RE: Help with the web proxy setup in ISA 2004
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 30 May 2005 06:53:50 -0500
Hi Roy,
I think I might understand your problem now.
You should *never* enable the "ask unauthenticated users to
authenticate" option. If you want to force authenticaiton, use Access
Rules
HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Monday, May 30, 2005 1:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
http://www.ISAserver.org
To All Married Guys,
The disucssion threads caused by me seems to be overflow while
I really want to make sure the correct configuration and get
to know the working merchanism. To summarize the past discussion,
what I want to know is
- based on Client type: 1) FWC 2)WPC (webproxy)
- at conditions: "webproxy authentication is enabled"
"autoproxy configuration shall be applied"
autodisvoery is properly configured already
- result: right configuration so that no popup ask for authencaiton
in web browsing
After verious kinds of test in my VM, the situation is like this:
1) FWC:
problem 1): if select "autodect ISA server" at FWC, it fails
to find out unless "webproxy authentication is disabled"
problme 2): if only select "autoconfig script" option at FWC tab
for interal network configuration, popup windows
asking for authentication comes up unless modify
the autoscript URL by replace "ISA_FQDN" into
"isa_host_name"
no popup authentication windows only when select "autodetect" at
at FWC tab for interal network configuration.
2) WPC:
problem 3): in addtion to check webproxy agent, enable either
autodectection or autodectation option at brower
will bring up authentication windows (this
must be caused by webproxy authenciation requirement),
keep click cancel "Pop-up" so that broswer act
just as natural WPC without autoconfiguration data to
pass
authentication.
WPC must be manually setup including bypass list at client brower
side.
As a conclusion, there is setting limitation for autoproxy/detection
when "webproxy authentication is required for all users". Kindly
let me know your some explanation for above problem 1) -3) if you
think I am wrong.
Thanks,
Roy Tsao
> Hi Roy-sama
>
> The entries in DNS or DHCP provide the client information about how to
> get the autoconfiguration information. That information is published
on
> the autodiscovery port you configure on the ISA firewall.
>
> HTH,=20
>
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=20
> Sent: Friday, May 27, 2005 1:00 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
>
> http://www.ISAserver.org
>
> Thank you Shinder-san. Yup, I did know the setting for autodiscovrey
> through both DHCP and DNS BUT BUT I have not known this kind of
> setting for WPAD also needed for "Autoconfig", if so I have taken
> a basic wrong concept regarding autocnfig setting, believe
> not small number of ISA guys are the same, then I could understand
> many posts in local forum here asking about why POPUP window
> for authenciation though autoconfig is setted up.=20
>
>
> > Hi Roy,
> >=20
> > Works the same in ISA Server 2004 (mostly):
> >=20
> > =
>
http://www.isaserver.org/img/upl/isaedukit/5automate/5automate.htm=3D20
> >=20
> >=20
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >=20
> >=20
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=3D20
> > Sent: Friday, May 27, 2005 8:14 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> >=20
> > http://www.ISAserver.org
> >=20
> > S guy,
> >=20
> > To be perfectly honest with you, it is first time for me to know
> > wpad entry is reuired in dns for "autoproxy" I/O "autodectection"
> > (=3D3Dautodisvoery). I never know it shall be prepare for
webproxy/fwc
> > client!
> >=20
> > Thanks,
> >=20
> > Roy Tsao
> >=20
> > P.S.: why don't you spend you time with you lovely wife, network is
> not
> > your main after your marriage otherwise your wife shall complain you
a
> > lot
> > in talking with lot of guys known! Kidding!!!
> >=20
> >=20
> > > Roy
> > >=3D20
> > > Yes you need a wpad entry in dns pointing to the internal ip of
isa.
> > >=3D20
> > > Also make sure your wpad string is http://wpad/wpad.dat
> > >=3D20
> > >=3D20
> > > WITH NO PORT NUMBER after the 1st wpad
> > >=3D20
> > > S
> > >=3D20
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]=3D20
> > > Sent: Friday, May 27, 2005 10:03 AM
> > > To: ISA Mailing List
> > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > >=3D20
> > > http://www.ISAserver.org
> > >=3D20
> > > Dear Jim-san,
> > >=3D20
> > > Sorry for disturbing you a lot but please be advised that I am not
> > pro.
> > > in network (it is just my private fan to learn computer network
> which
> > is
> > > far from my present career), nor I am a native English speaker but
> > > oriental guy, please be patient!
> > >=3D20
> > > 1) unfiltered logs: I am not trying to hide it but it will be very
> > hard
> > > for you to read it out since my ISA version is not English so
you
> > > may not judge what it is. May I try to take it out and send it
to
> > > your private address.
> > > 2) Brower configuration: the brower at client end has no setting
> since
> > > FWC is installed namely initially not setting and it becomes
> > > autoconfiguration webproxy client as per FWC's setting. The
> > > autoconfiguration is checked finally with no other options. That's
> why
> > I
> > > did not answer the browser's question
> > > 3) Request merchanisam on http://wpad...: It is really a helpful
> > > information for me to know those form you. I can download wpad.dat
> if
> > I
> > > replace "wpad"
> > > into "firewall_host_name:8080". Shall I sent this file to you?
Also,
> > do
> > > I need to configure DHCP to point WPAD into right ISABOX internal
> > > address, I am getting confused in WPADed things aside from
> > > autodectection.
> > >=3D20
> > > Thanks,
> > >=3D20
> > > Roy Tsao
> > >=3D20
> > > > The discussion centers on "autoconfiguration".
> > > > This functionality is based on a request for
http://wpad/wpad.dat
> > from
> > >=3D20
> > > > the browser and http://wpad/wspad.dat from the FWC.
> > > > This is why I want you to examine the wpad.dat.
> > > >=3D20
> > > > You still have not answered the browser question.
> > > > You still have not provided unfiltered log entries.
> > > >=3D20
> > > > This isn't magic, Roy and I don't read minds.
> > > > I do tire of playing oral surgeon, though.
> > > >=3D20
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > Sent: Thursday, May 26, 2005 9:04 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > >=3D20
> > > > http://www.ISAserver.org
> > > >=3D20
> > > > Dear Harrison-san,
> > > > =3D20
> > > > The setting of my present VM lab ISA box is:
> > > > - Access rules only two:
> > > > 1) allow internal to external/all protocol /all users
> > > > 2) deny all as default
> > > > =3D20
> > > > - Internal Network Property:
> > > > <Firewall Client>=3D20
> > > > [CHECK] Enable Firewall Client support
> > > > [UNCHECK] Auto detect setting
> > > > [CHECK] Auto config script
> > > > [SELECT] Use custom URL =3D3D
> > > http://isalocal.firewall.local:8080...
> > > > [UNCHECK] Use a Web Proxy Server
> > > > <Domain> =3D20
> > > > *.firewall.local
> > > > <Web Brower>=3D20
> > > > [CHECK] Bypass Proxy for Web server in this network
> > > > [CHECK] Directly Access computer specified in the Domain
> tab.
> > > > Directly Access server & domain: *.firewall.local
> > > > <Web Proxy>
> > > > [CHECK] Enable Web proxy client
> > > > [CHECK] HTTP at 8080
> > > > Authentication: [CHECK] Integrated/ Require All User =
> to=3D20
> > > > authenticate
> > > > <Auto Discovery>
> > > > No setting
> > > > <Address>
> > > > 10.0.0.0-10.0.0.255
> > > > =3D20
> > > > Web browser setting at client end will be automatically
configured
> > by
> > > > FCW setting and become WebProxy client for HTTP.
> > > > =3D20
> > > > I don't know why I need a wpad.dat since no auto discocery.
> > > > =3D20
> > > >=3D20
> > > >=3D20
> > > >=3D20
> > > >=3D20
> > > >=3D20
> > > >=3D20
> > > >=3D20
> > > > > Please stop trimming the thread.
> > > > >=3D20
> > > > > I advise that you provide more than a single modified log
entry.
> > > > > I can't help you if you insist on filtering the data.
> > > > >=3D20
> > > > > Additional questions:
> > > > > Q1 - exactly how is the browser configured?
> > > > > Q2 - exactly what is the web proxy configuration for the
> Internal=3D20
> > > > > network?
> > > > > Q3 - when you do receive the wpad.dat file, exactly what data
> is=3D20
> > > > > found between "{" and "}" in:
> > > > > "function MakeIPs"
> > > > > And
> > > > > "function MakeNames()"
> > > > >=3D20
> > > > >=3D20
> > > > > -----Original Message-----
> > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > Sent: Thursday, May 26, 2005 3:22 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA
2004
> > > > >=3D20
> > > > > http://www.ISAserver.org
> > > > >=3D20
> > > > > I did understand your points, also I have took a examin at
> whole=3D20
> > > > > logs before & after changing from FQDN to hostname.
> > > > >=3D20
> > > > > Anyhow, when FQDN is used, there is POPUP asking for
> > authentication,
> > >=3D20
> > > > > could you advise any possible reason?
> > > > >=3D20
> > > > > Thanks,
> > > > >=3D20
> > > > > Roy Tsao
> > > > >=3D20
> > > > >=3D20
> > > > > Try not to "filter" the log data.
> > > > > "Imaginary" information is useless.
> > > > > If you have a problem sending it to the list, then you need
> to=3D20
> > > > > rethink your security model.
> > > > > "Security by obscurity is no security at all".
> > > > >=3D20
> > > > > Also, you should examine more than a single log entry - it's
> just
> > as
> > >=3D20
> > > > > likely that you're looking at the wrong one.
> > > > >=3D20
> > > > > ------------------------------------------------------
> > > > > List Archives: =3D
> > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ
> > > > > ------------------------------------------------------
> > > > > Other Internet Software Marketing Sites:
> > > > > World of Windows Networking: =
> http://www.windowsnetworking.com=3D20
> > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > No.1 Exchange Server Resource Site: =
> http://www.msexchange.org=3D20
> > > > > Windows Security Resource Site:
> http://www.windowsecurity.com/=3D20
> > > > > Network Security Library: http://www.secinf.net/ Windows
2000/NT
> > Fax
> > >=3D20
> > > > > Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion
> List
> > > as:
> > > > > jim@xxxxxxxxxxxx
> > > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > >=3D20
> > > > > All mail to and from this domain is GFI-scanned.
> > > >=3D20
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: =3D
> > http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ
> > > > ------------------------------------------------------
> > > > Other Internet Software Marketing Sites:
> > > > World of Windows Networking: http://www.windowsnetworking.com
> > Leading
> > > > Network Software Directory: http://www.serverfiles.com
> > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows
> > > > Security Resource Site: http://www.windowsecurity.com/ =
> Network=3D20
> > > > Security Library: http://www.secinf.net/ Windows 2000/NT
Fax=3D20
> > > > Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
List
> > as:
> > > > jim@xxxxxxxxxxxx
> > > > To unsubscribe visit=3D20
> > > > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >=3D20
> > > > All mail to and from this domain is GFI-scanned.
> > >=3D20
> > > ------------------------------------------------------
> > > List Archives: =
> http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> Leading
> > > Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows
> > > Security Resource Site: http://www.windowsecurity.com/ Network
> > Security
> > > Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> > > http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > > isalist@xxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >=3D20
> > > The correct technical term for haggis stalking is "havering".
> >=20
> > ------------------------------------------------------
> > List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: =
> http://www.isaserver.org/pages/larticle.asp?type=3D3DFAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit =3D
> > http://www.webelists.com/cgi/lyris.pl?enter=3D3Disalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=3Disalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=3DFAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit =
> http://www.webelists.com/cgi/lyris.pl?enter=3Disalist
> Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
