Hi Roy, I'm currently writing a new article for isaserver.org about this subject. You can already read an early draft at http://users.skynet.be/spouseele/ClientAutoConfig/ISA2004_ClientAutoConfig.h tm. HTH, Stefaan -----Original Message----- From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] Sent: maandag 30 mei 2005 8:56 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Help with the web proxy setup in ISA 2004 http://www.ISAserver.org To All Married Guys, The disucssion threads caused by me seems to be overflow while I really want to make sure the correct configuration and get to know the working merchanism. To summarize the past discussion, what I want to know is - based on Client type: 1) FWC 2)WPC (webproxy) - at conditions: "webproxy authentication is enabled" "autoproxy configuration shall be applied" autodisvoery is properly configured already - result: right configuration so that no popup ask for authencaiton in web browsing After verious kinds of test in my VM, the situation is like this: 1) FWC: problem 1): if select "autodect ISA server" at FWC, it fails to find out unless "webproxy authentication is disabled" problme 2): if only select "autoconfig script" option at FWC tab for interal network configuration, popup windows asking for authentication comes up unless modify the autoscript URL by replace "ISA_FQDN" into "isa_host_name" no popup authentication windows only when select "autodetect" at at FWC tab for interal network configuration. 2) WPC: problem 3): in addtion to check webproxy agent, enable either autodectection or autodectation option at brower will bring up authentication windows (this must be caused by webproxy authenciation requirement), keep click cancel "Pop-up" so that broswer act just as natural WPC without autoconfiguration data to pass authentication. WPC must be manually setup including bypass list at client brower side. As a conclusion, there is setting limitation for autoproxy/detection when "webproxy authentication is required for all users". Kindly let me know your some explanation for above problem 1) -3) if you think I am wrong. Thanks, Roy Tsao > Hi Roy-sama > > The entries in DNS or DHCP provide the client information about how to > get the autoconfiguration information. That information is published > on the autodiscovery port you configure on the ISA firewall. > > HTH,=20 > > > Tom > www.isaserver.org/shinder > Tom and Deb Shinder's Configuring ISA Server 2004 > http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > > > -----Original Message----- > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=20 > Sent: Friday, May 27, 2005 1:00 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004 > > http://www.ISAserver.org > > Thank you Shinder-san. Yup, I did know the setting for autodiscovrey > through both DHCP and DNS BUT BUT I have not known this kind of > setting for WPAD also needed for "Autoconfig", if so I have taken a > basic wrong concept regarding autocnfig setting, believe not small > number of ISA guys are the same, then I could understand many posts in > local forum here asking about why POPUP window for authenciation > though autoconfig is setted up.=20 > > > > Hi Roy, > >=20 > > Works the same in ISA Server 2004 (mostly): > >=20 > > = > http://www.isaserver.org/img/upl/isaedukit/5automate/5automate.htm=3D2 > 0 > >=20 > >=20 > > Tom > > www.isaserver.org/shinder > > Tom and Deb Shinder's Configuring ISA Server 2004 > > http://tinyurl.com/3xqb7 > > MVP -- ISA Firewalls > >=20 > >=20 > > -----Original Message----- > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=3D20 > > Sent: Friday, May 27, 2005 8:14 AM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004 =20 > >http://www.ISAserver.org =20 S guy, =20 To be perfectly honest with > >you, it is first time for me to know wpad entry is reuired in dns > >for "autoproxy" I/O "autodectection" > > (=3D3Dautodisvoery). I never know it shall be prepare for > >webproxy/fwc client! > >=20 > > Thanks, > >=20 > > Roy Tsao > >=20 > > P.S.: why don't you spend you time with you lovely wife, network is > not > > your main after your marriage otherwise your wife shall complain you > >a lot in talking with lot of guys known! Kidding!!! > >=20 > >=20 > > > Roy > > >=3D20 > > > Yes you need a wpad entry in dns pointing to the internal ip of isa. > > >=3D20 > > > Also make sure your wpad string is http://wpad/wpad.dat =3D20 > > >=3D20 WITH NO PORT NUMBER after the 1st wpad =3D20 S =3D20 > > >-----Original Message----- > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=3D20 > > > Sent: Friday, May 27, 2005 10:03 AM > > > To: ISA Mailing List > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004 > > >=3D20 http://www.ISAserver.org =3D20 Dear Jim-san, =3D20 Sorry > > >for disturbing you a lot but please be advised that I am not > > pro. > > > in network (it is just my private fan to learn computer network > which > > is > > > far from my present career), nor I am a native English speaker but > > >oriental guy, please be patient! > > >=3D20 > > > 1) unfiltered logs: I am not trying to hide it but it will be very > > hard > > > for you to read it out since my ISA version is not English so you > > > may not judge what it is. May I try to take it out and send it to > > > your private address. > > > 2) Brower configuration: the brower at client end has no setting > since > > > FWC is installed namely initially not setting and it becomes > > > autoconfiguration webproxy client as per FWC's setting. The > > > autoconfiguration is checked finally with no other options. That's > why > > I > > > did not answer the browser's question > > > 3) Request merchanisam on http://wpad...: It is really a helpful > > > information for me to know those form you. I can download wpad.dat > if > > I > > > replace "wpad" > > > into "firewall_host_name:8080". Shall I sent this file to you? > > > Also, > > do > > > I need to configure DHCP to point WPAD into right ISABOX internal > > >address, I am getting confused in WPADed things aside from > > >autodectection. > > >=3D20 > > > Thanks, > > >=3D20 > > > Roy Tsao > > >=3D20 > > > > The discussion centers on "autoconfiguration". > > > > This functionality is based on a request for > > > > http://wpad/wpad.dat > > from > > >=3D20 > > > > the browser and http://wpad/wspad.dat from the FWC. > > > > This is why I want you to examine the wpad.dat. > > > >=3D20 > > > > You still have not answered the browser question. > > > > You still have not provided unfiltered log entries. > > > >=3D20 > > > > This isn't magic, Roy and I don't read minds. > > > > I do tire of playing oral surgeon, though. > > > >=3D20 > > > > -----Original Message----- > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] > > > > Sent: Thursday, May 26, 2005 9:04 PM > > > > To: [ISAserver.org Discussion List] > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004 > > > >=3D20 http://www.ISAserver.org =3D20 Dear Harrison-san, =3D20 > > > >The setting of my present VM lab ISA box is: > > > > - Access rules only two: > > > > 1) allow internal to external/all protocol /all users > > > > 2) deny all as default > > > > =3D20 > > > > - Internal Network Property: > > > > <Firewall Client>=3D20 > > > > [CHECK] Enable Firewall Client support > > > > [UNCHECK] Auto detect setting > > > > [CHECK] Auto config script > > > > [SELECT] Use custom URL =3D3D > > > http://isalocal.firewall.local:8080... > > > > [UNCHECK] Use a Web Proxy Server > > > > <Domain> =3D20 > > > > *.firewall.local > > > > <Web Brower>=3D20 > > > > [CHECK] Bypass Proxy for Web server in this network > > > > [CHECK] Directly Access computer specified in the Domain > tab. > > > > Directly Access server & domain: *.firewall.local > > > > <Web Proxy> > > > > [CHECK] Enable Web proxy client > > > > [CHECK] HTTP at 8080 > > > > Authentication: [CHECK] Integrated/ Require All User = > to=3D20 > > > > authenticate > > > > <Auto Discovery> > > > > No setting > > > > <Address> > > > > 10.0.0.0-10.0.0.255 > > > > =3D20 > > > > Web browser setting at client end will be automatically > > > > configured > > by > > > > FCW setting and become WebProxy client for HTTP. > > > > =3D20 > > > > I don't know why I need a wpad.dat since no auto discocery. > > > > =3D20 > > > >=3D20 > > > >=3D20 > > > >=3D20 > > > >=3D20 > > > >=3D20 > > > >=3D20 > > > >=3D20 > > > > > Please stop trimming the thread. > > > > >=3D20 > > > > > I advise that you provide more than a single modified log entry. > > > > > I can't help you if you insist on filtering the data. > > > > >=3D20 > > > > > Additional questions: > > > > > Q1 - exactly how is the browser configured? > > > > > Q2 - exactly what is the web proxy configuration for the > Internal=3D20 > > > > > network? > > > > > Q3 - when you do receive the wpad.dat file, exactly what data > is=3D20 > > > > > found between "{" and "}" in: > > > > > "function MakeIPs" > > > > > And > > > > > "function MakeNames()" > > > > >=3D20 > > > > >=3D20 > > > > > -----Original Message----- > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] > > > > > Sent: Thursday, May 26, 2005 3:22 AM > > > > > To: [ISAserver.org Discussion List] > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA > > > > >2004 =3D20 http://www.ISAserver.org =3D20 I did understand > > > > >your points, also I have took a examin at > whole=3D20 > > > > > logs before & after changing from FQDN to hostname. > > > > >=3D20 > > > > > Anyhow, when FQDN is used, there is POPUP asking for > > authentication, > > >=3D20 > > > > > could you advise any possible reason? > > > > >=3D20 > > > > > Thanks, > > > > >=3D20 > > > > > Roy Tsao > > > > >=3D20 > > > > >=3D20 > > > > > Try not to "filter" the log data. > > > > > "Imaginary" information is useless. > > > > > If you have a problem sending it to the list, then you need > to=3D20 > > > > > rethink your security model. > > > > > "Security by obscurity is no security at all". > > > > >=3D20 > > > > > Also, you should examine more than a single log entry - it's > just > > as > > >=3D20 > > > > > likely that you're looking at the wrong one. > > > > >=3D20 > > > > > ------------------------------------------------------ > > > > > List Archives: =3D > > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > > > > ISA Server Newsletter: > > http://www.isaserver.org/pages/newsletter.asp > > > > > ISA Server FAQ: > > http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ > > > > > ------------------------------------------------------ > > > > > Other Internet Software Marketing Sites: > > > > > World of Windows Networking: = > http://www.windowsnetworking.com=3D20 > > > > > Leading Network Software Directory: http://www.serverfiles.com > > > > > No.1 Exchange Server Resource Site: = > http://www.msexchange.org=3D20 > > > > > Windows Security Resource Site: > http://www.windowsecurity.com/=3D20 > > > > > Network Security Library: http://www.secinf.net/ Windows > > > > > 2000/NT > > Fax > > >=3D20 > > > > > Solutions: http://www.ntfaxfaq.com > > > > > ------------------------------------------------------ > > > > > You are currently subscribed to this ISAserver.org Discussion > List > > > as: > > > > > jim@xxxxxxxxxxxx > > > > > To unsubscribe visit > > > > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > > > > Report abuse to listadmin@xxxxxxxxxxxxx =3D20 All mail to and > > > > >from this domain is GFI-scanned. > > > >=3D20 > > > > ------------------------------------------------------ > > > > List Archives: > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > > > ISA Server Newsletter: > http://www.isaserver.org/pages/newsletter.asp > > > > ISA Server FAQ: =3D > > http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ > > > > ------------------------------------------------------ > > > > Other Internet Software Marketing Sites: > > > > World of Windows Networking: http://www.windowsnetworking.com > > Leading > > > > Network Software Directory: http://www.serverfiles.com > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > Windows > > > > Security Resource Site: http://www.windowsecurity.com/ = > Network=3D20 > > > > Security Library: http://www.secinf.net/ Windows 2000/NT > > > > Fax=3D20 > > > > Solutions: http://www.ntfaxfaq.com > > > > ------------------------------------------------------ > > > > You are currently subscribed to this ISAserver.org Discussion > > > > List > > as: > > > > jim@xxxxxxxxxxxx > > > > To unsubscribe visit=3D20 > > > > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > > > Report abuse to listadmin@xxxxxxxxxxxxx =3D20 All mail to and > > > >from this domain is GFI-scanned. > > >=3D20 > > > ------------------------------------------------------ > > > List Archives: = > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > > ISA Server Newsletter: > > > http://www.isaserver.org/pages/newsletter.asp > > > ISA Server FAQ: > http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ > > > ------------------------------------------------------ > > > Other Internet Software Marketing Sites: > > > World of Windows Networking: http://www.windowsnetworking.com > Leading > > > Network Software Directory: http://www.serverfiles.com > > > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows > > > Security Resource Site: http://www.windowsecurity.com/ Network > > Security > > > Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: > > > http://www.ntfaxfaq.com > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List > as: > > > isalist@xxxxxxxxxx To unsubscribe visit > > >http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > > Report abuse to listadmin@xxxxxxxxxxxxx =3D20 The correct > > >technical term for haggis stalking is "havering". > >=20 > > ------------------------------------------------------ > > List Archives: > >http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: = > http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ > > ------------------------------------------------------ > > Other Internet Software Marketing Sites: > > World of Windows Networking: http://www.windowsnetworking.com > > Leading Network Software Directory: http://www.serverfiles.com > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax > > Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > > tshinder@xxxxxxxxxxxxxxxxxx > > To unsubscribe visit =3D > > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=3Disalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=3DFAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > World of Windows Networking: http://www.windowsnetworking.com Leading > Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org Windows > Security Resource Site: http://www.windowsecurity.com/ Network > Security Library: http://www.secinf.net/ Windows 2000/NT Fax > Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit = > http://www.webelists.com/cgi/lyris.pl?enter=3Disalist > Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx