Re: Laptops with ISA Client installed - how do users out on the road operate?




"Jim" <jim@xxxxxxxxxx> wrote in message
news:fc1qm49di1qpjupqdhlri9p5nesc67io28@xxxxxxxxxx
Hi all,

Our configuration:

Windows 2003 SBS R2 Premium, running ISA Server 2004 SP3. All
computers have the firewall client installed and running, and we have
the WPAD entry in DNS to advertise the proxy. All clients are XP Pro
with IE7.

When users are in the office then they can happily browse the internet
etc. But when out on the road, staying at hotels or at home, they
still want to browse the internet BUT they do not want to connect to
the corporate LAN. Even disabling the firewall client isn't
sufficient, as Internet Explorer still has the proxy settings in
Internet Options > Connections > LAN Settings.

The obvious workaround is for the user to manually untick the "use
proxy server" setting. But there's two issues here, firstly the option
is buried quite deeply, and secondly they need to be a local admin.

What is the preferred solution in this scenario, so that the laptop
doesn't try to use the proxy? Does it sound like we have an incorrect
setting somewhere, or is there something we should do differently?

You may have configured WPAD on the DNS and DHCP (you did do the DHCP part
too, correct?) but you aren't actually *using* it,...at least not with the
browser. The browser and the FWC each make use of autodetection
independently of each other. In the browser's proxy settings, except for
the first two checkboxes and the accompanying Textbox everything should be
blank and not filled in,...and really only the first checkbox is required.

The browser should have all the proxy settings "cleared". Then properly
configure the FWC for autodetection from within the Properties of the
Internal Network Definition *on the ISA*. Then the FWC will push the correct
settings to the browser.

Then when a proxy is not detected both the browser and the FWC will respond
correctly and let the machine operate "direct" with the Internet,...no user
interaction needed.

Here's the process:

The Tabs in the Internal Network Properties in the ISA MMC:
Some of these are just my preference, but they work for me.

Autodiscover Tab
Enable the checkbox
Leave the port on 80 (don't be tempted to change it)

Firewall Client Tab
Enable the first checkbox
Supply the proxy's server name in the text box
Enable the next two Checkboxes
Select "Use Default URL"
Leave the remaining checkbox disabled

Web Browser Tab
Enable the first three Checkboxes
I never needed anything in the big "Directly Access" text box
Enable the fourth Checkbox
Choose "Direct Access"

The rest is done in DNS and DHCP.

Do DNS first and use a CNAME for the "wpad" entry that points to the A
Record for your ISA.

When doing it in DHCP use the "wpad" name as it is in DNS (e.g.
http://wpad.company.loc)

With this done this way if you ever replace the ISA with a different machine
you only have to re-point the CNAME in DNS to the new proxy and everything
else stays the same. There are no changes on the Clients or in the DHCP
Service.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
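
A client-side check of the configuration described in the reply above, as an added example that is not part of the original post: it reads the standard Internet Explorer proxy registry values, resolves the wpad name and fetches wpad.dat on port 80. The name wpad.company.loc is the one used in the post; isa.company.loc is a hypothetical placeholder for the ISA's A record.

```powershell
# Added example: audit a client against the WPAD setup described above.
# $WpadHost and $ExpectedProxy are assumed names; substitute your own.
param(
    [string]$WpadHost      = 'wpad.company.loc',   # name from the post's DHCP example
    [string]$ExpectedProxy = 'isa.company.loc'     # hypothetical A record of the ISA
)

$findings = @()

# 1. Static proxy values in the per-user IE settings should be cleared.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie  = Get-ItemProperty -Path $key
if ($ie.ProxyEnable -eq 1) { $findings += "Static proxy enabled: $($ie.ProxyServer)" }
if ($ie.AutoConfigURL)     { $findings += "Configuration script set: $($ie.AutoConfigURL)" }

# 2. The wpad name should resolve; as a CNAME, its canonical name is
#    typically reported in HostName and should be the ISA.
$resolved = $null
try   { $resolved = [System.Net.Dns]::GetHostEntry($WpadHost) }
catch { Write-Output 'wpad not resolvable: expected off the corporate LAN (direct access)' }

if ($resolved) {
    if ($resolved.HostName -ne $ExpectedProxy) {
        $findings += "wpad resolves to '$($resolved.HostName)', expected '$ExpectedProxy'"
    }
    # 3. Autodiscovery is published on port 80; wpad.dat must be retrievable there.
    try {
        $wc = New-Object System.Net.WebClient
        $wc.Proxy = $null   # fetch directly, not through any configured proxy
        $script = $wc.DownloadString("http://$WpadHost/wpad.dat")
        if ($script -notmatch 'FindProxyForURL') {
            $findings += 'wpad.dat returned, but it is not a proxy auto-config script'
        }
    } catch {
        $findings += "wpad.dat not retrievable on port 80: $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) { Write-Output 'OK: no static proxy; autodiscovery consistent' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run on the corporate LAN it should report OK; run on a hotel or home network, the wpad name should fail to resolve, and any answer for it from an unexpected host shows up as a finding.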

