ISA Server uses access rules to grant internal users access to Internet resources. In some cases, you may need to troubleshoot these access rules to ensure that a user can access the required resources. Use the following guidelines to troubleshoot Internet access issues:
1- Check DNS name resolution. If the client cannot resolve the DNS name of the Internet resource, the client will not be able to connect to the resource. To check whether the client can resolve the DNS name, ping the FQDN of the Internet resource. Even if you cannot ping the server, you can use the ping output to determine whether the client resolved the FQDN to the correct IP address. If the client did not resolve the DNS name correctly, check the client DNS configuration and the DNS server used by the client. Also check the access rules on ISA Server to ensure that DNS queries from the internal network can be forwarded to the Internet DNS servers.
2- Determine the extent of the problem. An important troubleshooting step is to narrow down the cause of the problem by isolating who is affected by it. For example, if only one user or group of users is affected, then the issue is likely a configuration error on an ISA Server access rule. If only one Web site is inaccessible, then the problem may be with an access rule configuration, or the Web site may be unavailable. If all computers are affected, then you must check the ISA Server configuration and network connectivity. If only one computer is affected, then check the network connectivity and client configuration on that one computer.
3- Review access rule objects and access rule configuration. After determining the extent of the problem, review the access rule configurations that specifically relate to the affected users. For example, if a group of users is affected, then look for access rules or access rule elements that apply specifically to that group.
4- Review access rule order. ISA Server evaluates access rules in the order listed in ISA Server Management. The first rule that matches the client request is applied to the request. For example, if an access rule that allows access to all Web sites using HTTP is listed first, other access rules that set restrictions on which Web sites can be accessed will not be evaluated.
5- Check access rule authentication. If an access rule requires authentication, then ensure that the ISA Server clients support the authentication protocol configured for the access rule. Also ensure that all users are using Web Proxy or Firewall clients, because SecureNAT clients do not support authentication. The access rule order is also important when using access rules that require authentication. For example, if an access rule that allows Internet access using all protocols but only for members of a particular group is evaluated first, all users that are not members of that group will not be able to access the Internet.
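The first-match behaviour in guidelines 4 and 5, as an added example (a simplified Python model, not ISA Server code and not part of the original article). The rule names, the site `blocked.example`, the group names and the `*` wildcard are constructed for illustration; `shadowed` reports rules that an earlier rule always pre-empts.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard used by this model only

@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocol: str = ANY
    site: str = ANY
    group: str = ANY       # ANY = all users, no authentication required

@dataclass
class Request:
    protocol: str
    site: str
    groups: frozenset = frozenset()
    can_authenticate: bool = True  # False models a SecureNAT client

def covers(rule, protocol, site):
    """True if the rule's protocol and destination include the given pair."""
    return rule.protocol in (ANY, protocol) and rule.site in (ANY, site)

def evaluate(rules, req):
    """Return (action, rule name) for the first rule that matches the request."""
    for rule in rules:
        if not covers(rule, req.protocol, req.site):
            continue
        # A rule limited to a group needs an authenticated member; as the
        # guidelines describe, anyone else is refused here and later rules
        # are never consulted.
        if rule.group != ANY and not (req.can_authenticate and rule.group in req.groups):
            return ("deny", rule.name)
        return (rule.action, rule.name)
    return ("deny", "no rule matched")

def shadowed(rules):
    """Pairs (later, earlier) where the earlier rule always pre-empts the later."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i]
            if covers(earlier, later.protocol, later.site)]

# Constructed rule set and request (names and sites are illustrative).
ALLOW_HTTP = Rule("Allow all HTTP", "allow", protocol="HTTP")
BLOCK_SITE = Rule("Block one site", "deny", protocol="HTTP", site="blocked.example")
MANAGERS = Rule("Managers, all protocols", "allow", group="Managers")
staff = Request("HTTP", "blocked.example", groups=frozenset({"Staff"}))
```

With `[ALLOW_HTTP, BLOCK_SITE]` the restriction is never reached; swapping the two rules makes `evaluate` return the deny, and placing `MANAGERS` first refuses `staff` before the general HTTP rule is considered.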
One of the useful tools provided with ISA Server for troubleshooting access to resources on other networks is the logging feature. By default, ISA Server logs all Web Proxy and Firewall client connections to the Internet. You can use these logs to determine which access rules are allowing or blocking access.
To view the information logged by ISA Server, complete the following steps:
1. In ISA Server Management, click Monitoring.
2. Click the Logging tab.
3. To view the information being logged at the current time, click Start Query. To use this option, start the query and then attempt to access the Internet resource from the client computer. You can view the client connection attempts in the log viewer.
4. To view archived information or to limit the number of entries in the log viewer, configure a filter to view specific information contained within the log files. For example, you could configure a filter that allowed you to view all the client connection attempts from a specific client computer over a specified period.