Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: Understanding the Web Proxy and Firewall Client Automatic Configuration

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> RE: Understanding the Web Proxy and Firewall Client Automatic Configuration Page: <<   < prev  1 2 [3]
Login
Message << Older Topic   Newer Topic >>
RE: Understanding the Web Proxy and Firewall Client Aut... - 21.Jun.2006 11:27:28 PM   
Gabonescu

 

Posts: 8
Joined: 19.Jun.2006
From: London, ON
Status: offline 		Hello Stefaan,
 
 
Indeed a very acurate article about this auto config.
 
I had to use your recommenations for all IE clients but now I'm comming with a problem:
 
-if I set up IE client with an automatic script (http://FQDN80/array.dll?Get.Routing.Script) I can access my intranet webpage (http://intranet.mycorp.com) BUT I can't access any Ip address (http://172.16.1.22) which is a netwotrk printer for example;
-if I set up IE client with a manual proxy ( 172.16.1.1 :8080) I can't access anythink inside and the error is Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
 
Thre is any way to add some exceptions to the automatic script config?
 
 
I really apreciate any input.
 
Thanks,
Gabon

(in reply to spouseele)
Post #: 41
RE: Understanding the Web Proxy and Firewall Client Aut... - 23.Jun.2006 8:14:50 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Gabon,
 
prior to ISA 2004 SP2, it was good practice to configure all the internal IP ranges as direct access on ISA. The result was that IE didn't redirect those requests to the ISA server what was the wanted behavior. However, with ISA 2004 SP2 the logic behind the Direct Access script was changed and that broke the above good practice. For more info about the changes, check out:


I know that they are working on a solution to fix that problem. In the mean time, the workaround I use is to configure individual IP address as FQDN for direct access. Of course this is only feasible for a small number of IP addresses.

Hmm... I just read again the blog and saw that a fix was already released as KB920716. Maybe you could try it out and let us know how it works for you.

HTH,
Stefaan

(in reply to Gabonescu)
Post #: 42
RE: Understanding the Web Proxy and Firewall Client Aut... - 12.Jul.2006 2:35:44 PM   
hl.hassan

 

Posts: 12
Joined: 27.Jul.2005
From: kuwait
Status: offline 		Hello everyone,
                
Recently i am trying to configure the internet explorer to use automatic detect settings so that the users do not need to specify the ISA server name. I got the internet to work through automatic detect settings,but it is very slow for some reason. All users have firewall client

can anyone please help me in why the internet is slow? 

Note: if i manually specify the ISA sever name the internet works quick.

Or if anyone has an article on how to configure automatic detect settings that will be helpfull aswel.

(in reply to spouseele)
Post #: 43
RE: Understanding the Web Proxy and Firewall Client Aut... - 12.Jul.2006 9:24:36 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi hassan,

what do you mean with "...but it is very slow for some reason". Please, elaborate on it.

Thanks,
Stefaan

(in reply to hl.hassan)
Post #: 44
RE: Understanding the Web Proxy and Firewall Client Aut... - 13.Jul.2006 11:40:37 AM   
hl.hassan

 

Posts: 12
Joined: 27.Jul.2005
From: kuwait
Status: offline 		what i mean is that i configured the auto detect settings for the IE the users can browse the intra sites and also browse the internet , but when browsing the internet it is very very slow. If i specify the ISA server name manually in the IE the internet will work more quicker.

I hope the information i have provided will help you solve my problem.

(in reply to spouseele)
Post #: 45
RE: Understanding the Web Proxy and Firewall Client Aut... - 13.Jul.2006 10:34:10 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi hassan,

some things to check out:
  • make sure that Use HTTP 1.1 and Use HTTP 1.1 through proxy connections is enable in the IE advanced settings.
  • make sure you have a rock solid DNS name resolving infrastructure.


HTH,
Stefaan

(in reply to hl.hassan)
Post #: 46
RE: Understanding the Web Proxy and Firewall Client Aut... - 11.Aug.2006 4:57:49 PM   
thejun

 

Posts: 101
Joined: 21.Jan.2002
Status: offline 		I had an issue come up recently.
An OC192 went down, and all my AD DNS servers could not resolve.

So i changed my isa to a backup internet connection.
I changed the primary dns on ISA to an external DNS address.

now, for the clients the browsers are set to autodetect, which pulls the wpad.  They all cannot connect.

If i change them to manual and type in the proxy server, they can connect fine. 

I know this is DNS related, but I cannot find a way to fix it so autodetect will work properly.

(in reply to spouseele)
Post #: 47
RE: Understanding the Web Proxy and Firewall Client Aut... - 11.Aug.2006 8:42:07 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi thejun,

what do you mean exactly with
quote:

I changed the primary dns on ISA to an external DNS address.

Why didn't you just change your forwarders on the AD DNS servers to the new ISP?

HTH,
Stefaan

(in reply to thejun)
Post #: 48
RE: Understanding the Web Proxy and Firewall Client Aut... - 18.Jun.2007 3:01:50 AM   
btg

 

Posts: 5
Joined: 11.Jun.2007
Status: offline 		hello,

Great article, thanks heaps for the information posted.

I'm not sure if this problem is related but it is definitely one I have been seeing since activating this feature.

Auto configurations is working ok and users are finding the ISA server. I am currently using DHCP + DNS method with the wpad cname.

I have found on my isa logs that many browsers are accessing the isa proxy as anonymous. I have intergrated authentication enabled on browsers. I am using IE 6 and IE 7 and trying win2k and winxp sp2 clients. Sometimes logs will show usernames and sometimes it will show anonymous.

I tried enforcing all connections to authenticate though this created issues where by many browsers started showing up an authentication box. It was resulting in unhappy users. So I have removed it for now.

Do I need to edit the wpad.dat file to enforce this authentication?

help would be appreciated.

(in reply to spouseele)
Post #: 49
RE: Understanding the Web Proxy and Firewall Client Aut... - 18.Jun.2007 2:51:27 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi btg,

when you enforce authentication on the web proxy listener, you might run in some authentication prompt issues. You can solve that with KB 885683. For more info, check out:
- Getting Prompted for Authentication When You Enable Firewall Client and Web Proxy Client Autodiscovery?
- Irritated by Firewall Clients Constantly Being Asked for Credentials?

Now, it's normal to see some anonymous requests in the ISA log. When a browser (i.e. IE) sends a request, the browser can't know if authentication will be required. Therefore the initial request is always sent anonymous. When ISA determines that the access rule requires authentication, ISA will reject this request and inform the browser with a 407 response that Proxy authentication is required.  The browser will than resend the request with authentication.

HTH,
Stefaan

(in reply to btg)
Post #: 50
RE: Understanding the Web Proxy and Firewall Client Aut... - 28.Jun.2007 9:44:16 AM   
Byron Trent

 

Posts: 2
Joined: 5.Oct.2006
Status: offline 		Hi there,

This could be just what I am looking for but the link seems to be down. Will it be coming back?

Cheers,

Byron.

(in reply to spouseele)
Post #: 51
RE: Understanding the Web Proxy and Firewall Client Aut... - 27.Jul.2007 1:22:21 PM   
ITGuy85

 

Posts: 8
Joined: 23.Jul.2007
Status: offline 		Reading through the great article, I didn't see the logic behind how the client or ISA determines which is the best ISA to point the proxy to. I understand the wpad process.

Here's the scenario. Let's say I have two datacenters (LA and NYC) with internet access and ISA servers at each. Both have two branch offices in hub/spoke fashion. If I take a laptop from branch office A (homed off NYC) to branch office C (homed off LA), what logic does wpad/ISA/IE use to determine which ISA server it should point to?

Is it intelligent enough to point to LA or NYC "correctly", and if so, what information does it use? AD sites and services, subnet, pings, hops, etc.?

Assuming ISA 2006, IE 7, and XP SP2, and ISA client is installed.

(in reply to Byron Trent)
Post #: 52
RE: Understanding the Web Proxy and Firewall Client Aut... - 27.Jul.2007 3:11:01 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi ITGuy85,

the only logic used is what DNS or DHCP returns for the wpad request from the client. For DHCP you can define per scope the wpad option. So, this can easily be made location depended.

However, for DNS it isn't that simple or even sometimes impossible because you usual don't work with split DNS servers for the internal network itself. You might consider the use of netmask ordering as explained in my blog Multi-Networking WPAD Support in ISA 2004.

HTH,
Stefaan

(in reply to ITGuy85)
Post #: 53
RE: Understanding the Web Proxy and Firewall Client Aut... - 27.Jul.2007 3:45:10 PM   
ITGuy85

 

Posts: 8
Joined: 23.Jul.2007
Status: offline 		Thanks for the feedback. So the intelligence is very minimal, I take it. Assuming we rely on DNS for staticly assigned servers, I can't quite wrap my brain around an enterprise configuration. If we have 100 subnets of various lengths (/10, /14, /16, /20, /24) across multiple sites, I don't see how the multi-networking solution would work. There aren't ISA servers on each of the subnets, so I can't return an IP address for an ISA server that's on each local subnet.

Since static machines won't be leaving the office or moved around, maybe this just calls for a GPO configuration. Roaming clients will be required to use DHCP, and then use intelligent WPAD configuration to point to the desired ISA server.

Or am I missing something?


(in reply to spouseele)
Post #: 54
RE: Understanding the Web Proxy and Firewall Client Aut... - 27.Jul.2007 4:13:33 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi ITGuy85,

in my opinion DNS netmask ordening will only work if you can summarize all branches from a datacenter to a 'supernet' of the ISA's internal interface in that datacenter. Moreover, the 'supernet' for each datacenter must have the same subnet length. If that isn't the case, forget DNS wpad for the roaming clients.

For the 'static' machines, why not use DHCP reservations and make them DHCP clients too?

HTH,
Stefaan

(in reply to ITGuy85)
Post #: 55
RE: Understanding the Web Proxy and Firewall Client Aut... - 27.Jul.2007 4:16:15 PM   
ITGuy85

 

Posts: 8
Joined: 23.Jul.2007
Status: offline 		Using reservations is certainly an option. You have given me some great insight and I now have a plan! Thanks!

(in reply to spouseele)
Post #: 56
RE: Understanding the Web Proxy and Firewall Client Aut... - 27.Jul.2007 4:54:16 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Bob,

good to hear I could help and thanks for the follow up!

Stefaan

(in reply to ITGuy85)
Post #: 57
RE: Understanding the Web Proxy and Firewall Client Aut... - 23.Oct.2007 4:06:02 PM   
smathur

 

Posts: 18
Joined: 19.Sep.2007
Status: offline 		Hi Stefaan

I am unable to access the article u wrote on " Understanding the Web Proxy and Firewall client autoconfig". It directs me to the page http://forums.isaserver.org/m_350016600/mpage_1/%22http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html%22, which says "page cannot be displayed due to permanently removed, temp unavailabe ".
So I am wondering is it just me having the access issue or it was removed, and is there a way to still access that article ?

Thanks

(in reply to spouseele)
Post #: 58
RE: Understanding the Web Proxy and Firewall Client Aut... - 23.Oct.2007 4:17:39 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi smathur,

what about http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html?

HTH, Stefaan

(in reply to smathur)
Post #: 59
RE: Web Proxy settings - 2.Jan.2008 4:21:08 AM   
abdulaziz

 

Posts: 21
Joined: 15.Mar.2007
Status: offline 		hello experts,

I have notice very weird stuff in my client machines, previous we were browsing using proxy setting under port 8080. All clients machine are behind ISA Server, recently I have noticed everyone is browsing with and without Proxy.

To my understanding every user who need Internet connectivity should have Proxy Enabled or using secured NAT.

But I have choosen Proxy as our settings and it was working fine. But now every machine is BROWSING with and without Proxy..

Please assist me on how to revert back to proxy solution only.

Thanks,
Abdulaziz

(in reply to spouseele)
Post #: 60

Page:   <<   < prev  1 2 [3] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> RE: Understanding the Web Proxy and Firewall Client Automatic Configuration Page: <<   < prev  1 2 [3]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts