Firewall client auto detect through dns
Firewall client auto detect through dns - 9.Jan.2006 1:51:09 PM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Hi all,

We use the firewall client on all machines and have enabled WPAD using the DNS method, but when I test the autodetect it takes some time (in excess of 10-12 secs) before detecting the ISA server. It is the same if I do this using the Firewall tool. From what I gather, the auto detect process seems to look at the WPAD entry in the 252 DHCP option, which we haven't got enabled, and then it does the DNS method. Is this normal? We have an internal DNS server which has been correctly set up with wpad, CNAME, PTR etc.

One other thing I noticed is that, say, sometimes you forget to type in the correct name in the address bar in IE, it takes some time and the browser just freezes for a few seconds to say that the domain name can't be found. Normally this should be instant. The DNS server has our ISP's DNS servers in the forwarders section and ISA is allowing DNS outgoing traffic from our internal DNS server to external.

Also when users start IE sometimes it waits on the "Detecting proxy settings". I know there is a fix for this and I've obtained this and installed it but it doesn't seem to fix it. Any ideas??

TIA, Ashok.
|
|
|
|
RE: Firewall client auto detect through dns - 13.Jan.2006 5:11:31 PM
|
|
|
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Ashok, Do you have any network traces taken from the client machine? It sounds like an interesting problem. Just for fun, you could try a HOSTS file entry on the client and enter wpad.domain.com and the correct IP address and see what happens. Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
RE: Firewall client auto detect through dns - 14.Jan.2006 6:04:42 PM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Hi Tom,

Thanks for the reply. I'll get the network traces and see if that reveals anything. I have enabled the DHCP option and this does make it faster, but the problem with the browser "detecting proxy settings" still exists, as well as the user mistyping a URL - the browser just freezes for a few seconds. It should display page not found or similar. I'll email you the network trace when I get this.

Ash.
|
|
|
|
RE: Firewall client auto detect through dns - 23.Jan.2006 11:33:26 AM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Hi Tom,

Sorry for not getting back. I've now taken the ethereal traces but am completely stumped because I don't know how to interpret the results. I'm trying to upload the files but it appears that I don't have permission. I'll send them to you via email.

ethereal trace = testing the autodetection
ethereal trace slow dns = when the browser freezes for a few seconds when typing in an incorrect URL.

TIA, Ashok.

PS: I think there are lots of other entries as well, I didn't know what to exclude in the trace so it may be full of all kinds of traffic.
|
|
|
|
RE: Firewall client auto detect through dns - 23.Jan.2006 10:53:49 PM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Hi Stefaan,

I did check the articles, but what I can't understand is that we don't use the DHCP method so the hotfix is probably not going to help. However I did install it but it doesn't seem to cure it. I did a test of auto detection using the firewall client tool and it seems that it's looking for DHCP 252 for quite some time before moving on to check the DNS. Of course once it gets past that delay it detects the ISA server using DNS. If I do a http://wpad/wpad.dat in IE then this works straight away and I'm prompted to save the file, so DNS seems to be working fine! Like I stated in the original message, we also notice that when a user incorrectly types in a URL in the browser (IE 6 SP1) the browser seems to freeze for a few seconds before releasing control to the user - never seen this.

I got the following selected in the Internal network's properties:
Enable firewall client support - ticked
Automatically detect isa server - not ticked
Use a auto configuration script - ticked
Use a proxy server - ticked and populated with as_isaserver.ashbygs.internal

I think the major problem comes if I place a tick in the Automatically detect settings, which is the one I'd like to have selected, but we are having this issue.

I have hosted the two ethereal files which show the traces from a client. Can I PM you with the details of the download site? I'm not hot on packet tracing or using ethereal so I don't know how to interpret the results.

TIA, Ashok.
|
|
|
|
RE: Firewall client auto detect through dns - 24.Jan.2006 12:06:15 AM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Ashok,

please post first the result of the 'fwctool TestAutoDetect' with the option /type:DHCP and /type:DNS. Also, a nslookup of wpad, the *exact* content of DHCP option 252 and an ipconfig /all on an internal workstation could be helpful.

HTH, Stefaan
|
|
|
|
RE: Firewall client auto detect through dns - 24.Jan.2006 12:29:13 AM
|
|
|
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
|
quote:
Use a auto configuration script - ticked Use a proxy server - ticked and populated with as_isaserver.ashbygs.internal

Why both? I would just go with the autoconfig script.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
|
|
|
|
RE: Firewall client auto detect through dns - 24.Jan.2006 10:48:27 AM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Hi LLigetfa,

Yes, I only had the auto config script selected before, but because of the problem and experimenting to get to the bottom of this I enabled the proxy server option.

Stefaan,

Here's the test of the auto config.

The normal method (Default - without specifying any type):

FwcTool version 4.0.3439
Firewall Client for ISA Server 2004 support tool
Copyright (c) Microsoft Corporation. All rights reserved.

Action: Test the auto detection mechanism
Type: Default
Detection details:
Timeout is set to 60 seconds
Locating WSPAD URL in DHCP Server
Locating option 252 in DHCP
Reading network adapters information
DHCP option for WPAD not found
WSPAD URL was not found in DHCP Server
Locating WSPAD URL in DNS Server
Locating domain name in registry
Opening registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Querying registry value: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
Domain name found: ASHBYGS.INTERNAL
Resolving address: wpad.ASHBYGS.INTERNAL.
Domain name found: wpad.ASHBYGS.INTERNAL.
WSPAD URL found in DNS Server: http://wpad.ASHBYGS.INTERNAL/wspad.dat
Initializing Web server connection
Resolving IP addresses for wpad.ASHBYGS.INTERNAL
Resolved 1 address(es): 10.56.179.150
Connecting to address #1: 10.56.179.150:80
Waiting for address #1 to connect
Address #1 successfully connected
Requesting wspad.dat file
Web server is connected and ready to send WSPAD file
Downloading WSPAD file
WSPAD file was downloaded successfully
Detected ISA Server: as_isaserver.ashbygs.internal:1745
Result: The command completed successfully.

The DNS Method:

C:\Firewall Client Tool>fwctool TestAutoDetect /type:DNS
FwcTool version 4.0.3439
Firewall Client for ISA Server 2004 support tool
Copyright (c) Microsoft Corporation. All rights reserved.

Action: Test the auto detection mechanism
Type: DNS
Detection details:
Timeout is set to 60 seconds
Locating WSPAD URL in DNS Server
Locating domain name in registry
Opening registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Querying registry value: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
Domain name found: ASHBYGS.INTERNAL
Resolving address: wpad.ASHBYGS.INTERNAL.
Domain name found: wpad.ASHBYGS.INTERNAL.
WSPAD URL found in DNS Server: http://wpad.ASHBYGS.INTERNAL/wspad.dat
Initializing Web server connection
Resolving IP addresses for wpad.ASHBYGS.INTERNAL
Resolved 1 address(es): 10.56.179.150
Connecting to address #1: 10.56.179.150:80
Waiting for address #1 to connect
Address #1 successfully connected
Requesting wspad.dat file
Web server is connected and ready to send WSPAD file
Downloading WSPAD file
WSPAD file was downloaded successfully
Detected ISA Server: as_isaserver.ashbygs.internal:1745

The DNS method was very quick < 1 second.

DHCP Method:

C:\Firewall Client Tool>fwctool TestAutoDetect /type:DHCP
FwcTool version 4.0.3439
Firewall Client for ISA Server 2004 support tool
Copyright (c) Microsoft Corporation. All rights reserved.

Action: Test the auto detection mechanism
Type: DHCP
Detection details:
Timeout is set to 60 seconds
Locating WSPAD URL in DHCP Server
Locating option 252 in DHCP
Reading network adapters information
DHCP option for WPAD not found
WSPAD URL was not found in DHCP Server
Failed to detect ISA Server
Result: The command failed and was not completed.

There was a delay on this for a few seconds. > 7 seconds

IP Config of the workstation:

C:\Firewall Client Tool>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : ITMANAGERLAPTOP
Primary Dns Suffix . . . . . . . : ASHBYGS.INTERNAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ASHBYGS.INTERNAL
                                    local

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
Physical Address. . . . . . . . . : 00-0E-35-57-03-60

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : local
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0A-E4-28-A9-32
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.56.177.124
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 10.56.179.150
DHCP Server . . . . . . . . . . . : 10.56.176.7
DNS Servers . . . . . . . . . . . : 10.56.176.7
                                    10.56.176.8
                                    10.56.176.12
                                    10.56.176.13
                                    10.56.176.14
Lease Obtained. . . . . . . . . . : 24 January 2006 08:59:46
Lease Expires . . . . . . . . . . : 23 February 2006 08:59:46

C:\Firewall Client Tool>

NSLOOKUP:

C:\Documents and Settings\a-karavadra@ASHBYGS.INTERNAL\Desktop>nslookup
Default Server: ags-svr-001.ashbygs.internal
Address: 10.56.176.7

> wpad
Server: ags-svr-001.ashbygs.internal
Address: 10.56.176.7

Name: as_isaserver.ASHBYGS.INTERNAL
Address: 10.56.179.150
Aliases: wpad.ASHBYGS.INTERNAL

>

There is no DHCP entry defined in the DHCP Server.

HTH, Ashok.
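
The fwctool transcripts in the post above can be compared mechanically. The following Python is an added example, not part of the thread and not Microsoft's tooling: it parses a `fwctool TestAutoDetect` transcript and checks that the client landed on the intended ISA server. The names `parse_autodetect` and `findings` are hypothetical, and the parser assumes only the line forms shown in the thread (the "found in DHCP" and "not found in DNS" forms are assumed by symmetry).

```python
import re

# Lines copied (abridged) from the default-type fwctool run quoted in the thread.
SAMPLE = """\
Type: Default
Locating WSPAD URL in DHCP Server
WSPAD URL was not found in DHCP Server
Locating WSPAD URL in DNS Server
WSPAD URL found in DNS Server: http://wpad.ASHBYGS.INTERNAL/wspad.dat
Resolved 1 address(es): 10.56.179.150
Detected ISA Server: as_isaserver.ashbygs.internal:1745
Result: The command completed successfully.
"""

def parse_autodetect(text):
    """Summarise one 'fwctool TestAutoDetect' transcript (line forms as seen in the thread)."""
    r = {"type": None, "tried": [], "missed": [], "found_via": None, "url": None,
         "addresses": [], "server": None, "port": None, "ok": None}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Type:\s*(\S+)", line):
            r["type"] = m.group(1)
        elif m := re.match(r"Locating WSPAD URL in (DHCP|DNS) Server", line):
            r["tried"].append(m.group(1))
        # Only the DHCP miss and the DNS hit appear in the thread; the other forms are assumed.
        elif m := re.match(r"WSPAD URL was not found in (DHCP|DNS) Server", line):
            r["missed"].append(m.group(1))
        elif m := re.match(r"WSPAD URL found in (DHCP|DNS) Server:\s*(\S+)", line):
            r["found_via"], r["url"] = m.group(1), m.group(2)
        elif line.startswith("Resolved "):
            r["addresses"] = re.findall(r"\d+(?:\.\d+){3}", line)
        elif m := re.match(r"Detected ISA Server:\s*(\S+):(\d+)$", line):
            r["server"], r["port"] = m.group(1).lower(), int(m.group(2))
        elif line.startswith("Result:"):
            r["ok"] = "completed successfully" in line
    return r

def findings(r, expected_server, expected_ips):
    """Compare a parsed run with the intended ISA server; returns human-readable notes."""
    notes = []
    if r["server"] is None:
        notes.append("no ISA server detected")
    elif r["server"] != expected_server.lower():
        notes.append("detected server differs from expected: " + r["server"])
    for ip in r["addresses"]:
        if ip not in expected_ips:
            notes.append("wpad resolved to unexpected address: " + ip)
    if "DHCP" in r["missed"] and r["found_via"] == "DNS":
        notes.append("DHCP option 252 was tried and missed before DNS succeeded")
    return notes
```

Feeding it the saved output of each `/type:` run from several workstations shows at a glance which clients fall through from DHCP to DNS and whether any of them resolve `wpad` somewhere other than the ISA server.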
|
|
|
|
RE: Firewall client auto detect through dns - 24.Jan.2006 8:32:26 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Ashok,

that looks all good! The settings I recommend:

- on the Firewall Client: tab General: Automatically detect ISA Server, tab Web Browser: Enable Web browser automatic configuration.
- on the ISA Server, properties Internal network, tab Firewall Client: Enable Firewall client support for this network checked and in the Web browser configuration on the Firewall client computer part check Use automatic configuration script and do *not* check Automatically detect settings.

With this configuration the automatic detection process, whether it is through DHCP or DNS, happens during the boot process. IE uses the automatic configuration script and that should work very fast because it is a normal DNS lookup and HTTP access.

If for some reason you want to use Automatically detect settings in IE, then make sure you have the hotfix mentioned in http://support.microsoft.com/default.aspx?scid=kb;en-us;907455.

BTW --- how are the DNS settings on the ISA server itself?

HTH, Stefaan
|
|
|
|
RE: Firewall client auto detect through dns - 25.Jan.2006 11:52:56 AM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Hi Stefaan,

This is what I had before but I only enabled the automatic settings to experiment. The firewall client has the options enabled which you mentioned. I'll test out a few more stations to see how this goes.

The DNS settings on the ISA server are as follows: the internal interface has a DNS server defined which points to our internal DNS server, which is also a DC. There is a rule on the ISA server defined to allow DNS queries outbound from the internal DNS server to external.

DNS Server: 10.56.176.7
ISA's Internal DNS Servers defined as: 10.56.176.7 10.56.176.8

On external interfaces there are DNS servers defined.

Ashok.
|
|
|
|
RE: Firewall client auto detect through dns - 25.Jan.2006 12:12:29 PM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Hi Stefaan,

One thing I forgot to add is that we disabled the access to the firewall client icon on the tray. We created a rule to block this on the logon so I'm not sure if this is the cause of this. I have now enabled this so the icon shows and tested it on one station using a different user account and this seems to work. I'll test out a few more users to be completely sure.

Ashok.
|
|
|
|
RE: Firewall client auto detect through dns - 26.Jan.2006 10:12:02 AM
|
|
|
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
|
Got this corrected now. We disallowed the firewall client icon so this may have been the problem, because after going through what everyone said here I tested it out with the firewall client icon enabled and it worked fine. Now the message "detecting proxy settings" only comes up for < 1 second before loading the appropriate page.

These are the settings I now have:

On the ISA server in the Internal interface's properties:
---> Enable firewall client support - ticked
---> Automatically detect settings - not ticked
---> Use autoconfiguration script - ticked
---> Use default URL - ticked
---> Use a proxy server - not ticked

On the client side we have the firewall client enabled and it is set to automatically detect settings and also Enable automatic web browser configuration.

Everything is working fine. Thanks for all your help. Much appreciated as always!

Ashok.
|
|
|
|