Hello Stefaan,
Indeed a very accurate article about this auto config.
I had to use your recommendations for all IE clients but now I'm coming with a problem:
- if I set up the IE client with an automatic script (http://FQDN80/array.dll?Get.Routing.Script) I can access my intranet webpage (http://intranet.mycorp.com) BUT I can't access any IP address (http://172.16.1.22), which is a network printer for example;
- if I set up the IE client with a manual proxy (172.16.1.1:8080) I can't access anything inside and the error is Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
Is there any way to add some exceptions to the automatic script config?
Prior to ISA 2004 SP2, it was good practice to configure all the internal IP ranges as direct access on ISA. The result was that IE didn't redirect those requests to the ISA server, which was the wanted behavior. However, with ISA 2004 SP2 the logic behind the Direct Access script was changed and that broke the above good practice. For more info about the changes, check out:
I know that they are working on a solution to fix that problem. In the meantime, the workaround I use is to configure individual IP addresses as FQDN for direct access. Of course this is only feasible for a small number of IP addresses.
Hmm... I just read the blog again and saw that a fix was already released as KB920716. Maybe you could try it out and let us know how it works for you.
Recently I have been trying to configure Internet Explorer to use automatic detect settings so that the users do not need to specify the ISA server name. I got the internet to work through automatic detect settings, but it is very slow for some reason. All users have the firewall client.
Can anyone please help me with why the internet is slow?
Note: if I manually specify the ISA server name the internet works quickly.
Or if anyone has an article on how to configure automatic detect settings, that would be helpful as well.
What I mean is that I configured the auto detect settings for IE; the users can browse the intra sites and also browse the internet, but browsing the internet is very, very slow. If I specify the ISA server name manually in IE the internet works quicker.
I hope the information I have provided will help you solve my problem.
Great article, thanks heaps for the information posted.
I'm not sure if this problem is related but it is definitely one I have been seeing since activating this feature.
Auto configuration is working OK and users are finding the ISA server. I am currently using the DHCP + DNS method with the wpad CNAME.
I have found in my ISA logs that many browsers are accessing the ISA proxy as anonymous. I have integrated authentication enabled on browsers. I am using IE 6 and IE 7 and trying Win2k and WinXP SP2 clients. Sometimes the logs will show usernames and sometimes they will show anonymous.
I tried enforcing all connections to authenticate, though this created issues whereby many browsers started showing an authentication box. It was resulting in unhappy users, so I have removed it for now.
Do I need to edit the wpad.dat file to enforce this authentication?
Now, it's normal to see some anonymous requests in the ISA log. When a browser (i.e. IE) sends a request, the browser can't know if authentication will be required. Therefore the initial request is always sent anonymously. When ISA determines that the access rule requires authentication, ISA will reject this request and inform the browser with a 407 response that proxy authentication is required. The browser will then resend the request with authentication.
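The 407 exchange described in the reply above can be used to sort anonymous log entries into expected handshakes and entries worth a closer look. This is an added example, not part of the original thread; the log layout, addresses, user name and the 5-second pairing window are constructed assumptions, not the real ISA log schema.

```python
from datetime import datetime, timedelta

# Constructed sample in a simplified layout: time, client IP, user, status, URL.
# This is NOT the real ISA log schema; map your own fields onto it.
SAMPLE_LOG = """\
2007-03-01T09:00:00 172.16.1.50 anonymous 407 http://example.com/
2007-03-01T09:00:01 172.16.1.50 MYCORP\\alice 200 http://example.com/
2007-03-01T09:02:10 172.16.1.51 anonymous 200 http://example.org/news
2007-03-01T09:05:00 172.16.1.52 anonymous 407 http://example.net/
"""

def parse(text):
    """Turn the sample lines into (time, ip, user, status, url) tuples."""
    rows = []
    for line in text.splitlines():
        ts, ip, user, status, url = line.split()
        rows.append((datetime.fromisoformat(ts), ip, user, int(status), url))
    return rows

def triage_anonymous(rows, window=timedelta(seconds=5)):
    """Label every anonymous row; rows must be in time order.

    auth-handshake       407, then the same client repeats the URL with a user
    challenge-unanswered 407 and no authenticated retry inside the window
    served-anonymously   the request was answered without any authentication
    """
    out = []
    for i, (ts, ip, user, status, url) in enumerate(rows):
        if user != "anonymous":
            continue
        if status != 407:
            label = "served-anonymously"
        else:
            retried = any(
                r_ip == ip and r_url == url and r_user != "anonymous"
                and r_ts - ts <= window
                for r_ts, r_ip, r_user, _, r_url in rows[i + 1:]
            )
            label = "auth-handshake" if retried else "challenge-unanswered"
        out.append((ip, url, label))
    return out

if __name__ == "__main__":
    for entry in triage_anonymous(parse(SAMPLE_LOG)):
        print(entry)
```

Only the `served-anonymously` rows show a rule letting traffic through without a user name; the `auth-handshake` rows are the normal first leg of the exchange.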
Reading through the great article, I didn't see the logic behind how the client or ISA determines which is the best ISA to point the proxy to. I understand the wpad process.
Here's the scenario. Let's say I have two datacenters (LA and NYC) with internet access and ISA servers at each. Both have two branch offices in hub/spoke fashion. If I take a laptop from branch office A (homed off NYC) to branch office C (homed off LA), what logic does wpad/ISA/IE use to determine which ISA server it should point to?
Is it intelligent enough to point to LA or NYC "correctly", and if so, what information does it use? AD sites and services, subnet, pings, hops, etc.?
Assuming ISA 2006, IE 7, and XP SP2, and ISA client is installed.
The only logic used is what DNS or DHCP returns for the wpad request from the client. For DHCP you can define the wpad option per scope. So, this can easily be made location dependent.
However, for DNS it isn't that simple or even sometimes impossible because you usually don't work with split DNS servers for the internal network itself. You might consider the use of netmask ordering as explained in my blog Multi-Networking WPAD Support in ISA 2004.
Thanks for the feedback. So the intelligence is very minimal, I take it. Assuming we rely on DNS for statically assigned servers, I can't quite wrap my brain around an enterprise configuration. If we have 100 subnets of various lengths (/10, /14, /16, /20, /24) across multiple sites, I don't see how the multi-networking solution would work. There aren't ISA servers on each of the subnets, so I can't return an IP address for an ISA server that's on each local subnet.
Since static machines won't be leaving the office or moved around, maybe this just calls for a GPO configuration. Roaming clients will be required to use DHCP, and then use intelligent WPAD configuration to point to the desired ISA server.
In my opinion DNS netmask ordering will only work if you can summarize all branches from a datacenter to a 'supernet' of the ISA's internal interface in that datacenter. Moreover, the 'supernet' for each datacenter must have the same subnet length. If that isn't the case, forget DNS wpad for the roaming clients.
For the 'static' machines, why not use DHCP reservations and make them DHCP clients too?
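The supernet condition in the reply above can be checked before relying on DNS for wpad. This is an added example, not part of the original thread: a simplified model of netmask ordering with one global mask, using constructed addresses (NYC ISA at 10.1.0.10, LA ISA at 10.2.0.10, branches summarized as 10.1.0.0/16 and 10.2.0.0/16).

```python
import ipaddress

# Constructed A records for "wpad": the internal interfaces of both ISA servers.
WPAD_RECORDS = ["10.1.0.10", "10.2.0.10"]  # NYC, LA (assumed addresses)

def same_net(client, addr, prefix_len):
    """True when client and addr fall in one network under the global mask."""
    net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr) in net

def order_wpad_answers(client, records, prefix_len):
    """Model of netmask ordering: matching records first, the rest unchanged."""
    local = [r for r in records if same_net(client, r, prefix_len)]
    other = [r for r in records if r not in local]
    return local + other

def preferred(client, records, prefix_len):
    """Address the ordering singles out for this client, or None.

    None means zero or several records matched, so the answer order carries
    no location information and the client may land on the remote ISA server.
    """
    hits = [r for r in records if same_net(client, r, prefix_len)]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    laptops = {"NYC branch": "10.1.40.25", "LA branch": "10.2.77.9"}
    for prefix_len in (24, 16, 14):  # /24 is assumed here as the server default
        for site, ip in laptops.items():
            print(prefix_len, site, preferred(ip, WPAD_RECORDS, prefix_len))
```

With the /16 mask each laptop gets its own datacenter first; /24 matches nothing and /14 matches both servers, which is the case where the same-length supernet requirement is not met.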
I have noticed some very weird stuff on my client machines. Previously we were browsing using the proxy setting on port 8080. All client machines are behind ISA Server, and recently I have noticed everyone is browsing with and without the proxy.
To my understanding every user who needs Internet connectivity should have the proxy enabled or be using secured NAT.
But I have chosen the proxy as our setting and it was working fine. But now every machine is BROWSING with and without the proxy.
Please assist me on how to revert back to proxy solution only.