• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Automatically detect ISA server keeps FW client from working?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Automatically detect ISA server keeps FW client from working? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Automatically detect ISA server keeps FW client from wo... - 24.Dec.2002 8:15:00 PM   
athoren

 

Posts: 5
Joined: 23.Dec.2002
Status: offline
I ran into an issue today where I was trying to figure out why firewall clients were not working. The logs showed all packets being blocked as coming from a non-authenticated source. I finally figured out though that if I disabled the "Automatically detect ISA server" setting on the client everything worked fine. Logs then showed traffic going through with authentication taking place. Do I possibly have a misconfiguration somewhere that might cause the FW client not to work when it is set to automatically detect the ISA server? I can't seem to puzzle out why that might make a difference and keep the FW from authenticating. Thanks in advance.

Andy
Post #: 1
RE: Automatically detect ISA server keeps FW client fro... - 25.Dec.2002 12:20:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andy,

hmm... I've heard other people complaining about that problem too, although I've never encountered it myself! I always use the DNS wpad solution for autodiscovery and it has been rock solid so far.

For more info, check out:
- http://www.isaserver.org/tutorials/Automating_the_Configuration_of_the_Firew all_Client_Part_1.html
- http://www.isaserver.org/tutorials/Automating_the_Configuration_of_the_Fire wall_Client__Part_2.html

HTH,
Stefaan

[ December 25, 2002, 12:43 AM: Message edited by: spouseele ]

(in reply to athoren)
Post #: 2
RE: Automatically detect ISA server keeps FW client fro... - 25.Dec.2002 6:02:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

The most likely cause is a DNS problem. Its easy to figure out. Just run your packet sniffer on the client and look for the domain suffix the client is appending to the wpad. host name. 9 out of 10 times you'll find the problem right there.

HTH,
Tom

(in reply to athoren)
Post #: 3
RE: Automatically detect ISA server keeps FW client fro... - 28.Dec.2002 12:09:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

I totally agree! [Smile]

Wrong interface settings on ISA server and a bad DNS infrastructure are the two top issues people encounter.

Thanks,
Stefaan

(in reply to athoren)
Post #: 4
RE: Automatically detect ISA server keeps FW client fro... - 31.Dec.2002 9:07:00 PM   
StuartR

 

Posts: 7
Joined: 31.Dec.2002
Status: offline
I'm having a similar problem. When I configure the WPAD solution in both ISA and DHCP, no WPAD.* file gets created on the ISA server and of course, the clients can't connect.

When I put in the default configuration of:

http://ISA_Server:8080/array.dll?Get.Routing.Script

the clients connect file via the Firewall client.

Why isn't the WPAD.* file getting created?

(in reply to athoren)
Post #: 5
RE: Automatically detect ISA server keeps FW client fro... - 1.Jan.2003 9:10:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stuart,

Run a packet trace on the client and observe where the client is trying to obtain the wpad information from. I think you'll find this very enlightening!

HTH,
Tom

(in reply to athoren)
Post #: 6
RE: Automatically detect ISA server keeps FW client fro... - 3.Jan.2003 3:50:00 AM   
StuartR

 

Posts: 7
Joined: 31.Dec.2002
Status: offline
Tom,

I presume I should use the MS version of the network tools for this trace?

The other point is that no WPAD* file is created ANYWHERE on the ISA server, despite setting it up via the ISA instructions.

Confused,

Stuart.

(in reply to athoren)
Post #: 7
RE: Automatically detect ISA server keeps FW client fro... - 3.Jan.2003 12:15:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Stuart,

the wpad file is *not* a physical file! You won't find it on the ISA server because it is created on the fly when requested.

When you use the wpad autodiscovery then:
- a Web Proxy client (IE) makes a call to http://wpad:80/wpad.dat
- a Firewall client makes a call to http://wpad:80/wspad.dat

In both cases, name resolution gives them the IP of the ISA server, from which all good things should flow! [Big Grin]

For a very good and free Network Monitor, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000062 .

HTH,
Stefaan

(in reply to athoren)
Post #: 8
RE: Automatically detect ISA server keeps FW client fro... - 9.Jan.2003 1:15:00 AM   
mcotton

 

Posts: 5
Joined: 9.Jan.2003
Status: offline
I've had this problem and managed to find something I couldn't find mentioned in any of the notes.

If you have followed excellent instructions posted on this site, you will have a CNAME entry in DNS and an entry in DHCP pointing to the url to get the wpad/wspad autoconfiguration files.

If you have everything setup correctly you should be able to download/view in notepad the wpad.dat and wspad.dat generated files by their url e.g.

http://wpad:80/wpad.dat
http://wpad:80/wspad.dat

or whatever for your installation.

If you don't have the DNS alias setup correctly try the name of the server, if you suspect a name resolution issue, try the IP address of the proxy server instead of the name.

In my case wpad was fine, but wspad gave authorization requied and I guess this is why the firewall client couldn't configure itself.

Looking at the server properties, the Outgoing Web Requests had 'ask un-authenticated users for authentication' checked. Unchecking this allowed me to view the wspad.dat file in notepad and the firewall client to be automaticaly configured.

Hope that helps

Mark

(in reply to athoren)
Post #: 9
RE: Automatically detect ISA server keeps FW client fro... - 9.Jan.2003 3:25:00 AM   
Guest
Does this apply: http://support.microsoft.com/default.aspx?scid=kb;en-us;305204 ?

I think it was fixed in SP1.

Ray

(in reply to athoren)
  Post #: 10
RE: Automatically detect ISA server keeps FW client fro... - 9.Jan.2003 7:47:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ray,

Its interesting that you bring up that article. I was driving myself nuts because I thought that SP1 would fix the random authentication prompts problem when I enable the "ask unauthenticated users for authentication" option. But it did not. I also used the Registry fix that's supposed to fix the multiple authentication prompts problem as well. But that made no difference either.

What fixed the problem? I can't domain policy so that all machines use autodicovery *only* to configure the browsers. Why should that work when manually configuring the autoconfiguration script doesn't work? Beats me. I've done packet traces up and ying-yang and studies them, and no hints are appearent.

Thanks!
Tom

(in reply to athoren)
Post #: 11
RE: Automatically detect ISA server keeps FW client fro... - 3.Feb.2004 1:46:00 PM   
spookem

 

Posts: 2
Joined: 18.Aug.2003
Status: offline
So has anyone been successful with Firewall clients autodetecting the isa server when "ask unauthenticated users for identification is checked?"

(in reply to athoren)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Automatically detect ISA server keeps FW client from working? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts