• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Firewall client cannot autodiscover

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> Firewall client cannot autodiscover Page: [1]
Login
Message << Older Topic   Newer Topic >>
Firewall client cannot autodiscover - 13.Aug.2004 6:23:00 PM   
Joppe

 

Posts: 1
Joined: 13.Aug.2004
From: Sweden
Status: offline
Hi!

Just replaced our old ISA2000 with a brand new machine running ISA 2004. Everytning seems to be up and running but after going live with the server we got a problem that didn't occur during the initial tests against the same machine. One thing that stoped working was that it can't autodiscover the server (but if i type in the name and presses test it doesn't complain). I have the WPAD entry in my dns and added the DHCP option. wpad pings just fine from the client.

Any ideas?

[ August 13, 2004, 06:24 PM: Message edited by: Joppe ]
Post #: 1
RE: Firewall client cannot autodiscover - 15.Aug.2004 1:16:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
have you updated your DHCP server to reflect the new ISA name in WPAD ?

LexP

(in reply to Joppe)
Post #: 2
RE: Firewall client cannot autodiscover - 17.Aug.2004 8:32:00 PM   
cvanderjagt

 

Posts: 7
Joined: 10.Oct.2003
Status: offline
in the isa 2004 management console go to the server > configuration > networks > internal > edit selected network. click the auto discovery tab and check the box to publish isa server info on port 80.

(in reply to Joppe)
Post #: 3
RE: Firewall client cannot autodiscover - 18.Aug.2004 7:28:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Also, ensure you do not have the option for "Require all users to authenticate" under the properties of the Internal network on the Web Proxy tab - this will cause auto-discovery to fail for both Web proxy and Firewall Clients.

[ August 18, 2004, 07:29 AM: Message edited by: ClintD ]

(in reply to Joppe)
Post #: 4
RE: Firewall client cannot autodiscover - 24.Aug.2004 3:16:00 PM   
sponz

 

Posts: 4
Joined: 24.Aug.2004
Status: offline
quote:
Originally posted by ClintD:
Also, ensure you do not have the option for "Require all users to authenticate" under the properties of the Internal network on the Web Proxy tab - this will cause auto-discovery to fail for both Web proxy and Firewall Clients.

That fixed my problem I was having. What exactly does this do?

Aaron

P.S. Thanks for the help (i know you were helping someone else, but it worked for me, too!)

(in reply to Joppe)
Post #: 5
RE: Firewall client cannot autodiscover - 25.Aug.2004 5:51:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Well, let me recant the "Web Proxy" part - if you're using Internet Explorer (or any other browser that support Proxy Authentication) you should be able to "Web Proxy Auto-Discover" if that option is enabled as IE can automatically provide credentials when ISA sends back a HTTP 407 Proxy Authentication Required.

The problem we have here is that the Firewall Client doesn't have the same code included in it to respond to a 407 Proxy Auth - IE can handle it, but the Firewall Client can't.

It's actually a problem in ISA 2000 that it works with the equivalent setting enabled ("Ask Unauthenticted Users for Identification").

(in reply to Joppe)
Post #: 6
RE: Firewall client cannot autodiscover - 25.Aug.2004 1:35:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

Exactly! That's why I recommend that this option never be enabled. While it can be enabled for clients configured as only Web proxy, it plays havoc in what I think is the preferred security config: client configured as both Web Proxy and Firewall client.

Thanks!
Tom

(in reply to Joppe)
Post #: 7
RE: Firewall client cannot autodiscover - 30.Aug.2004 10:23:00 AM   
censor

 

Posts: 52
Joined: 1.Apr.2002
Status: offline
Hey.

I still have the problem with autodiscover isaserver from my fwclient.Have check all u have say here but it still not work for me.and if i write in the name to my isa it works.

(in reply to Joppe)
Post #: 8
RE: Firewall client cannot autodiscover - 30.Aug.2004 3:24:00 PM   
sponz

 

Posts: 4
Joined: 24.Aug.2004
Status: offline
quote:
Originally posted by tshinder:
Hi Clint,

Exactly! That's why I recommend that this option never be enabled. While it can be enabled for clients configured as only Web proxy, it plays havoc in what I think is the preferred security config: client configured as both Web Proxy and Firewall client.

Thanks!
Tom

Now how do I make it so I can look through the logs to make sure no one is looking at stuff they aren't supposed to be? It used to list the user name in the logs, now it's anonymous. This actually poses a problem for us due to the nature of our business. Any advice would be great.

Thanks
Aaron

(in reply to Joppe)
Post #: 9
RE: Firewall client cannot autodiscover - 30.Aug.2004 4:40:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Aaron,

Just don't create any anonymous access rules that allow anonymous access. Then user names for the Firewall and Web Proxy clients will always be recorded.

HTH,
Tom

(in reply to Joppe)
Post #: 10
RE: Firewall client cannot autodiscover - 30.Aug.2004 8:58:00 PM   
sponz

 

Posts: 4
Joined: 24.Aug.2004
Status: offline
quote:
Originally posted by tshinder:
Hi Aaron,

Just don't create any anonymous access rules that allow anonymous access. Then user names for the Firewall and Web Proxy clients will always be recorded.

HTH,
Tom

I was going to create a new thread, but this is still some what related (the anonymous log files). If a new thread is more appropriate, I can start there...

Ok, just to make sure we fully understand, under FireWall Policy, we have a policy created that Allows -- All Outbound Traffic -- From Internal Network Set -- To Anywhere -- for All Users.

Any advice you could throw our way would be greatly appreciated.

Aaron

(in reply to Joppe)
Post #: 11
RE: Firewall client cannot autodiscover - 31.Aug.2004 12:10:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Change the "All Users" to "Authenticated Users" and you're good to go.

Do this on the "Users" tab of this rule - remove the "All Users" (this is what allows anonymous access) to some other group and you'll have the user names logged.

(in reply to Joppe)
Post #: 12
RE: Firewall client cannot autodiscover - 31.Aug.2004 4:10:00 AM   
grinn253

 

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline
quote:
Originally posted by ClintD:
Well, let me recant the "Web Proxy" part - if you're using Internet Explorer (or any other browser that support Proxy Authentication) you should be able to "Web Proxy Auto-Discover" if that option is enabled as IE can automatically provide credentials when ISA sends back a HTTP 407 Proxy Authentication Required.

The problem we have here is that the Firewall Client doesn't have the same code included in it to respond to a 407 Proxy Auth - IE can handle it, but the Firewall Client can't.

It's actually a problem in ISA 2000 that it works with the equivalent setting enabled ("Ask Unauthenticted Users for Identification").

[Mad] This is another 'good info' to know when setting up ISA. Tom, you might be able to follow my progress, and (almost) each step, it seems there is a semi-caveat that is necessary to know to have ISA happy [Razz] .

I was running into the same thing as the thread starter -- WPAD worked perfectly when "Require all users to authenticate" was not enabled, however I mistakenly thought it was necessary to enable that check box to have users listed in the logs. Now that i know it is recommended *not* to enable, "Require all users to authenticate" when using the firewall client.

Thanks ClintD about the explanation regarding code that wasn't allowing for the percieved configuration.

Edgardo

Onto the next ISA 'configuration mystery' [Big Grin]

[ August 31, 2004, 05:28 PM: Message edited by: grinn253 ]

(in reply to Joppe)
Post #: 13
RE: Firewall client cannot autodiscover - 31.Aug.2004 2:24:00 PM   
sponz

 

Posts: 4
Joined: 24.Aug.2004
Status: offline
Works like a champ. Thanks again for the help. You guys are great!

(in reply to Joppe)
Post #: 14
RE: Firewall client cannot autodiscover - 1.Sep.2004 8:18:00 PM   
rf@toly.com

 

Posts: 1
Joined: 1.Sep.2004
From: Malta
Status: offline
I have an issue with the 2004 FW client. As soon as I open up IE it gets disabled and on the FW client I get the message "disabled - cannot authenticate with ISA server". The web site does come up and the FW client is able to detect the ISA server. Any hints?

(in reply to Joppe)
Post #: 15
RE: Firewall client cannot autodiscover - 7.Sep.2004 3:39:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bob,

Is the ISA firewall a member of the domain?

Is the client machine a member of the domain?

Can the client resolve the name for the ISA firewall that you configured for the Firewall client listener?

Thanks!
Tom

(in reply to Joppe)
Post #: 16
RE: Firewall client cannot autodiscover - 7.Oct.2004 2:21:00 PM   
druid_ro

 

Posts: 8
Joined: 22.Oct.2003
Status: offline
Big issue

If you have caching enabled, auto-discovery set-up and working(with the "require users to authenticate" unchecked of course) and the http acces rule set to authenticate, every time you acces content from cache it denies the connection or it doesn't display the content.

Or worse it displays a login box.

This is beacuse request to content on isa server cache is not authenticated. It doesn't work if you force authentication to localhost, or internal ip of isa 2004.

Had this problem?

(in reply to Joppe)
Post #: 17
RE: Firewall client cannot autodiscover - 2.May2005 3:56:00 PM   
TechFan

 

Posts: 24
Joined: 9.Dec.2004
Status: offline
How can I log all authenticated traffic, but allow all users if they are not authenticated??

(in reply to Joppe)
Post #: 18
RE: Firewall client cannot autodiscover - 12.May2005 6:06:00 PM   
kcadmin

 

Posts: 23
Joined: 5.Jan.2005
Status: offline
I'm getting this too, only I DON'T have "require all users to authenticate" and never have. Autoconfig works in some sites (2003 server) in our mixed-mode domain , but not others (NT4DC sites). WPAD is resolvable in all cases. They work if you staticlly define the ISA in the FWC.

Help! [Confused]

(in reply to Joppe)
Post #: 19

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> Firewall client cannot autodiscover Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts