A veritable conundrum

Hello all,

I have a question which I am stumped on. I have a unix box which needs to access the internet through an ISA server.

The IP address of the unix machine falls within the local range set up on the ISA server, which appears to be correctly configured.

When you attempt to connect to any web page, the browser status bar says "website found, waiting for reply" and then the status bar shows "connecting to XXXX (ISA server name)".

TCP traffic is going out, because I am able to use a chat program and connect with external IP's. I am just not sure what would be blocking my HTTP, when everything looks good in the ISA server.

I am new to ISA servers, and any help like a checklist to go down or pointers in the right direction would be immensely appreciated.

Tech Info:
Unix machine running HP-UX 10.20
ISA Server version is 2004
Running on Windows Server 2003

Thanks for any help,
Phelan

What is routing to the internet? ISA server is a firewall, not a router. Going 'through' ISA server kind of implies your unix machine is connected to a LAN network interface, and a 2nd interface is in the ISA server connected to the internet, and the ISA server machine is also doing the Internet sharing.

Thanks for the quick reply Doug-

Yes, the unix machine is on the LAN and is set to connect out through the ISA server- can the ISA server also be a proxy server? In this case, would the traffic go something like this:

unix box > switch > ISA (Proxy) > gateway > internet?

Thanks for bearing with me, I am trying to get it all layed out in my head.

-Phelan

I'm sorry, beyond what I already mentioned I don't have any idea what capabilities ISA server offers. It may also have proxy capabilites, ISA server showed up about the time Microsoft killed Proxy Server.

Nowdays I use either external hardware routers or linux machines for any networking stuff.

Make sure you have a network rule that allows trafic from internal network to the internet network (external)
Also if your nating and not routing

Check your firewall policy rules to make sure your not blocking port 80 traffic

thanks for the replies-

yeah, I have no idea about the proxy server. I have a sneaking suspicion that there might be a layer I have yet to peel back in the ISA server.

Also, that rule is configured for the range the unix machine falls into. The traffic is going out to the proxy server (wherever that is, my current network admins are not entirely competent) and summarily internet via port 8080.

I went ahead and did a traffic capture while i attempted to connect to the internet on the unix box. I got an access denied packet pack, so I am assuming that I'm not providing the right credentials, which is kind of weird...

So my question now is, do I need to setup an account for the unix machine, or should I be able to provide my own network credentials to connect?

Yeesh! I may, of course, be on the completely wrong track...

I could be wrong here, but most web browsing is done over port 80, this could be part of the problem if 80 is blocked or no rule is setup?

You are certainly correct- http runs over port 80 generally. However I believe they have 8080 set up as a the port for the traffic requests to come into the Proxy Server, not the actual external internet.

Port 8080 is normally used as an alternate http port, in fact it's listed as such in the list of well known ports. For example, I use a linux web control panel ispconfig and it runs a 2nd webserver for it's own use on port 8080. So on that server I need to have both port 80 and 8080 open through the firewall and router.

If I am not mistaken all traffic in the ISA is blocked by a firewall rule. So unless acted on by a Network rule or another firewall rule the port is blocked. If you need 8080 open you would need to create a new Firewall rule for that.

Cool, did not know that about port 8080 being an http alternate. However, I believe my port 8080 is open, as other machines in the network can browse traffic just fine.

Look here for the iana list of well-known ports http://www.iana.org/assignments/port-numbers, but keep in mind there are no hard and fast rules that force ports to be used by a particular service, developers can pretty much put any service on any port they want.

You can also find Microsoft's abridged wkp list in \windows\system32\drivers\etc\services, at least on my W2003 server.

What are you using to access HTTP on the unix box? If it's a browser is it configured to use the ISA as a proxy and to send requests on port 8080? If it's not a browser, is it proxy aware? You generally have to tell the spplications manually to use a proxy & port.

I am using netscape on the unix box- i have the ISA proxy and port 8080 specified in the settings. I even set up a new account and input the settings from scratch, but still no dice.

Hi all,

Don't mean to resurrect this thread, but I though someone might be interested in the solution.

I had to go ahead and configure a rule in the ISA server firewall that allowed anonymous connections through the firewall from the unix box IP address to external and internal address (outside and inside the firewall). This bypassed the need for authentication (which, for whatever reason, I was unable to configure correctly). Now the box can browse through the proxy without problems.

Thanks for all the help and ideas, glad I got it licked finally!