Welcome to ISAserver.org
Change Proxy at GP level
Change Proxy at GP level - 24.Mar.2008 10:14:05 AM
jun1or
Posts: 27
Joined: 4.Jan.2008
Status: offline
Hello All,

One of the IT guys deployed ISA2006 with minimum testing and this caused several issues, hence we reverted to our old proxy. I have been given the task to deploy this now. What I would like to do, once I have tested this, is change each department to the ISA proxy. We currently have a group policy in place at top level which changes all users' proxy. If I create a sub-group policy within the sub OU pointing to the ISA, will the top level policy (pointing to old proxy) overwrite this sub-policy?

Many Thanks
Jun1or
RE: Change Proxy at GP level - 24.Mar.2008 10:50:05 AM
paulo.oliveira
Posts: 927
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi, this has nothing to do with ISA; it has to do with Windows Network-Infrastructure. Answering your question, no, it won't. Because the more internal GPO will win!

Regards.
RE: Change Proxy at GP level - 24.Mar.2008 5:13:17 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Stop using GPO for this. It is too rigid and cannot adjust to changing situations or adjust for mobile machines like laptops.

Configure the LAN to use Proxy Autodetection via WPAD. This should be done at both the AD/DNS and the DHCP Server. Base the auto-detection on your old proxy first,...assuming it is a true proxy and not a NAT box,...and that the old proxy is capable of using the industry standard auto-detection with WPAD. Configure it on DNS first and point the "wpad" CNAME to the A Record of the old proxy, then configure it on the DHCP and point the config in the DHCP to the CNAME you created in the DNS.

Verify that it works correctly and that all Clients are configured to auto-detect (not GPO,..get rid of the GPO for this). Test clients on the new ISA by manually configuring them.

Once all testing is "good" then just change the "wpad" CNAME in DNS to point to the A Record of the new ISA and wait. Give it a few days. Monitor the old proxy to see when no other users are actually using it (meaning they are all using the ISA now). Then power off the old proxy and wait a couple more days to verify nothing is broken. Then remove the old proxy from the LAN.

You can find articles virtually everywhere for configuring a LAN for autodetection with WPAD.
_____________________________
Phillip Windell www.wandtv.com
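
An added example, not part of the original post: one way to carry out the "verify that it works correctly" step is to read the proxies out of the `wpad.dat` served under the `wpad` name and compare them with the proxy expected at that stage of the migration. The sample script, host names and ports are constructed placeholders, and the function names are this example's own.

```python
import re
import urllib.request

# Constructed sample wpad.dat body; every host name and port is a placeholder.
SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    // return "PROXY testproxy.corp.example:8080";   (disabled)
    if (isPlainHostName(host) || shExpMatch(url, "http://intranet.corp.example/*"))
        return "DIRECT";
    return "PROXY isa01.corp.example:8080; PROXY oldproxy.corp.example:3128; DIRECT";
}
'''

# One pass over string literals and comments, so "http://..." inside a string
# is not mistaken for a // comment and commented-out returns are ignored.
_TOKEN = re.compile(r'''("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|/\*.*?\*/|//[^\n]*''', re.S)
_ENTRY = re.compile(r'^(?:PROXY|HTTPS?|SOCKS[45]?)\s+([A-Za-z0-9.-]+):(\d{1,5})$', re.I)


def proxies_in_pac(pac_text):
    """Return the set of (host, port) pairs the PAC script can hand out."""
    found = set()
    for token in _TOKEN.finditer(pac_text):
        literal = token.group(1)
        if literal is None:                 # matched a comment, skip it
            continue
        for entry in literal[1:-1].split(';'):
            m = _ENTRY.match(entry.strip())
            if m:
                found.add((m.group(1).lower(), int(m.group(2))))
    return found


def unapproved_proxies(pac_text, approved):
    """Proxies in the PAC that are not on the approved (host, port) list."""
    allowed = {(host.lower(), port) for host, port in approved}
    return sorted(proxies_in_pac(pac_text) - allowed)


def fetch_pac(url, timeout=5):
    """Fetch a live wpad.dat directly, ignoring any proxy already configured."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode('utf-8', 'replace')


if __name__ == '__main__':
    # After cutover only the new ISA should be listed; the old proxy is flagged.
    print(unapproved_proxies(SAMPLE_PAC, [('isa01.corp.example', 8080)]))
```

Against a live network the input would come from `fetch_pac('http://wpad.<your-domain>/wpad.dat')`. Any entry in the result means clients can still be handed a proxy that is not the intended one.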
RE: Change Proxy at GP level - 24.Mar.2008 11:12:57 PM
gbarnas
Posts: 151
Joined: 27.Apr.2005
From: New Jersey
Status: offline
A. I agree 110% - GPO configuration for this is a bad idea.

B. I just used the method Phillip recommends to migrate users from an old ISA 2K to a new ISA 2K6 EE array - ZERO issues related to ISA doing it this way. We manually configured the QA team to use the new proxy, then just changed the WPAD CNAME to point to the new array on "go-live day". We had two minor issues related to "band-aid" rules on the old proxy that we had to identify and provide a proper fix for, but nothing major. Migrated about 3K users at 260 sites in one morning.

The advantage of WPAD is that if a roaming user takes their laptop home, where there is no proxy, it will still work, since there is no hard configuration as there would be with a GPO or manual definition.

Glenn
RE: Change Proxy at GP level - 31.Mar.2008 9:30:38 AM
vuilverwerking
Posts: 26
Joined: 29.Dec.2006
Status: offline
And if I don't want the DHCP or DNS server(s) to 'shout' the ISA server address & config if someone plugs his/her laptop into my LAN? GPO only applies on the Domain clients, or am I wrong?
RE: Change Proxy at GP level - 31.Mar.2008 10:07:57 AM
gbarnas
Posts: 151
Joined: 27.Apr.2005
From: New Jersey
Status: offline
I've never seen either DNS or DHCP "shout" anything. These are network databases that respond to queries. They do not "broadcast" information indiscriminately.

Glenn
RE: Change Proxy at GP level - 31.Mar.2008 10:27:10 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It isn't the job of the network to control what people bring into the building. It is Management's job to do that. Don't leave unused RJ45 jacks "hot". Unplug them at the patch panel.
_____________________________
Phillip Windell www.wandtv.com
RE: Change Proxy at GP level - 3.Apr.2008 4:38:49 AM
jun1or
Posts: 27
Joined: 4.Jan.2008
Status: offline
quote:
ORIGINAL: pwindell
Stop using GPO for this. It is too rigid and cannot adjust to changing situations or adjust for mobile machines like laptops. Configure the LAN to use Proxy Autodetection via WPAD. This should be done at both the AD/DNS and the DHCP Server. Base the auto-detection on your old proxy first,...assuming it is a true proxy and not a NAT box,...and that the old proxy is capable of using the industry standard auto-detection with WPAD. Configure it on DNS first and point the "wpad" CNAME to the A Record of the old proxy, then configure it on the DHCP and point the config in the DHCP to the CNAME you created in the DNS. Verify that it works correctly and that all Clients are configured to auto-detect (not GPO,..get rid of the GPO for this). Test clients on the new ISA by manually configuring them. Once all testing is "good" then just change the "wpad" CNAME in DNS to point to the A Record of the new ISA and wait. Give it a few days. Monitor the old proxy to see when no other users are actually using it (meaning they are all using the ISA now). Then power off the old proxy and wait a couple more days to verify nothing is broken. Then remove the old proxy from the LAN. You can find articles virtually everywhere for configuring a LAN for autodetection with WPAD.

Will this method change all users to the new proxy? I want to push out ISA to each subnet at a time so that any issues they have can be completed before changing for others.

Thanks
Jun1or
RE: Change Proxy at GP level - 3.Apr.2008 10:00:48 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Yes, it will change users to the new proxy. Subnets are irrelevant,...it will change all users across the entire LAN when it changes.

Statically set several machines to use the new proxy to verify it works properly. Don't make the change until it is correct. Leave the old proxy functioning. The change won't happen instantly. Leave the old proxy running for a few days. Use the logs on the old proxy to determine at what point there are no clients using it anymore,...do not remove it until then.

Again,...Subnets are irrelevant,...they mean nothing,...nothing can be done "based on subnets".
_____________________________
Phillip Windell www.wandtv.com
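
An added example, not from the original post: the "use the logs on the old proxy" step as a script that counts distinct clients per day on the old proxy and lists the addresses still using it after a given date. It assumes the old proxy writes W3C extended format logs with `date` and `c-ip` fields; the log lines are constructed and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (documentation addresses).
SAMPLE_LOG = """\
#Software: constructed sample for this example
#Fields: date time c-ip cs-method cs-uri sc-status
2008-04-07 09:01:12 192.0.2.10 GET http://example.com/ 200
2008-04-07 09:03:40 192.0.2.11 GET http://example.org/ 200
2008-04-07 09:05:02 192.0.2.12 GET http://example.net/ 200
2008-04-08 10:15:30 192.0.2.10 GET http://example.com/ 200
2008-04-08 10:16:01 192.0.2.12 GET http://example.net/ 304
2008-04-09 08:00:45 192.0.2.12 GET http://example.net/ 200
2008-04-10 08:02
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line[len('#Fields:'):].split()
        elif line and not line.startswith('#'):
            values = line.split()
            if fields and len(values) == len(fields):   # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records


def clients_per_day(records):
    """Number of distinct client addresses seen on each date."""
    days = defaultdict(set)
    for r in records:
        days[r['date']].add(r['c-ip'])
    return {day: len(ips) for day, ips in sorted(days.items())}


def stragglers(records, since):
    """Clients still using the proxy on or after `since` (YYYY-MM-DD)."""
    return sorted({r['c-ip'] for r in records if r['date'] >= since})


if __name__ == '__main__':
    recs = parse_w3c(SAMPLE_LOG)
    print(clients_per_day(recs))       # should trend to zero after cutover
    print(stragglers(recs, '2008-04-09'))
```

Addresses that keep appearing several days after the CNAME change are the ones to check for a leftover GPO or manually entered proxy setting.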
RE: Change Proxy at GP level - 4.Apr.2008 11:37:24 AM
jun1or
Posts: 27
Joined: 4.Jan.2008
Status: offline
That's great. Thanks for your help. I am now in the process of planning to install ISA2006, I have been reading Dr. Tom Shinder's ISA Server 2006 Migration Guide and this has helped me. Once