RE: Help with the web proxy setup in ISA 2004

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Mon, 30 May 2005 05:36:23 -0600

Dear Pouseele Sama,

Your post is just in time. Configuring the registry per KB885683 threw away all of my
long-standing pain!!!

It solves problems under conditions of webproxy authentication as follows:
1) ISA firewall detection at FWC
2) Autodetect per WPC's browser
3) Autoconfig per FWC's browser based on URL FQDN I/O host_name
4) Autoconfig per WPC's browser based on URL FQDN
all of which never worked and became a big hardship in deploying auto
configuration. No more POP-UP!!!

Dear Jim-sama,
Webproxy authentication did break not only FWC but also WPC. I am
sorry to have sent you the configuration data because it wasted your time
and there was nothing to be identified.

Dear Shinder-sama,
You may refer to Pouseele-sama's article, and it shall be within your
next edition of ISA Guidebook. Before MS$ released the KB, there must have been
a lot of guys who couldn't deploy autoconfig under web authentication or,
like me, our misunderstanding is that autoconfig and also autodiscovery
are merely based on HTTP download from ISA; once webproxy authentication is
required, it does not, therefore we can't enable authentication options!

Anyway, I am so excited to settle this problem even though it was finally
several figure touch.

Thanks again,

Roy Tsao

> Dear Stefaan,
>
> You might be the guy who understands my pain! Let me read your intermediate
> article!
> 
> Thanks,
> 
> Roy Tsao
> 
> > Hi Roy, 
> > 
> > I'm currently writing a new article for isaserver.org about this subject.
> > You can already read an early draft at
> > http://users.skynet.be/spouseele/ClientAutoConfig/ISA2004_ClientAutoConfig.htm.
> > 
> > HTH, 
> > Stefaan
> > 
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > Sent: maandag 30 mei 2005 8:56
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > 
> > http://www.ISAserver.org
> > 
> > To All Married Guys,
> > 
> > 
> > The discussion threads caused by me seem to be overflowing while I really want
> > to make sure of the correct configuration and get to know the working
> > mechanism. To summarize the past discussion, what I want to know is
> >   - based on Client type: 1) FWC 2) WPC (webproxy)
> >   - at conditions: "webproxy authentication is enabled"
> >                    "autoproxy configuration shall be applied"
> >                    autodiscovery is properly configured already
> >   - result: right configuration so that no popup asks for authentication
> >             in web browsing
> >
> > After various kinds of tests in my VM, the situation is like this:
> > 1) FWC:
> >    problem 1): if select "autodetect ISA server" at FWC, it fails
> >                to find out unless "webproxy authentication is disabled"
> >    problem 2): if only select "autoconfig script" option at FWC tab
> >                for internal network configuration, popup windows
> >                asking for authentication come up unless modify
> >                the autoscript URL by replacing "ISA_FQDN" with "isa_host_name"
> >    no popup authentication windows only when select "autodetect" at
> >    FWC tab for internal network configuration.
> >
> > 2) WPC:
> >    problem 3): in addition to check webproxy agent, enable either
> >                autodetection or autodectation option at browser
> >                will bring up authentication windows (this
> >                must be caused by webproxy authentication requirement),
> >                keep click cancel "Pop-up" so that browser act
> >                just as natural WPC without autoconfiguration data to pass
> >                authentication.
> >    WPC must be manually set up including bypass list at client browser side.
> >
> > As a conclusion, there is a setting limitation for autoproxy/detection when
> > "webproxy authentication is required for all users". Kindly let me know your
> > explanation for above problems 1)-3) if you think I am wrong.
> > 
> > Thanks,
> > 
> > Roy Tsao
> > 
> >    
> > 
> > 
> > > Hi Roy-sama
> > > 
> > > The entries in DNS or DHCP provide the client information about how to
> > > get the autoconfiguration information. That information is published
> > > on the autodiscovery port you configure on the ISA firewall.
> > > 
> > > HTH,
> > > 
> > > 
> > > Tom
> > > www.isaserver.org/shinder
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > 
> > > 
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > Sent: Friday, May 27, 2005 1:00 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > >
> > > http://www.ISAserver.org
> > >
> > > Thank you Shinder-san. Yup, I did know the setting for autodiscovery
> > > through both DHCP and DNS BUT BUT I have not known this kind of
> > > setting for WPAD is also needed for "Autoconfig", if so I have taken a
> > > basic wrong concept regarding autoconfig setting, I believe not a small
> > > number of ISA guys are the same, then I could understand many posts in
> > > local forum here asking about why POPUP window for authentication
> > > though autoconfig is set up.
> > > 
> > > 
> > > > Hi Roy,
> > > >
> > > > Works the same in ISA Server 2004 (mostly):
> > > >
> > > > http://www.isaserver.org/img/upl/isaedukit/5automate/5automate.htm
> > > >
> > > > Tom
> > > > www.isaserver.org/shinder
> > > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > > http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > Sent: Friday, May 27, 2005 8:14 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > S guy,
> > > >
> > > > To be perfectly honest with you, it is the first time for me to know a
> > > > wpad entry is required in DNS for "autoproxy" I/O "autodetection"
> > > > (=autodiscovery). I never knew it shall be prepared for webproxy/FWC
> > > > client!
> > > >
> > > > Thanks,
> > > >
> > > > Roy Tsao
> > > >
> > > > P.S.: why don't you spend your time with your lovely wife, network is not
> > > > your main after your marriage otherwise your wife shall complain to you
> > > > a lot in talking with lot of guys known! Kidding!!!
> > > >
> > > > > Roy
> > > > >
> > > > > Yes you need a wpad entry in dns pointing to the internal ip of isa.
> > > > >
> > > > > Also make sure your wpad string is http://wpad/wpad.dat
> > > > >
> > > > > WITH NO PORT NUMBER after the 1st wpad
> > > > >
> > > > > S
> > > > >
> > > > > -----Original Message-----
> > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > Sent: Friday, May 27, 2005 10:03 AM
> > > > > To: ISA Mailing List
> > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Dear Jim-san,
> > > > >
> > > > > Sorry for disturbing you a lot but please be advised that I am not pro.
> > > > > in network (it is just my private fan to learn computer network which is
> > > > > far from my present career), nor am I a native English speaker but
> > > > > oriental guy, please be patient!
> > > > >
> > > > > 1) unfiltered logs: I am not trying to hide it but it will be very hard
> > > > >    for you to read it out since my ISA version is not English so you
> > > > >    may not judge what it is. May I try to take it out and send it to
> > > > >    your private address.
> > > > > 2) Browser configuration: the browser at client end has no setting since
> > > > >    FWC is installed namely initially not setting and it becomes
> > > > >    autoconfiguration webproxy client as per FWC's setting. The
> > > > >    autoconfiguration is checked finally with no other options. That's why I
> > > > >    did not answer the browser's question
> > > > > 3) Request mechanism on http://wpad...: It is really a helpful
> > > > >    information for me to know those from you. I can download wpad.dat if I
> > > > >    replace "wpad"
> > > > >    into "firewall_host_name:8080". Shall I send this file to you? Also, do
> > > > >    I need to configure DHCP to point WPAD into right ISABOX internal
> > > > >    address, I am getting confused in WPADed things aside from
> > > > >    autodetection.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Roy Tsao
> > > > >
> > > > > > The discussion centers on "autoconfiguration".
> > > > > > This functionality is based on a request for http://wpad/wpad.dat from
> > > > > > the browser and http://wpad/wspad.dat from the FWC.
> > > > > > This is why I want you to examine the wpad.dat.
> > > > > >
> > > > > > You still have not answered the browser question.
> > > > > > You still have not provided unfiltered log entries.
> > > > > >
> > > > > > This isn't magic, Roy and I don't read minds.
> > > > > > I do tire of playing oral surgeon, though.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > Sent: Thursday, May 26, 2005 9:04 PM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > Dear Harrison-san,
> > > > > >
> > > > > > The setting of my present VM lab ISA box is:
> > > > > >    - Access rules only two:
> > > > > >      1) allow internal to external/all protocol /all users
> > > > > >      2) deny all as default
> > > > > >
> > > > > >    - Internal Network Property:
> > > > > >      <Firewall Client>
> > > > > >        [CHECK]   Enable Firewall Client support
> > > > > >        [UNCHECK] Auto detect setting
> > > > > >        [CHECK]   Auto config script
> > > > > >        [SELECT]  Use custom URL = http://isalocal.firewall.local:8080...
> > > > > >        [UNCHECK] Use a Web Proxy Server
> > > > > >      <Domain>
> > > > > >        *.firewall.local
> > > > > >      <Web Browser>
> > > > > >        [CHECK] Bypass Proxy for Web server in this network
> > > > > >        [CHECK] Directly Access computer specified in the Domain tab.
> > > > > >        Directly Access server & domain: *.firewall.local
> > > > > >      <Web Proxy>
> > > > > >        [CHECK] Enable Web proxy client
> > > > > >        [CHECK] HTTP at 8080
> > > > > >        Authentication: [CHECK] Integrated/ Require All User to authenticate
> > > > > >      <Auto Discovery>
> > > > > >        No setting
> > > > > >      <Address>
> > > > > >        10.0.0.0-10.0.0.255
> > > > > >
> > > > > > Web browser setting at client end will be automatically configured by
> > > > > > FWC setting and become WebProxy client for HTTP.
> > > > > >
> > > > > > I don't know why I need a wpad.dat since no auto discovery.
> > > > > >
> > > > > > > Please stop trimming the thread.
> > > > > > >
> > > > > > > I advise that you provide more than a single modified log entry.
> > > > > > > I can't help you if you insist on filtering the data.
> > > > > > >
> > > > > > > Additional questions:
> > > > > > > Q1 - exactly how is the browser configured?
> > > > > > > Q2 - exactly what is the web proxy configuration for the Internal
> > > > > > > network?
> > > > > > > Q3 - when you do receive the wpad.dat file, exactly what data is
> > > > > > > found between "{" and "}" in:
> > > > > > >   "function MakeIPs"
> > > > > > >   And
> > > > > > >   "function MakeNames()"
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > Sent: Thursday, May 26, 2005 3:22 AM
> > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > >
> > > > > > > http://www.ISAserver.org
> > > > > > >
> > > > > > > I did understand your points, also I have taken an examination of the
> > > > > > > whole logs before & after changing from FQDN to hostname.
> > > > > > >
> > > > > > > Anyhow, when FQDN is used, there is POPUP asking for authentication,
> > > > > > > could you advise any possible reason?
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Roy Tsao
> > > > > > >
> > > > > > > Try not to "filter" the log data.
> > > > > > > "Imaginary" information is useless.
> > > > > > > If you have a problem sending it to the list, then you need to
> > > > > > > rethink your security model.
> > > > > > > "Security by obscurity is no security at all".
> > > > > > >
> > > > > > > Also, you should examine more than a single log entry - it's just as
> > > > > > > likely that you're looking at the wrong one.
> > > > > > >
> > > > > > > ------------------------------------------------------
> > > > > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > > > ------------------------------------------------------
> > > > > > > Other Internet Software Marketing Sites:
> > > > > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > > > Network Security Library: http://www.secinf.net/
> > > > > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > > > > ------------------------------------------------------
> > > > > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > > > > jim@xxxxxxxxxxxx
> > > > > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > > > >
> > > > > > > All mail to and from this domain is GFI-scanned.

