In a domain I would like to force the use of Firewall Client on the clients where it has been installed, not letting these clients use the Web Proxy service. At the same time, I would like to leave the Web Proxy service enabled on the ISA server as there is no need for FWC on some clients.
We are an ISV and we are trying to find the best ISA configuration for the deployment of ClickOnce (.NET 2.0) installation packages from the web. If the client (so the browser) is configured to use (and detect) a Web Proxy that requires authentication, the installation of a ClickOnce package fails with a 407 error as the ClickOnce package doesn't pass the current security credentials to the proxy. If the client is forced to use the FWC, the ClickOnce package installation succeeds.
DHCP and DNS are configured to point to the ISA server, the default gateway of the clients is the ISA server. The firewall policy rule for the internal network allows access to a specific domain user group. Another firewall policy is defined for SecureNAT clients (a group of servers).
How can I configure the ISA and FWC in order to be sure that once FWC is installed on the client, it becomes the only way for any application (browser and ClickOnce apps) to pass through the ISA server?
I made a few attempts but haven't found the right configuration.
Best regards, Davide Bedin
You need to configure the destination sites for Direct Access to bypass the Web proxy client configuration, or remove the Web proxy client configuration from the Firewall clients, and then unbind the HTTP security filter from the HTTP protocol.
The first option does not match my scenario as I would like to enable the use of ClickOnce apps and not only the ones coming from a specific site.
In my ISA server, on the Internal network configuration, Firewall and Web Proxy client support are enabled. On the Firewall client configuration tab, clients are configured to automatically detect settings, to use automatic configuration script and web proxy server is disabled. I thought this would force clients with FWC to always use it for any request to a web resource but I was wrong.
I'm not sure I correctly understood the second option. How can I remove the Web proxy client configuration from the Firewall clients, and then unbind the HTTP security filter from the HTTP protocol?
Check my two articles on Direct Access on this site, and then ask me questions based on the information in those articles, if things are still not working after implementing the principles discussed there.
Thanks for the info. I read the 2 articles on Direct Access and applied the proposed solution. I enabled direct access to the web site where the ClickOnce app is hosted and it works as expected. Unfortunately, my problem is slightly different, as I would like to find a way to enable the deployment of any ClickOnce application through ISA, not a specific app coming from a known web site. Is there any other possible way to approach my problem?