I purchased an IPAQ about two years ago. It was a cool toy, but the small screen and the low battery life never made it one of my favorite gadgets. I never spend more money on a modem – a network adapter or any other expansion for the device.
A few days ago I received a call from a customer, requesting assistance with a problem – connecting an IPAQ to the Internet on a network running ISA.
How does this thing work ???
Since I never liked the device – I never took the time to understand how it connects to the network. I just plugged the thing to the PC with the USB cable and synced with Outlook. Now I needed to know how this client actually interacts with the network.
If you look around the device configuration, you will notice the availability of network adapter configuration which includes the use of a DHCP or a manual configuration. I guess that those settings should be used when you got a real network adapter connected to the device.
From my experience, when connecting the device using the USB adapter, the Pocket PC never gets its own IP address (I checked the DHCP). It leaches on the hosting computer IP address and configuration. This information is important to understand since the Pocket PC will behave as an extension of the PC – which can mean either a SecureNAT client or a WebProxy client.
Note!!! A firewall client was not used for testing, but I assume it will have no effect on the Pocket PC since it is not installed on the Pocket PC.
Setting up the Pocket PC
If you are planning to use the SecureNAT client to gain web access from the PocketPC, there is nothing much to be done except setting the host computer as a SecureNAT client. If you intend to use the Web Proxy to provide the web access, you will need to use the following instructions to configure the device.
On your PocketPC, click Start -> Settings. Go to the Connections tab
Click the Connections icon. Make sure that the settings are shown as the ones below:
Click Modify and set it to the internal address of the ISA server
Since most ISA installations use the default outgoing listening port of 8080 you will need to click the Advanced and set it.
Apply the Changes by clicking OK.
Pocket PC and NTLM authentication
Pocket PC 2000/2002 share the same problem – they are unable to support NTLM authentication by default. Since in most configurations of ISA server the control over outgoing traffic is based on user identification it means that you have to deal with the issue in one of the following ways:
Update Pocket PC to handle NTLM authentication.
Use only basic authentication on outgoing web requests.
Create client specific rules and definitions.
Update Pocket PC to handle NTLM authentication.
Microsoft published article number 290538 which states the in order to have NTLM authentication you should install Service Pack 1 for Pocket PC 2000. Recently the article was changed, and a fix which you were able to get from PPS for Pocket PC 2002 – is not even mentioned anymore. I guess that we should wait for the PPC 2002 SP
Use only basic authentication on Outgoing web requests
We all know that basic authentication means sending your credentials as clear text over the network. This is not the most recommended solution, but if you do not suspect that any of the people involved is planning to develop a craving for network sniffing, and access control is still an issue, use this method.
To configure Outgoing web requests to use basic authentication, open the ISA console, right click on the server object, and select Properties.
On the “Outgoing web requests” tab select the interface and click Edit.
Remove the “Integrated” selection and apply the change. When done – you will be prompted to restart the ISA services – do not decline the offer.
When Pocket PC is configured with the proxy settings, and either “Outgoing web requests” tab requires authentication or there are rules which will allow access based on user/group membership, a prompt will appear after you make your URL request.
After entering the credentials, the page will load.
Note! An un-patched PPC will not prompt for credentials nor allow Internet access if both Basic and integrated authentication are selected on the Outgoing listener.
Create client specific rules and definitions.
If you cannot get the NTLM patch, and just want to make the CEO PPC, which connects to his workstation, surf worthy – your can avoid any configuration on the client side (even the proxy settings on the PPC) and use the following method:
1. Configure the CEO workstation as a SecureNAT client with either a static IP address which was excluded from the DHCP scope, or create an IP reservation on the DHCP server which will assign a specific IP address every time the same workstation makes an IP lease request. (the procedures for creating the reservation will not be covered here).
2. In the ISA console expand the “Policy Elements” and create a client address set which defines the specific IP address you reserved or excluded for the use of the specific workstation.
3. Create the “Site and Content rule” and “Protocol Rule” which will apply to the specific client address set you created in step 2.
A typical “Site and Content Rule” will allow everything to the IPAQ client set, the “Protocol Rule” which applies to the Client set will usually allow HTTP and HTTPS.
4. The final step is to make sure that the request which will be intercepted by the firewall will be handled correctly and sent back to the Web Proxy.
To do so, go to “Application Filters” and double click the “HTTP Redirector” filter.
Select the option to redirect the request to the local web proxy service.
Note! Configuring the filter with the second option “Send to…” will allow smart users to bypass the web proxy restrictions and access the web directly by removing the Proxy settings from the browser.
I hope you will find this information useful. If anyone has any updates on this issue – I would be glad to fix this article.
Keep Surfing – Liran Zamir [email protected]
