Welcome to ISAserver.org

ISA 2004, IE and Proxy settings

ISA 2004, IE and Proxy settings - 17.Dec.2005 1:55:20 AM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Ok, I thought I had this figured out, but guess not.

The problem:

When I configure my clients' Internet Explorer browser to autodetect the proxy settings, it takes 10-20 seconds for it to autodetect and keep going. This is driving me and my users nuts.

What is going on and how can I fix this?

It is absolutely critical that I fix this because we need this to work in order for Surfcontrol (which we are currently evaluating) to work properly.

I am completely at a loss here and frustrated.

I've tried putting the settings in, undoing them, putting them back in.
I've tried rebooting the computer.

I created a WPAD file for DHCP.

I don't know.

I need some help if anyone can help me out here.

Thanks,

thecoffeeguy
Post #: 1
RE: ISA 2004, IE and Proxy settings - 17.Dec.2005 3:21:25 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Stefaan (spouseele) troubleshot the heck out of this and eventually opened a case with MS' PSS. See his article - http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html under Section 6 (last sentence). 

There is a hotfix for this issue. It's mentioned in Tom's blog. Look under 'Update to WPAD issue' and also the next one under it 'DHCP versus DNS WPAD' all the way at the bottom of the page. 

The fix is under MS KB article 906055 but that one doesn't appear to be public yet. You might consider calling MS' PSS at (800) 936-4900 to get the fix - it will be free since it's only for a hotfix. Just tell them you need a grace case in order to obtain a hotfix. I worked in MS' PSS and this is how it's done.

< Message edited by ClintD -- 17.Dec.2005 3:28:12 AM >

(in reply to thecoffeeguy)
Post #: 2
RE: ISA 2004, IE and Proxy settings - 17.Dec.2005 2:28:38 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

Yep, I spent a lot of time diagnosing that problem and trying to convince MS PSS to do something about it. I even created a business case. The latest status can be found at http://forums.isaserver.org/m_350016600/mpage_2/tm.htm . I have the KB906055 fix operational and it is working great. However, it is only applicable to Windows XP SP2.

If you can't get the fix or don't use Windows XP SP2, the best workaround I have is to let the Firewall client 2004 automatically detect the ISA server *and* automatically configure Internet Explorer to use a configuration script. The beauty of this solution is that this is only done if the Firewall client can detect the ISA server. In other words, if no ISA server can be detected then the default Internet Explorer settings apply.

HTH,
Stefaan

(in reply to ClintD)
Post #: 3
RE: ISA 2004, IE and Proxy settings - 17.Dec.2005 9:00:47 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Thanks for the input guys. I'll see what I can come up with.

Just a few things:

1.) I currently do not have the firewall client rolled out to everyone. We were not sure if that is what we were going to do. BUT, if it solves the problem of long auto detection every time a browser opens, we just might go that route. Being that we are going to use Surfcontrol, we also did not think we would need the firewall client for everyone either, since Surfcontrol can do name resolution.

2.) You mention this hotfix and it only applies to Windows XP SP2. Does that mean if I'm using Windows 2000 Pro, I'm out of luck?

Looks like I have a few things I need to take into consideration.

I'll be back and post my results.

Cheers,

thecoffeeguy

(in reply to spouseele)
Post #: 4
RE: ISA 2004, IE and Proxy settings - 17.Dec.2005 9:04:41 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:

ORIGINAL: ClintD
There is a hotfix for this issue. It's mentioned in Tom's blog. Look under 'Update to WPAD issue' and also the next one under it 'DHCP versus DNS WPAD' all the way at the bottom of the page. 


Interesting, especially DHCP versus DNS.

Since I currently set up WPAD in DHCP, would moving to DNS help the delay issue?

Is there a walkthrough on the proper way to set this up in DNS?

Thanks,

thecoffeeguy

(in reply to ClintD)
Post #: 5
RE: ISA 2004, IE and Proxy settings - 17.Dec.2005 11:07:20 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Create a CNAME alias called WPAD for your ISA server.

On my network we share the same DNS suffix across a large organization and cannot use the DNS WPAD because there are many ISA servers at different divisions.  While it is possible to host WPAD externally and to script it to be subnet aware, our CorpIT does not have the will to do so.  I rely on DHCP only and use the FWC to push the routing script to IE.  FWC is nice to have on the clients as it solves a lot of shortcomings with apps that do not do WP well.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to thecoffeeguy)
Post #: 6
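The subnet-aware WPAD script idea mentioned in the post above, as an added example (not code from the thread or from ISA Server): one wpad.dat shared across a common DNS suffix selects the proxy by client subnet. The subnets, proxy host names, port and internal suffix are constructed placeholders, and the code stays in ES3-style JavaScript so that an older PAC engine such as Internet Explorer's can parse it.

```javascript
// Added example: subnet-aware wpad.dat logic. Every subnet, host name and
// port below is a constructed placeholder, not a value from the thread.
var INTERNAL_SUFFIX = ".corp.example";
var DIVISIONS = [
  { net: "10.10.0.0", mask: "255.255.0.0", proxy: "isa-div1.corp.example:8080" },
  { net: "10.20.0.0", mask: "255.255.0.0", proxy: "isa-div2.corp.example:8080" }
];

// Convert a dotted-quad IPv4 string to an unsigned integer; null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip falls inside net/mask; malformed input never matches.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Pure decision function, kept separate so it can be tested outside a browser.
function chooseProxy(clientIp, host) {
  // Single-label names and the internal suffix bypass the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  for (var i = 0; i < DIVISIONS.length; i++) {
    var d = DIVISIONS[i];
    if (inSubnet(clientIp, d.net, d.mask)) return "PROXY " + d.proxy;
  }
  // Unknown subnet (for example myIpAddress() returning 127.0.0.1):
  // do not guess another division's proxy.
  return "DIRECT";
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host.toLowerCase());
}
```
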
RE: ISA 2004, IE and Proxy settings - 18.Dec.2005 5:43:29 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:

ORIGINAL: LLigetfa

Create a CNAME alias called WPAD for your ISA server.

On my network we share the same DNS suffix across a large organization and cannot use the DNS WPAD because there are many ISA servers at different divisions.  While it is possible to host WPAD externally and to script it to be subnet aware, our CorpIT does not have the will to do so.  I rely on DHCP only and use the FWC to push the routing script to IE.  FWC is nice to have on the clients as it solves a lot of shortcomings with apps that do not do WP well.


Just a simple CNAME for my ISA server called WPAD? That's pretty straightforward and easy.

Anything else?

Also, I still might roll out the FWC. However, since I'm fairly new to ISA and the client piece, I have been doing a lot of testing to make sure everything works properly.

Thanks,

thecoffeeguy

(in reply to LLigetfa)
Post #: 7
RE: ISA 2004, IE and Proxy settings - 22.Dec.2005 6:42:20 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Thought I would post my results.

Like ClintD suggested, I put the ISA Server into the trusted zones in IE for all my clients via GPO.

Now it works great. Everyone is NOT getting a logon box and now I can get name resolution to work in SurfControl.

Working well so far.

(in reply to thecoffeeguy)
Post #: 8
RE: ISA 2004, IE and Proxy settings - 23.Dec.2005 5:33:27 PM   
keastland

 

Posts: 3
Joined: 10.Nov.2005
Status: offline
This is exactly what I'm trying to resolve. My problem is that we still have several NT machines on our network and therefore can't use GPO's. Is there any way to rectify this issue with a network running NT, W2K, and XP machines... other than upgrading all of the NT machines. That, of course, is the ultimate goal. But, unfortunately, I don't control the finances of our company.

(in reply to thecoffeeguy)
Post #: 9
RE: ISA 2004, IE and Proxy settings - 23.Dec.2005 5:48:04 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

This is exactly what I'm trying to resolve

What exactly?  This thread covers several issues and most of them have solutions posted. You probably should start your own thread and clearly state what you have tried.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to keastland)
Post #: 10
RE: ISA 2004, IE and Proxy settings - 23.Dec.2005 6:29:12 PM   
keastland

 

Posts: 3
Joined: 10.Nov.2005
Status: offline
Sorry, I'm an admitted newbie that's been thrown in over my head.

My issue is that in SurfControl I was unable to monitor by username, it would only recognize IP's. I found an article on SurfControl's site that said to check the "require all users to authenticate" box on the Web Proxy tab of the Internal properties in ISA 2004. So I did that and I was then able to use usernames in the setup and monitoring, however, SurfControl would still not use groups from AD and it also started to prompt users for logon info when they open IE.

So I've had to uncheck the "require all users to authenticate" and right now ISA is set up for Integrated Authentication only. I've been reading a lot about setting up a RADIUS server, WPAD's, and now in this thread using GPO's. The problem with GPO's is that we still have a lot of NT machines on our network and it is not feasible at this time to upgrade them all. I was wondering if there is another way to take care of this issue without using GPO's.

I'm certain that I will need to supply more info. Sorry, I'm just a rookie and thank you to anyone who provides me with any ideas or solutions.

Thanks!

< Message edited by keastland -- 23.Dec.2005 6:31:01 PM >

(in reply to LLigetfa)
Post #: 11
RE: ISA 2004, IE and Proxy settings - 23.Dec.2005 8:03:06 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Unless I missed something, the only thing mentioned in this thread on the subject of GPO, is adding ISA to the trusted sites zone.  That was just an alternative to the fix mentioned in KB885683.  IMHO, the SkipAuthenticationForRoutingInformation is a simple and viable fix.

It sounds to me that you have an entirely different problem, that of not being able to communicate properly with your DC.  Rather than entertain IAS, why not join the ISA to the domain?  You will most likely need to adjust the system policy.

I also hold to the principle of NOT forcing authentication at the network rule but rather access per rule only as needed.  It sounds to me your issues are totally different from this thread's topic so you really should start your own.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to keastland)
Post #: 12
