ISA Firewall 2004 – Blocks all clients?

ISA Server
ISA Server 2004
Threat management
Hello, I recently did a swing migration and we are now up and running on a premium Windows 2003 Small Business Server. The server is the Domain Controller, Exchange server, DHCP and DNS server. So everything was working just fine and I went to install the ISA firewall which comes with the premium SBS 2003. The installation went through a wizard where I set everything up as per our network setup and then restarted. Upon the restart, every client on our network had no access to anything. The clients could not access the internet, the server, Exchange server, etc... However I could ping the server from each client. I called another tech in and he couldn't figure out the problem either. After a day of being confused I finally uninstalled the ISA firewall and everything went back to normal. What is going on? Why is ISA blocking clients? I really need to have a firewall on this server, it's just out there right now waiting to be owned. Adam


You didn’t describe your network architecture. Is this server your gateway to the internet? How are you protecting your client systems?
To answer one of your questions, pings are often left open to allow for connectivity debugging. If pings work properly, then your problems are caused by filtering rules.

I can’t speak to specifics of ISA configuration, but in general, the firewall functions as a static router between the untrusted/external net and the internal net. Most modern firewalls default to allowing clients on the internal net to initiate connections to the outside but prevent external systems from reaching the internal net until you open specific ports/IPs to your public servers.

In your case, it almost sounds like this is an ordinary server with a single network connection. If you are using ISA as a “personal firewall” on this server then you will have to open the ports used by each service to the client IPs using these services, e.g. with Exchange you will have to open port 25 to the world so you can send/receive emails from the outside and POP or IMAP to your clients depending on what they need.

Without knowing more about the architecture, my suggestion would be to put a separate appliance or Linux firewall between your net and the ISP. Then you can open just the services you want to make public to the world. This removes much of the confusion I have seen when a server with a built-in firewall has to have different rules for the local net and the internet as a whole.
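The answer's key diagnostic is that ping succeeding while every service fails points at filtering rules rather than a dead host. The script below is an added example (not from the question or answer) that a client could run against its own SBS box: it probes the well-known ports of the services the question names and separates "closed" (the server answered, nothing is listening) from "filtered" (no answer at all, which is how a firewall that drops disallowed traffic looks). The service list and the loopback self-test helper are constructed for this example.

```python
import socket

# Well-known ports for services an SBS 2003 box typically offers.
# Constructed list for this example; trim it to what your server actually runs.
SBS_SERVICES = {
    "dns": 53,
    "smtp": 25,
    "pop3": 110,
    "imap": 143,
    "ldap": 389,
    "smb": 445,
}


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host.

    'closed'   -> the host replied with a reset: reachable, nothing listening.
    'filtered' -> nothing came back before the timeout (or an ICMP unreachable):
                  the usual signature of a firewall silently dropping the SYN.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # e.g. "no route to host" raised from an ICMP unreachable message
        return "filtered"


def check_services(host, services=SBS_SERVICES, timeout=2.0):
    """Probe every listed service and return {service_name: state}."""
    return {name: probe_tcp(host, port, timeout) for name, port in services.items()}


def local_listener():
    """Open a listener on a free loopback port; used only for self-testing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, state in check_services(target).items():
        print(f"{name:5s} {SBS_SERVICES[name]:>4d}  {state}")
```

Run it from a client with the server's address as the argument; a column of "filtered" results next to a working ping is the firewall's access rules, whereas "closed" means the packets arrive and the service itself is not up.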
