT or Firewall) client configured on the computer, and if IE is configured to use Folder View, you will see the following message:

When folder view is enabled, IE is put into PASV mode. When folder view is not enabled, IE is in PORT mode. Either way, you will not be able to upload files to the FTP site using only the Web Proxy client. You must configure the machine as a SecureNAT or Firewall client to upload content. You can still use IE after configuring the machine as a SecureNAT or Firewall client, because IE detects that the machine can use the Firewall service to upload.

If you are having problems downloading from an FTP site, you may need to change the FTP Mode. You have seen how to change the mode in IE. If you use other FTP clients, you will have to make the appropriate configuration in your application to support an alternative FTP mode.

Note: you cannot configure the command line FTP client included with Microsoft operating systems to work in PASV mode.

Another common issue relates to when FTP clients try to access FTP servers published by an ISA Server. It appears that some “foreign” firewalls do not get along very well with the FTP Application Access Filter. The problem seems to be limited to clients that access the FTP server using the PORT command. If they switch to PASV mode, they are able to connect. If you do not want to use PASV mode clients, or cannot use them, you can publish the FTP server by installing the Firewall client on the FTP server and configuring a wspclnt.ini file in the same way you did it with Proxy 2.0.
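The PORT versus PASV distinction above decides which side opens the FTP data connection, and therefore which direction the firewall has to let through. The following added example (mine, not code from the article or from ISA Server) parses the two control-channel lines involved, a client `PORT` command and a server `227` reply, and reports the data connection each one implies. The sample lines, addresses and ports are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines (not captured from a real session).
SAMPLE_PORT_COMMAND = "PORT 192,168,1,25,7,209"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str       # "PORT" (active) or "PASV" (passive)
    host: str       # address announced for the data connection
    port: int       # port announced for the data connection
    initiator: str  # which side opens the data connection: "server" or "client"


def _endpoint(groups):
    # h1,h2,h3,h4 are the IPv4 octets; p1,p2 encode the port as p1*256 + p2.
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        raise ValueError("octet or port byte out of range")
    host = ".".join(str(v) for v in values[:4])
    return host, values[4] * 256 + values[5]


def parse_data_channel(line: str) -> DataChannel:
    """Parse a PORT command or a 227 reply into the data connection it announces."""
    text = line.strip()
    m = _PORT_RE.match(text)
    if m:
        host, port = _endpoint(m.groups())
        return DataChannel("PORT", host, port, "server")
    m = _PASV_RE.match(text)
    if m:
        host, port = _endpoint(m.groups())
        return DataChannel("PASV", host, port, "client")
    raise ValueError(f"not a PORT command or 227 reply: {line!r}")


def required_opening(channel: DataChannel) -> str:
    """Describe the data connection a firewall in the path must let through."""
    if channel.mode == "PORT":
        # The server connects back to the address the client announced. Behind NAT that is
        # a private address, so only a client type whose FTP traffic the application filter
        # can rewrite and accept on its behalf (SecureNAT or Firewall client) gets a working
        # PORT-mode transfer; the Web Proxy client alone has nothing listening for it.
        return f"inbound TCP from the server's port 20 to {channel.host}:{channel.port}"
    # PASV: the client connects out, which an ordinary outbound rule can cover.
    return f"outbound TCP from the client to {channel.host}:{channel.port}"


if __name__ == "__main__":
    for line in (SAMPLE_PORT_COMMAND, SAMPLE_PASV_REPLY):
        channel = parse_data_channel(line)
        print(f"{channel.mode}: {required_opening(channel)}")
```

Running it shows that the constructed `PORT` line asks for an inbound connection to 192.168.1.25:2001, a private address no outbound-only policy will ever admit, while the `PASV` reply asks for an ordinary outbound connection to 203.0.113.10:50000. That is the whole reason the article's PORT-mode clients fail until they either switch to PASV or go through a client type the FTP application filter can act for.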

I can get to the Web using the browser, but I can’t get email or go to newsgroups!

Whenever I hear that the Web Proxy client is working, but nothing else is working, I figure that the clients are SecureNAT clients. The Web Proxy client is able to use the ISA Server to resolve Internet host names on its behalf. You do not need to configure the client with the IP address of a DNS server because the ISA Server handles name resolution for the client.

The SecureNAT client cannot use the ISA Server to resolve names on its behalf. The SecureNAT client must be configured with the IP address of a DNS server that can resolve Internet host names.

There are a couple of ways you can approach this problem. First, you can create a Protocol Rule that allows outbound access for DNS queries, which opens up UDP port 53. However, if the clients need to use DNS for internal name queries (such as Windows 2000 clients), you must configure the client with the IP address of an internal DNS server that can resolve both internal and external host names. In that case, you need to configure a DNS server on the internal network that can perform recursion, or use a Forwarder to perform this duty.

My Exchange 2000 SMTP server can receive mail OK after I publish it, but it can’t send mail. All the mail is stuck in the queue!

If the Exchange 2000 server is responsible for resolving mail domain names, it will use TCP port 53 for DNS queries. TCP port 53 is typically used for zone transfers, because all the data will not fit into a single UDP packet. However, Exchange 2000 leverages the features of the IIS 5.0 SMTP service, and the IIS 5.0 SMTP service always uses TCP port 53 for mail domain queries.

You can solve this problem by creating a Protocol Rule that allows the mail server outbound access to TCP port 53. If you cannot or do not want to do this, you can configure the SMTP service to use an external DNS server. Another option is to configure the mail server to use a Smart Host. The internal mail server will forward all SMTP messages to the Smart Host and it becomes the Smart Host’s job to resolve the mail domains.
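A DNS query over TCP is the same RFC 1035 message as the UDP version, with one difference that matters when you are checking a capture on the external interface against the rule you just created: over TCP each message is prefixed with a two-byte length. The added example below (written for this article; not ISA Server code and not from the author) builds a constructed MX query for a made-up mail domain, frames it the way it would appear on TCP port 53, and recovers the question from such a stream so you can confirm that what is being blocked is indeed the mail server's MX lookups.

```python
import struct

QTYPE_MX = 15
QCLASS_IN = 1


def encode_name(qname: str) -> bytes:
    # Each label is length-prefixed; the name ends with a zero-length label.
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_dns_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message in RFC 1035 wire format."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_tcp(message: bytes) -> bytes:
    """Over TCP, RFC 1035 section 4.2.2 prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def split_tcp_stream(stream: bytes) -> list:
    """Recover the individual DNS messages from a TCP byte stream (they may be pipelined)."""
    messages = []
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if offset + length > len(stream):
            raise ValueError("truncated DNS message in TCP stream")
        messages.append(stream[offset:offset + length])
        offset += length
    return messages


def parse_question(message: bytes):
    """Return (qname, qtype) from the first question in a DNS message."""
    _txid, _flags, qdcount = struct.unpack_from("!HHH", message, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    offset = 12  # fixed header size
    labels = []
    while True:
        length = message[offset]
        offset += 1
        if length == 0:
            break
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack_from("!HH", message, offset)
    return ".".join(labels), qtype


# Constructed sample: the MX lookup a mail server would send for a made-up domain.
SAMPLE_QUERY = build_dns_query("mail.example", QTYPE_MX)
SAMPLE_TCP_STREAM = frame_for_tcp(SAMPLE_QUERY) + frame_for_tcp(build_dns_query("example", QTYPE_MX))

if __name__ == "__main__":
    print("UDP payload:", SAMPLE_QUERY.hex())
    print("TCP stream: ", SAMPLE_TCP_STREAM.hex())
    for msg in split_tcp_stream(SAMPLE_TCP_STREAM):
        print("question:", parse_question(msg))
```

The payload bytes are identical in both transports; what differs is the length prefix and, more importantly for the policy, the transport itself. A Protocol Rule for DNS over UDP 53 matches none of this traffic, which is why the mail queue stalls until a TCP 53 rule (or one of the other two options above) is in place.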

I have just installed ISA Server and created Protocol Rules that allow outbound access to FTP and HTTP. When I’m at the ISA Server, I can’t access anything through the web browser or the FTP client!

The ISA Server itself cannot be a Firewall or SecureNAT client. Therefore, the protocol rules you created will not work unless you configure the ISA Server to be a Web Proxy client, or until you create Packet Filters to support outbound access.

Web Proxy client configuration is tricky if you are using a dial-up interface on the ISA Server. If the ISA Server is using a dial-up interface, you must configure the browser to use the proxy for that dial-up interface. Check out my article on this issue at www.isaserver.org/shinder.

If you don’t want to configure the browser as a Web Proxy client, or you need access to other protocols, then you need to create Packet Filters. You can create a Packet Filter for outbound TCP port 80. Do the same for the other protocols you need to support applications and services that you want to access through the external interface of the ISA Server.

When I create a Site and Content Rule to limit users from accessing a particular site, it does not work! All users can still access the site.

If you are trying to prevent access to certain sites, you need to understand how the Web Proxy client handles authentication. The Web Proxy client is able to respond to a request for credentials, but does not send them automatically with every request. If there is a Site and Content Rule that allows the Web Proxy client access to the Site, it will use it.

What might seem confusing is that Deny rules are always processed before Allow rules. The missing part of the equation is that Anonymous access rules (rules that do not require any sort of authentication) are processed before any other rules. Therefore, for your HTTP requests we have the following order of precedence:

  1. Anonymous Access Rule – DENY
  2. Anonymous Access Rule – ALLOW
  3. Authentication Required Access Rule – DENY
  4. Authentication Required Access Rule – ALLOW

Once you understand this, your Site and Content Rules will make more sense.

Note that the Default Site and Content rule, which is enabled by default, allows everyone access to everything at all times. If you do not want this, you can disable the Default Site and Content Rule. This can have some serious consequences if you do not create other Site and Content Rules that will allow outbound access for users and computers that need access. Remember that computers will need outbound access for certain protocols when there is no logged on user.
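To make the order of precedence concrete, here is an added example that models it in a few dozen lines of Python. It is my illustration of the evaluation order described in this article, not ISA Server's own rule engine, and the rule names, user names and `*.games.example` host pattern are constructed. It also models the Web Proxy client behaviour described above: the first pass carries no credentials, so only anonymous rules can decide it, and only if none of them does is the client challenged and the request re-evaluated with the user's identity.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Tuple


@dataclass(frozen=True)
class SiteRule:
    name: str
    action: str                        # "allow" or "deny"
    sites: Tuple[str, ...] = ("*",)    # destination host patterns (fnmatch style)
    users: Tuple[str, ...] = ()        # empty: anonymous rule; non-empty: authentication required
    enabled: bool = True

    @property
    def requires_auth(self) -> bool:
        return bool(self.users)

    def matches(self, host: str, user: Optional[str]) -> bool:
        if not self.enabled or not any(fnmatch(host, p) for p in self.sites):
            return False
        if self.requires_auth:
            return user is not None and user in self.users
        return True


# Order of precedence from the article, as (requires_auth, action) pairs.
PRECEDENCE = [(False, "deny"), (False, "allow"), (True, "deny"), (True, "allow")]


def evaluate(rules, host: str, user: Optional[str]):
    """Return (action, rule name) of the first rule in precedence order, or None."""
    for requires_auth, action in PRECEDENCE:
        for rule in rules:
            if rule.requires_auth == requires_auth and rule.action == action and rule.matches(host, user):
                return action, rule.name
    return None


def web_proxy_request(rules, host: str, user: Optional[str]):
    """Model a Web Proxy client request: anonymous pass first, credentials only on challenge."""
    anonymous_rules = [r for r in rules if not r.requires_auth]
    decision = evaluate(anonymous_rules, host, None)
    if decision is not None:
        return decision + ("anonymous pass",)
    # No anonymous rule decided: the server challenges and the client answers with `user`.
    # user=None models a computer with no logged-on user, which cannot answer the challenge.
    decision = evaluate(rules, host, user)
    if decision is None:
        return ("deny", "<no matching rule>", "after challenge")
    return decision + ("after challenge",)


# Constructed rules for the scenarios below.
DEFAULT_RULE = SiteRule("Default rule", "allow")  # anonymous allow of everything, as installed
BLOCK_GAMES = SiteRule("Block games", "deny", sites=("*.games.example",), users=("alice", "bob"))
ALLOW_STAFF = SiteRule("Allow staff", "allow", users=("alice", "bob"))


def scenario_default_rule_enabled():
    # The user-specific deny never fires: the anonymous Default rule allows first.
    return web_proxy_request([DEFAULT_RULE, BLOCK_GAMES], "www.games.example", "alice")


def scenario_anonymous_deny():
    # A deny that applies to any request (no users listed) is processed before the allow.
    anon_block = SiteRule("Block games", "deny", sites=("*.games.example",))
    return web_proxy_request([DEFAULT_RULE, anon_block], "www.games.example", "alice")


def scenario_default_rule_disabled(user: Optional[str]):
    # With the Default rule disabled, only authenticated rules remain; note what happens
    # to a computer with no logged-on user.
    rules = [SiteRule("Default rule", "allow", enabled=False), BLOCK_GAMES, ALLOW_STAFF]
    return (web_proxy_request(rules, "www.games.example", user),
            web_proxy_request(rules, "update.example", user))


if __name__ == "__main__":
    print(scenario_default_rule_enabled())
    print(scenario_anonymous_deny())
    print(scenario_default_rule_disabled("alice"))
    print(scenario_default_rule_disabled(None))
```

The first scenario is the situation in the question: the deny rule targets specific users, so it sits at precedence level 3, and the anonymous Default rule at level 2 has already allowed the request. Making the deny anonymous, or disabling the Default rule, fixes that, but the last scenario shows the cost the note above warns about: with no anonymous allow left, a machine with no logged-on user matches nothing and gets no outbound access at all.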

Summary

Access Policy issues are focused primarily on issues of outbound access. I covered some of the more common questions that come up regarding outbound access policies. Keep in mind that ISA Server is locked down after it is installed and that you will have to create policies to allow outbound access. Remember that the ISA Server itself cannot be a SecureNAT or Firewall client and you must configure it to be a Web Proxy client or create packet filters to allow outbound access for applications and services running on the ISA Server itself.

Next week we’ll cover common Authentication Issues. If you have questions related to Authentication problems, write to me at [email protected] and I’ll include them in the article. Thanks! -Tom


1 thought on “Common Issues with ISA Server: Access Policy Issues.”

  1. I have ISA Server 2000 running on Windows Server 2003 SP3; all rules and policies are working successfully.
    The one little issue is that I want to map and access a shared folder on another broadband static IP of a branch, but I can’t access it and can’t ping it. By comparison, the same IP can access Remote Desktop. Kindly resolve my problem.
