A question came up recently regarding redundancy for ISA Firewall Web Proxy clients. There are several ways you can do this, including using NLB or client side CARP. However, if you’re using the standard edition of the ISA Firewall, both NLB and client side CARP aren’t available to you. However, there is still a failover option for Web Proxy clients of Standard Edition ISA Firewalls.
If you go into the Networks node in the left pane of the ISA Firewall console and then click the Networks tab in the middle pane, you can select an ISA Firewall Network for which you want Web Proxy clients to fail over to another ISA Firewall.
For example, double click the default Internal ISA Firewall Network and then click the Web Browser tab. At the bottom of the dialog box you’ll see the option If ISA Server is unavailable, use this backup route to connect to the Internet. The default setting is Direct Access, which means that the client will try to use it’s SecureNAT or Firewall client configuration to access the site if the Web Proxy Filter becomes unavailable. However, it’s unlikely that just the Web Proxy Filter will fail, and it more likely if the Web Proxy Filter fails, the entire machine has failed and it probably off or blue screened.
In this case, you can use the Alternative ISA Server option and then enter the name of the ISA Firewall that you want the Web Proxy clients to use if the Web Proxy clients can’t communicate with the primary ISA Firewall’s Web Proxy Filter. You can see the alternate address in the figure below.
It’s important to note that this only works if you configure the Web Proxy clients to use the autoconfiguration script. This can be done most easily by provisioning the Web Proxy clients to be configured by the Firewall client installation. You can choose either the autodiscovery option (Automatically detect settings) or the autoconfiguration script option, as seen in the figure below.
Note that you’ll need to setup WPAD entries if you want to use the Automatically detect settings options.