Automatically detect ISA server keeps FW client from working?






athoren -> Automatically detect ISA server keeps FW client from working? (24.Dec.2002 8:15:00 PM)

I ran into an issue today where I was trying to figure out why firewall clients were not working. The logs showed all packets being blocked as coming from a non-authenticated source. I finally figured out though that if I disabled the "Automatically detect ISA server" setting on the client everything worked fine. Logs then showed traffic going through with authentication taking place. Do I possibly have a misconfiguration somewhere that might cause the FW client not to work when it is set to automatically detect the ISA server? I can't seem to puzzle out why that might make a difference and keep the FW from authenticating. Thanks in advance.

Andy




spouseele -> RE: Automatically detect ISA server keeps FW client from working? (25.Dec.2002 12:20:00 AM)

Hi Andy,

hmm... I've heard other people complaining about that problem too, although I've never encountered it myself! I always use the DNS wpad solution for autodiscovery and it has been rock solid so far.

For more info, check out:
- http://www.isaserver.org/tutorials/Automating_the_Configuration_of_the_Firewall_Client_Part_1.html
- http://www.isaserver.org/tutorials/Automating_the_Configuration_of_the_Firewall_Client__Part_2.html

HTH,
Stefaan

[ December 25, 2002, 12:43 AM: Message edited by: spouseele ]




tshinder -> RE: Automatically detect ISA server keeps FW client from working? (25.Dec.2002 6:02:00 PM)

Hey guys,

The most likely cause is a DNS problem. It's easy to figure out. Just run your packet sniffer on the client and look for the domain suffix the client is appending to the wpad host name. 9 out of 10 times you'll find the problem right there.

HTH,
Tom




spouseele -> RE: Automatically detect ISA server keeps FW client from working? (28.Dec.2002 12:09:00 PM)

Hi Tom,

I totally agree! [Smile]

Wrong interface settings on ISA server and a bad DNS infrastructure are the two top issues people encounter.

Thanks,
Stefaan




StuartR -> RE: Automatically detect ISA server keeps FW client from working? (31.Dec.2002 9:07:00 PM)

I'm having a similar problem. When I configure the WPAD solution in both ISA and DHCP, no WPAD.* file gets created on the ISA server and of course, the clients can't connect.

When I put in the default configuration of:

http://ISA_Server:8080/array.dll?Get.Routing.Script

the clients connect fine via the Firewall client.

Why isn't the WPAD.* file getting created?




tshinder -> RE: Automatically detect ISA server keeps FW client from working? (1.Jan.2003 9:10:00 PM)

Hi Stuart,

Run a packet trace on the client and observe where the client is trying to obtain the wpad information from. I think you'll find this very enlightening!

HTH,
Tom




StuartR -> RE: Automatically detect ISA server keeps FW client from working? (3.Jan.2003 3:50:00 AM)

Tom,

I presume I should use the MS version of the network tools for this trace?

The other point is that no WPAD* file is created ANYWHERE on the ISA server, despite setting it up via the ISA instructions.

Confused,

Stuart.




spouseele -> RE: Automatically detect ISA server keeps FW client from working? (3.Jan.2003 12:15:00 PM)

Hi Stuart,

the wpad file is *not* a physical file! You won't find it on the ISA server because it is created on the fly when requested.

When you use the wpad autodiscovery then:
- a Web Proxy client (IE) makes a call to http://wpad:80/wpad.dat
- a Firewall client makes a call to http://wpad:80/wspad.dat

In both cases, name resolution gives them the IP of the ISA server, from which all good things should flow! [Big Grin]

For a very good and free Network Monitor, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000062 .

HTH,
Stefaan




mcotton -> RE: Automatically detect ISA server keeps FW client from working? (9.Jan.2003 1:15:00 AM)

I've had this problem and managed to find something I couldn't find mentioned in any of the notes.

If you have followed the excellent instructions posted on this site, you will have a CNAME entry in DNS and an entry in DHCP pointing to the URL to get the wpad/wspad autoconfiguration files.

If you have everything set up correctly you should be able to download/view in Notepad the generated wpad.dat and wspad.dat files by their URL, e.g.

http://wpad:80/wpad.dat
http://wpad:80/wspad.dat

or whatever for your installation.

If you don't have the DNS alias set up correctly, try the name of the server; if you suspect a name resolution issue, try the IP address of the proxy server instead of the name.

In my case wpad was fine, but wspad gave authorization required and I guess this is why the firewall client couldn't configure itself.

Looking at the server properties, the Outgoing Web Requests had 'ask un-authenticated users for authentication' checked. Unchecking this allowed me to view the wspad.dat file in Notepad and the firewall client to be automatically configured.

Hope that helps

Mark




Guest -> RE: Automatically detect ISA server keeps FW client from working? (9.Jan.2003 3:25:00 AM)

Does this apply: http://support.microsoft.com/default.aspx?scid=kb;en-us;305204 ?

I think it was fixed in SP1.

Ray




tshinder -> RE: Automatically detect ISA server keeps FW client from working? (9.Jan.2003 7:47:00 PM)

Hi Ray,

It's interesting that you bring up that article. I was driving myself nuts because I thought that SP1 would fix the random authentication prompts problem when I enable the "ask unauthenticated users for authentication" option. But it did not. I also used the Registry fix that's supposed to fix the multiple authentication prompts problem as well. But that made no difference either.

What fixed the problem? I can't domain policy so that all machines use autodiscovery *only* to configure the browsers. Why should that work when manually configuring the autoconfiguration script doesn't work? Beats me. I've done packet traces up and ying-yang and studied them, and no hints are apparent.

Thanks!
Tom




spookem -> RE: Automatically detect ISA server keeps FW client from working? (3.Feb.2004 1:46:00 PM)

So has anyone been successful with Firewall clients autodetecting the ISA server when "ask unauthenticated users for identification" is checked?



