Troubleshooting (SE Quick Start Guide)

The procedures described in this Quick Start Guide are designed to provide a quick and reliable method for creating a secure firewall configuration while allowing a rich Internet experience for internal network clients. However, there are some common problems you might encounter that are related to the type of Internet connection you use on the external interface of the ISA Server 2004 firewall.

Troubleshooting Cable Connections

Cable modem connections with non-permanent IP addresses on the external interface of the ISA Server 2004 firewall computer usually work fine when the System Policy is configured to allow DHCP responses from External DHCP servers. However, some cable providers use variants of the DHCP protocol that might not work correctly with the ISA Server 2004 firewall’s DHCP client settings.

If you find the connection to the Internet stops after it has been functional for a period of time, perform the following steps to confirm the problem:

  1. Open a command prompt, enter ipconfig /all, and then press ENTER.
  2. If you see that the IP address for your Internet connection is 0.0.0.0, this indicates that the ISA Server 2004 firewall was not able to renew its IP address because the cable company is using an incompatible DHCP method.
  3. Close the command prompt window.
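
The check in steps 1 and 2 can be automated when the drop-out is intermittent. The following is an added example, not part of the original guide: it parses saved `ipconfig /all` output and reports adapters whose address reads 0.0.0.0. It assumes the English-language output layout, and it only flags adapters that show DHCP as enabled, which is a choice made for this example. The sample text, adapter names and function names are constructed.

```python
import re

# Constructed sample in the English "ipconfig /all" layout; the adapter
# names and addresses are made up for illustration.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter WAN:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 0.0.0.0
   Subnet Mask . . . . . . . . . . . : 0.0.0.0

Ethernet adapter LAN:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

HEADER = re.compile(r"^(\S.*adapter .+):\s*$")      # e.g. "Ethernet adapter WAN:"
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")  # "Label. . . : value"

def parse_adapters(text):
    """Map each adapter section to a dict of its label/value lines."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
        elif current is not None:
            field = FIELD.match(line)
            if field:  # keep the first value seen for a label
                current.setdefault(field.group(1).strip(), field.group(2).strip())
    return adapters

def stalled_dhcp_adapters(text):
    """Names of DHCP-enabled adapters whose address reads 0.0.0.0."""
    stalled = []
    for name, fields in parse_adapters(text).items():
        # Newer Windows prints "IPv4 Address" with a "(Preferred)" suffix.
        addr = fields.get("IP Address") or fields.get("IPv4 Address", "")
        if fields.get("DHCP Enabled") == "Yes" and addr.split("(")[0] == "0.0.0.0":
            stalled.append(name)
    return stalled

if __name__ == "__main__":
    print(stalled_dhcp_adapters(SAMPLE))
```

Running it on a schedule against fresh `ipconfig /all` output gives a timestamped record of when the external interface lost its lease.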

If you encounter this problem, put a cable router in front of the ISA Server firewall and use an Ethernet connection on the external interface of the ISA Server 2004 firewall computer. Configure the external interface of the ISA Server 2004 firewall to use the internal IP address of the cable router as its default gateway.

Troubleshooting DSL Connections

DSL connections using ATM routers almost never introduce problems for ISA Server 2004 firewalls. However, there are often issues with using a Point-to-Point Protocol over Ethernet (PPPoE) dial-up connectoid. The most common issue is related to the MTU (Maximum Transmission Unit) setting on the clients and server. You can learn more about the problem and how to fix it at https://www.isaserver.org/tutorials/ISA_Server_2000_and_DSL_by_David_Fosbenner.html

If you prefer not to change the MTU settings on all your computers, you can put a DSL router in front of the ISA Server firewall and use an Ethernet connection on the external interface of the ISA Server 2004 firewall computer. Configure the external interface of the ISA Server 2004 firewall to use the internal IP address of the DSL router as its default gateway. This configuration allows the ISA Server 2004 firewall to have a permanent IP address on its external interface.

Troubleshooting Name Resolution

Your caching-only DNS server on the ISA Server 2004 firewall handles all Internet name resolution. This caching-only DNS server is configured to use your ISP’s DNS server as a forwarder. If you find that you can reach Web sites using an IP address, but not using the name of the Web site, there might be problems with your ISP’s DNS server. If you suspect that there is a problem with your ISP’s DNS server, you can reverse the forwarder configuration you set when you configured the caching-only DNS server and allow your DNS server to perform recursion. If disabling the forwarder fixes the problem, contact your ISP to find out if there is a problem with their DNS server or if they have changed their DNS server’s IP address.

Unable to use Specific Applications

The SecureNAT client can access a wide range of protocols that allow it to work with the most popular Internet applications. However, there are some Internet applications that do not work with the SecureNAT client configuration. The most common types of applications that do not work with the SecureNAT client configuration are Internet games, voice/video, and some “custom” applications. These applications do not work because they use complex protocols that require secondary connections. While the SecureNAT client can work with complex protocols, an application filter must be installed on the ISA Server 2004 firewall to enable the SecureNAT client to work with these applications.

The Firewall client software is required to enable ISA Server 2004 client machines to access complex protocols and applications. The Firewall client can manage the connections and does not require a special application filter to be installed on the ISA Server 2000 firewall machine.

In addition to providing access to complex protocols, the Firewall client software provides powerful per-user outbound access controls. These per-user access controls allow you to provide access to some sites to one group of users, and other sites to another group of users. The ISA Server 2004 Firewall client greatly increases the level of security and flexibility of your ISA Server 2004 firewall.

For more information about how to install and configure the Firewall client software, please refer to the ISA Server 2004 Help file.

[Topic Last Modified: 02/26/2008]