Some things you want to keep in mind:

1. *_NOTHING_* you set in ISA client configuration is of any value if the clients can't get the information. ISA doesn't "push" anything to the clients; they *_MUST_* request it from ISA.
2. Unless you can configure the client to use autodiscovery (and of course configure WPAD in your environment) or a configuration URL, the client will *_NOT_* request this data from ISA.
3. ISA will attempt to perform PTR lookups for IP-based requests, but since Internet-based PTR zones are as worthwhile as a teenager on a Sat morning, this frequently fails.

One of my fav examples for #3:

1. ISA has an allow rule for 'www.microsoft.com'
2. 'www.microsoft.com' resolves to (in my location):

    C:\>nslookup www.microsoft.com 4.2.2.2
    Server:  vnsc-bak.sys.gtei.net
    Address:  4.2.2.2

    Non-authoritative answer:
    Name:    lb1.www.ms.akadns.net
    Addresses:  65.55.12.249, 207.46.192.254, 207.46.193.254
    Aliases:  www.microsoft.com, toggle.www.ms.akadns.net
              g.www.ms.akadns.net

3. Client makes a connection to 207.46.192.254
4. ISA asks Windows to resolve the IP to a name
5. Windows queries DNS for a PTR record relative to 207.46.192.254:

    C:\>nslookup -type=ptr 207.46.192.254 4.2.2.2
    Server:  vnsc-bak.sys.gtei.net
    Address:  4.2.2.2

    Non-authoritative answer:
    254.192.46.207.in-addr.arpa     name = wwwtk2test1.microsoft.com

Guess what; not only does 'wwwtk2test1.microsoft.com' not match 'www.microsoft.com', it doesn't match any of the aliases also related to this IP address. Therefore, there is no mapping from the IP to the names ISA has available to it and the request must fail.

'This stuff ain't magic...'
Jim

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill [bemayo@xxxxxxxxxxxxxxxx]
Sent: Thursday, January 15, 2009 12:43 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Client Configuration Issues/Questions

We are having a couple of issues related to client configuration/access for outbound traffic through ISA Server 2006 Enterprise Edition. I realize that these issues may be somewhat off-topic, but I hope someone may have some insight.

The first issue is that we have some clients for whom browser traffic originates via the Firewall Client instead of the Web Proxy (to put it another way, ISA logging shows the Log Record Type to be Firewall, as opposed to Web Proxy Filter). This is mainly problematic because we have some clients that have access to only specific web sites, which are defined in rules using domain name sets. The problem is that the traffic hits ISA server by IP instead of DNS name and it doesn't match the rules. Unless I am missing something, this is because the Firewall Client is doing the DNS lookup itself and just asking to access the IP. Because the rules use the DNS name, ISA doesn't detect it as a match. We are publishing the proxy server in both DHCP and DNS, in addition to pushing the value through group policy. Nonetheless, some clients' browsers don't seem to be respecting the setting. I have had some success in kick-starting the setting by hitting the "Configure Now" button on the web browser tab in the firewall client, but that does not work for everyone. It sure seems to be a registry problem, but having to delete profiles and/or re-image the computers is a bit extreme for resolving this. I can verify that, in at least one of these situations, Internet Explorer showed the correct proxy server address in LAN Settings, but the traffic continued to go through the firewall client.
The second issue has to do with local addresses going through the proxy server (this issue affects folks who are correctly going through the web proxy). Despite the way I believe it is configured, access to internal sites is going through the proxy server. In most cases this doesn't cause a major issue, but there are some instances where it does (e.g. an internal DVR appliance that tries to establish an SSL connection over port 8129). On the Internal network properties dialog, I have the internal address range listed (Addresses tab) and I have the "Directly access computers specified in the Addresses tab" checkbox enabled on the Web Browser tab. Nonetheless, the traffic is being sent through the ISA Server web proxy (and, in the case of the non-standard SSL port, is blowing up). Is there something I am missing here?

If I can provide any further information about our configuration that would be helpful, I would be happy to provide it.

~~~~~~~~~~
Bill Mayo
Pitt County MIS
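As an added illustration of Jim's point #3 (not code from either poster), here is a small Python model of how a domain-name-set rule can only ever see the PTR name when a Firewall Client hands ISA a bare IP. The lookup tables are constructed from the nslookup output quoted in the thread so the script runs offline; `live_reverse` is the real OS resolver call for checking other destinations.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Constructed sample data from the nslookup output quoted above (Jan 2009).
SHARED = ["65.55.12.249", "207.46.192.254", "207.46.193.254"]
FORWARD = {n: SHARED for n in ("www.microsoft.com", "lb1.www.ms.akadns.net",
                               "toggle.www.ms.akadns.net", "g.www.ms.akadns.net")}
REVERSE = {"207.46.192.254": "wwwtk2test1.microsoft.com"}  # the PTR answer shown

def offline_reverse(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0]; None when no PTR exists."""
    return REVERSE.get(ip)

def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup through the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_names(ip: str) -> set:
    """Every forward name in the sample data that resolves to this IP."""
    return {n for n, addrs in FORWARD.items() if ip in addrs}

def rule_matches(destination: str, domain_set: Iterable[str],
                 reverse: Callable[[str], Optional[str]] = offline_reverse):
    """Evaluate one request against a domain name set as Jim describes it:
    a Web Proxy client sends the host name, compared directly; a Firewall
    Client sends only the IP, so the PTR record is the one name ISA can
    recover (forward aliases are unreachable from the IP). Returns (ok, why).
    """
    allowed = {n.lower().rstrip(".") for n in domain_set}
    try:
        ipaddress.ip_address(destination)
    except ValueError:  # not an IP literal: a host name from a Web Proxy client
        name = destination.lower().rstrip(".")
        return name in allowed, f"host name {name!r} compared directly"
    ptr = reverse(destination)
    if ptr is None:
        return False, f"no PTR for {destination}; nothing to compare"
    ptr = ptr.lower().rstrip(".")
    return ptr in allowed, f"PTR {ptr!r} compared against the rule"

if __name__ == "__main__":
    rule = ["www.microsoft.com"]
    for dest in ("www.microsoft.com", "207.46.192.254", "65.55.12.249"):
        ok, why = rule_matches(dest, rule)
        print(f"{dest:18} {'ALLOW' if ok else 'DENY':5} {why}")
    print("names forwarding to 207.46.192.254:", sorted(forward_names("207.46.192.254")))
```

Run as-is it shows the web-proxy request allowed and both IP-only requests denied, one because the PTR name is not in the rule and one because no PTR exists at all.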