August 18, 2003 12:00 AM

Configuring ISA Server Clients

WPAD and Firewall Client make setup easy for users
Windows IT Pro
InstantDoc ID #39675

As I describe in "Authenticate Internet Access with ISA Server," June 2003, http://www.secadministrator.com, InstantDoc ID 38773, Microsoft Internet Security and Acceleration (ISA) Server 2000 supports three methods for providing controlled Internet access for internal clients: Secure Network Address Translation (SecureNAT), Web proxy, and firewall. SecureNAT doesn't require any configuration on the client computer other than setting the default gateway of the client machine to be the ISA Server machine, a task that's usually automated by using a DHCP server. (In a subnetted environment, the ISA Server system doesn't need to be the default gateway, but the default route needs to go through the ISA Server machine.) However, SecureNAT access doesn't use username-based authentication, so you might prefer the Web proxy and firewall methods, which provide user-specific access control.

The Web proxy method requires setting one client browser option, and the firewall method requires Firewall Client software installation. Although the Web proxy and firewall configuration might not look like a chore at first, remote clients and maintaining client configurations as you add and remove ISA servers complicate the task for administrators. Fortunately, you can easily set up the ISA Server Web Proxy service and Firewall Server so that configuration is automated for users.

Figure 1 shows my enterprise's network topology. An intranet with the address 10.0.0.0 connects a server named ALPHA (which runs DHCP and DNS and has the address 10.0.0.2) and a client named BETA-CLNT. The intranet also connects to the Internet through an ISA Server machine named ISA-LEON. My objective is to ensure that with minimal configuration on the user's part, BETA-CLNT can access the Internet through ISA-LEON. I first configure the Web proxy access (which allows only HTTP and HTTP Secure—HTTPS—traffic), then the firewall access (which enables applications such as FTP and Telnet to get to the Internet).

Web Proxy and Firewall Recap
To refresh your memory of the Web proxy and firewall Internet access methods, let's recap. ISA Server consists of two services: the Web Proxy service and Firewall Server. Client browsers set to use the Web proxy access method send all HTTP requests directly to the ISA Server machine, which performs the requests on the client's behalf. This method works only for applications such as Microsoft Internet Explorer (IE) that can use a Web proxy. To provide Internet access for other client applications such as FTP and Telnet, ISA Server supplies the Firewall Client application for the client machines. Firewall Client is implemented as a Winsock Layered Service Provider (LSP) and provides Internet access for Winsock client applications.

Administrators frequently configure clients to use both Web proxy and Firewall Client Internet access. One reason to keep Web proxy access is that, unlike Firewall Client, the Web proxy can prompt the user for his or her proxy credentials. Firewall Client never prompts; it transparently uses the credentials of the user logged on to the client machine.

If you configure the client browser to use Web proxy, the client will use Web proxy for HTTP and HTTPS requests, regardless of whether Firewall Client is present. If you don't configure the browser to use Web proxy, IE assumes a direct Internet connection. However, because Firewall Client intercepts every Winsock call, ISA Server's Firewall component will still provide the Internet connection.

Configuring WPAD with DHCP
To set up intranet client machines for automatic discovery of the ISA Server machine as a Web proxy, you need to perform three tasks. First, you must configure the ISA Server machine to support the Web Proxy Autodiscovery Protocol (WPAD). Second, you must ensure that the client machine can locate the computer running ISA Server and providing the proxy service. And third, you must ensure that the client browsers support WPAD.

To configure ISA Server to support proxy autodiscovery, right-click ISA-LEON in the Microsoft Management Console (MMC) ISA Management console, which Figure 2 shows, and select Properties. Go to the Auto Discovery tab, which Figure 3 shows, select Publish automatic discovery information, and enter the port for the autodiscovery information. ISA Server makes the autodiscovery information available on the port used for all outgoing requests (you can see this port on the Outgoing Web Requests tab)—port 8080 in my installation. The Auto Discovery tab makes the autodiscovery information available on any additional port of your choosing—port 9090 in my setup.

Your approach to ensuring that the client machine can locate the ISA Server machine depends on your enterprise's network architecture. If DHCP is present in the enterprise, the client broadcasts the DHCPINFORM message and requests option 252. The DHCP server stores various client-configuration parameters in the form of options, which it sends to the client machine upon request. Option 252 is reserved for WPAD. ALPHA runs the intranet's DHCP server, so you can add option 252 to its DHCP scope. Open the MMC DHCP console, right-click ALPHA, and select Set Predefined Options. The Predefined Options and Values dialog box will appear; click Add. Figure 4 shows how to add option 252, WPAD. After you click OK, you'll see the Predefined Options and Values dialog box again—this time, containing information about your new option. The string http://isa-leon:8080/wpad.dat represents an automatic configuration URL that the client browser will use to connect to the ISA Server Web Proxy service to obtain proxy information. (You enter this string as a value for DHCP option 252.) Note that the URL points to a specific ISA Server machine. If your environment has an array of multiple ISA Server machines, using an automatic configuration script is more efficient. I talk about that option later in this article.

The DHCP server will send the URL to the client's browser when the client makes a DHCPINFORM request. Notice the port number. It can be either the ISA Server machine's outgoing port (8080, in my case) or a port that you've configured specifically for the autodiscovery information (9090).

After you've configured the option on the DHCP server, you must enable it for the scope. To do so, in the DHCP console, right-click Scope Options under the intranet's DHCP server, and select Configure Options. On the General tab, scroll down the list of the configured options, and select 252 WPAD.

IE 5.0 and later support WPAD, so as long as your clients are using IE or any other browser that supports autodiscovery, the third step in configuring clients in a DHCP network to use proxy autodiscovery is easy. On the client computer's browser menu, go to Tools, Internet Options, Connections. Click LAN Settings and select the Automatically detect settings check box in the Local Area Network (LAN) Settings dialog box, as Figure 5 shows. Be aware that with this check box selected, the browser will fetch and obey whatever configuration URL option 252 delivers, so only DHCP servers you control should be answering on the client subnets.

After you've performed these three steps, the following takes place when the user on the client machine navigates to any URL: The browser obtains the URL for the WPAD entry (in my case, http://isa-leon:8080/wpad.dat) from the DHCP server, downloads the wpad.dat file, and uses it to decide how to reach the requested site. To see the contents of your wpad.dat file, enter your autodiscovery URL in an intranet client browser, save the file it returns, and open it in Notepad.

The wpad.dat file is a proxy auto-configuration (PAC) script written in JavaScript that implements a few functions. All the functions that this file uses are documented at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ie/reskit/ie6/part6/c26ie6rk.asp. The key one is FindProxyForURL, which the browser calls for each request and which returns either DIRECT or the proxy server (PROXY host:port) to use for the URL that the user entered.

ISA Server creates the wpad.dat file based on the ISA Server configuration. For example, adding domains to ISA Server's Local Domain Table (in the ISA Management console under Network Configuration) alters wpad.dat in such a way that FindProxyForURL always returns DIRECT when the browser asks for a proxy for any host in a domain listed in the Local Domain Table, so intranet traffic bypasses the proxy.
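To make the Local Domain Table behaviour concrete, here is an added example of a minimal PAC script with the same decision shape. It is not the wpad.dat that ISA Server generates and is not from the original article; the Local Domain Table entry .example.local is hypothetical, the proxy name and port (isa-leon:8080) are taken from the article, and the two helper functions are the standard PAC functions a browser normally supplies, reimplemented here so the file runs stand-alone under Node.js.

```javascript
// Added example (not the wpad.dat ISA Server 2000 generates): a minimal PAC
// script that returns DIRECT for local hosts and the ISA Server Web Proxy
// for everything else, plus the helper functions a browser normally provides.

// PAC helper: an unqualified intranet name such as "alpha" contains no dots.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// PAC helper: true when host ends with domain (case-insensitive suffix match).
function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h.length >= d.length && h.endsWith(d);
}

// Hypothetical Local Domain Table entry. The real entries are whatever the
// administrator adds under Network Configuration, Local Domain Table.
const LOCAL_DOMAINS = [".example.local"];

// ISA Server machine and outgoing Web Requests port from the article.
const ISA_PROXY = "PROXY isa-leon:8080";

// The browser calls this for every request and obeys the returned string.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  for (const domain of LOCAL_DOMAINS) {
    if (dnsDomainIs(host, domain)) {
      return "DIRECT";
    }
  }
  return ISA_PROXY;
}

// Stand-alone harness: extract the host the way the browser does and
// report the decision for a few constructed sample URLs.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

const SAMPLE_URLS = [
  "http://alpha/",                     // plain intranet name: DIRECT
  "http://beta-clnt.example.local/",   // in the Local Domain Table: DIRECT
  "http://www.microsoft.com/",         // Internet host: via ISA-LEON
  "https://www.example.com/login",     // HTTPS goes through the proxy too
];

for (const url of SAMPLE_URLS) {
  console.log(url.padEnd(36), "->", decide(url));
}
```

The file ISA Server writes is considerably longer because it also covers cases this example leaves out, but the decision it encodes for Local Domain Table entries is exactly this one: a suffix match on the host name returns DIRECT, and every other host is sent to the proxy. Note that a bare IP address such as 10.0.0.2 is not a plain host name and matches no domain suffix, so this script would send it to the proxy.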

The beauty of autodiscovery is that ISA Server creates a complex wpad.dat file that the browser uses to find the optimal route to the requested URL. Any change in the ISA configuration is reflected in the wpad.dat file and therefore affects all clients configured to use autodiscovery.
