Context: When we deployed the firewall client, the ISA server Internal Network Domains tab included all our internal domains, and within the Internal Network Web Browser tab we've accounted for our Internal Domains and Internal Addressing as well as additional domains and addresses that are supplied in the routing script so that we furnish a comprehensive "bypass ISA Server list" to our web proxy clients utilizing the routing script. However we're running into a deficiency in how Internet Explorer is being configured by the firewall client (via the firewall client web browser settings | Enable web browser automatic configuration), where the browser is not being supplied any "exceptions" for the Proxy Server "bypass proxy server for local addresses" area.
Problem: Web proxy clients that inherit the Proxy Server settings (from Internet Explorer) do not inherit a "bypass list" and send all requests to ISA, even the requests for local (domain or addresses) resources. Is there a way to resolve this with ISA 2004 or ISA 2006?
In other words: Is there a way for ISA Server or the firewall client to supply a bypass proxy server for local addresses list within Internet Explorer’s Proxy Server settings?
That KB is related to bypass/direct access problems with clients utilizing the routing script, which is not related to my post; the web proxy clients having this problem are just using the Proxy Server setting in I.E.
Tarek, I don't want to manually populate any settings in I.E., for several reasons:
- It's a manual entry
- When the firewall client configures the web browser, any settings added in the LAN Settings (including "bypass proxy for local addresses") table are replaced by the Firewall Client's settings provided by ISA Server.
We've been using GPO to set the Proxy Server and bypass proxy server for local addresses, however from my testing with the firewall client set to configure the web browser, all the GPO settings are replaced with the Settings supplied by the firewall client. Make sense?
I don't see how the "Direct Access" article accounts for the problem I'm seeing, and if it does, please excuse my oversight.
I am having a similar problem. I am trying to configure the ISA server with a list of defined "local" sites that the client shouldn't use the proxy for. I am not using the automatic configuration script. I am not currently using GPO to assign the settings. I am trying to get these issues worked out before I deploy the new ISA 2006 server. I am part of a much larger organization and they won't provide us with any kind of web monitoring or limitations. We are installing the ISA server so that we can do our own reporting and monitoring that our management have requested. There are a number of intranet sites that don't work if proxy is turned on. I have not deployed the firewall client (and I don't really want to at this point). If I manually enter the entry in the IE configuration, it works fine. I am trying to make this a server side solution instead of having to configure all of my clients individually.
I have gone into Configuration/Networks and edited the properties of my internal network. I have defined the whole 10/8 subnet as local/internal. I have added the domain names to both the 'Domains' and 'Web Browser' tabs. On 'Web Browsers' based on the KB article linked above, I tried adding the /* to the end of my addresses. I also tried putting https:// and http:// at the beginning. I have tried a number of other things, yet my client computer still gets the "Error Code: 502 Proxy Error" message when I try to go to the page.
I am starting to get frustrated with this. It looks like I am going to have to configure the bypasses on all the clients. There are about 3 settings that I see that all say it shouldn't be going there (i.e. Bypass proxy for local is checked, the IP of the destination is part of the 'internal' network, there are exceptions defined for the domain on both the Domains and Web Server tabs.)
Any help that you can provide would be greatly appreciated.
If you want to supply a "bypass domains and addresses" list to your web browser clients by ISA Server, you'll need to use:
- Automatically Detect Settings (WPAD, requires additional DNS / DHCP configuration)
and/or
- Use Automatic configuration script
Both can be set by a GPO.
That way you can manage and maintain the bypass list within ISA, and as long as you're managing the bypass list (or direct access list) in ISA properly you shouldn't run into any problems.
If you're having specific problems with either of the two options mentioned above, please let me know what they are and I'll assist.
Am I misunderstanding some functionality somewhere? It seems to me that where I have configured the Internal Network (including Domains and Web Server) when a request comes from a client to the proxy for any of those domains/IPs, it should tell the client to go there directly and not go through the ISA. But what I am seeing is that it still tries to go through the ISA and the ISA denies it for some reason (I am assuming because it would have to go back in the internal interface to fulfill the request). Is my only option to somehow configure my clients' IE settings so that it is bypassed at the client?
That doesn't seem very flexible to me. As far as my configuring of the clients, I will likely be using my login script to do it. With the company that bought us, it is somewhat difficult to get GPO created and configured correctly. As to the WPAD, I have never configured it but it appears that I would need to make a DNS entry as well as setup the actual script. I am not sure how to do that entirely, but I know the DNS entry can be somewhat problematic as I would have to contact Corporate to configure it and I am sure I don't want the other 5000+ people going through my proxy server when they screw it up...
On the ISA Server, configure your Internet Network by:

<Addresses> tab
Add the internal addresses for your network.
Any applicable RFC 1918 addresses:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12

<Domains> tab
Add the domains that belong to your internal network as well as domains that you want clients to access directly: *.domain.com, or just the specific subdomains you need, i.e. www.domain.com, webmail.domain.com

<Web Browsers> tab
Add the domains and address ranges in "Directly access these servers or domains". Also make sure to check:
- Bypass proxy server for web servers in this network
- Directly access computers specified in the Domains tab
- Directly access computers specified in the Address tab
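
Added example, not part of the original thread and not the script ISA Server itself generates: a simplified proxy auto-configuration function showing how a routing script built from Addresses and Domains entries like those above decides between a direct connection and the proxy. The proxy host and port, the `*.domain.com` pattern and its matching semantics are placeholders and assumptions; the browser's built-in PAC helpers are reimplemented here so the file also runs under Node.

```javascript
// Added example: simplified stand-in for a proxy routing (PAC) script.
const PROXY = "PROXY isaserver.domain.com:8080"; // placeholder proxy host:port
const DIRECT_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]; // RFC 1918
const DIRECT_DOMAINS = ["*.domain.com"]; // placeholder direct-access domain entry

// Dotted quad -> unsigned 32-bit integer; null if host is not a literal IPv4 address.
function ipToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when the integer address falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Assumed semantics: "*.domain.com" matches sub.domain.com only. Matching on the
// leading dot keeps look-alike names such as evildomain.com on the proxy path.
function domainMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const p = pattern.toLowerCase();
  return p.startsWith("*.") ? h.endsWith(p.slice(1)) : h === p;
}

function FindProxyForURL(url, host) {
  // Names without a dot are what IE treats as "local addresses".
  if (!host.includes(".")) return "DIRECT";
  const ip = ipToInt(host);
  if (ip !== null) {
    return DIRECT_NETS.some((c) => inCidr(ip, c)) ? "DIRECT" : PROXY;
  }
  // Host names are matched by name only; no DNS lookup is done in this sketch.
  return DIRECT_DOMAINS.some((p) => domainMatches(host, p)) ? "DIRECT" : PROXY;
}
```

A client only evaluates logic like this when it is pointed at the script (automatic detection or an automatic configuration script URL); a browser configured with a static proxy address never sees it.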
ISA 2006 with all the latest patches (including the console update). I did everything you described in the previous except for setting up the routing script. So, to make the settings take effect on the clients that you make in the server, you have to go to Tools/ Internet Options/ Connection/ LAN Settings/ Check the 'Use automatic configuration script' and provide the link you listed (fixed for my domain) in the resulting Address box. Or set that value by some other method (GPO, registry, etc.)
Am I understanding this correctly? If so, it is a server side fix that requires a client side component. I am testing now.
But just putting the correct value in that key doesn't seem to be working for me. I think I need to "check the box" as well, but I don't know where that is. I am dissecting a Process Monitor capture now to see if I can find anything else, but I am not having any luck thus far.
Charles, if the string value of:
"AutoConfigURL"="http://isaserver.domain.com:8080/array.dll?Get.Routing.Script"
is present in:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
it should properly populate I.E.'s autoconfig URL.
I have the same problem as Charles in that I want ISA to recognise that intranet sites that fall into my internal subnets should not be directed through the Web Proxy filter. I do not want to have to configure the routing script or the firewall client. I come from a Squid background and to do this is very simple as Squid recognises the intranet addresses and therefore does not pass the traffic out through the proxy, instead directing this direct to the intranet server.
I had an epiphany!!! Tested it and solved this problem.
Go to Configuration\Networks\Web Caching. Create a new Web Caching rule, select To "Internal Network" then Request Processing select "Retrieve requests directly from the specified destination". Apply this rule and all should work.
quote:
ORIGINAL: nwigmore
Hi there,
I have the same problem as Charles in that I want ISA to recognise that intranet sites that fall into my internal subnets should not be directed through the Web Proxy filter. I do not want to have to configure the routing script or the firewall client. I come from a Squid background and to do this is very simple as Squid recognises the intranet addresses and therefore does not pass the traffic out through the proxy, instead directing this direct to the intranet server.
This still doesn't seem to be working for me. The internal website that I am trying to hit keeps getting caught by my ISA server. However, it isn't affected if I uncheck the options in IE for:
Tools -> Internet Options -> LAN Settings -> “Use Automatic Configuration Script” & “Automatically detect settings”
It looks like something with those options interferes with the cookie that my internal website is using and causes errors. If those are unchecked, it works so it still seems like it is hitting my ISA server even though I want direct connection. Any ideas?
Set IE to use your ISA server as a proxy and then add the URL to the exceptions field in IE; this will make sure that you bypass the proxy (ISA) for that site. There is also an area in ISA that you can add in your intranet domains. Not sure where that is, as then ISA will know what domains are local and should bypass these.
How many users do you have and are you simply using ISA as a proxy?