RE: Understanding the Web Proxy and Firewall Client Automatic Configuration
RE: Understanding the Web Proxy and Firewall Client Aut... - 17.Aug.2005 4:26:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
It works today but I don't know why! It works for Win. XP SP2 clients, but not for the Win. 2K3 server, which gets a 502 proxy error. What do you think happened?
I use both options; the test for DHCP works and it returns the script file to me.
And the nslookup works for Wpad.domain name.
Thanks, Al-Taee
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 18.Aug.2005 1:19:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi,
Regarding my post that Win. 2k3 Srv doesn't work: I checked the ISA log today (thanks Stefaan for making me use this tool) and I saw that it contains domain1/administrator, not the user that I log in with, which is domain1/altaee, so I just added the administrator to the Internet group and now it works.
But why is the user different in the log? Just a note that my user is a member of the administrator group.
Thanks,
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 18.Aug.2005 10:42:00 AM
|
|
|
Firefox
Posts: 22
Joined: 11.Aug.2004
Status: offline
|
I'm having a bit of a problem with my setup, and perhaps this is the right place to put it...
I have an auto detect setup. Some PCs have the Firewall Client installed, others not (yet).
For specific purposes, we are required to use a VPN connection from the client to a server in the US. For the purpose of connecting with the remote VPN server it doesn't really matter if one has the firewall client or not... the funny part starts once you try to open a web-based application that has been made accessible by dialing out to that VPN server.
Without the MSFWClient, you can blindly access the remote site, and you won't see anything on the firewall logs other than that there is a VPN tunnel open.
With the MSFWClient however, as long as it is enabled it will attempt to send *ALL* http traffic through the proxy server. Yet when you look in Internet Explorer in the dial-up properties, nothing has been set that would assign a proxy server. It doesn't help either to turn off the "Configure my browser" setting in the MSFWC properties.
As soon as you disable the firewall client, it's happy joy again and the tunneled sites work again...
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 18.Aug.2005 2:31:00 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Al-Taee,
I never have experienced that behaviour! Hmm... no idea why ...
HTH, Stefaan
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 18.Aug.2005 2:40:00 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Vuurvos,
that has nothing to do with autodetect. The problem is that the Firewall client will redirect all requests not destined for your internal network to the ISA server. That happens before the VPN client ever sees those requests.
To fully understand that behavior and how to solve that problem, check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html , in particular section '4. Configuring ISA Clients'.
BTW --- If you have further questions, please start a new thread.
HTH, Stefaan
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 19.Aug.2005 4:38:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
Ya, it's a strange thing. When I use that user on another computer (Win. XP SP2) it appears as domain1/altaee, but on my computer (Win. 2k3 Srv) it appeared as domain1/administrator.
Anyway thank you for your help.
Al-Taee
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 6.Sep.2005 3:43:00 PM
|
|
|
Guest
|
Have you received a fix from Microsoft yet?
Thank you.
quote: Originally posted by spouseele:
Hi Robert,
yep, the DHCP delay occurs on every OS I've checked out as long as the logged-in user has local administrator rights. Because it is a client issue, the ISA version 2000/2004 does not come into play.
Yes, I'll post a message in this topic when I get an answer from Microsoft PSS. The ticket was created on May 26, 2005 and is now escalated to level 2 and 3 support.
BTW --- thanks for the compliments.
HTH, Stefaan
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 6.Sep.2005 3:46:00 PM
|
|
|
sambo
Posts: 12
Joined: 20.Jul.2005
From: Cincinnati, OH
Status: offline
|
Thank you for your well done article. I first was introduced to the long IE startup delay when I had deployed ISA 2004 into my SBS2003 network and then deployed out the FW clients. I thought everything was going to be awesome and everyone would be treating my hard work as amazing. Well, the 15 second startup experience squelched my aspirations for high approval ratings and subsequent owner adulation and set me on the road to better understand the mystery of how ISA, IE6, the various Windows OSes, and the FW client interact.
My pain-driven research has brought me to this article amongst many other sources, and this article is a HUGE help and has been very informative. I am passing on all I am learning through practice and reading to the other Ohio, Kentucky, & Indiana small business consultants. Thanks from all of us and our customers.
[ September 06, 2005, 03:48 PM: Message edited by: DaleSBSGuy ]
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 6.Sep.2005 4:02:00 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi mthurmond,
the status of the 'DHCP issue' is as follows:
1. The issue has been confirmed by Microsoft and it is an IE WININET problem. A new KB 907455 (not yet published) will address this issue.
2. According to Microsoft it is already fixed in IE 7 Beta 1. I will test this asap on Windows XP SP2 and probably on Windows Vista Beta 1 too.
3. I've no confirmation yet that a backport of the IE 7 fix into IE 6 will happen. I'm still waiting for an acceptance/rejection of the business case I opened.
HTH, Stefaan
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 18.Oct.2005 6:00:00 PM
|
|
|
JeffVandervoort
Posts: 93
Joined: 20.Nov.2004
Status: offline
|
Great article.
Section 3, Client OS Support, could use a little updating. I see that MS has now updated KB 312864 with availability of a hotfix for Windows 2000 to allow DHCP discovery for all users under W2K. And they also mention the change in WinXPSP2 that allows all users to autodiscover via DHCP.
Also, Section 2.1, Note 2 regarding "Require all users to authenticate" was apparently fixed in ISA 2004 SP1. This, per MSKB 885683.
I have not tested either of these issues myself, however.
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 25.Nov.2005 11:44:03 AM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi all,
just an update on the status of the 'DHCP issue':
1. A fix for Windows XP SP2 was officially released on November 11, 2005. The related knowledge base article is KB906650 and should be available soon on the web. IE uses an obsolete DHCP API but this API has been fixed (DHCPCSVC) for Windows XP SP2 only.
2. Another fix, but now for Windows XP SP1 and SP2, is being worked on. The related knowledge base article should be KB907455 and is of course not yet available. Here IE will use a supported DHCP API but this requires a new registry key and a change to WININET. So, it will take a little bit longer to get it fixed.
3. I have been told that the DHCP issue is already fixed in IE 7 Beta 2. However, I didn't have a chance to test it yet.
HTH, Stefaan
< Message edited by spouseele -- 21.Dec.2005 9:53:28 PM >
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 27.Dec.2005 5:42:23 PM
|
|
|
Jim Harrison
Posts: 231
Joined: 5.May.2001
From: Redmond, WA
Status: offline
|
Yep - that's a later file version than in 906650, too (been testing 906650). Stefaan has done an admirable job of tracking this one down - it's a real #$%^% to sort through. Call CSS and ask for this one - now.
_____________________________
Jim Harrison MCP(NT4, W2K), A+, Network+, PCG My ISAServer.org Stuff My Site
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 20.Jan.2006 5:17:22 PM
|
|
|
ExchAdminGer
Posts: 1
Joined: 20.Jan.2006
Status: offline
|
Hi,
I tried to get the hotfix in German but I was told that the fix is only available in English :( Is that true?
Greetings, ExchAdminGer
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 14.Feb.2006 8:14:29 PM
|
|
|
javon7065
Posts: 9
Joined: 24.Apr.2001
From: phila, pa
Status: offline
|
Stefaan, thanks for the great article. I have a question for you about authentication and the autodetect configuration script options. I am trying to use the autodetect option with DNS. We are using the Integrated Basic authentication options and have the box checked for requiring users to authenticate. When using either Autodetect and/or the Config script option, I get prompted for credentials. Is this by design? If so, then that is not good, since the integrated authentication bypasses users having to put in credentials.
Thanks for any info,
Joe
|
|
|
|
RE: Understanding the Web Proxy and Firewall Client Aut... - 14.Feb.2006 8:50:27 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Joe,
we generally advise against using the Require all users to authenticate Web Proxy setting. Instead you should request authentication on the rule level. However, if you can't resist, check out the following excerpt from my article:
quote:
Note 2: if the Require all users to authenticate Web Proxy setting is configured for the Internal interface of your ISA 2004 server, the request for the configuration script file (wpad.dat or wspad.dat) must be authenticated also. This means that for Internet Explorer an authentication prompt will pop-up. However, the Firewall client does not handle the "401 Authentication Required" response. Therefore, that request will fail. To solve that problem, check out the Microsoft Knowledge Base Article 885683.
HTH, Stefaan
|
|
|
|
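A check for the situation described in the quoted Note 2, added here as an example and not part of the thread or of ISA Server: it requests wpad.dat and wspad.dat without credentials and reports whether the listener answers with an authentication challenge. The names `probe`, `audit` and `start_demo_listener`, and the loopback listener standing in for the ISA interface, are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

SCRIPT_PATHS = ("/wpad.dat", "/wspad.dat")  # file names from the quoted note

# Direct opener: the script fetch itself must not be sent through a proxy.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, path, timeout=5):
    """Fetch one configuration script with no credentials and classify the reply."""
    try:
        with _opener.open(base_url + path, timeout=timeout) as resp:
            return path, resp.status, "served without authentication"
    except urllib.error.HTTPError as err:  # must precede URLError (its parent class)
        if err.code in (401, 407):
            return path, err.code, "authentication required for the script"
        return path, err.code, "unexpected HTTP error"
    except (urllib.error.URLError, OSError):
        return path, None, "listener unreachable"

def audit(base_url):
    """Probe both autoconfiguration scripts on one listener."""
    return [probe(base_url, p) for p in SCRIPT_PATHS]

def start_demo_listener(require_auth):
    """Constructed stand-in for the proxy listener (assumption, loopback only)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Negotiate")
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = b'function FindProxyForURL(url, host) { return "DIRECT"; }'
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    for flag in (False, True):
        srv, url = start_demo_listener(flag)
        print("require_auth=%s" % flag, audit(url))
        srv.shutdown()
```

To use it against a real deployment, pass the base URL of your own internal listener to `audit`; a 401 on wspad.dat matches the Firewall client failure the note describes.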