RE: Help with the web proxy setup in ISA 2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 30 May 2005 07:00:21 -0500

Hi Roy,

Good point! I've been using that Registry setting for a while now and
it's made the log on dialog boxes go away.

Good job Stefaan! 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Monday, May 30, 2005 6:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help with the web proxy setup in ISA 2004

http://www.ISAserver.org

Dear Pouseele Sama,

Your post is just in time. Configuring the Registry per KB885683 threw
away my whole long pain!!!

It solves problems under conditions of webproxy authentication as follows:
1) ISA firewall detect at FWC
2) Autodetect per WPC's browser
3) Autoconfig per FWC's browser based on URL FQDN I/O host_name
4) Autoconfig per WPC's browser based on URL FQDN
which never worked and became a big hardship in deploying auto
configuration. No more POP-UP!!!

Dear Jim-sama,
Webproxy authentication did break not only FWC but also WPC. I am
sorry for sending you the configuration data because it wasted your time
and there was nothing to be identified.

Dear Shinder-sama,
You may refer to Pouseele-sama's article, and it shall be within your
next edition of the ISA Guidebook. Before MS$ released the KB, there must
have been a lot of guys who couldn't deploy autoconfig under web
authentication, like me. Our misunderstanding is that autoconfig and also
autodiscovery are merely based on an HTTP download from ISA; once webproxy
authentication is required, it does not, therefore we can't enable
authentication options!

Anyway, I am so excited to settle this problem even though it was
finally several figure touch.

Thanks again,

Roy Tsao

> Dear Stefaan,
> 
> You might be the guy who understands my pain! Let me read your
> intermediate article!
> 
> Thanks,
> 
> Roy Tsao
> 
> > Hi Roy, 
> > 
> > I'm currently writing a new article for isaserver.org about this
> > subject. You can already read an early draft at
> > http://users.skynet.be/spouseele/ClientAutoConfig/ISA2004_ClientAutoConfig.htm.
> > 
> > HTH, 
> > Stefaan
> > 
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > Sent: Monday, 30 May 2005 8:56
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > 
> > http://www.ISAserver.org
> > 
> > To All Married Guys,
> > 
> > 
> > The discussion threads caused by me seem to be overflowing, while I
> > really want to make sure of the correct configuration and get to know
> > the working mechanism. To summarize the past discussion, what I want
> > to know is
> >   - based on Client type: 1) FWC 2) WPC (webproxy)
> >   - at conditions: "webproxy authentication is enabled"
> >                    "autoproxy configuration shall be applied"
> >                    autodiscovery is properly configured already
> >   - result: right configuration so that no popup asks for
> >             authentication in web browsing
> >  
> > After various kinds of tests in my VM, the situation is like this:
> > 1) FWC:
> >    problem 1): if select "autodetect ISA server" at FWC, it fails
> >                to find out unless "webproxy authentication is
> >                disabled"
> >    problem 2): if only select "autoconfig script" option at FWC tab
> >                for internal network configuration, popup windows
> >                asking for authentication come up unless modify
> >                the autoscript URL by replacing "ISA_FQDN" with
> >                "isa_host_name"
> >    no popup authentication windows only when select "autodetect" at
> >    FWC tab for internal network configuration.
> > 
> > 2) WPC:
> >    problem 3): in addition to check webproxy agent, enable either
> >                autodetection or autodectation option at browser
> >                will bring up authentication windows (this
> >                must be caused by webproxy authentication
> >                requirement),
> >                keep click cancel "Pop-up" so that browser act
> >                just as natural WPC without autoconfiguration data to
> >                pass authentication.
> >    WPC must be manually setup including bypass list at client browser
> >    side.
> > 
> > As a conclusion, there is a setting limitation for autoproxy/detection
> > when "webproxy authentication is required for all users". Kindly let
> > me know your explanation for above problems 1) - 3) if you think I am
> > wrong.
> > 
> > Thanks,
> > 
> > Roy Tsao
> > 
> >    
> > 
> > 
> > > Hi Roy-sama
> > > 
> > > The entries in DNS or DHCP provide the client information about
> > > how to get the autoconfiguration information. That information is
> > > published on the autodiscovery port you configure on the ISA
> > > firewall.
> > > 
> > > HTH,
> > > 
> > > 
> > > Tom
> > > www.isaserver.org/shinder
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > 
> > > 
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > Sent: Friday, May 27, 2005 1:00 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Thank you Shinder-san. Yup, I did know the setting for
> > > autodiscovery through both DHCP and DNS BUT BUT I have not known
> > > this kind of setting for WPAD is also needed for "Autoconfig"; if so
> > > I have taken a basic wrong concept regarding autoconfig setting. I
> > > believe not a small number of ISA guys are the same; then I could
> > > understand the many posts in the local forum here asking about why
> > > a POPUP window for authentication appears though autoconfig is set up.
> > > 
> > > 
> > > > Hi Roy,
> > > > 
> > > > Works the same in ISA Server 2004 (mostly):
> > > > 
> > > > http://www.isaserver.org/img/upl/isaedukit/5automate/5automate.htm
> > > > 
> > > > 
> > > > Tom
> > > > www.isaserver.org/shinder
> > > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > > http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > Sent: Friday, May 27, 2005 8:14 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > S guy,
> > > > 
> > > > To be perfectly honest with you, it is the first time for me to know
> > > > a wpad entry is required in DNS for "autoproxy" I/O "autodetection"
> > > > (=autodiscovery). I never knew it should be prepared for webproxy/fwc
> > > > client!
> > > > 
> > > > Thanks,
> > > > 
> > > > Roy Tsao
> > > > 
> > > > P.S.: why don't you spend your time with your lovely wife, network
> > > > is not your main after your marriage, otherwise your wife shall
> > > > complain about you a lot in talking with a lot of guys known!
> > > > Kidding!!!
> > > > 
> > > > 
> > > > > Roy
> > > > > 
> > > > > Yes you need a wpad entry in dns pointing to the internal ip of isa.
> > > > > 
> > > > > Also make sure your wpad string is http://wpad/wpad.dat
> > > > > 
> > > > > WITH NO PORT NUMBER after the 1st wpad
> > > > > 
> > > > > S
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > Sent: Friday, May 27, 2005 10:03 AM
> > > > > To: ISA Mailing List
> > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Dear Jim-san,
> > > > > 
> > > > > Sorry for disturbing you a lot but please be advised that I am not
> > > > > a pro in network (it is just my private fun to learn computer
> > > > > network, which is far from my present career), nor am I a native
> > > > > English speaker but an oriental guy, please be patient!
> > > > > 
> > > > > 1) unfiltered logs: I am not trying to hide it but it will be very
> > > > >    hard for you to read it out since my ISA version is not English
> > > > >    so you may not judge what it is. May I try to take it out and
> > > > >    send it to your private address.
> > > > > 2) Browser configuration: the browser at client end has no setting
> > > > >    since FWC is installed, namely initially no setting, and it
> > > > >    becomes an autoconfiguration webproxy client as per FWC's
> > > > >    setting. The autoconfiguration is checked finally with no other
> > > > >    options. That's why I did not answer the browser's question.
> > > > > 3) Request mechanism on http://wpad...: It is really helpful
> > > > >    information for me to know those from you. I can download
> > > > >    wpad.dat if I replace "wpad" with "firewall_host_name:8080".
> > > > >    Shall I send this file to you? Also, do I need to configure
> > > > >    DHCP to point WPAD to the right ISABOX internal address? I am
> > > > >    getting confused in WPADed things aside from autodetection.
> > > > > 
> > > > > Thanks,
> > > > > 
> > > > > Roy Tsao
> > > > > 
> > > > > > The discussion centers on "autoconfiguration".
> > > > > > This functionality is based on a request for
> > > > > > http://wpad/wpad.dat from the browser and
> > > > > > http://wpad/wspad.dat from the FWC.
> > > > > > This is why I want you to examine the wpad.dat.
> > > > > > 
> > > > > > You still have not answered the browser question.
> > > > > > You still have not provided unfiltered log entries.
> > > > > > 
> > > > > > This isn't magic, Roy and I don't read minds.
> > > > > > I do tire of playing oral surgeon, though.
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > Sent: Thursday, May 26, 2005 9:04 PM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > 
> > > > > > http://www.ISAserver.org
> > > > > > 
> > > > > > Dear Harrison-san,
> > > > > > 
> > > > > > The setting of my present VM lab ISA box is:
> > > > > >    - Access rules only two:
> > > > > >      1) allow internal to external/all protocol /all users
> > > > > >      2) deny all as default
> > > > > > 
> > > > > >    - Internal Network Property:
> > > > > >      <Firewall Client>
> > > > > >        [CHECK]   Enable Firewall Client support
> > > > > >        [UNCHECK] Auto detect setting
> > > > > >        [CHECK]   Auto config script
> > > > > >        [SELECT]  Use custom URL = http://isalocal.firewall.local:8080...
> > > > > >        [UNCHECK] Use a Web Proxy Server
> > > > > >      <Domain>
> > > > > >        *.firewall.local
> > > > > >      <Web Browser>
> > > > > >        [CHECK] Bypass Proxy for Web server in this network
> > > > > >        [CHECK] Directly Access computer specified in the Domain tab.
> > > > > >        Directly Access server & domain: *.firewall.local
> > > > > >      <Web Proxy>
> > > > > >        [CHECK] Enable Web proxy client
> > > > > >        [CHECK] HTTP at 8080
> > > > > >        Authentication: [CHECK] Integrated/ Require All User to authenticate
> > > > > >      <Auto Discovery>
> > > > > >        No setting
> > > > > >      <Address>
> > > > > >        10.0.0.0-10.0.0.255
> > > > > > 
> > > > > > Web browser setting at client end will be automatically configured
> > > > > > by FWC setting and become WebProxy client for HTTP.
> > > > > > 
> > > > > > I don't know why I need a wpad.dat since no auto discovery.
> > > > > > 
> > > > > > > Please stop trimming the thread.
> > > > > > > 
> > > > > > > I advise that you provide more than a single modified log entry.
> > > > > > > I can't help you if you insist on filtering the data.
> > > > > > > 
> > > > > > > Additional questions:
> > > > > > > Q1 - exactly how is the browser configured?
> > > > > > > Q2 - exactly what is the web proxy configuration for the
> > > > > > >   Internal network?
> > > > > > > Q3 - when you do receive the wpad.dat file, exactly what data is
> > > > > > >   found between "{" and "}" in:
> > > > > > >   "function MakeIPs"
> > > > > > >   And
> > > > > > >   "function MakeNames()"
> > > > > > > 
> > > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > Sent: Thursday, May 26, 2005 3:22 AM
> > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > > 
> > > > > > > http://www.ISAserver.org
> > > > > > > 
> > > > > > > I did understand your points, also I have taken an examination of
> > > > > > > the whole logs before & after changing from FQDN to hostname.
> > > > > > > 
> > > > > > > Anyhow, when FQDN is used, there is a POPUP asking for
> > > > > > > authentication, could you advise any possible reason?
> > > > > > > 
> > > > > > > Thanks,
> > > > > > > 
> > > > > > > Roy Tsao
> > > > > > > 
> > > > > > > 
> > > > > > > Try not to "filter" the log data.
> > > > > > > "Imaginary" information is useless.
> > > > > > > If you have a problem sending it to the list, then you need to
> > > > > > > rethink your security model.
> > > > > > > "Security by obscurity is no security at all".
> > > > > > > 
> > > > > > > Also, you should examine more than a single log entry - it's just
> > > > > > > as likely that you're looking at the wrong one.
> > > > > > > 
> > > > > > > ------------------------------------------------------
> > > > > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > > > ------------------------------------------------------
> > > > > > > Other Internet Software Marketing Sites:
> > > > > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > > > Network Security Library: http://www.secinf.net/
> > > > > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > > > > ------------------------------------------------------
> > > > > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > > > > jim@xxxxxxxxxxxx
> > > > > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > > > > 
> > > > > > > All mail to and from this domain is GFI-scanned.
> > > > > The correct technical term for haggis stalking is "havering".
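
Added example, not part of the original thread: Jim's Q3 asks what sits between "{" and "}" in "function MakeIPs" and "function MakeNames()" of the downloaded wpad.dat. The JavaScript below pulls those bodies out of a saved copy and flags a download that is not a PAC script at all, such as an authentication error page. Both samples are constructed here, and the layout of a real ISA-generated wpad.dat is an assumption.

```javascript
// Constructed sample shaped like an ISA-generated wpad.dat (assumed layout,
// not captured from a real firewall). Values mirror the lab in the thread.
const SAMPLE_WPAD = `
function MakeIPs(){
this[0]="10.0.0.0";
this[1]="10.0.0.255";
}
function MakeNames(){
this[0]="*.firewall.local";
}
function FindProxyForURL(url, host){
  if (shExpMatch(host, "*.firewall.local")) { return "DIRECT"; }
  return "PROXY isalocal.firewall.local:8080; DIRECT";
}
`;

// Constructed sample of what a client saves when the proxy answers the
// wpad.dat request with an authentication challenge instead of the script.
const SAMPLE_AUTH_PAGE =
  "<html><body><h1>Proxy Authentication Required</h1></body></html>";

// Return the text between the outermost "{" and "}" of the named function,
// or null when the function is missing or its braces never balance.
// Braces inside string literals are ignored; comments are not parsed.
function functionBody(script, name) {
  const decl = new RegExp("function\\s+" + name + "\\s*\\([^)]*\\)\\s*\\{");
  const m = decl.exec(script);
  if (!m) return null;
  const start = m.index + m[0].length;
  let depth = 1;
  let quote = null;
  for (let i = start; i < script.length; i++) {
    const ch = script[i];
    if (quote) {
      if (ch === "\\") i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // string literal ends
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === "{") {
      depth++;
    } else if (ch === "}" && --depth === 0) {
      return script.slice(start, i).trim();
    }
  }
  return null; // truncated download
}

// Double-quoted values assigned inside a function body, in order.
function assignedValues(body) {
  if (body === null) return [];
  return Array.from(body.matchAll(/=\s*"([^"]*)"/g), (hit) => hit[1]);
}

// Summary an admin can paste into a support thread instead of the raw file.
function summarizeWpad(text) {
  return {
    isPacScript: functionBody(text, "FindProxyForURL") !== null,
    makeIPs: assignedValues(functionBody(text, "MakeIPs")),
    makeNames: assignedValues(functionBody(text, "MakeNames")),
  };
}

console.log(summarizeWpad(SAMPLE_WPAD));
console.log(summarizeWpad(SAMPLE_AUTH_PAGE));
```

An `isPacScript` value of false for a file fetched from the wpad URL means the client received something other than the script, which is the case to rule out before comparing MakeIPs and MakeNames against the Internal network settings.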



