Posts: 15
Joined: 19.Jun.2006
From: Kansas City, Mo
Status: offline
I recently posted to the General forum about some problems that I’m having with a rollout of the ISA client, but after doing some more research it all basically comes down to one problem.
We would like to install the Firewall client for ISA 2004 over GPO to make the rollout as smooth as possible, but on any machine we test this with, the system boots up and is unable to automatically detect the ISA server and thus can’t pull down settings or block web traffic. We’ve made sure the server is set to publish automatic discovery information, and we’ve made sure the WPAD information is out there BOTH on DNS and DHCP. Still not able to detect the server on the client.
Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
The devil is in the details.
Please answer the following with actual details, not made up stuff: What did you set up in DNS? What did you set up in DHCP? What port is WPAD listening on? What SP level is ISA? Did you apply SkipAuthenticationForRoutingInformation? What does the FWCTool report? What do you get if you type the WPAD URL in your browser?
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
Posts: 15
Joined: 19.Jun.2006
From: Kansas City, Mo
Status: offline
I will certainly answer those questions to the best of my ability. Keep in mind I’m about as green as green gets with ISA.
1) We followed the instructions in the book “ISA Server 2004 Unleashed” by Sams. We created a host record and linked the server name to the IP address, then created the CNAME record, entered Wpad as the alias name and then entered the fully qualified domain name for the server.
2) Same rundown for DHCP, followed the instructions in the Sams book. Went to DHCP console, right-clicked on server, selected predefined options, hit add, put Wpad in for the name of the option, data type set as string, code: 252, in the string field entered “http://<IP ADDRESS OF ISA SERVER>/wpad.dat”.
3) I’m assuming you’re referring to the port number listed when you select the options for “Publish Automatic Discovery information” in the ISA server. That port number is 80.
4) I thought that someone had installed the service pack (I wasn’t the one that installed ISA on the server) but that may not have been the case. I went to the help/about section and it listed the version number as 4.0.2163.213 but made no mention of a service pack being installed. I’m assuming you will tell me to install the service pack, but I will hold off until you actually tell me to in case there is more that I should know.
5) To be honest... I don’t know what “SkipAuthenticationForRoutingInformation” is so I can only assume that this hasn’t been applied.
6) Have never used a FWCTool.
7) This page cannot be displayed. Explanation: There is a problem with the page you are trying to reach and it cannot be displayed. Error Code: 400 Bad Request. The data is invalid. (13)
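The DNS, DHCP and port questions asked above can be checked mechanically. The sketch below is an added example, not part of the thread or of any Microsoft tool: the function names, the sample FQDN and the 192.0.2.10 address are assumptions, and the suffix walk is a simplified model of DNS-based WPAD lookup (real clients may devolve fewer levels).

```python
from urllib.parse import urlsplit

QUOTES = "\"'\u201c\u201d"  # straight and typographic quotes

def dns_wpad_candidates(client_fqdn):
    """WPAD URLs tried via DNS: wpad.<suffix>/wpad.dat, always on port 80."""
    labels = client_fqdn.rstrip(".").split(".")[1:]  # drop the host label
    urls = []
    while len(labels) >= 2:  # stop before a bare top-level domain
        urls.append("http://wpad." + ".".join(labels) + "/wpad.dat")
        labels = labels[1:]
    return urls

def check_option_252(value, publish_port):
    """Return the problems found in a DHCP option 252 string (empty list = OK)."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    if any(q in value for q in QUOTES):
        problems.append("quote characters stored in the option string")
    parts = urlsplit(value.strip().strip(QUOTES))
    if parts.scheme != "http" or not parts.hostname:
        return problems + ["not an http:// URL with a host"]
    try:
        port = parts.port or 80
    except ValueError:
        return problems + ["port is not a number"]
    if port != publish_port:
        problems.append(f"URL port {port} != publish port {publish_port}")
    if not parts.path.lower().endswith("/wpad.dat"):
        problems.append("path does not end in /wpad.dat")
    return problems

def check_dns_publish_port(publish_port):
    """DNS discovery cannot carry a port number, so the listener must be on 80."""
    if publish_port == 80:
        return []
    return [f"DNS clients fetch on port 80, listener is on {publish_port}"]

if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    for url in dns_wpad_candidates("pc01.kc.corp.example.com"):
        print("DNS candidate:", url)
    print(check_option_252("http://192.0.2.10/wpad.dat", 80))
    print(check_dns_publish_port(8080))
```

An empty list from both checks means the DNS and DHCP records agree with the publish port, so a remaining failure lies elsewhere, for example in how the server answers the request for wpad.dat.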
Posts: 15
Joined: 19.Jun.2006
From: Kansas City, Mo
Status: offline
Just to be sure, I just went ahead and loaded SP2. The version number went from 4.0.2163.213 to 4.0.2165.594, but had no luck after that.
Went to the SkipAuthenticationForRoutingInformation site that you linked to and that did it for me.
The only thing left for me to do now is to configure the MSI so it doesn’t have IE go through a proxy and so that it doesn’t give end users the ability to disable the client, and I’ll be set. I think I found a good article in regard to the user access to client issue and supposedly that’s resolved by just restarting the computer again, so we’ll see about that. But do you know of any ways (or any good articles or forum entries that mention how) to edit the MSI appropriately so that it will not enable the client computer to look to the ISA server for proxy settings?
Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I don't know why you would want to disable proxy in IE. I like to have FWC autodetect and I configure FWC to set IE to GetRoutingScript. That gives you the best of both worlds. IE using WP will log the domain names in the URLs rather than just the IPs.
I know not of a clean way of preventing the users from disabling FWC but if they do, they get denied access to the internet so they don't mess with it.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
Posts: 15
Joined: 19.Jun.2006
From: Kansas City, Mo
Status: offline
Well, what I’ve noticed is that if the proxy settings are still in place a user can get on the net but it pops up a window asking for username, password and domain. Plus there is a little checkbox on the lower left to have the computer document what you have entered for future reference. On my test machine I have only had to enter this once, but on production machines or users who have volunteered to be guinea pigs we have been experiencing times where this pops up over and over and over again.
Once I go into IE and disable automatically detect settings that problem goes away and the firewall agent continues to block the websites that need to be blocked. The problem is that I’ve noticed if I disable that option and it’s not automatically getting settings, some ASP pages won’t work at all.
So honestly, if I could keep that box that asks for username, password and domain from popping up I would have no problem going with the detect settings option.
Posts: 15
Joined: 19.Jun.2006
From: Kansas City, Mo
Status: offline
Never mind. I looked up the help file and found what you had mentioned and I’m going to try this out and see what happens. If I have any other questions I’ll let you know.
Posts: 15
Joined: 19.Jun.2006
From: Kansas City, Mo
Status: offline
I installed SP2 while trying to resolve the previous issue and the ASP issue went away as well so I’m assuming SP2 fixed it. Thank you very much for the information anyway!