By default, ISA Server 2004 does not automatically enable an environment for support and installation of the Firewall client component. Specific steps must be taken to enable systems on a network to utilize the Firewall client. Understanding these prerequisites and how the installation of the Firewall client can be automated can help to ease the administration of the Firewall client.
Installing the ISA Firewall Client Share
The first step in enabling support for the Firewall client is to set up a networked share location that contains the binaries for the firewall client itself. The ISA Server 2004 media contains an installation option for the Firewall client share, which is effectively a shared folder on a server that contains a copy of the ISA Firewall client software. Although it is on the ISA Server CD, this does not mean that it is a good idea to install it on the ISA Server itself. It is best practice from a security perspective to install the Firewall client share on a different system from ISA entirely, to eliminate the need for the ISA Server to perform file server functions for internal network clients.
One of the most dangerous roles that can be granted to an ISA Server is one of a file server. It requires Server Message Block (SMB) support and File and Print Sharing capabilities, greatly increasing the attack surface of the ISA Server. It is for this reason that it is recommended that the ISA Firewall client share be placed on a separate system.
To install the ISA Server Firewall client share on a server, perform the following steps:
After the Client is installed, it is critical to update the server on which the Firewall Client was installed with the latest Service Pack for ISA Server 2004, which will contain the latest version of the Firewall Client. If the server running the share is not updated, the Firewall client directory will not contain the latest files and the clients will not get the proper version.
After it is installed, the Firewall Client Installation Share resides in the default location, \Program Files\Microsoft ISA Server\clients, and is shared as \\servername\mspclnt. Clients can connect to this share and install the client, either manually or through automated procedures.
Using DHCP to Configure ISA Server for Auto Detection
Creating the ISA Client Installation Share is only one step in the automation and distribution of the ISA Client. To fully automate deployment, the network must be configured to know which server is the ISA Server. This is accomplished by publishing a record in the Dynamic Host Configuration Protocol (DHCP) environment, the Domain Name System (DNS) environment, or both, depending on the needs of the environment.
This information is published in either DHCP or DNS via a Web Proxy Autodiscovery (Wpad) file. With this file published on the server, and with Auto Discovery enabled on the ISA Server (described in the next section of this chapter), the Firewall clients, when installed, automatically detect which IP address is associated with the ISA Server, which can be used to automate the way that the ISA Client configures the proxy server settings for the system.
If both DHCP and DNS autodiscovery are enabled, the requesting client attempts to use DHCP first, and, that failing, attempts DNS. It may be useful to enable both because some clients may not resolve the DHCP Wpad entry, but instead use the DNS entry.
Assuming that a DHCP server has already been set up in the internal network, use the following steps to set up client autodiscovery through DHCP:
With this setting enabled, every Firewall client that receives a DHCP lease can set its proxy settings to point to ISA Server.
The biggest downside to DHCP Autodiscovery is that clients must have local administrator rights on their machines to have the proxy server setting changed via this technique. If local users do not have those rights, then DNS autodiscovery should be used instead of, or in combination with, DHCP autodiscovery.
Configuring Proxy Client Autodiscovery with DNS
The Domain Name System (DNS) is also a likely candidate for publishing autodiscovery information. Using a Wpad entry in each forward lookup zone where clients need proxy server settings configured is an ideal way to automate the deployment of the settings.
Assuming DNS and a Forward Lookup Zone is set up in an environment, autodiscovery can be enabled through the following technique:
A host record that corresponds with ISA is required, so it is necessary to set one up in advance if it hasn't already been configured. To create one, right-click on the forward lookup zone and select New Host (A). Enter a name for the host (such as isa.companyabc.com) and the internal IP address of the ISA server and click Add Host. This host name will be used in later steps. After the host record is created, the CNAME record for Wpad needs to be created via the following procedure:
This technique enables all Internet Explorer clients that are configured to use the forward lookup zone in DNS to automatically configure their proxy server information, which can be highly useful in automating the deployment of the proxy configuration for the ISA Firewall clients (and other clients on the network).
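The two autodiscovery paths above (the DHCP Wpad entry tried first, the DNS Wpad CNAME used as the fallback) can be modelled and checked in a few lines. The following is an added example, not code from ISA Server 2004 or from this chapter: it reproduces the client's DHCP-then-DNS lookup order on constructed inputs and adds a check an administrator can run to confirm that the published wpad name resolves to the same address as the ISA host record. The option number 252 is the standard DHCP option for the WPAD URL; the host names, addresses and the wpad.dat path are assumptions used only for illustration.

```python
"""Model of the Firewall client's WPAD discovery order (DHCP first, then DNS)
and a check that the DNS wpad entry points at the intended ISA host.
Added example; not ISA Server code. All names and addresses are constructed."""
from typing import Callable, Mapping, Optional

# DHCP option 252 carries the WPAD URL as a string (standard option number).
DHCP_OPTION_WPAD = 252

Resolver = Callable[[str], Optional[str]]  # name -> IPv4 string, or None if no record


def wpad_url_from_dhcp(options: Mapping[int, bytes]) -> Optional[str]:
    """Return the WPAD URL carried in DHCP option 252, or None if absent or unusable."""
    raw = options.get(DHCP_OPTION_WPAD)
    if not raw:
        return None
    # Some DHCP servers NUL-terminate string options; strip the terminator.
    try:
        url = raw.rstrip(b"\x00").decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    return url if url.lower().startswith("http://") else None


def wpad_url_from_dns(dns_suffix: str, resolve: Resolver) -> Optional[str]:
    """Return http://wpad.<suffix>/wpad.dat when wpad.<suffix> resolves, else None.
    (wpad.dat is the conventional WPAD file name; assumed here.)"""
    name = "wpad." + dns_suffix.strip(".")
    return f"http://{name}/wpad.dat" if resolve(name) else None


def discover_wpad(options: Mapping[int, bytes], dns_suffix: str,
                  resolve: Resolver) -> Optional[str]:
    """DHCP is consulted first; only if that yields nothing is DNS tried."""
    return wpad_url_from_dhcp(options) or wpad_url_from_dns(dns_suffix, resolve)


def wpad_points_at_isa(dns_suffix: str, resolve: Resolver, isa_host: str) -> bool:
    """Administrator check: the wpad name and the ISA host record must resolve
    to the same address, otherwise clients would be sent to the wrong proxy."""
    wpad_ip = resolve("wpad." + dns_suffix.strip("."))
    isa_ip = resolve(isa_host)
    return wpad_ip is not None and wpad_ip == isa_ip


# Constructed zone data standing in for a real resolver; the CNAME
# wpad -> isa.companyabc.com is shown already chased to its A record.
CONSTRUCTED_ZONE = {
    "isa.companyabc.com": "10.0.0.1",
    "wpad.companyabc.com": "10.0.0.1",
    "wpad.stale.example": "10.0.0.99",   # a wpad entry left pointing elsewhere
}


def lookup(name: str) -> Optional[str]:
    """Toy resolver over the constructed zone."""
    return CONSTRUCTED_ZONE.get(name.lower())


if __name__ == "__main__":
    # Constructed DHCP lease carrying option 252 with a trailing NUL.
    lease = {DHCP_OPTION_WPAD: b"http://isa.companyabc.com:8080/wpad.dat\x00"}
    print("DHCP present :", discover_wpad(lease, "companyabc.com", lookup))
    print("DNS fallback :", discover_wpad({}, "companyabc.com", lookup))
    print("wpad OK      :", wpad_points_at_isa("companyabc.com", lookup, "isa.companyabc.com"))
    print("stale wpad   :", wpad_points_at_isa("stale.example", lookup, "isa.companyabc.com"))
```

The `lookup` function is a stand-in for a real resolver; to run the same check against a live zone, replace it with a wrapper around `socket.gethostbyname`. The stale-entry case is the one worth watching for in practice: a leftover wpad record in a zone will silently redirect every client in that zone that does not receive a DHCP value.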
Enabling Auto Discovery from ISA Server
After Wpad entries have been created to ease the configuration of proxy server settings, auto-discovery of the ISA Server itself must be enabled on a per-network basis. To enable this functionality, do the following: