Automating the Configuration of the Firewall Client – Part 2
Firewall Client and Web Browser Configuration
By Thomas W Shinder, M.D.
In the first part of our Firewall client automation series, I discussed how you get the firewall client software installed. Once you get the software installed, you need to configure it! You can manually configure the Firewall client, or have the configuration done for you automatically, in advance.
ISA Server supports Firewall client Autodiscovery. Once the Firewall client software finds the ISA Server, it can obtain information from the ISA Server to help the client connect to the Internet. You can force Firewall Clients to use the Autodiscovery mechanism by configuring the appropriate parameters in the Firewall Client Properties client configuration dialog box. Note that these settings apply only during installation of the Firewall client. If you make changes here, they will not apply to machines where the Firewall client was already installed.
Follow these steps to enable Autoconfiguration at setup.
- Open the ISA Server Management console, expand the Servers and Arrays node in the left pane. Then expand the Server name node, then click the Client Configuration node.
- Double click on the Firewall Client entry in the right pane. You will see what appears in the figure below.
- Enter the DNS name, NetBIOS name, or IP address of the ISA Server. The Firewall clients will use this address or name to connect to the ISA Server. This setting is a static setting and the Firewall client will always connect to this computer unless the setting is changed manually at the workstation. You can get around this situation by enabling Autodiscovery. The Autodiscovery feature allows the Firewall client to find the appropriate ISA Server for the network it’s currently connected to. If you want to enable Autodiscovery on these clients, just place a checkmark in the checkbox for Enable ISA Firewall automatic discovery in Firewall Client. After making your selections, click Apply and then click OK.
ISA Server Alert
You must be very mindful of the name you put in the DNS name box. If you put a single label name into the box, make sure your NetBIOS namespace and DNS namespace are complementary. For example, if a machine’s NetBIOS name is SERVER1, then the DNS name of the machine should be server1.domain.com. In addition, make sure the clients are able to resolve unqualified requests appropriately. If your internal network domain is domain.com, the internal network clients should have a primary domain name of domain.com. If the internal network clients are not assigned primary domain names, then you should configure a DNS suffix search list in the TCP/IP Properties dialog boxes of the hosts.
The clients will configure themselves to use the ISA Server you configured in this dialog box after performing these steps.
ISA Server Mystery Meat – Autodiscovery Antics
When you look at the dialog box used to automatically configure the Firewall Client during setup, do you notice something odd? Take another look at the figure above. You have the choice to configure the Firewall client to use a particular server by DNS or IP address. You are also given the option to Enable automatic discovery. However, you do not have a choice to allow only automatic discovery. If you select the DNS name option button, you must put a name in the text box. If you choose IP address, you must enter an IP address. What if you just want the client to use Autodiscovery, and not use either the DNS name or IP address?
The answer is related to how the Firewall Client uses Autodiscovery information. The wpad entry (in DNS or DHCP) only tells the Firewall client what ISA Server to query for more information. It does not tell the Firewall client what ISA Server it should use to connect to the Firewall Service.
For example, if you put the IP address 0.0.0.0 in the above dialog box, the Firewall client queries the DHCP or DNS Server to get the address of the machine that contains the Autodiscovery information. Once the Firewall client connects to the address listed in the wpad entry, it obtains the address 0.0.0.0, as configured in the dialog box. Since this address is bogus, the Firewall client will not be able to connect to the ISA Server. This happens in spite of the fact that it was able to connect to the ISA Server to obtain the Autodiscovery information! The ISA Server sent the Firewall client the information you configured in this dialog box, which is exactly what the ISA Server was supposed to do.
When you select the Enable ISA Firewall automatic discovery in Firewall Client option, the Firewall Client is configured during setup of the Firewall Client software to use Autodiscovery. If you don’t select the Autodiscovery option, the Firewall Client software will use the address configured in this dialog box during setup. Disabling Autodiscovery during setup does not prevent someone from manually configuring Autodiscovery at the desktop.
Automatically Configure the Firewall Client’s Web Browser
Another bonus you get with the Firewall client software installation is automatic configuration of the Web browser. This is very convenient! Instead of you having to manually configure the browsers to make them Web Proxy clients, you can get this task completed by installing the Firewall client. You get two jobs done at the same time when you install the Firewall client.
You don’t have to configure the browser during Firewall client software installation. But if you do want to configure the browser as a Web Proxy client, just perform the following steps.
- Open the ISA Management console, expand the Servers and Arrays node in the left pane, and then expand the Server name. Click on the Client Configuration node.
- Double click on the Web Browser entry in the right pane. You should see what appears in the figure below.
- Place a checkmark in the Configure Web browser during Firewall client setup checkbox to have the browser configured automatically during Firewall client installation.
- Enter the DNS name of the ISA Server in the DNS name text box. You can use the Browse button to find the name of the ISA Server. Note the Port entry defaults to 8080 and is not configurable via this interface. The outgoing Web requests listening port is configured in the Outgoing Web Requests page of the Server Properties dialog box and that is where the Web Browser Properties dialog box (seen above) obtains information about the port used for outgoing Web requests. If you change the listening port on the outbound Web requests listener, the new port number will be reflected here in the Web Browser Properties dialog box.
You can configure the client browsers to Automatically discover settings in the Automatic Configuration frame. The client can be moved from location to location and query either a DNS or DHCP Server and find the ISA Server when you enable the browser to automatically discover settings. You can also enable the client to take advantage of the automatic configuration script by checking the Set Web browsers to use automatic configuration script checkbox. When the browser is set to use the Autoconfiguration script, it will be able to take advantage of distributed Web caching as implemented by CARP (Cache Array Routing Protocol). CARP reduces the number of hops required to access a cached web page. Learn more about CARP at http://www.microsoft.com/isaserver/techinfo/planning/cachingwp.asp
ISA Server Alert
You can configure clients to use the Autoconfiguration script even when you’re not using an array. Configuring Web Proxy clients to use the Autoconfiguration script seems to improve performance significantly. Try it on your own machines. Manually configure a Web browser to use the IP address and port number for the outgoing Web requests listener. Time how long it takes to get to a series of Web pages. Then remove the Proxy settings and manually enter the Autoconfiguration URL (which you can find in the grayed out area at the bottom of the above dialog box). Restart the computer. Now browse a few Web sites (make sure they’re different sites, because the sites you already looked at are in the Web Proxy cache). You should find performance significantly increased.
All the configuration options on the General page of the Web Browser Properties dialog box (seen above) refer to how the web browser is configured during the installation of the Firewall Client software.
For example, if you put a bogus server name in the DNS name text box, the web browser on the Firewall client during setup will use this invalid name and will not be able to connect to the ISA Server unless you manually change the setting in the web browser itself. The same is true for the Automatically discover settings and the Set Web browsers to use automatic configuration script options. These options are applied during Firewall client installation, and do not have any effect on the browser configuration after the Firewall client is installed.
Click on the Direct Access tab. You’ll see what appears in the figure below.
You configure the IP addresses and/or domain names to which you want the Web Proxy Clients to directly connect without having to go through the ISA Server’s Web Proxy Service on the Direct Access tab.
Now what exactly does Direct Access mean? If Direct Access means that the Web Proxy client will not use the Web Proxy service, the browser will need some method to connect to the resource. If the machine you want to connect to is on the internal network, the browser will be able to directly connect to the server. There’s no need for the computer to go through the ISA Server as no address translation or firewall policy needs to be applied when connecting to local resources.
But what about the example I have in the figure above? I have two entries in my Directly access these servers or domains list. The hotmail.com and the msn.com domains are not on my internal network. So how do I directly access these domains? I don’t actually directly access these domains; what I do is bypass the Web Proxy service. Since I’m bypassing the Web Proxy service, I have to use either the SecureNAT or Firewall client configuration to connect to the Internet. The browser will use either the SecureNAT or Firewall client configuration to connect to the ISA Server and allow access to the Internet. The only thing that’s different when I use Direct Access is that the Web Browser will not use the Web Proxy service to access these sites.
The Bypass proxy for local servers option tells the browser to not use the Web Proxy service to access "dotless" resources. That is to say, if the server you connect to contains a single label in its name, the Web Browser will not use the Web Proxy service to make the connection.
For example, with the Bypass proxy for local servers option enabled, http://shinder would be treated as local, but http://shinder.tacteam.net would be treated as remote, in spite of the fact that both of these URLs point to same machine on the internal network. The Web browser connection request will go directly to the http://shinder and will not go to the Web Proxy service on the ISA Server. The connection request from the Web browser to http://shinder.tacteam.net will go through the Web Proxy service on the ISA Server.
ISA Server Alert
Of course you have to be careful with single label names. The DNS client software does not send single label names for DNS name resolution. The DNS client attempts to qualify the name before sending the request to the DNS server for name resolution. So in this example, when you access http://shinder, the DNS client software attempts to resolve the request by appending a domain name, which typically is the primary domain name of the computer sending the request. If the computer making the request belongs to the tacteam.net domain, the name to be resolved is shinder.tacteam.net. So, the request for http://shinder and http://shinder.tacteam.net end up resolving to the same IP address! The only difference is that when you configure the browser to Bypass proxy for local servers, the browser will bypass the Web Proxy service to access http://shinder, while the browser will use the Web Proxy service to access http://shinder.tacteam.net
The Directly access computers specified in the Local Domain Table (LDT) option allows you to directly access machines located in domains that are included in the LDT. Entries in the Local Domain Table (LDT) are resolved by the client, not by the ISA Server. Web Proxy clients usually allow the ISA Server to resolve names for them. But if the Web Proxy client tries to access a Web site whose domain is included in the LDT, the Web Proxy client computer will have to resolve the name itself. Since these LDT entries are for internal network domains, your internal network DNS servers will have the appropriate internal address for these servers. The Web Proxy clients therefore are able to resolve the names of their internal network servers and access them without having to go through the ISA Server’s Web Proxy service.
Click on the Backup Route tab. You’ll see what appears in the figure below.
The Backup Route page allows you to configure the Autoconfiguration script to tell the Web Proxy Client what to do when the Web Proxy Service on the ISA Server is not available. Notice that you must configure the browsers to use the Autoconfiguration script for this to work. The Direct Access option tells the Web Proxy Client to attempt to directly access the web object, which means that the Web Proxy client computer will not use the Web Proxy service. Of course, if the Web Proxy Client does not have a method, such as a modem or a SecureNAT/Firewall client configuration, to directly access the resource, it won’t work.
If you choose to redirect the request to an Alternative ISA Server, type in the name or IP address of another ISA Server. If the Web Proxy Service on this ISA Server should become unavailable, the Web Proxy Client request will be forwarded to the ISA Server configured here.
Be aware that this backup configuration applies only when the Web Proxy service is unavailable. It has NOTHING to do with whether the connection on the external interface is active. The Backup Route only applies when the Web Proxy service is down.
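The Direct Access rules (bypass for dotless names, Local Domain Table, explicit server/domain list) and the Backup Route setting are all things the Autoconfiguration script expresses to the browser. The proxy auto-configuration (PAC) function below, as an added example that is not the script ISA Server generates and not code from the original article, encodes those rules so you can see how each dialog option changes the browser's decision. The server names isa1.example.internal and isa2.example.internal, the corp.example.internal LDT entry, and the re-implemented PAC helpers isPlainHostName and dnsDomainIs (normally supplied by the browser's PAC engine) are all constructed for this illustration; hotmail.com, msn.com and shinder.tacteam.net are the article's own examples.

```javascript
// Added example: a PAC function reflecting the Direct Access and Backup Route
// dialog options discussed in the article. Not ISA Server's generated script.

// Constructed settings standing in for the Web Browser Properties dialog.
const ISA_PROXY = "isa1.example.internal:8080";           // outgoing Web requests listener (assumed name)
const BACKUP_ROUTE = "PROXY isa2.example.internal:8080";  // Backup Route -> alternative ISA Server (assumed);
                                                          // use "DIRECT" for the Direct Access backup option
const DIRECT_ACCESS_DOMAINS = ["hotmail.com", "msn.com"]; // "Directly access these servers or domains"
const LOCAL_DOMAIN_TABLE = ["corp.example.internal"];     // LDT entries resolved by the client itself (assumed)
const BYPASS_LOCAL = true;                                // "Bypass proxy for local servers"

// Minimal re-implementations of two standard PAC helpers so the block runs
// outside a browser. A real PAC engine provides these functions itself.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;                        // single-label ("dotless") name
}
function dnsDomainIs(host, domain) {
  const bare = domain.replace(/^\./, "");
  return host === bare || host.endsWith("." + bare);      // host is the domain or lies under it
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Bypass proxy for local servers: a dotless name never uses the Web Proxy
  //    service, even though the DNS client will qualify it with the primary
  //    domain name and it resolves to the same address as the FQDN.
  if (BYPASS_LOCAL && isPlainHostName(host)) return "DIRECT";

  // 2. Local Domain Table: the client resolves these names itself and connects
  //    to the internal server without the Web Proxy service.
  for (const d of LOCAL_DOMAIN_TABLE) if (dnsDomainIs(host, d)) return "DIRECT";

  // 3. Explicit Direct Access list: the Web Proxy service is bypassed; the
  //    SecureNAT or Firewall client configuration still carries the traffic.
  for (const d of DIRECT_ACCESS_DOMAINS) if (dnsDomainIs(host, d)) return "DIRECT";

  // 4. Everything else goes through the Web Proxy service. The browser only
  //    moves to the next entry in the result string when the preceding proxy
  //    cannot be reached, which is how the Backup Route is expressed in a PAC
  //    result: it is consulted when the Web Proxy service is down, not when the
  //    external link is down.
  return "PROXY " + ISA_PROXY + "; " + BACKUP_ROUTE;
}

// Stand-alone demonstration of the article's own examples.
console.log(FindProxyForURL("http://shinder", "shinder"));                              // DIRECT
console.log(FindProxyForURL("http://shinder.tacteam.net", "shinder.tacteam.net"));      // PROXY ...; PROXY ...
console.log(FindProxyForURL("http://www.hotmail.com/", "www.hotmail.com"));             // DIRECT
```

Note that http://shinder and http://shinder.tacteam.net get different answers only because of rule 1, exactly as the ISA Server Alert above describes; adding tacteam.net to the Local Domain Table would make rule 2 send the FQDN direct as well.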
Automating the Firewall client setup and configuration can make your life a lot easier! Not only is the Firewall client installed (which you should always do on your Windows clients), but the Web browser is configured at the same time. Life just doesn’t get any better than that.
I hope you enjoyed this article and that you were able to learn something useful. If you have any questions or comments on this article, please feel free to write to me at [email protected] and I’ll get to you as soon as I can. Thanks! –Tom.