ISA Firewall 2004 – Blocks all clients?

0 pts.
Tags: Firewalls, ISA Server, ISA Server 2004, Threat management
Hello, I recently did a swing migration and we are now up and running on a premium Windows 2003 Small Business Server. The server is the Domain Controller, Exchange server, DHCP and DNS server. So everything was working just fine and I went to install the ISA firewall which comes with the premium SBS 2003. The installation went through a wizard where I set everything up as per our network setup and then restarted. Upon the restart, every client on our network had no access to anything. The clients could not access the internet, the server, Exchange server, etc... However I could ping the server from each client. I called another tech in and he couldn't figure out the problem either. After a day of being confused I finally uninstalled the ISA firewall and everything went back to normal. What is going on? Why is ISA blocking clients? I really need to have a firewall on this server, it's just out there right now waiting to be owned.
Adam
ASKED: September 29, 2006  10:11 AM
UPDATED: February 4, 2009  10:07 PM

Answer Wiki


Adam:
You didn’t describe your network architecture. Is this server your gateway to the internet? How are you protecting your client systems?
To answer one of your questions, pings are often left open to allow for connectivity debugging. If pings work properly, then your problems are caused by filtering rules.

I can’t speak to specifics of ISA configuration, but in general, the firewall functions as a static router between the untrusted/external net and the internal net. Most modern firewalls default to allowing clients on the internal net to initiate connections to the outside but prevent external systems from reaching the internal net until you open specific ports/IPs to your public servers.

In your case, it almost sounds like this is an ordinary server with a single network connection. If you are using ISA as a “personal firewall” on this server then you will have to open the ports used by each service to the client IPs using these services, e.g. with Exchange you will have to open port 25 to the world so you can send/receive emails from the outside and POP or IMAP to your clients depending on what they need.

Without knowing more about the architecture, my suggestion would be to put a separate appliance or Linux firewall between your net and the ISP. Then you can open just the services you want to make public to the world. This removes much of the confusion I have seen when a server with a built-in firewall has to have different rules for the local net and the internet as a whole.
rt
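
The answer's point that working pings point to filtering rules can be checked per service from a client. The script below is an added example, not part of the original thread or written by either poster: it separates ports that answer, ports that refuse, and ports whose traffic is silently dropped. The port list beyond 25, POP and IMAP and the script name `probe.py` are assumptions.

```python
import socket
import sys

# Assumption: well-known TCP ports for services a server like the one in the
# question would offer. Only port 25, POP and IMAP are named in the thread.
SERVICES = {"DNS": 53, "SMTP": 25, "POP3": 110, "IMAP": 143, "LDAP": 389, "SMB": 445}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'unresolved'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"          # RST came back: host reachable, nothing listening
    except socket.gaierror:
        return "unresolved"      # name lookup failed; says nothing about the rules
    except OSError:
        return "filtered"        # timeout or unreachable: packets are being dropped


def survey(host, services=SERVICES, timeout=3.0):
    """Probe every service and return {name: state}."""
    return {name: probe(host, port, timeout) for name, port in services.items()}


def blocked(results):
    """Names of services whose connection attempts got no usable answer."""
    return sorted(name for name, state in results.items() if state == "filtered")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <server-ip>")
    results = survey(sys.argv[1])
    for name, state in results.items():
        print(f"{name:5} tcp/{SERVICES[name]:<4} {state}")
    if blocked(results):
        print("No answer on:", ", ".join(blocked(results)),
              "- check the firewall's access rules for the internal network.")
```

Run it from a client against the server's internal IP address; "filtered" on every service while ping still succeeds is the pattern described in the question.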
