Ok, this has been a little pain in my backside ever since last October . . . You load up SBS Standard, customize the companyweb main page with a couple web parts from the Online Gallery and everything is just peachy . . .
That is until you throw in your Premium Technologies CD and load ISA. Now your web parts aren’t working – so you decide that you’re going to try adding them again. Nice try – when you try browsing the Online Gallery, you either get a message that the gallery doesn’t exist, or that it doesn’t contain any web parts. Right – they were all there a few minutes ago . . . Take ISA out of the mix and voila! – the online gallery / web parts work as expected.
The official response from MS is to edit your web.config file for the SharePoint site to include proxy information. This is fine & dandy – but it doesn’t work. Why? Because the reason this isn’t working in the first place is that ISA is denying the requests due to an authentication failure (check your ISA web proxy logs and you’ll see a 12209 error after you edit your web.config file to point to ISA’s proxy) – and there’s no way (that I’ve found at least) to provide user credentials for the proxy service in the web.config file . . .
Ok, so I’ve tried the usual suspects – I disabled required authentication for outbound web requests, edited the HTTP redirector filter to forward requests from SecureNAT & Firewall clients directly to the requested web server instead of the web proxy service, and it still fails. I have a hunch on why this is – but haven’t taken the time to research it in depth and get proof. I’m thinking the root of the issue is that WSS and ISA are on the same machine. I’m guessing that if we had WSS on a member server behind ISA, we could get it to work either by having the firewall client running & editing the web.config file to use the proxy, or by configuring the member server as a SecureNAT client and tweaking the HTTP Redirector Filter as mentioned above. Since WSS is running on the ISA server, it isn’t a Firewall or SecureNAT client (its default gateway is set to either your router or ISP’s gateway – not the ISA server (itself)).
So – just how in the Sam – Freakin – Hell do you get this to work? A packet filter, young grasshopper – a packet filter. Open ISA Management and expand Servers & Arrays | | Access Policy | IP Packet Filters. Create a new packet filter that allows outbound HTTP traffic (TCP | Local : All Ports | Remote : Fixed 80). VOILA! You can access your Online Gallery, and the web parts even work! :^)
Now, it is very important to note that there is a security consideration to this workaround. Allowing this packet filter allows any app running on your server to go out on port 80 without providing user information. However, the traffic will still be logged in your ISA IP packet filter log. Assuming you make sure to leave IE configured to use the proxy and keep the locked-down secure settings, limit browsing from your server as much as possible and follow general security guidelines, you shouldn’t have any problems. To put this in perspective, this workaround simply tweaks your SBS so that outbound traffic on port 80 acts just like it would on SBS Standard. All other traffic (inbound / outbound) is still subject to the more stringent ISA policies.
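Because the packet filter log is the only record of what leaves through this filter, it is worth reviewing by destination. The script below is an added example, not part of the original post: it tallies outbound TCP port 80 connections from the server in a W3C extended format log and separates expected destinations from everything else. The field names, addresses and log lines are constructed assumptions; match the field names to the `#Fields:` line of your own packet filter log.

```python
from collections import Counter

# Constructed sample in W3C extended log format. Field names are assumptions:
# use the names from the "#Fields:" line of your own packet filter log.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time source-ip destination-ip protocol source-port destination-port
2005-06-01 10:00:01 192.0.2.10 198.51.100.20 TCP 1045 80
2005-06-01 10:00:02 192.0.2.10 198.51.100.20 TCP 1046 80
2005-06-01 10:00:05 192.0.2.10 203.0.113.77 TCP 1050 80
2005-06-01 10:00:09 192.0.2.10 198.51.100.20 TCP 1051 443
2005-06-01 10:00:11 203.0.113.5 192.0.2.10 TCP 3301 80
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def outbound_http(text, server_ip, known_destinations=()):
    """Count port 80 connections leaving server_ip, split into known and unexpected."""
    known, unexpected = Counter(), Counter()
    for rec in parse_w3c(text):
        dest = rec.get("destination-ip")
        if (rec.get("source-ip") == server_ip
                and rec.get("protocol", "").upper() == "TCP"
                and rec.get("destination-port") == "80"
                and dest):
            bucket = known if dest in known_destinations else unexpected
            bucket[dest] += 1
    return known, unexpected


if __name__ == "__main__":
    # 192.0.2.10 stands in for the server's external address (assumption).
    known, unexpected = outbound_http(SAMPLE_LOG, "192.0.2.10", {"198.51.100.20"})
    for ip, count in unexpected.most_common():
        print(f"unexpected destination {ip}: {count} connection(s)")
```

Destinations that are not the gallery or other services you expect the server to contact are the ones to investigate.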