The Web proxy client works with any HTTP 1.1 CERN-compatible browser, and allows access to HTTP, HTTPS, FTP, and Gopher. Your clients' browsers must be configured to point to the Web proxy. You can set up this configuration with an automatic configuration script, with Group Policy settings in Active Directory domain environments, with logon scripts, or manually. The Web proxy service also works with non-Windows 32-bit clients.
The Web proxy client supports user authentication, which provides the ability to restrict access by a client's NT user account.
Note that only a limited range of protocols is supported using the Web proxy alone; if clients require access to other Winsock applications, install the Firewall client.
To work with Web proxy, you must take several steps, which we discuss next:
Enable Web proxy for networks.
Configure the Web proxy settings on clients.
Set up automated configuration, if desired.
You don't have to install any software to enable Web proxy clients. Rather, you need to have a few prerequisites in place on your ISA Server and on your clients. The clients are the easy part: you simply need browsers and applications that are HTTP 1.1 CERN-compatible (which includes most common browsers on the market today, including Microsoft Internet Explorer 5 and above, Mozilla's Firefox, Netscape, and Opera). The next step is to simply configure the browsers' proxy settings (which we cover in the next section).
On ISA Server, you need to enable the Web proxy clients for the networks you want to support. Normally this would only be internal and perimeter networks.
To enable Web proxy clients on selected networks, follow these steps:
Open the ISA Server Management console, expand the Configuration node, and then click the Networks node.
In the details pane, click the Networks tab and select the network for which you're enabling Web proxy clients. In the task pane, click the Tasks tab, then click Edit Selected Network (or you may simply right-click the network in the details view, then select Properties).
Click the Web Proxy tab, then select the Enable Web Proxy Clients check box as shown in Figure 4-3. Selecting this check box allows you to configure the port(s) that clients will use to connect to ISA Server for HTTP and HTTPS traffic. Select the appropriate check box to enable HTTP or enable SSL, then type the appropriate port number in the field. To enable HTTPS/SSL traffic, you need to have a certificate available (for more information on how to issue certificates, see the Windows Help file).
To configure the type of authentication allowed for Web connections, click Authentication to open the Authentication dialog box, as shown in Figure 4-4. You can choose to use a single authentication method or a combination of methods. When you are done configuring your authentication methods, click OK.
On the Web Proxy tab, click Advanced, which opens the Advanced Settings dialog box. Here you can limit the number of connections allowed to your ISA server, and you can configure the Connection Timeout setting, which is set to a default of 120 seconds. Click OK when you are done configuring these settings.
Figure 4-3: You can configure the Web Proxy properties on the ISA server by selecting the properties of the network.
Figure 4-4: You can configure the Web Proxy authentication properties to control how clients identify themselves to the ISA server.
You can configure your Web proxy clients in several different ways: manually, through a configuration script on the ISA server, through settings included in the distribution of the Firewall client, or through a Group Policy object (GPO) in an Active Directory domain.
Configure Internet Explorer 6 clients by following these steps:
Open Internet Explorer, click the Tools menu, then click Internet Options.
Click the Connections tab, then click LAN Settings. The Local Area Network (LAN) Settings dialog box opens.
In the Proxy Server area, select the Use A Proxy Server For Your LAN check box. Note that the settings will not apply to your dial-up or VPN connections.
In the Address field, type the name of the ISA server, and in the Port field, type the port number that the clients will use to connect to ISA Server.
If you have configured ISA Server with a configuration script, you can configure the client to automatically detect this information. Follow these steps:
In the Automatic Configuration section of the Local Area Network (LAN) Settings dialog box, select the Automatically Detect Settings and Use Automatic Configuration Script check boxes.
In the Address field, type the URL for the ISA server (or another location, if you have configured it differently).
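As an added illustration (not part of the original text, and not the script that ISA Server itself provides), the following hand-written automatic configuration script shows the kind of per-request decision such a script makes for the four protocols the Web proxy handles. The host name isa.example.internal, port 8080, the .example.internal suffix, and the choice to send internal names direct are all assumed placeholders.

```javascript
// Added example: a hand-written automatic configuration (PAC) script.
// PROXY_HOST, PROXY_PORT and INTERNAL_SUFFIX are assumed placeholder values.
var PROXY_HOST = "isa.example.internal";
var PROXY_PORT = 8080;
var INTERNAL_SUFFIX = ".example.internal";

// Browsers supply these PAC helpers. Minimal stand-ins are defined only when
// the script runs outside a browser (for example under Node.js for testing).
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

// Called by the browser for every request; returns where to send it.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Assumption: single-label and internal-suffix names are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }

  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();

  // The four protocols the Web proxy handles.
  if (scheme === "http" || scheme === "https" ||
      scheme === "ftp" || scheme === "gopher") {
    // No "; DIRECT" fallback: if the proxy is unreachable the request fails
    // instead of silently bypassing its authentication and access rules.
    return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
  }

  // Other protocols are outside what the Web proxy alone supports.
  return "DIRECT";
}
```

Omitting a DIRECT fallback on the proxied branch is a deliberate choice in this example: a client that cannot reach the proxy gets an error rather than an unauthenticated path around it.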
You may also use GPOs to configure Internet Explorer settings on your clients. Follow these steps to create a GPO:
Using your Active Directory Users And Computers console, or the Group Policy Management console (see Windows Server Help for more information about these consoles), create or open the GPO you will use to manage clients.
In the Group Policy Object Editor snap-in, navigate to User Configuration, then Windows Settings, then Internet Explorer Maintenance. Click the Connection node.
In the right pane, you can configure Automatic Configuration by double-clicking Automatic Browser Configuration.
To configure the settings for Internet Explorer to connect to your ISA server, double-click Proxy Settings.
Save the GPO, and ensure that it is applied to the appropriate clients.
One common issue is that ISA Server ignores Web Proxy client requests after you have removed and re-added an IP address, or added or enabled a network adapter, on the ISA Server computer. One quick workaround is to restart the Firewall service on the ISA Server (go to the Services console, right-click Microsoft Firewall service, and then select Restart). To prevent the problem from occurring in the future, you can modify the registry by following these steps:
Open the Registry Editor (Regedit.exe).
Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FwSrv\Parameters key.
Double-click SocketsInAcceptReuseList. If the DWORD entry does not exist, create it.
Set the value to 0, and then restart the Microsoft Firewall service.
Another common problem is that you are consistently prompted for credentials when using a Web Proxy client. If you are trying to authenticate to a site that uses Kerberos authentication, then you will simply need to re-enter your credentials, as the ISA Server 2004 Web proxy client doesn't support Kerberos pass-through authentication. See http://support.microsoft.com/kb/840613 for more information.
See the "Additional Resources" appendix for more information on troubleshooting.