Thanks much for the reply, Jim. When I set it up, I used the info at http://www.shijaz.com/isaserver/isa2004_nlb.htm to configure it. I realize that it is for 2004 and I am using 2006, but that was the best thing I could find at the time.

I have made that change. In some quick testing, it does appear to have resolved some of my issues. At least some of the things that weren't directly accessing before are now, but some seem to still be handled by the web proxy filter.

A big THANKS, Jim, on what is clearly an improvement in my situation. Can I be so brazen to ask if you can shed any light on my 1 and 2 questions below?

Bill Mayo

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, January 28, 2009 3:43 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Client Configuration Issues/Questions

The correct solution (as opposed to the "tribal knowledge") is to set the Intra-array address properly. If the wpad includes IP addresses which the clients cannot reach, it's because the server "Communication" tab includes the wrong address.

Fix this first; it's also blocking intra-array communication.

JimmyJoeBob Alooba
Office 2007 on Win7 Beta

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Wednesday, January 28, 2009 10:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Client Configuration Issues/Questions

I have (somewhat) answered my own question on the "makeproxies" question. I found other references to this issue and the solution being roll your own wpad, which I have done. Proxy access works with my tweaked wpad, but I still have some challenges related to my original message. Because my descriptions tend to ramble, I offer the consolidated list of questions below, in the hopes that some of you fine folks might be able to help without having to take a No-Doze.
1) I am seeing inconsistent results with bypassing local domains, address ranges, et al. My "Web Browser" tab in ISA configuration is populated according to the info at KB920715 (e.g. *.site.com/*), as I have to have an IP address in there. I note that the interface doesn't dictate this and the article is for ISA 2004 SP-2 (I am running ISA 2006). Can anyone confirm/deny that the information in this article is applicable to ISA 2006?

2) I have (temporarily) configured my browser to use the modified configuration script and cleared the proxy server info in IE's configuration. When configured like this, my traffic is logged in ISA as going through the web proxy filter (as desired). However, the "destination host name" and "url" fields show the IP of the site instead of the DNS name. If I clear the configuration script (and all auto detect checkboxes) and manually enter the proxy server info, I see the FQDN in those fields. My question is, "Is this normal?"

Thanks,
Bill Mayo

________________________________
From: Mayo, Bill
Sent: Wednesday, January 28, 2009 10:45 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: [isalist] Re: Client Configuration Issues/Questions

Problems sprung back up with this while I was out last week, and I have spent the entire morning researching how exactly all of this works and trying to figure out where my problem is. Resultingly, I understand some things better and am thoroughly confused on others (what I am reading does not match what I am hearing).

In trying to figure out what might not be working with the auto-discovery, I have downloaded and reviewed the WPAD file (automatically generated). I note something in there that I *think* may be the issue, but am hoping that someone can confirm (or set me straight).

Our ISA servers are in an NLB. To that end, I have 3 NICs on each server.

NIC-1 is the internal connection. It has an IP address to which our internal clients can connect. It also shows that the NLB-specific IP is bound to it.
NIC-2 faces the internet. The IP address is technically reachable by clients, but shouldn't be. This adapter has the default gateway.

NIC-3 is the NLB adapter. This NIC uses a private network address and is on a private network that is not routable. The IP address here is 192.168.1.x.

The (not currently enabled) autodiscovery information pointed to the NLB-specific IP (which is bound to NIC-1). This is the NIC/IP to which I would expect traffic to be routed.

At this point, I get to what I think may be the problem. When I examine the "wpad.dat" file in notepad, I see:

    function MakeProxies(){
    this[0]=new Node("192.168.1.12",1965764837,1.000000);
    this[1]=new Node("192.168.1.7",3977323674,1.000000);

This looks to me like the WPAD file is telling the clients to use 192.168.1.12 and 192.168.1.7 as the proxy addresses. These are not addresses the client can reach and are (intentionally) sitting on a private network, as I believed was supposed to be the case. In every respect that I can measure, NLB seems to be working properly so I am assuming I have it configured correctly.

Am I interpreting this correctly? If so, is this indicative that I have a configuration problem with NLB, or is there some other reason why those addresses are showing up? Most importantly, what can I do about it?

Thanks,
Bill Mayo

________________________________
...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill [bemayo@xxxxxxxxxxxxxxxx]
Sent: Thursday, January 15, 2009 12:43 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Client Configuration Issues/Questions

We are having a couple of issues related to client configuration/access for outbound traffic through ISA Server 2006 Enterprise Edition. I realize that these issues may be somewhat off-topic, but I hope someone may have some insight.
The first issue is that we have some clients for whom browser traffic originates via the Firewall Client instead of the Web Proxy (to put it another way, ISA logging shows the Log Record Type to be Firewall, as opposed to Web Proxy Filter). This is mainly problematic because we have some clients that have access to only specific web sites, that are defined in rules using domain name sets. The problem is that the traffic hits ISA server by IP instead of DNS name and it doesn't match the rules. Unless I am missing something, this is because the Firewall Client is doing the DNS lookup itself and just asking to access the IP. Because the rules use the DNS name, ISA doesn't detect it as a match.

We are publishing the proxy server in both DHCP and DNS, in addition to pushing the value through group policy. Nonetheless, some clients' browsers don't seem to be respecting the setting. I have had some success in kick-starting the setting by hitting the "Configure Now" button on the web browser tab in the firewall client, but that does not work for everyone. It sure seems to be a registry problem, but having to delete profiles and/or re-image the computers is a bit extreme for resolving this. I can verify that, in at least one of these situations, Internet Explorer showed the correct proxy server address in LAN Settings, but the traffic continued to go through the firewall client.

The second issue has to do with local addresses going through the proxy server (this issue affects folks who are correctly going through the web proxy). Despite the way I believe it is configured, access to internal sites is going through the proxy server. In most cases this doesn't cause a major issue, but there are some instances where it does (e.g. an internal dvr-appliance that tries to establish an SSL connection over port 8129).
On the Internal network properties dialog, I have the internal address range listed (Addresses tab) and I have the "Directly access computers specified in the Addresses tab" checkbox enabled on the Web Browser tab. Nonetheless, the traffic is being sent through the ISA Server web proxy (and, in the case of the non-standard SSL port, is blowing up). Is there something I am missing here?

If I can provide any further information about our configuration that would be helpful, I would be happy to provide it.

~~~~~~~~~~
Bill Mayo
Pitt County MIS
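
The symptom discussed in this thread (an auto-generated wpad.dat whose MakeProxies() entries point at intra-array addresses that clients cannot reach) can be checked mechanically. The following is an added example, not part of the original thread and not Microsoft's code: it parses the Node entries out of a wpad.dat and lists those that fall outside the client-facing ranges. The function names, the constructed sample file and the 10.20.0.0/16 client range are assumptions made for illustration.

```javascript
// Added example: audit the proxy nodes an ISA-generated wpad.dat advertises.
// Constructed sample modelled on the excerpt quoted in the thread; the closing
// brace is added here so the sample is a complete function.
const sampleWpad = `
function MakeProxies(){
this[0]=new Node("192.168.1.12",1965764837,1.000000);
this[1]=new Node("192.168.1.7",3977323674,1.000000);
}`;

// Convert a dotted-quad IPv4 string to an unsigned integer, or null if invalid.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr (for example "10.20.0.0/16").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipN = ipToInt(ip), baseN = ipToInt(base);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  const size = 2 ** (32 - bits); // number of addresses in the block
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Pull every Node("host", hash, load) entry out of the PAC text.
function extractProxyNodes(pacText) {
  const re = /new\s+Node\(\s*"([^"]+)"\s*,\s*(\d+)\s*,\s*([\d.]+)\s*\)/g;
  return [...pacText.matchAll(re)].map(m => ({ host: m[1], load: Number(m[3]) }));
}

// Advertised IP addresses that lie outside every client-facing range.
// Entries given as hostnames are skipped: judging them needs a DNS lookup.
function unreachableNodes(pacText, clientCidrs) {
  return extractProxyNodes(pacText)
    .filter(n => ipToInt(n.host) !== null)
    .filter(n => !clientCidrs.some(c => inCidr(n.host, c)))
    .map(n => n.host);
}

// 10.20.0.0/16 is a hypothetical client-facing range, not taken from the thread.
console.log(unreachableNodes(sampleWpad, ["10.20.0.0/16"]));
```

A non-empty result means the array is publishing addresses from the wrong interface, which is the condition the intra-array address setting is meant to correct.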