Force PC on network to use proxy even if PC is not joined to the domain.

  • Question

  • Hi,

    We have a domain, and all PCs that are joined to the domain use the proxy - script by policy. Now anyone that is not joined to the domain can still connect on the network, get an IP via DHCP and browse the Internet. How can I force them to use the proxy and authenticate as well? Will this be a problem now for iPhones / PDAs connecting via the wireless grid on the network?

    Any help appreciated,
    Thanks indeed.
    Shawn
    Friday, October 30, 2009 11:57 AM

Answers

  • Look, first, an ISA server acting as a transparent proxy server will never ask for authentication. The only option is to configure clients with the proxy settings either way.

    How to configure clients? Create the DNS record pointing to the ISA server and then go to the ISA server itself, open its console and navigate to Configuration/Networks/Internal. There is a tab called Autodiscovery; just publish the autodiscovery information on the ISA server.

    The ISA server then automatically publishes the file on its internal network, opening its own virtual web server on port 80, and you are done. The clients will then download the file directly from the ISA server.

    Some notes to the scenario and how to prevent users from changing the configuration manually on their client browsers:

    a) If you create a rule in ISA server that allows HTTP traffic to the internet and the Users tab contains only some user group (for example All Authenticated Users), you will achieve the result that all users are forced to use the proxy. Without the proxy, they wouldn't be authenticated and the rule wouldn't apply to them, blocking their access.

    b) You can also not configure the clients with a default gateway at all. This would mean that a client computer which doesn't have the proxy configured (either statically or dynamically through WPAD) wouldn't be able to access anything outside your local network at all.


    ondrej.
    Saturday, October 31, 2009 1:41 PM
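
The file that clients download through WPAD is a proxy auto-config (PAC) script, which is JavaScript. The following is an added illustration, not part of the original thread and not the file ISA Server generates; the proxy name `isa.corp.example`, port 8080, the `.corp.example` suffix and the 10.0.0.0/8 internal range are assumptions.

```javascript
// Illustrative wpad.dat (PAC) script. Assumed values, not from the thread:
// proxy isa.corp.example:8080, internal suffix .corp.example, LAN 10.0.0.0/8.

// Browsers provide the PAC helper functions themselves. These stand-ins are
// only defined when the helpers are missing, so the script can be tested
// under Node before it is published.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.slice(-domain.length) === domain;
  };
  globalThis.isInNet = function (ip, net, mask) {
    function toInt(addr) {
      return addr.split(".").reduce(function (n, octet) {
        return ((n << 8) | Number(octet)) >>> 0;
      }, 0);
    }
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

var PROXY = "PROXY isa.corp.example:8080";
var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Internal names stay on the LAN and never need the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Only test literal addresses, so isInNet never triggers a DNS lookup.
  if (IPV4_LITERAL.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of bypassing authentication.
  return PROXY;
}
```

The script only tells cooperating clients where the proxy is; the access rule limited to authenticated users, described in the answer above, is what blocks clients that ignore it.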

All replies

  • You can use the WPAD DNS record to apply the proxy settings to all DHCP clients.
      
    Otherwise you can make your proxy also into a router and set it as the Default Gateway using DHCP. Microsoft ISA Server is capable of this.
    Friday, October 30, 2009 12:42 PM
  • The ISA server is the Default Gateway at the moment but it never asks for authentication. It is open. I'm going to try the WPAD DNS record, thanks indeed!
    Friday, October 30, 2009 12:52 PM
  • I'm learning as I go along; I can't find good guides to set up WPAD. I got the DNS record but it looks like I should also create a file, and where should I put it / configure the rest of it. Do you have any procedures for this? Thanks.

    Friday, October 30, 2009 1:16 PM