I am running ISA 2006 on 2003. It is configured with integrated authentication on the local host and internal network objects. We use it purely as a web proxy so allow all through the firewall. One thing we do implement in the only firewall rule is a user group based on an AD group for internet users.
The problem is when, for example, browsing BBC and opening a media player link, a proxy authentication box appears. Why would this be? I thought by using integrated authentication this should not happen? It needs to be transparent to users!
From: Taylorville, IL
Because of limitations and "in-capabilities" with Windows Media Player it will not be possible for it to be transparent to users if proxy authentication is required.
Earlier versions of WMP didn't seem to have the problem, but I think when they hit version 9 they screwed up the part of it that interacts and authenticates with a CERN Compliant Web Proxy when authentication is required. There was supposed to be a patch that fixed it but when I tried it the problem still persisted. The problem continued with later versions of WMP but I do not know if it is still an issue with the latest WMP if fully patched.
The solution is to:
1. Go into the Options of the Media Player.
2. Go to the Network Tab.
3. Go down to the lower section "Streaming Proxy Settings".
4. If any of them are set to "browser" change them to "none".
This will cause:
1. With a single-nic web proxy the WMP will simply ignore the proxy and follow the LAN's Routing path to the Internet which is going to be your NAT Firewall. This means the NAT Firewall will have to allow outbound access for those protocols which include HTTP. This means users can remove the proxy settings from their browsers and bypass the proxy. This is why single-nic caching servers are a waste of time and money and should be wiped from the face of the earth (in my opinion).
2. With a normal full featured properly installed and properly functioning multi-nic ISA this will cause the WMP to stop using the Web Proxy Service and will fall back to being a Firewall Client or SecureNAT Client. If the Firewall Client is not installed it will have to be a SecureNAT Client which means the access has to be anonymous for HTTP. This downside is a good example of why all ISA installations should be done so that ISA is used with all its features the way it was intended to be used and all the workstations,..at least those that run Windows, should have the Firewall Client installed.
Here's the WMP article that did not work for me, but explains the issue:
By the way,...you will likely have the same problem with Java Applets that use the JRE and run in the Browser. The Java JRE has the same issues with it that the WMP has had. You will have to go into the JRE (Java Icon in Control Panel) and tell it to not use a proxy. You will have the same resulting effects as with the WMP.
From: Taylorville, IL
...can't say for sure it won't happen with RP. Most products out there seem to have similar problems authenticating with a CERN Compliant Web Proxy when authentication is required. It seems to linger around the order or sequence that things are presented and requested during the process. Tom Shinder could probably elaborate on that,..it is kind of beyond me. Remember that with most CERN Compliant Web Proxies out there, there is no authentication or even if capable doesn't seem to be commonly used. ISA Server is probably the most prevalent one out there in use and most developers are not very sharp when it comes to properly interacting with ISA server for some reason. I have no idea why there is such a blind spot there for them, but it seems to be common, apparently even among some of MS's developers in the case of WMP.
Spyware and AV products trying to update their definitions are another big example of this. Adaware is one such example and has only gotten worse in more recent versions,..at least the older ones you could disable the proxy settings in it and it would work with the Firewall Client,..but now it doesn't seem to even do that correctly.
From: Lebanese in Kuwait
This has been discussed in Tom's blog.
You can either, as said by pwindell, disable the proxy setting inside each of your clients' WMP, or, as seen in Tom's blog, this can also be done by using the Registry or even Group Policy for easier management.