Working with Clients

Configuring clients to work with ISA Server is easy, but there are a few things to set up or change on the ISA server, and of course, you'll also need to configure client systems.

The next sections discuss how to change the way ISA Server configures firewall and Web browser clients, how to set up DHCP and DNS to permit clients to automatically locate a nearby ISA server, and how to manually set up clients to work with ISA Server.

Changing Default Settings for Web Browser Clients

Although the default settings for Web browser clients are adequate, there are a few settings to change, such as whether clients use the IP address or the computer name to connect to the server, and whether the Web browser is automatically configured during client setup. You can also modify the automatic browser configuration script. To change these settings, follow these steps:

  1. Open the Client Configuration container located under the desired server or array in the console tree, and then double-click the Web Browser object.
  2. To prevent the Firewall client software from configuring the client's Web browser when installed, in the Web Browser Properties dialog box, shown in Figure 31-51, clear the Configure Web Browser During Firewall Client Setup check box. This preserves the client browser's current Web proxy settings.

    Figure 31-51. Changing the way Web browser clients are configured.

  3. To specify that clients should connect to the ISA server using its IP address instead of its DNS name, enter the IP address of the ISA server's internal network adapter in the DNS Name box.
  4. If the network contains many roaming clients (such as laptops) and you've set up the network's DHCP and DNS servers to support Web Proxy Auto Discover (WPAD) as discussed in the section entitled Setting Up ISA Server Auto Discovery, later in this chapter, select the Automatically Discover Settings check box. This allows clients to automatically discover the nearest ISA server when they launch their Web browser.

    Automatic Discover only works with Microsoft Internet Explorer 5 and later Web browsers. Autoconfiguration scripts work with Internet Explorer 3.02 or later and Netscape Navigator 2 or later.

  5. To specify that Web browsers should use an automatic configuration script to get their Web proxy settings, select the Set Web Browsers To Use Automatic Configuration Script check box. ISA Server automatically creates a configuration script, but you can use your own instead by selecting the Use Custom URL option and entering the URL of the script.
  6. Use the Direct Access tab to specify which computers clients should access directly (thereby bypassing the ISA server).
  7. Use the Backup Route tab to optionally specify a backup route for clients to use if the ISA server is unavailable (such as a direct connection to the Internet, or another ISA server).
  8. Click OK when you're done.

Changing Default Settings for Firewall Clients

For the most part, ISA Server's default settings for Firewall clients are appropriate, but you might want to force Firewall clients to connect through an IP address to the ISA server, or make clients automatically detect the nearest ISA server (if you have the network set up appropriately, as discussed in the next section).

To change these settings, or to change the way applications pass through the ISA Server firewall, use the following steps:

  1. Open the Client Configuration container located under the desired server or array in the console tree, and then double-click the Firewall Client object.
  2. To specify that clients should connect to the ISA server using its IP address instead of its DNS name, enter the IP address of the ISA server's internal network adapter in the DNS Name box, as shown in Figure 31-52.

    Figure 31-52. Changing Firewall client settings.

  3. If the network contains many roaming clients (such as laptops) and you've set up the network's DHCP and DNS servers to support Winsock Proxy Auto Discover (WSPAD) as discussed in the section entitled Setting Up ISA Server Auto Discovery later in this chapter, select the Enable ISA Firewall Automatic Discovery In Firewall Client check box. This allows clients to automatically discover the nearest ISA server when they obtain a DHCP lease.
  4. To change the way ISA Server interacts with applications such as RealPlayer, click the Application Settings tab. Most of the time, you won't need to alter these settings. Consult the Microsoft Knowledge Base at http://support.microsoft.com or contact the software developer if you do.

Setting Up ISA Server Auto Discovery

Normally, for a client to access the Internet through an ISA server, the client needs to either install the Firewall client software (for Windows clients), configure TCP/IP settings to take the ISA server as the default gateway (this can be done using DHCP), or set up the Web browser to use the ISA server as the proxy server.

Unfortunately, if the client then moves to another location on the network where it can't access the original ISA server, such as might be the case with a laptop user who visits a different division of the company, it might lose Internet connectivity. So if the network uses multiple ISA servers in different locations, set up the network to provide clients with the ability to automatically discover the nearest ISA server.

To do this, you should configure the DHCP server as well as the DNS server. Use the following steps to accomplish this task:

  1. Open the DNS Administration MMC snap-in by clicking Start, pointing to Programs, pointing to Administrative Tools, and then choosing DNS (make sure DNS is installed and configured properly first).
  2. Right-click the forward lookup zone containing the ISA server and choose New Alias from the shortcut menu.
  3. Type WPAD in the Alias Name box, as shown in Figure 31-53.
  4. Enter the fully qualified domain name of the ISA server or click Browse to locate the server in the DNS namespace. Click OK when you're done.
  5. Open the DHCP Administration MMC snap-in by clicking Start, pointing to Programs, pointing to Administrative Tools, and then choosing DHCP (make sure DHCP is installed and configured properly first).

    Figure 31-53. Setting up DNS for Web Proxy auto discovery.

  6. Right-click the desired DHCP server in the console tree and choose Set Predefined Options from the shortcut menu.

    You should perform this procedure on all DHCP servers that service clients that you want to automatically locate an ISA server.

  7. In the Predefined Options And Values dialog box, click Add.
  8. In the Name box, type WPAD, as shown in Figure 31-54.

    Figure 31-54. Setting up DHCP for Web Proxy auto discovery.

  9. Select String from the Data Type box.
  10. In the Code box, type 252.
  11. Optionally enter a description, such as Web Proxy AutoDiscovery Protocol, and then click OK.
  12. Back in the Predefined Options And Values dialog box (shown in Figure 31-55), type http://WPAD/wpad.dat in the String text box if you've configured DNS to work with autodetection as described in steps 1 through 4. Otherwise type http://isa_server/wpad.dat, where isa_server is the DNS name or IP address of the ISA server, and then click OK.

    Figure 31-55. Setting up DHCP for Web Proxy auto discovery.

  13. Select the DHCP server you're configuring from the console tree, right-click the Server Options folder, and choose Configure Options from the shortcut menu.
  14. Scroll down and select the check box next to 252 WPAD in the Available Options box. Click OK. Your server options should reflect the addition of the WPAD protocol, as shown in Figure 31-56.

    Figure 31-56. WPAD set up as a DHCP server option.

Setting Up Client Systems

As discussed at the beginning of this chapter, there are three ways that clients can connect to an ISA server: using the Firewall client software, using the ISA Server as the default gateway in the client's TCP/IP properties (this is a SecureNAT client), and configuring a Web browser to use the ISA server as a proxy server.

The following sections discuss how to use each method on a client system.

Installing the Firewall Client

If you're on a big network and the client systems are running fairly recent versions of Windows (Windows 3.x and Windows NT versions 3.5 and earlier need not apply), you can use ISA Server's Firewall client software. This allows you to manage access policies through user groups, among other things.

To install the Firewall client software, use the following procedure:

  1. Connect to the server_name\mspclnt share (where server_name is the DNS name of the ISA server).
  2. Double-click the Setup file in the directory to install the client software.
  3. Use the install program to specify the desired folder in which to install the software. ISA Server automatically configures the Web browser to use the ISA server as its proxy server as well (unless you changed this in the default settings for Firewall clients, described earlier in this chapter).

Do not install the Firewall client on an ISA server.

If you have any significant number of clients to set up as Firewall clients, use Windows Server's software deployment features (discussed in Chapter 25) to mass deploy the software.

Configuring SecureNAT Clients

SecureNAT clients are easy to set up. All you have to do is configure the TCP/IP properties for the computer or device to use the ISA server as the default gateway. (We're not going to tell you how to do this here. For help with configuring TCP/IP properties for Windows-based systems, see Chapter 6. Otherwise consult the manual or help system for the computer or device.)

Better yet, you can specify an ISA server as the default gateway in the DHCP server's scope or server options. This ensures that any client obtaining an IP address from the DHCP server is automatically set up as a SecureNAT client.

SecureNAT clients are only supported in ISA Server's Firewall Mode. If you have set up ISA Server in Cache Mode only, SecureNAT clients are not supported. You will need to configure them as Web Proxy clients if they are non-Windows computers, or as Firewall clients for supported Windows computers.

Configuring Web Proxy

To configure Internet Explorer to use the ISA server, use the following procedure:

  1. Open Internet Options in Control Panel.
  2. Click the Connections tab.
  3. Click LAN Settings, as shown in Figure 31-57.
  4. If the network network's DHCP and DNS servers are configured to support Web Proxy Auto Discover (WPAD) as discussed in the section entitled Setting Up ISA Server Auto Discovery earlier in this chapter, select the Automatically Detect Settings check box, shown in Figure 31-58. This allows clients to automatically discover the nearest ISA server when they launch their Web browser, which is useful for roaming clients such as laptops.

    Figure 31-57. The Connections tab of the Internet Properties dialog box.

    Figure 31-58. Setting up a Web browser to use ISA Server as a Web proxy.

  5. To specify that the Web browsers should use an automatic configuration script to get their Web proxy settings, select the Use Automatic Configuration Script check box. The default location of the automatic configuration script created by ISA Server is http://server_name/array.dll?Get.Routing.Script, where server_name is the DNS name of the ISA server.
  6. Alternatively, to manually specify the proxy server, select the Use A Proxy Server check box and then enter the IP address or domain name of the ISA server in the box provided. Enter the port used by ISA Server as well (8080 by default). To bypass the ISA server for locations on the local network, select the Bypass Proxy Server For Local Addresses check box.
  7. Click OK when you're done.


Microsoft Windows 2000 Server Administrator's Companion
Microsoft Windows 2000 Server Administrators Companion
ISBN: 0735617856
EAN: 2147483647
Year: 2003
Pages: 320

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net