Configuring the ISA Server for proxy functionality is only one half of the puzzle for enabling web proxy capabilities. If the ISA Server is to be used for this purpose, the clients must be configured in one way or another. Several different options exist for setting this up, including some that are more labor intensive and other options that streamline the process. Understanding how the clients can be configured is therefore important when deploying a proxy infrastructure.
Enabling an ISA Transparent Proxy
The simplest way to configure clients to use ISA as a proxy server is to not configure anything on the clients at all. If an ISA server can be configured to be inline to the web browsing traffic, such as when it is set up as an edge firewall, then the ISA server automatically caches the HTTP client requests, assuming that caching has been enabled on the server. This type of proxy is referred to as a transparent proxy, in that it does not require any client configuration and requires clients to have only a normal TCP/IP stack.
The downside to transparent proxy is that the traffic is not optimized, and the server has to work twice as hard to process the requests because the client cannot optimize the requests based on the presence of a proxy server. In addition, certain HTTP-based applications may not work properly through a transparent proxy, so it is important to test application compatibility in advance of deploying this type of scenario.
Transparent proxy is effective when it's necessary to enable proxy capability on heterogeneous clients that utilize multiple operating systems and different types of browsers. It intercepts the HTTP commands as they pass through the system. This does not require any additional customization on the part of the client.
Manually Configuring Client Proxy Settings
If a forward proxy, rather than a transparent proxy, is to be set up for clients to use, they must be directed to use that proxy through a modification to their Internet Explorer settings. This modification can be done through different techniques. The most straightforward (albeit most user-intensive) technique is to manually enter the forward proxy information directly into Internet Explorer. To do this, perform the following tasks:
Different versions of Internet Explorer and other browsers utilize slightly different methods for changing these settings. Although the options are different, the settings are typically similar. Check the Help file for the browser to identify how to change proxy server settings.
Creating an Active Directory Group Policy Object (GPO) to Streamline the Deployment of Client Cache Settings
In an Active Directory domain that is inhabited by clients that use Internet Explorer, the setting for configuring a forward proxy server can be automatically applied to client workstations through the use of a Group Policy Object (GPO). GPOs allow for bulk enforcement of settings on systems in a domain, and can be very useful in the automation of proxy server settings. To create a GPO, perform the following tasks:
The step-by-step process outlined here utilizes a tool known as the Group Policy Management Console (GPMC), which greatly simplifies the way that Active Directory GPOs are applied. It is highly recommended to install this tool for the application and modification of GPO settings. It can be downloaded from Microsoft at the following URL:
Group Policy settings can be very powerful, and they should be tested on a small subset of users initially. After the desired functionality has been verified, the GPO can then be linked to a more global OU and applied to all users.
Configuring Proxy Client Autodiscovery with DHCP
If not all clients are domain members, or if an alternate approach to automatically configuring clients with proxy server settings is needed, clients can be configured for autodiscovery of proxy settings. Autodiscovery can be set up to use one of two methods: discovery via the Dynamic Host Configuration Protocol (DHCP) or via the Domain Name System (DNS). Depending on how an environment is set up, one or both of the options can be set up to ensure that the client proxy settings are properly configured.
If both DHCP and DNS autodiscovery are enabled, the client attempts to use DHCP first, and, that failing, then uses DNS.
For autodiscovery to work, the Internet Explorer systems first need to be configured to automatically detect proxy settings. They do so when the Automatically Detect Settings check box is checked in the dialog box shown in the earlier diagram 8.10. Because this is the default setting, this step is usually easier to configure.
Autodiscovery uses a file that is automatically generated on the ISA server, known as the Web Proxy Autodiscovery (WPAD) file. Clients that are pointed to this file are automatically configured to use a proxy server.
Assuming that a DHCP server has already been set up in the internal network, use the following steps to set up client autodiscovery through DHCP:
With this setting enabled, every client that receives a DHCP lease and is configured for autodiscovery is eligible to point to the ISA server as a proxy.
The biggest downside to DHCP Autodiscovery is that clients must have local administrator rights on their machines to have the proxy server setting changed via this technique. If local users do not have those rights, then DNS autodiscovery should be used instead of, or in combination with, DHCP autodiscovery.
Configuring Proxy Client Autodiscovery with DNS
The Domain Name System (DNS) is also a likely place for autodiscovery information to be published. Using a WPAD entry in each forward lookup zone where clients need proxy server settings configured is an ideal way to automate the deployment of the settings.
Assuming DNS and a Forward Lookup Zone are set up in an environment, autodiscovery can be enabled through the following technique:
A host record that corresponds with ISA is required, so it is necessary to set one up in advance if it hasn't already been configured. To create one, right-click on the forward lookup zone and select New Host (A), enter a name for the host (such as proxy.companyabc.com) and the internal IP Address of the ISA server, and click Add Host. This hostname is used in later steps.
To create the CNAME record for the ISA server, do the following:
This technique enables all Internet Explorer clients that are configured to use the forward lookup zone in DNS to automatically configure their proxy server information, which can be highly useful in automating the deployment of the proxy client.
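A deployment check for the DHCP and DNS autodiscovery methods described above, as an added example that is not part of the original text: it models the DHCP-first, DNS-second order and confirms that the discovered WPAD location and the proxies named in the WPAD file match the intended ISA server. The DHCP option number (252), the http://wpad.<zone>/wpad.dat URL form, the IP address, and the sample WPAD text are assumptions or constructed values.

```python
import re

# Constructed sample data (hypothetical address and WPAD text, not from the page).
ZONE = "companyabc.com"
DNS = {
    "proxy.companyabc.com": ("A", "10.10.10.1"),
    "wpad.companyabc.com": ("CNAME", "proxy.companyabc.com"),
}
WPAD = ('function FindProxyForURL(url, host) '
        '{ return "PROXY proxy.companyabc.com:8080; DIRECT"; }')

def resolve(name, dns_records, depth=0):
    """Follow CNAME records to an A record in the constructed zone table."""
    rtype, value = dns_records.get(name.lower(), (None, None))
    if rtype == "A":
        return value
    if rtype == "CNAME" and depth < 8:  # guard against CNAME loops
        return resolve(value, dns_records, depth + 1)
    return None

def discover_wpad_url(dhcp_option_252, dns_records, zone):
    """Client order from the text: DHCP first, DNS only if DHCP gives nothing.
    Assumption: DHCP carries the URL in option 252; DNS uses wpad.<zone>."""
    if dhcp_option_252:
        return "dhcp", dhcp_option_252.strip()
    if resolve(f"wpad.{zone}", dns_records) is not None:
        return "dns", f"http://wpad.{zone}/wpad.dat"
    return None, None

def proxies_in_wpad(wpad_text):
    """Extract every 'PROXY host:port' target the WPAD script can return."""
    return sorted({m.lower() for m in re.findall(r"PROXY\s+([\w.-]+:\d+)", wpad_text)})

def audit(dhcp_option_252, dns_records, zone, wpad_text, expected_ip, approved):
    """Return a list of findings; an empty list means the deployment matches."""
    method, url = discover_wpad_url(dhcp_option_252, dns_records, zone)
    if url is None:
        return ["no WPAD source found via DHCP or DNS"]
    m = re.match(r"https?://([^/:]+)", url)
    host = m.group(1) if m else url  # a malformed URL fails resolution below
    ip = resolve(host, dns_records)
    findings = []
    if ip != expected_ip:
        findings.append(f"{method}: {host} resolves to {ip}, expected {expected_ip}")
    for proxy in proxies_in_wpad(wpad_text):
        if proxy not in approved:
            findings.append(f"wpad file returns unapproved proxy {proxy}")
    return findings
```

In a live environment the `DNS` table and `WPAD` text would be replaced by real lookups and the file fetched from the ISA server; here they are inline so the check runs offline.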