RE: Help with the web proxy setup in ISA 2004

Hi Shinder-sama,

May I know the reason why for "never"?

Thanks,

Roy Tsao


> Hi Roy,
> 
> I think I might understand your problem now.
> 
> You should *never* enable the "ask unauthenticated users to
> authenticate" option. If you want to force authenticaiton, use Access
> Rules=20
> 
> HTH,=20
> 
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=20
> Sent: Monday, May 30, 2005 1:56 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> 
> http://www.ISAserver.org
> 
> To All Married Guys,
> 
> 
> The disucssion threads caused by me seems to be overflow while
> I really want to make sure the correct configuration and get
> to know the working merchanism. To summarize the past discussion,
> what I want to know is=20
>   - based on Client type: 1) FWC 2)WPC (webproxy)
>   - at conditions: "webproxy authentication is enabled"
>                    "autoproxy configuration shall be applied"
>                    autodisvoery is properly configured already
>   - result: right configuration so that no popup ask for authencaiton =20
>             in web browsing
> =20
> After verious kinds of test in my VM, the situation is like this:
> 1) FWC:
>    problem 1): if select "autodect ISA server" at FWC, it fails
>                to find out unless "webproxy authentication is disabled"
>    problme 2): if only select "autoconfig script" option at FWC tab
>                for interal network configuration, popup windows
>                asking for authentication comes up unless modify
>                the autoscript URL by replace "ISA_FQDN" into
> "isa_host_name"
>    no popup authentication windows only when select "autodetect" at
>    at FWC tab for interal network configuration.
> 
> 2) WPC:
>    problem 3): in addtion to check webproxy agent, enable either
>                autodectection or autodectation option at brower
>                will bring up authentication windows (this
>                must be caused by webproxy authenciation requirement),
>                keep click cancel "Pop-up" so that broswer act
>                just as natural WPC without autoconfiguration data to
> pass
>                authentication.
>    WPC must be manually setup including bypass list at client brower
> side.
> 
> As a conclusion, there is setting limitation for autoproxy/detection
> when "webproxy authentication is required for all users". Kindly
> let me know your some explanation for above problem 1) -3) if you=20
> think I am wrong.
> 
> Thanks,
> 
> Roy Tsao
> 
>   =20
> 
> 
> > Hi Roy-sama
> >=20
> > The entries in DNS or DHCP provide the client information about how to
> > get the autoconfiguration information. That information is published
> on
> > the autodiscovery port you configure on the ISA firewall.
> >=20
> > HTH,=3D20
> >=20
> >=20
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >=20
> >=20
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=3D20
> > Sent: Friday, May 27, 2005 1:00 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> >=20
> > http://www.ISAserver.org
> >=20
> > Thank you Shinder-san. Yup, I did know the setting for autodiscovrey
> > through both DHCP and DNS BUT BUT I have not known this kind of
> > setting for WPAD also needed for "Autoconfig", if so I have taken
> > a basic wrong concept regarding autocnfig setting, believe
> > not small number of ISA guys are the same, then I could understand
> > many posts in local forum here asking about why POPUP window
> > for authenciation though autoconfig is setted up.=3D20
> >=20
> >=20
> > > Hi Roy,
> > >=3D20
> > > Works the same in ISA Server 2004 (mostly):
> > >=3D20
> > > =3D
> >
> http://www.isaserver.org/img/upl/isaedukit/5automate/5automate.htm=3D3D20=
> 
> > >=3D20
> > >=3D20
> > > Tom
> > > www.isaserver.org/shinder
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >=3D20
> > >=3D20
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=3D3D20
> > > Sent: Friday, May 27, 2005 8:14 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > >=3D20
> > > http://www.ISAserver.org
> > >=3D20
> > > S guy,
> > >=3D20
> > > To be perfectly honest with you, it is first time for me to know
> > > wpad entry is reuired in dns for "autoproxy" I/O "autodectection"
> > > (=3D3D3Dautodisvoery). I never know it shall be prepare for
> webproxy/fwc
> > > client!
> > >=3D20
> > > Thanks,
> > >=3D20
> > > Roy Tsao
> > >=3D20
> > > P.S.: why don't you spend you time with you lovely wife, network is
> > not
> > > your main after your marriage otherwise your wife shall complain you
> a
> > > lot
> > > in talking with lot of guys known! Kidding!!!
> > >=3D20
> > >=3D20
> > > > Roy
> > > >=3D3D20
> > > > Yes you need a wpad entry in dns pointing to the internal ip of
> isa.
> > > >=3D3D20
> > > > Also make sure your wpad string is http://wpad/wpad.dat
> > > >=3D3D20
> > > >=3D3D20
> > > > WITH NO PORT NUMBER after  the 1st wpad
> > > >=3D3D20
> > > > S
> > > >=3D3D20
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=3D3D20
> > > > Sent: Friday, May 27, 2005 10:03 AM
> > > > To: ISA Mailing List
> > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > >=3D3D20
> > > > http://www.ISAserver.org
> > > >=3D3D20
> > > > Dear Jim-san,
> > > >=3D3D20
> > > > Sorry for disturbing you a lot but please be advised that I am not
> > > pro.
> > > > in network (it is just my private fan to learn computer network
> > which
> > > is
> > > > far from my present career), nor I am a native English speaker but
> > > > oriental guy, please be patient!
> > > >=3D3D20
> > > > 1) unfiltered logs: I am not trying to hide it but it will be very
> > > hard
> > > >    for you to read it out since my ISA version is not English so
> you
> > > >    may not judge what it is. May I try to take it out and send it
> to
> > > >    your private address.
> > > > 2) Brower configuration: the brower at client end has no setting
> > since
> > > >    FWC is installed namely initially not setting and it becomes
> > > > autoconfiguration webproxy client as per FWC's setting. The
> > > > autoconfiguration is checked finally with no other options. That's
> > why
> > > I
> > > > did not answer the browser's question
> > > > 3) Request merchanisam on http://wpad...: It is really a helpful
> > > > information for me to know those form you. I can download wpad.dat
> > if
> > > I
> > > > replace "wpad"
> > > > into "firewall_host_name:8080". Shall I sent this file to you?
> Also,
> > > do
> > > > I need to configure DHCP to point WPAD into right ISABOX internal
> > > > address, I am getting confused in WPADed things aside from
> > > > autodectection.
> > > >=3D3D20
> > > > Thanks,
> > > >=3D3D20
> > > > Roy Tsao
> > > >=3D3D20
> > > > > The discussion centers on "autoconfiguration".
> > > > > This functionality is based on a request for
> http://wpad/wpad.dat
> > > from
> > > >=3D3D20
> > > > > the browser and http://wpad/wspad.dat from the FWC.
> > > > > This is why I want you to examine the wpad.dat.
> > > > >=3D3D20
> > > > > You still have not answered the browser question.
> > > > > You still have not provided unfiltered log entries.
> > > > >=3D3D20
> > > > > This isn't magic, Roy and I don't read minds.
> > > > > I do tire of playing oral surgeon, though.
> > > > >=3D3D20
> > > > > -----Original Message-----
> > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > Sent: Thursday, May 26, 2005 9:04 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > >=3D3D20
> > > > > http://www.ISAserver.org
> > > > >=3D3D20
> > > > > Dear Harrison-san,
> > > > > =3D3D20
> > > > > The setting of my present VM lab ISA box is:
> > > > >    - Access rules only two:
> > > > >      1) allow internal to external/all protocol /all users
> > > > >      2) deny all as default
> > > > > =3D3D20
> > > > >    - Internal Network Property:
> > > > >      <Firewall Client>=3D3D20
> > > > >        [CHECK]   Enable Firewall Client support
> > > > >        [UNCHECK] Auto detect setting
> > > > >        [CHECK]   Auto config script
> > > > >        [SELECT]  Use custom URL =3D3D3D
> > > > http://isalocal.firewall.local:8080...
> > > > >        [UNCHECK] Use a Web Proxy Server
> > > > >      <Domain>  =3D3D20
> > > > >        *.firewall.local
> > > > >      <Web Brower>=3D3D20
> > > > >        [CHECK] Bypass Proxy for Web server in this network
> > > > >        [CHECK] Directly Access computer specified in the Domain
> > tab.
> > > > >        Directly Access server & domain: *.firewall.local
> > > > >      <Web Proxy>
> > > > >        [CHECK] Enable Web proxy client
> > > > >        [CHECK] HTTP at 8080
> > > > >        Authentication: [CHECK] Integrated/ Require All User =3D
> > to=3D3D20
> > > > > authenticate
> > > > >      <Auto Discovery>
> > > > >        No setting
> > > > >      <Address>
> > > > >        10.0.0.0-10.0.0.255
> > > > > =3D3D20
> > > > > Web browser setting at client end will be automatically
> configured
> > > by
> > > > > FCW setting and become WebProxy client for HTTP.
> > > > >     =3D3D20
> > > > > I don't know why I need a wpad.dat since no auto discocery.
> > > > > =3D3D20
> > > > >=3D3D20
> > > > >=3D3D20
> > > > >=3D3D20
> > > > >=3D3D20
> > > > >=3D3D20
> > > > >=3D3D20
> > > > >=3D3D20
> > > > > > Please stop trimming the thread.
> > > > > >=3D3D20
> > > > > > I advise that you provide more than a single modified log
> entry.
> > > > > > I can't help you if you insist on filtering the data.
> > > > > >=3D3D20
> > > > > > Additional questions:
> > > > > > Q1 - exactly how is the browser configured?
> > > > > > Q2 - exactly what is the web proxy configuration for the
> > Internal=3D3D20
> > > > > > network?
> > > > > > Q3 - when you do receive the wpad.dat file, exactly what data
> > is=3D3D20
> > > > > > found between "{" and "}" in:
> > > > > >     "function MakeIPs"
> > > > > >     And
> > > > > >     "function MakeNames()"
> > > > > >=3D3D20
> > > > > >=3D3D20
> > > > > > -----Original Message-----
> > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > Sent: Thursday, May 26, 2005 3:22 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA
> 2004
> > > > > >=3D3D20
> > > > > > http://www.ISAserver.org
> > > > > >=3D3D20
> > > > > > I did understand your points, also I have took a examin at
> > whole=3D3D20
> > > > > > logs before & after changing from FQDN to hostname.
> > > > > >=3D3D20
> > > > > > Anyhow, when FQDN is used, there is POPUP asking for
> > > authentication,
> > > >=3D3D20
> > > > > > could you advise any possible reason?
> > > > > >=3D3D20
> > > > > > Thanks,
> > > > > >=3D3D20
> > > > > > Roy Tsao
> > > > > >=3D3D20
> > > > > >=3D3D20
> > > > > > Try not to "filter" the log data.
> > > > > > "Imaginary" information is useless.
> > > > > > If you have a problem sending it to the list, then you need
> > to=3D3D20
> > > > > > rethink your security model.
> > > > > > "Security by obscurity is no security at all".
> > > > > >=3D3D20
> > > > > > Also, you should examine more than a single log entry - it's
> > just
> > > as
> > > >=3D3D20
> > > > > > likely that you're looking at the wrong one.
> > > > > >=3D3D20
> > > > > > ------------------------------------------------------
> > > > > > List Archives: =3D3D
> > > http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > > > > ISA Server Newsletter:
> > > http://www.isaserver.org/pages/newsletter.asp
> > > > > > ISA Server FAQ:
> > > http://www.isaserver.org/pages/larticle.asp?type=3D3D3DFAQ
> > > > > > ------------------------------------------------------
> > > > > > Other Internet Software Marketing Sites:
> > > > > > World of Windows Networking: =3D
> > http://www.windowsnetworking.com=3D3D20
> > > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > > No.1 Exchange Server Resource Site: =3D
> > http://www.msexchange.org=3D3D20
> > > > > > Windows Security Resource Site:
> > http://www.windowsecurity.com/=3D3D20
> > > > > > Network Security Library: http://www.secinf.net/ Windows
> 2000/NT
> > > Fax
> > > >=3D3D20
> > > > > > Solutions: http://www.ntfaxfaq.com
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org Discussion
> > List
> > > > as:
> > > > > > jim@xxxxxxxxxxxx
> > > > > > To unsubscribe visit
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > > >=3D3D20
> > > > > > All mail to and from this domain is GFI-scanned.
> > > > >=3D3D20
> > > > > ------------------------------------------------------
> > > > > List Archives:
> > http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ: =3D3D
> > > http://www.isaserver.org/pages/larticle.asp?type=3D3D3DFAQ
> > > > > ------------------------------------------------------
> > > > > Other Internet Software Marketing Sites:
> > > > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading
> > > > > Network Software Directory: http://www.serverfiles.com
> > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows
> > > > > Security Resource Site: http://www.windowsecurity.com/ =3D
> > Network=3D3D20
> > > > > Security Library: http://www.secinf.net/ Windows 2000/NT
> Fax=3D3D20
> > > > > Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion
> List
> > > as:
> > > > > jim@xxxxxxxxxxxx
> > > > > To unsubscribe visit=3D3D20
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > >=3D3D20
> > > > > All mail to and from this domain is GFI-scanned.
> > > >=3D3D20
> > > > ------------------------------------------------------
> > > > List Archives: =3D
> > http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=3D3D3DFAQ
> > > > ------------------------------------------------------
> > > > Other Internet Software Marketing Sites:
> > > > World of Windows Networking: http://www.windowsnetworking.com
> > Leading
> > > > Network Software Directory: http://www.serverfiles.com
> > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows
> > > > Security Resource Site: http://www.windowsecurity.com/ Network
> > > Security
> > > > Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> > > > http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List
> > as:
> > > > isalist@xxxxxxxxxx To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >=3D3D20
> > > > The correct technical term for haggis stalking is "havering".
> > >=3D20
> > > ------------------------------------------------------
> > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: =3D
> > http://www.isaserver.org/pages/larticle.asp?type=3D3D3DFAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > > tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit =3D3D
> > > http://www.webelists.com/cgi/lyris.pl?enter=3D3D3Disalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> >=20
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: =
> http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit =3D
> > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=3Disalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=3DFAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit =
> http://www.webelists.com/cgi/lyris.pl?enter=3Disalist
> Report abuse to listadmin@xxxxxxxxxxxxx


Other related posts: