Re: Other services through proxy...
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Fri, 9 Jan 2009 14:28:23 -0600
The Linux and Macs....
There is no FWC for them...
They will only use the Web Proxy Service via their browsers and those
"should" work fine with autodetection. The FWC clients and the things it
does has no effect on them. Beyond that they will have to use the SecureNAT
Service, which requires no proxy settings to begin with. However the
SecureNAT can not authenticate, so it will require the Access Rules they use
to be anonymous. If their browsers are configured for a proxy (whether
manual or autodetect), anything that falls in the realm of the Web Proxy
Service will do just that,...the Web Proxy Service takes precedence over
SecureNAT. Anything that doesn't fit into the Web Proxy's abilities will
"fall back" to using the SecureNAT Service as long as there is a proper
anonymous Rule to allow it.
Now, on the Windows side of things.....
"Jake" <jake44@xxxxxxxxx> wrote in message
news:OBWQ59ocJHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
> OK, so computers having installed ISA FW CL in autodetect mode don't need
> any fiddling with their browser's proxy settings and all works out of the
> box?
Pretty much. However the FWC is configured at the ISA in the MMC and this
includes "stuff" related to the browser as well. This all involves three
Tabs in the Properties of the Internal Network Definition. I'll list them
at the bottom.
So once the FWC detects the ISA and "picks up" its configuration from the
ISA it can also pickup the browser's "stuff" and then it will pass that on
to the browser. If I'm not mistaken this has a refresh period where the FWC
repeats this every 30 minutes,...so if you make FWC or Browser changes at
the ISA it may be 30 minutes before the changes take effect. It's been a
while since I dipped into those details, but I'm pretty sure that is
accurate.
Internet Explorer's default out of the box is to autodetect. So IE is ready
to go without touching it. But even without that, if the FWC is installed
it can push the needed settings to IE anyway.
> What about when they are at home not being connected to isa, will they
> need to disable the fw client or will it all be transparent if the fw
> client does not find any isa servers?
They don't have to do anything. That is the nice thing about
autodetection,...if the browser and the FWC can't detect the proxy they will
give up and operate "directly" just as they would if there was never a proxy
in use to start with. However the first time the browser or other Apps open
in those conditions there is a little time lag before it finally gives up
and goes without the proxy (maybe 10-15 seconds). But after that they
should work normally. You can see when it gives up by watching the FWC icon
by the clock,..it will get a red "X" over it when a proxy is not detected.
The flip side of this is if your business had more than one location with a
proxy at each,..if they start their machine up at the other location it will
autodetect the proxy at that location and use it. This assumes of course
that the location also has their autodetection configured correctly and the
proxy had the correct Access Rules in place for these users.
The Tabs in the Internal Network Properties:
Some of these are just my preference, but they work for me.

Autodiscover Tab
  - Enable the checkbox
  - Leave the port on 80 (don't be tempted to change it)

Firewall Client Tab
  - Enable the first checkbox
  - Supply the proxy's server name in the text box
  - Enable the next two Checkboxes
  - Select "Use Default URL"
  - Leave the remaining checkbox disabled

Web Browser
  - Enable the first three Checkboxes
  - I never needed anything in the big "Directly Access" text box
  - Enable the fourth Checkbox
  - Choose "Direct Access"

The rest is done in DNS and DHCP.
Do DNS first and use a CNAME for the "wpad" entry that points to the A
Record for your ISA
When doing it in DHCP use the "wpad" name as it is in DNS
With this done this way if you ever replace the ISA with a different machine
you only have to re-point the CNAME in DNS to the new proxy and everything
else stays the same. There are no changes on the Clients or in the DHCP
Service.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
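
A consistency check for the DNS and DHCP arrangement described in the post above, added here as an example and not part of the original message. The zone records, host names, addresses, and the DHCP option 252 value carrying a wpad.dat URL are constructed assumptions, not values from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (assumptions): two records from a hypothetical
# example.local zone and the WPAD URL handed out in DHCP option 252.
ZONE = """\
isa01   IN A     10.0.0.5   ; the proxy's own A record
wpad    IN CNAME isa01      ; alias that clients autodetect
"""
DHCP_252 = "http://wpad.example.local:80/wpad.dat"


def parse_zone(text):
    """Return {owner: (rtype, rdata)} from 'name IN TYPE data' lines.
    Owner and target names are compared as written (relative names)."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = re.match(r"(\S+)\s+IN\s+(A|CNAME)\s+(\S+)$", line, re.I)
        if m:
            owner = m.group(1).lower().rstrip(".")
            records[owner] = (m.group(2).upper(), m.group(3).lower().rstrip("."))
    return records


def check_wpad(zone_text, dhcp_url, alias="wpad"):
    """List deviations from the CNAME-based layout; an empty list means
    replacing the proxy only requires re-pointing the CNAME."""
    problems = []
    records = parse_zone(zone_text)
    rtype, target = records.get(alias, (None, None))
    if rtype is None:
        problems.append("no wpad record in DNS")
    elif rtype != "CNAME":
        problems.append("wpad is an A record, not a CNAME to the proxy's A record")
    elif records.get(target, (None,))[0] != "A":
        problems.append(f"wpad CNAME target '{target}' has no A record")
    url = urlparse(dhcp_url)
    host = (url.hostname or "").lower()
    if host.split(".")[0] != alias:
        problems.append(f"DHCP points at '{host}' instead of the wpad name")
    if (url.port or 80) != 80:
        problems.append(f"autodiscovery port is {url.port}, expected 80")
    return problems


if __name__ == "__main__":
    for finding in check_wpad(ZONE, DHCP_252) or ["consistent"]:
        print(finding)
```
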