ISA SERVER being bypassed?

Status
Not open for further replies.
Aug 14, 2003
94
US
Ok, Here's the problem,

We have users that are blocked on the ISA SERVER from viewing unauthorized webpages. The problem is that when there's a power failure, the client stations reboot before the ISA SERVER is turned back on. For some reason the users have full access to the internet until they reboot their PCs.

What could be causing this?
 
Sounds to me like the clients are not using the ISA for access to the internet. I trialed your situation by booting the clients before the ISA box; there is no internet until client re-locked..

Can I ask, do you use a client wpad script for proxy connection?
Hope this helps


"Research is what I'm doing when I don't know what I'm doing."
 
The clients will always turn on first because they are not on a UPS, therefore once the power returns all the PCs boot. We then go and start the servers.

The clients are all configured to use a proxy.pac script which points them to the ISA server.

 
Another possibility is that DHCP is allocating a default gateway that is letting users through...

 
Not being rude ... have you thought about sorting the power outage first to stop the loss of power, if it happens a lot..

And my question would be: why are they not being routed through the ISA server for internet? Have you got 2 NICs on the server holding ISA, DHCP, and check DNS for loopholes..
pointing to the ISP's gateway address???



"Research is what I'm doing when I don't know what I'm doing."
 
Any other possibilities? Both our default gateways are never turned off and always on UPS.
 
Schtek,

1st, We can control the crappy power grid we're on, Hydro is usually responsible for the power failures.

2nd - They are routed through the ISA Server with rules.

Only 1 NIC on ISA server, DHCP is a Contivity VPN box.

What type of loopholes could I find in DNS?
 
It is advisable to have more than 1 NIC on the ISA: 1 to the router (Contivity VPN box), 1 to the switch to feed your network. The reason why the XP machines are getting to the internet is that the router (Contivity VPN box) is supplying addresses when your servers are down.

If you were to set the router (Contivity VPN box) to the ISA box, when that server is down, NO internet.

I meant by power supply: are the PCs overloading your fuses internally?? Hence tripping servers!

hope this helps you :)




"Research is what I'm doing when I don't know what I'm doing."
 
I was thinking that, but our proxy.pac points to the ISA server, will the connection go direct if the ISA server is down?

The last line of proxy.pac says this

else
return "PROXY 10.7.135.13:8080";
 
XP sometimes surprises us all. Times it doesn't do what you ask, times it searches for the answers for you!!! If the proxy.pac can't find what it is looking for, i.e. the answer from ISA, it won't work, then XP finds a way to log on and use a connection to the internet.... this is what I think yours are doing..

I would investigate the second NIC theory as your best answer, then you can be certain: if ISA down, NO internet. Good luck


"Research is what I'm doing when I don't know what I'm doing."
 
I don't know what the capabilities of your VPN box are, but in our situation we have a hardware based firewall in front of the ISA Server. We placed a rule on the hardware firewall saying that it will not accept anything from anybody but the ISA server.

Dan
 
We are set up similar to dput. We have a Cisco in front of the ISA server with a rule that only allows traffic out from the ISA IP Address. Everything else is dropped.

This way, even if a user is savvy enough to bypass ISA, they can't get any further than the local LAN.
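
On the proxy.pac question earlier in the thread, an added example (not posted by any participant): a fail-closed PAC function beside a fail-open variant, with a small audit that flags any return value letting the browser connect `DIRECT`. Only the proxy address comes from the thread; the function names, the `.corp.example` suffix and the sample URLs are constructed assumptions.

```javascript
// Added illustration; not code from any poster in this thread.
// The proxy address is the one quoted from the thread's proxy.pac. Function
// names, the internal suffix and the sample URLs are hypothetical.
const ISA_PROXY = "PROXY 10.7.135.13:8080";

// Fail-closed PAC: external hosts get the proxy and nothing else, so a browser
// that has loaded this script has no alternative route when the proxy is down.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain host names and the (assumed) internal suffix bypass the proxy.
  if (host.indexOf(".") === -1 || host.endsWith(".corp.example")) {
    return "DIRECT";
  }
  return ISA_PROXY;
}

// Fail-open variant for comparison: entries are tried in order, so DIRECT is
// used once the proxy stops answering.
function failOpenPac(url, host) {
  return ISA_PROXY + "; DIRECT";
}

// Split a PAC return value into ordered entries, e.g. "PROXY a:1; DIRECT".
function parsePacResult(result) {
  return result.split(";").map(s => s.trim()).filter(Boolean).map(entry => {
    const [type, target = null] = entry.split(/\s+/);
    return { type: type.toUpperCase(), target };
  });
}

// Run a PAC function over external URLs and report each one for which the
// returned list contains DIRECT, with its position in the fallback order.
function findFailOpen(pacFn, urls) {
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    const entries = parsePacResult(pacFn(url, host));
    const position = entries.findIndex(e => e.type === "DIRECT");
    if (position !== -1) findings.push({ url, position });
  }
  return findings;
}

// Constructed sample URLs standing in for external sites.
const EXTERNAL = ["http://www.example.com/", "https://news.example.org/a?b=1"];
console.log(findFailOpen(FindProxyForURL, EXTERNAL));
console.log(findFailOpen(failOpenPac, EXTERNAL));
```

A PAC file only steers browsers that load and honor it, so the firewall rule described in the posts above remains the enforcement point.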
 
But my question to you would be: how many NICs have you got in your ISA server???


"Research is what I'm doing when I don't know what I'm doing."
 