ISA 2004 Web Proxy Auto Discover
- Hi,
I was wondering if it would be possible for auto discover to work with this setup. We have 2 connections to the internet: one is for our network and the other is for a guest wireless. I am trying to set up auto discover on the guest wireless. The server specs: the operating system is Windows 2003 R2 with ISA 2004 Enterprise, it has 3 NICs and is part of our domain. NIC 1 connects to a wireless access point that has DHCP running that users will initially connect to. NIC 2 connects to our network to access Active Directory for users to authenticate against. NIC 3 connects to a managed router that goes out to the internet. If a user specifies the IP address for the proxy in Internet Options, the user will be prompted for credentials and it works. Since this server is part of our domain and we already have 2 DCs both running DNS and DHCP, and the guest wireless users cannot access the domain, can autodiscovery work in this setup?
All Replies
- If "guest wireless users can not access the domain", then Web Proxy Auto Discovery (WPAD) cannot work for them.
As noted in this article, WPAD depends on DHCP, DNS or both (depending on your choices).
If the wireless users cannot communicate with the domain resources that provide these services, they cannot use WPAD to discover the proxy.
Also, you omitted whether the wireless and wired networks use different subnets (they must).
You also stated "2 connections to the internet", which is not possible using ISA; although I suspect you really meant "two protected networks that access the Internet through ISA".
This can be done, but you have to be aware that client behavior cannot be affected overmuch by ISA.
1. DNS: the wired and wireless networks should operate using different DNS suffixes; this allows you to maintain unique records for the different ISA interfaces in each network.
2. DHCP: you must use separate scopes for the wired and wireless networks. If you do not, you cannot provide different DHCP INFORM responses to those clients.
Jim Harrison Forefront Edge CS
- I'm sorry if I did not explain the setup clearly enough. We do have two connections to the internet, each with a different service provider. Our faster connection provides connectivity to our domain and domain users. The other was just a test line that we could use if we needed to troubleshoot something such as a VPN issue, as it cannot be replicated if we used our own network connection. We still use the test line, but very rarely, and it would serve a better purpose as a guest wireless, as people come and go from our office who don't need access to our network but need internet connectivity. Most of these users have an account in Active Directory as they use our email, and that is why we need the ISA to be part of the domain, so these users can authenticate against AD. Other than having users be able to authenticate, we do not want any other traffic to come through to our network. So, to sum up how the traffic flows: users will connect to our guest WAP, which will give them a 192.168.1.* IP address from its internal DHCP (NIC 1 on ISA, address 192.168.1.100). If they try to access the internet, they will be prompted for credentials, which will authenticate against our domain AD (NIC 2 on ISA, address 10.128.16.*). If the credentials are valid, they can access the internet through our test line (NIC 3 on ISA, address 216.130.96.*). Basically, the ISA is serving as a web proxy and the only purpose it has with our network is to authenticate against AD.
- You have to provide the proper DHCP or DNS configuration as described in this article, or the WLAN users cannot "discover" the proxy.
Since the WLAN users get their IP addresses from the WAP, you're limited to the DNS structure I spoke of.
Jim Harrison Forefront Edge CS
- I have followed that article using the method specified for DNS and it still does not work. I can use the URL http://192.168.1.100/wpad.dat and it will prompt for credentials. After authentication, it will allow me to download or view the file. I read that if that works, then you can add a wpad CNAME record in DNS and have it point to the host. I have done this as well and autodiscovery still does not work. I have "Automatically detect settings" checked on the client computer. I am almost to the point where we will just have to tell users to specify the proxy in their internet settings, and that is why I am asking here. In DNS, there are 3 host records, one for each NIC. The wpad CNAME points to the 192.168.1.100 entry.
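As an added illustration (not code from this thread, and not ISA Server's own script), the following JavaScript models the client side of what Jim describes: the DNS-suffix walk that produces the wpad.* names a client looks up (which is why separate DNS suffixes for the wired and wireless networks matter), and a hand-written PAC script standing in for the wpad.dat that ISA publishes, evaluated with minimal versions of the standard PAC helper functions. The addresses come from Adam's description of the setup; the proxy port 8080, the suffix guest.example.com and the sample URLs are assumptions, and ISA generates its own wpad.dat rather than this one.

```javascript
// Added example: client-side WPAD discovery and PAC evaluation, modelled offline.
// Assumptions: ISA web proxy on 192.168.1.100:8080 (port is assumed), guest
// WLAN is 192.168.1.0/24, guest clients carry the DNS suffix guest.example.com.

// Step 1 - DNS-based discovery. After the DHCP option 252 query (not modelled
// here; the WAP in the thread cannot answer it), a client asks for
// wpad.<suffix> and strips the leftmost label on each miss, stopping before
// the bare TLD. Simplified: real clients use platform-specific stop rules.
function wpadDnsCandidates(fqdn) {
  const labels = fqdn.toLowerCase().split('.').filter(Boolean);
  const out = [];
  for (let i = 1; i < labels.length - 1; i++) {   // skip host label, stop before TLD
    out.push('wpad.' + labels.slice(i).join('.'));
  }
  return out;
}

// Step 2 - a PAC script equivalent in shape to what the proxy serves as wpad.dat
// (constructed for this example; ISA builds its own script from its listeners).
const GUEST_PAC = `
function FindProxyForURL(url, host) {
  // Unqualified names and the guest WLAN itself go direct; everything else via ISA.
  if (isPlainHostName(host) || isInNet(host, "192.168.1.0", "255.255.255.0"))
    return "DIRECT";
  return "PROXY 192.168.1.100:8080";
}`;

// Minimal PAC helper functions so the script can be evaluated without a browser.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
const pacHelpers = {
  isPlainHostName: host => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  // Offline variant: only literal IPv4 hosts are tested; a browser would resolve names first.
  isInNet: (host, net, mask) => {
    const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
    if (h === null || n === null || m === null) return false;
    return ((h & m) >>> 0) === ((n & m) >>> 0);
  },
  shExpMatch: (str, pattern) => {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(str);
  },
};

// Compile the PAC source with the helpers in scope and return FindProxyForURL.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  return factory(...names.map(n => pacHelpers[n]));
}

const findProxy = loadPac(GUEST_PAC);

// What a guest client would do for a given URL once it has the script.
function proxyFor(url) {
  return findProxy(url, new URL(url).hostname);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(wpadDnsCandidates('laptop.guest.example.com'));  // names the client queries
  console.log(proxyFor('http://www.example.net/'));             // PROXY 192.168.1.100:8080
  console.log(proxyFor('http://192.168.1.100/wpad.dat'));       // DIRECT
}
```

Run it with `node wpad-demo.js`. The candidate list makes Jim's DNS-suffix point concrete: a guest client with suffix guest.example.com never queries the wired network's wpad record, so each network can publish its own wpad CNAME pointing at the ISA interface that faces it, provided the guest clients are allowed to reach a DNS server that holds that record.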
- Assuming you've configured ISA properly, it sounds like you're way behind in your ISA patching.
http://support.microsoft.com/kb/889035 is the answer to authentication prompts for wpad requests.
You also said the WLAN users have no access to the domain resources. If you don't allow the WLAN users to communicate across ISA to the DNS server, they can't find the DNS records you create.
Jim Harrison Forefront Edge CS - Proposed As Answer by Jim Harrison IsaDewd Tuesday, September 22, 2009 10:50 PM
- Almost all of the users that will be using the guest wireless have PCs that are not part of the domain. We DO want it to always prompt for user and password. What we don't want is for the users to have to manually enter the web proxy address and port.
- Forcing authentication for WPAD has nothing whatsoever to do with authenticating Internet access.
Also, because the WAP assigns IP addresses, you cannot use it for your WPAD solution - you must use DNS.
Unless you place a DNS server in the WLAN, you must give the WLAN users anonymous access to the DNS server (DNS cannot be authenticated) in the LAN.
Jim Harrison Forefront Edge CS - Marked As Answer by proline1000 Wednesday, September 23, 2009 7:38 PM
- That's right, but the link for the patch you posted above was something about how to stop the authentication prompt, which is not what I was looking to do. I figured that I would either have to use a separate DNS server on the WLAN if I didn't want users to have to access DNS in our domain. I guess I have to consider my options and move on from here.
Jim, I appreciate your help and thank you for your assistance. Keep it up.
Adam
- Update for all looking for a solution.
We are using our access point for DHCP, and you can configure auto discovery through the access point depending on the type of access point you use. - Marked As Answer by proline1000 Monday, October 26, 2009 8:17 PM
- I am using ISA proxy with my application. It's giving the below error; please help me in resolving this.
HTTP transport error: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )"; nested exception is:
HTTP transport error: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )"
- It's impolite to hijack someone else's thread.
You have two options:
1. update your Java runtime
2. create an ISA rule that allows anonymous access to wherever the Java app is trying to go.
Jim Harrison Forefront Edge CS - Proposed As Answer by Jim Harrison IsaDewd Monday, November 02, 2009 9:16 PM