I've recently been given the responsibility of administering our ISA firewall (I'm far more experienced with our Cisco PIX/ASA). I migrated from ISA 2000 to ISA 2004 SP3 (on a Windows Server 2003 SP2 box), but due to budget constraints wasn't able to attend any training; I had to make do with the MS Training Kit (and unfortunately my learning style doesn't lend itself well to self-paced book study). The server is up and running, but I'm experiencing a couple of odd issues...
Our ISA 2004 server acts as an inside firewall in that it has one leg on our inside network and one leg in the DMZ. The DMZ is separated from the outside/Internet by a pair of Cisco ASA appliances.
Our network environment is a mixture of Windows 2000 Professional and Windows XP Professional workstations, most of which have the MS FWC deployed to them (version 4.0, build 4.0.3442.654).
We're currently operating in a Windows 2000 Active Directory environment, and use Group Policy to configure Internet Explorer.
Issue #1 is that ever since we migrated to ISA 2004 and deployed MS FWC v4, the proxy settings configured via Group Policy in IE are being cleared when the MS FWC receives its configuration from the ISA server. The main setting we're concerned with is the 'Exceptions' list as we have several destinations that are used on a daily basis that are outside of our enterprise, but accessed via internal, dedicated WAN links. I've not had any luck configuring the ISA server to provide these configuration settings for IE. If I could do that, I'd remove the GPO. Which leads me to ask, which is preferred, configuring IE via GPO or via ISA?
Issue #2 is of a much lower priority. We've noticed that since the new ISA server has been in place, certain websites that run Java applets no longer display correctly. A window titled "Authentication Required" pops up and requests that the user "Enter login details to access Digest on server.domain.com:" Nothing the user enters at this point has any effect, the Java applet simply won't load and run in the browser.
I appreciate any and all help/feedback and I can provide additional details as necessary. Thanks in advance.
ORIGINAL: KHauer
Issue #1 is that ever since we migrated to ISA 2004 and deployed MS FWC v4, the proxy settings configured via Group Policy in IE are being cleared when the MS FWC receives its configuration from the ISA server. The main setting we're concerned with is the 'Exceptions' list as we have several destinations that are used on a daily basis that are outside of our enterprise, but accessed via internal, dedicated WAN links. I've not had any luck configuring the ISA server to provide these configuration settings for IE. If I could do that, I'd remove the GPO. Which leads me to ask, which is preferred, configuring IE via GPO or via ISA?
I much prefer using ISA, because of a hard limit in the proxy bypass list within IE (which would be set by a GPO). However, if your bypass list is less than that limit, you can exclusively use the GPO. Although when you deploy the Firewall client your ISA Server has to be configured to not blow away your GPO IE settings, therefore ISA will require the following settings:
Configuration -> Networks -> Internal -> Firewall Client
Enable Firewall client support for this network -> provide your ISA SERVER name or IP
Select -> Automatically detect settings (if you've enabled WPAD in your environment)
and / or -> Use automatic configuration script
and DO NOT select use Web proxy server (as this is what's blanking out your bypass list set by GPO.)
You can still leave your GPO in place in this scenario if you wish.
ORIGINAL: KHauer
Issue #2 is of a much lower priority. We've noticed that since the new ISA server has been in place, certain websites that run Java applets no longer display correctly. A window titled "Authentication Required" pops up and requests that the user "Enter login details to access Digest on server.domain.com:" Nothing the user enters at this point has any effect, the Java applet simply won't load and run in the browser.
For sites that require Java, you're probably going to have to turn on Basic authentication support on the Internal Network -> Web Proxy -> Authentication Methods. Or just create an anonymous HTTP Access rule in ISA for the site(s) that force some type of Java applets down to the client. Or set your Java runtime clients to "Do Not use a proxy server" and the MS firewall client should step in and handle the requests for you.
< Message edited by abqtech -- 31.Jan.2008 5:35:39 PM >
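The reply above has clients take their proxy settings from automatic detection or an automatic configuration script rather than from the IE bypass list. As an added example (not from the thread, and not the script ISA Server itself generates), a hand-written script of that kind could express the 'Exceptions' list as follows; the proxy address, domain suffixes and networks are constructed placeholders, and plain JavaScript matching is used instead of the browser's PAC helper functions so the logic can be checked outside a browser.

```javascript
// Added example: a hand-written automatic configuration (PAC) script.
// Every name, network and the proxy address below is a constructed placeholder.
var PROXY = "PROXY isa.example.local:8080";                          // assumed Web proxy listener
var DIRECT_SUFFIXES = [".partner-a.example", ".partner-b.example"];  // reached over WAN links
var DIRECT_NETS = [["10.0.0.0", 8], ["192.168.50.0", 24]];           // literal-IP destinations

// Convert dotted-quad text to an unsigned 32-bit number, or null if it is not IPv4.
function ipv4ToInt(text) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the numeric address ip falls inside base/bits.
function inNet(ip, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names are intranet hosts; IPv6 literals (which contain ':') are not.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    for (var i = 0; i < DIRECT_NETS.length; i++) {
      if (inNet(ip, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
    }
    return PROXY;
  }
  // Match on a label boundary so "notpartner-a.example" does not bypass the proxy.
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    var s = DIRECT_SUFFIXES[j];
    if (host === s.slice(1) || host.slice(-s.length) === s) return "DIRECT";
  }
  return PROXY;
}
```

Anything that does not match an exception goes to the proxy, so a mistyped or look-alike host name cannot silently bypass the firewall's Web proxy rules.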
Hi abqtech, thank you for the help so far. My apologies for taking so long to respond, I was unexpectedly sidetracked.
Here's where I'm at so far with issue #1:
I've configured my ISA server following your suggestion, Configuration -> Networks -> Internal -> Firewall Client has only "Enable Firewall client support for this network" selected. Nothing else is checked.
My GPO contains the bypass list and IE *is* indeed being configured via GPO. However, I'm still seeing an annoyance...
On workstations where the Firewall client has been installed, the default installation behavior is for the "Enable Web browser automatic configuration" checkbox to be checked on the "Web Browser" tab of the Firewall client.
When this tab is checked, the IE settings configured by our GPO are blown away when a user logs in. If they remain logged in long enough for the GPO to refresh, or if a refresh is forced, then the settings are reconfigured by the GPO and will remain configured (until the user logs off and logs back on again).
If the tab is unchecked, then the IE settings are configured by our GPO and are left alone, everything works correctly.
This leads me to two questions:
1. Is it possible to uncheck this box on all installed instances of the Firewall client on the network via scripting?
2. How can I uncheck the box during installation of the Firewall client (which we deploy automatically)?