I am running ISA 2004 on Windows Server 2003. All of my clients are Firewall clients utilizing wpad for configuration settings.
This setup has been online and operational for a very long time. I can watch the monitor and see that my clients were hitting inside sites without ever touching ISA (after getting the latest wpad). Last night I applied ISA 2004 SP2 and all of a sudden my clients were all hitting ISA when trying to access inside sites. I could see in the monitor that the source and destination networks were both Internal. No one was getting anywhere until I quickly created a rule allowing access from Internal to Internal. Clients are all IE 6.0.
The clients can still browse to the wpad.dat file and see all of the "directly access" strings. Can anyone tell me what changed in SP2 to cause this? Can I get them back to directly accessing Internal sites and subnets?
I removed all of my IP addresses from the "Web Browser" tab and left only the existing domain names - with wildcards, i.e. "*.racineco.com" - and discovered much to my surprise that my clients were still hitting ISA to access those sites.
I entered "www.racineco.com" in the list and now my users access directly. Apparently wildcards are no longer allowed?
I have literally hundreds of "*.state.wi.us" websites that my users connect to over a private link. This is going to be such a major pain that I guess I will be better off un-installing SP-2.
Is there a new syntax for wildcards? Or are wildcards history?
I can assure you that wildcards are still supported. Keep in mind that the 'wpad.dat' file is cached on the client and has a default time-to-live of 50 minutes. So, wait that long or clear the IE cache before making a new test.
I have discovered that the wildcard problem is restricted to users of wpad.dat ONLY. If I go to an end-user machine and de-select the "Use automatic configuration script", and put them back to proxy clients, the wildcard in the domain name functions properly.
When "Use automatic configuration script" is in use, and pointing my users to the wpad.dat, the wildcard in a domain name is not valid. i.e. *.racineco.com will cause the client to hit ISA, but www.racineco.com will send the client directly to the server.
Using a browser to look at the wpad.dat file reveals no apparent differences from before SP-2. All names, including the ones with wildcards, are in quotes: "*.racineco.com"
Has anyone else had a problem with wildcards in wpad? At this point I think I have no choice except to un-install SP-2.
I've just tested it again and direct access for '*.domain.tld' just works as it should if you use Automatic Configuration (wpad.dat)! However, make sure you have *no* IP addresses specified in the Web Browser tab of the internal network properties, otherwise it won't work with ISA 2004 SP2.
I have found - and resolved - the problem I have been having with the "direct access".
My employer, Racine County, has 2 main domains - RacineCo.com and goRacine.org. Over the years I have developed the habit of typing them just that way. 3 years ago, when I first implemented ISA, that is how they were entered in the "domains" tab --> *.RacineCo.com and *.goRacine.org. They also appeared that way in the wpad.dat file when viewed with a browser. They have also functioned correctly over the last 3 years.
After the implementation of SP-2, my clients began hitting the ISA box when accessing either of those domains. Remembering that when I first set up the wpad in my DNS there were several articles warning that it was case sensitive, I figured, why not take a shot.
I changed the syntax of the entries on the "domains" tab to *.racineco.com and *.goracine.org and voila - all of my clients are behaving as expected. I must admit that this makes absolutely no sense, but it is now working correctly so -- ???? -- who knows.
The only explanation I could think of is that maybe in pre-SP2 the wpad file was created with all FQDNs in lowercase. I no longer have an ISA 2004 SP1 running, so I can't verify that. Can you still check that?
Unfortunately, I upgraded both of my ISA's to SP-2 so I cannot test backwards.
The only thing I can offer here is that it used to work with upper case entries in the "domains" tab and in the "web browser" tab. Visual inspection of the wpad.dat file via a browser showed the upper case entries and my clients would not hit the ISA box when accessing those sites.
After SP-2 upper case entries caused me problems and I had to create an "Allow Internal to Internal" rule. Visual inspection of the wpad.dat file via a browser looked exactly the same as before.
I haven't got a clue. I have not delved into this too deeply as my clients are now functioning correctly and I was able to remove the Allow Internal to Internal rule. It would appear that something has changed in the run-time wpad.dat generator after SP-2.
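The case-sensitivity hypothesis raised in the thread, worked through in an added example that is not part of the original posts or of ISA's own wpad.dat: a miniature PAC-style evaluator in JavaScript. It assumes, as the common PAC engines do, that the browser hands FindProxyForURL the hostname already lowercased and that shExpMatch compares case-sensitively; the proxy name "isa.example.internal:8080" is constructed for the example.

```javascript
// Added example (not from the thread or from ISA): why a "direct access" wildcard
// typed in mixed case can stop matching once the PAC engine compares case-sensitively.
// Assumption: the browser lowercases the host before calling FindProxyForURL, and
// shExpMatch is a case-sensitive glob match, as in the common PAC implementations.

// Shell-expression match in the style of PAC's shExpMatch: '*' and '?' wildcards.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, not * or ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str); // case-sensitive by design
}

// Build a FindProxyForURL from a "direct access" list, mimicking a generated wpad.dat.
function makeFindProxyForURL(directList, proxy) {
  return function FindProxyForURL(url, host) {
    for (const entry of directList) {
      if (shExpMatch(host, entry)) return "DIRECT"; // bypass the proxy
    }
    return "PROXY " + proxy; // everything else goes through ISA
  };
}

// Simulate the browser: hostnames in URLs are normalised to lowercase before the PAC runs.
function browserHost(url) {
  return new URL(url).hostname.toLowerCase();
}

// Evaluate one URL against a direct-access list (proxy name is constructed).
function decide(directList, url) {
  const find = makeFindProxyForURL(directList, "isa.example.internal:8080");
  return find(url, browserHost(url));
}

// Entries as originally typed in the Domains tab (mixed case) ...
const MIXED_CASE = ["*.RacineCo.com", "*.goRacine.org"];
// ... and the same entries lowercased, as the poster changed them to.
const LOWER_CASE = ["*.racineco.com", "*.goracine.org"];

// A generator that lowercases the list itself would remove the dependence on typed case.
function normalizeDirectList(directList) {
  return directList.map((e) => e.toLowerCase());
}

console.log(decide(MIXED_CASE, "http://www.RacineCo.com/")); // PROXY isa.example.internal:8080
console.log(decide(LOWER_CASE, "http://www.RacineCo.com/")); // DIRECT
console.log(decide(normalizeDirectList(MIXED_CASE), "http://WWW.GoRacine.ORG/")); // DIRECT
```

The mixed-case list sends every internal request to the proxy even though the wpad.dat looks unchanged in a browser, which is the symptom described above; lowercasing either the entries or the generated list restores direct access.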