Automating ISA Server 2000 Client Configuration by pengxuebo


Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit

Chapter 5
Automating ISA Server 2000 Web Proxy and Firewall Client Installation and Configuration




 Dr. Thomas W. Shinder
 Debra L. Shinder
 January 2004
                                         ISA Server 2000 in Education Deployment Kit
                     Chapter 5: Automating the Firewall and Web Proxy Client Installation and Configuration




Table of Contents
Scenarios Layout
Automating ISA Server 2000 Web Proxy and Firewall Client Configuration
  Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
     Install the DHCP Server
     Create the DHCP scope
     Create the DHCP 252 Scope Option and Add it to the Scope
     Configure the client as a DHCP client
     Configure the Client Browser to Use Autodiscovery
     Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information
     Making the Connection
  Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
     Create the wpad Entry in DNS
     Configure the Client to Use the Fully Qualified wpad Alias
     Configure the client browser to use autodiscovery
     Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information
     Making the connection
  Automating Web Proxy Client Configuration with Group Policy
  Automating Web Proxy Client Configuration with the Internet Explorer Administration Kit (IEAK 6.0 SP1)
Automating Installation of the Firewall Client
  Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console
  Group Policy Software Installation
  Silent Installation Script
Summary






An important aspect of deploying ISA Server 2000 as a firewall and Web acceleration solution on
the campus network is selecting, installing and configuring the clients to go through the ISA
Server for Internet access. An ISA Server 2000 client is any machine that accesses the Internet
via the ISA Server 2000 firewall or Web Proxy server.

ISA Server 2000 supports three client types. The type of client determines what protocols are
supported, and the operating system used on the client machine dictates which client(s) can be
used. The three ISA Server 2000 client types are:

       The SecureNAT client
        SecureNAT clients are configured with a default gateway that routes Internet-bound
        requests through the ISA Server 2000 firewall or Web Proxy server. The SecureNAT client
        does not require software installation or configuration, and any operating system that
        uses TCP/IP can be a SecureNAT client. No client software is required, but some
        network configuration changes must be made. Although the SecureNAT client provides a
        certain level of transparency of client configuration, its drawback is that it provides the
        lowest level of security and performance of the three client types. The SecureNAT client
        configuration should typically be reserved for non-Microsoft operating systems and the
        rare occasions when client browsers do not support the Web Proxy client configuration.

       The Web Proxy client
        Web Proxy client computers are machines with Web browsers that support the use of a
        Web Proxy server. Any operating system can be used as long as a browser that meets
        this criterion is installed. Almost all modern browsers support this configuration. The
        advantage of the Web Proxy client configuration is that it does not require additional
        software installation and only requires that the browser be configured to use the Web
        Proxy server. In addition, the Web Proxy client can benefit from the Web Proxy cache
        and direct communications with the Web Proxy service. In contrast to the SecureNAT
        client, which does not support user/group based authentication, access to the Internet for
        Web Proxy clients can be controlled on a per user/per group basis. The Web Proxy client
        supports the HTTP, HTTPS, FTP and Gopher protocols.

       The Firewall client
        Firewall client computers have the Microsoft Firewall client software installed on them.
        The Firewall client supports almost all Microsoft 32-bit operating systems, with the
        exception of the original release of Windows 95. Non-Microsoft operating systems cannot
        use the Firewall client. The Firewall client is unique in that it provides user/group based
        access control to all TCP and UDP protocols and sends application information to the
        Firewall service on the ISA Server 2000 firewall. This enables the Firewall service logs to
        track which users used which application to access a particular site. This information can
        be extracted from the Firewall service logs and incorporated into reports to provide
        detailed information on campus Internet usage. In addition, the Firewall client supports
        complex protocols that require secondary connections. In contrast, the SecureNAT client
        does not support complex protocols that require secondary connections without the aid of
        an application filter.

    Note:
    For more information on the various ISA Server 2000 client types, please see the ISA Server
    2000 Help on this topic at
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/isa/isafp1/isasct.asp

Which client type is the best choice for the educational environment? The Web Proxy and
Firewall client configurations provide a higher level of security and performance than that
obtained via the SecureNAT client configuration. However, these more secure configurations are
often avoided because busy campus administrators cannot visit each machine on the educational
institution’s network to install the software or configure the browsers. For this reason, many
administrators prefer to use the SecureNAT configuration at the expense of performance and
security.

However, there is a solution to this problem that allows you to deploy a more secure client
solution without spending an inordinate amount of time on the task. You can automate the
configuration of the Web browser and the installation and configuration of the Firewall client. The
busy campus administrator does not need to “touch” each machine on the educational institution’s
network when these processes are automated. Automated installation and configuration is the
most efficient way to deploy the ISA Firewall and Web Proxy client types on a large institution’s
network.

Also note that a Firewall client or SecureNAT client can also be a Web Proxy client. In this case,
the Web Proxy service handles the HTTP, HTTPS, FTP and Gopher traffic, while other protocols
are handled by the Firewall client or SecureNAT.

In this document, we will cover the following topics:

       Automating ISA Server 2000 Web Proxy and Firewall Client Configuration
       Automating Installation of the Firewall Client

When the installation of the Firewall client and the configuration of the Web Proxy and Firewall
clients are automated, almost all machines on the campus network will be able to benefit from the
superior performance and security provided by the Firewall and Web Proxy client configurations.



Scenarios Layout
The scenarios in this document are based on the lab configuration illustrated in the figure below:

[Figure: lab network layout]
  ISA2: Windows 2003, ISA Server 2000. Protocol Rule: All Open; Default Site/Content Rule.
        External interface: IP/SM: Public; DNS: None
        Internal interface: IP/SM: 10.0.2.1; DNS: 10.0.2.2
  CLIENT2A: Windows 2000 Server
  CLIENT2: Windows 2003. Domain Controller, DHCP Server, DNS Server.
        IP/SM: 10.0.2.2/24; DNS: 10.0.2.2; GW: 10.0.2.1


CLIENT2A is the machine that will be configured as the Web Proxy and Firewall client computer.
Its IP settings will be obtained via DHCP when testing autoconfiguration via DHCP, and it will be
assigned a valid address on network ID 10.0.2.0/24 when testing autoconfiguration via DNS. No
default gateway is configured, so only the Web Proxy and Firewall client configurations are
active. The operating system is Windows 2000.

CLIENT2 is a Windows Server 2003 machine configured as a domain controller in the
msfirewall.org domain. The machine is a DNS server and the DNS server is able to resolve
Internet host names. A DHCP server will be installed on this machine so that we can test
assigning autodiscovery information via DHCP. It has the following IP addressing information:
IP address: 10.0.2.2
Subnet mask: 255.255.255.0
DNS address: 10.0.2.2
Default Gateway: 10.0.2.1

ISA2 is a Windows Server 2003 machine with ISA Server 2000 installed on it. An “all open”
Protocol Rule that allows access to all IP addresses is configured, and the default Site and Content
Rule, which allows access to all sites and content, is enabled.








Automating ISA Server 2000 Web Proxy and Firewall
Client Configuration
There are several methods available for automating the Web Proxy and Firewall client
configurations. These include:

       Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
       Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
       Automating Web Proxy Client Configuration with Group Policy
       Automating Web Proxy Client Configuration with Internet Explorer Administration Kit
        (IEAK)

The following sections discuss how to automate the configuration of Web Proxy and Firewall
clients using the Web Proxy AutoDiscovery (WPAD) protocol, Active Directory Group Policy and
the Internet Explorer Administration Kit.

    Note:
    For more information about the WPAD protocol, please see the ISA Server 2000 Help file
    information at
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/CMT_AutoDetect.asp

Configuring DHCP Servers to Support Web Proxy and Firewall
Client Autodiscovery
DHCP clients can obtain autoconfiguration information from the ISA Server 2000 firewall
computer by using DHCP Inform messages. The Firewall client and Web browser software can
issue DHCP Inform messages to query a DHCP server for the address of a machine containing
the autoconfiguration information. The DHCP server returns the address of the machine
containing the autoconfiguration information and then the Firewall client or Web browser software
requests autoconfiguration from the addresses returned by the DHCP server.

The DHCP server uses a special DHCP option to provide this information.

In this section on configuring Web Proxy and Firewall clients to use DHCP to obtain
autoconfiguration information via WPAD, we will discuss the following steps:

       Installing the DHCP Server
       Creating the DHCP scope
       Creating the DHCP 252 scope option
       Configuring the client as a DHCP client
       Configuring the client browser to use autodiscovery
       Configuring the ISA Server 2000 firewall to publish autodiscovery information
       Making the connection

Install the DHCP Server
The first step is to install the DHCP server. In this example, we will use a Windows Server 2003
DHCP server, but you can create the DHCP option on a Windows 2000 DHCP server if required.




Perform the following steps on the domain controller computer to install the DHCP server service:

    1. Click Start, select All Programs and then Control Panel. Click on Add or Remove
       Programs.

    2. In the Add or Remove Programs window, click on the Add/Remove Windows
       Components button.

    3. In the Windows Components dialog box, click on the Networking Services entry in the
       Components list, then click the Details button.

    4. In the Networking Services dialog box, put a checkmark in the Dynamic Host
       Configuration Protocol (DHCP) checkbox and click OK.

    5. Click Next in the Windows Components dialog box.

    6. Click Finish on the Completing the Windows Components Wizard page.

    7. Close the Add or Remove Programs window.

Now that the DHCP Server service is installed on the domain controller for the domain, the next
step is to create a DHCP scope.

Create the DHCP scope
A DHCP scope is a collection of IP addresses that the DHCP server can use to assign to DHCP
clients on the network. In addition, a DHCP scope can include additional TCP/IP settings to be
assigned to clients, which are referred to as DHCP options. DHCP options can assign various
TCP/IP settings such as a DNS server address, WINS server address, and primary domain name
to DHCP clients.

Perform the following steps on the DHCP server to enable the DHCP server and create the
DHCP scope:




    1. Click Start and then select Administrative Tools. Click DHCP.

    2. In the DHCP console, right click on your server name in the left pane of the console. Click
       on the Authorize command.

    3. Click the Refresh button in the button bar of the console. You will notice that the icon to
       the left of the server name changes from a red, down pointing arrow to a green, up
       pointing arrow.

       Right click the server name in the left pane of the console again and click the New Scope
       command.

    4. Click Next on the Welcome to the New Scope Wizard page.

    5. Enter a name for the scope on the Scope Name page. This name is descriptive only and
       does not affect the functionality of the scope. You can also enter a Description in the
       description box if you wish. Click Next.

    6. Enter a range of IP addresses that can be assigned to DHCP clients on the IP Address
       Range page. Enter the first address in the range into the Start IP address range text box
       and the last IP address in the range in the End IP address text box. Enter the subnet
       mask for your IP address range in the Subnet mask text box.

       In our current example, the internal network is on network ID 10.0.2/24. We do not want
       to assign all the IP addresses on the network ID to the DHCP scope, just a selection of
       them. So in this example, we enter 10.0.2.100 as the Start IP address and 10.0.2.150 as
       the end IP address and use a 24 bit subnet mask.

       Note that on production networks, it is often better to assign the entire network ID to the
       IP address range used in the scope. You can then create exceptions for hosts on the
       network that have statically assigned IP addresses that are contained in the scope. This
       allows you to centrally manage IP address assignment and configuration using DHCP.

       Click Next.

    7. Do not enter any exclusions in the Add Exclusions dialog box. Click Next.

    8. Accept the default settings on the Lease Duration page (8 days, 0 hours and 0 minutes)
       and click Next.

    9. On the Configure DHCP Options page, select the Yes, I want to configure these
       options now option and click Next.

    10. Do not enter anything on the Router (Default Gateway) page. Note that if we were using
        SecureNAT clients on the network, we would enter the IP address of the internal interface
        of the ISA Server 2000 firewall on this page. However, with the current scenario, we want
        to explicitly test only the Web Proxy and Firewall client configurations.

        Click Next.

    11. On the Domain Name and DNS Servers page, enter the primary domain name you want
        to assign to DHCP clients and the DNS server address you want the DHCP clients to
        use.

        The primary domain name is a critical setting for your Firewall and Web Proxy clients. In
        order for autodiscovery to work correctly for Firewall and Web Proxy clients, these clients
        must be able to correctly fully qualify the unqualified name wpad. We will discuss this
        issue in more detail later in this document. In this example, we enter msfirewall.org in the
        Parent domain text box. This will assign the DHCP clients the primary domain name
        msfirewall.org, which will be appended to unqualified names.

        Enter the IP address of the DNS server in the IP address text box. In this example, the
        IP address of the DNS server is 10.0.2.2. Click Add after entering the IP address.

        Click Next.

    12. Do not enter a WINS server address on the WINS Servers page. In this example, we do
        not use a WINS server. However, WINS servers are very useful in VPN server
        environments if you wish your VPN clients to be able to browse the campus network
        using the My Network Places or Network Neighborhood application.

        Click Next.

    13. On the Activate Scope page, select the Yes, I want to activate this scope now option
        and click Next.

    14. Click Finish on the Completing the New Scope Wizard page.

    15. In the right pane of the DHCP console, you see the two DHCP options you created in the
        Wizard.




The next step is to create a custom DHCP option that will allow DHCP clients to autodiscover
Web Proxy and Firewall client settings.

Create the DHCP 252 Scope Option and Add it to the Scope
The DHCP scope option number 252 can be used to automatically configure Web Proxy and
Firewall clients. The Web Proxy or Firewall client must be configured as a DHCP client, and the
logged on user must be a member of the local administrators group or Power users group (for
Windows 2000). On Windows XP systems, the Network Configuration Operators group also has
permission to issue DHCP queries (DHCPINFORM messages).

     Note:
     For more information about the limitations of using DHCP for autodiscovery for Internet
     Explorer 6.0, please see KB article Automatic Proxy Discovery in Internet Explorer with
     DHCP Requires Specific Permissions at
     http://support.microsoft.com/default.aspx?scid=kb;en-us;312864






Perform the following steps at the DHCP server to create the custom DHCP option:

    1. Open the DHCP console from the Administrative Tools menu and right click your server
       name in the left pane of the console. Click the Set Predefined Options command.

    2. In the Predefined Options and Values dialog box, click the Add button.

    3. In the Option Type dialog box, enter the following information:

       Name: wpad
       Data type: String
       Code: 252
       Description: wpad entry

       Click OK.

    4. In the Value frame, enter the URL to the ISA Server 2000 firewall in the String text box.
       The format for this value is:

       http://ISAServername:AutodiscoveryPortNumber/wpad.dat

       The default autodiscovery port number is TCP 80. You can customize this value in the
       ISA Management console. We will cover this subject in more detail later in this
       document.

       In the current example, enter the following into the String text box:

       http://isa2.msfirewall.org:80/wpad.dat

       Make sure to enter wpad.dat in all lower case letters. For more information on this
       problem, please refer to KB article "Automatically Detect Settings" Does Not Work if
       You Configure DHCP Option 252 at
       http://support.microsoft.com/default.aspx?scid=kb;en-us;307502

       Click OK.

    5. Right click the Scope Options node in the left pane of the console and click the
       Configure Options command.

    6. In the Scope Options dialog box, scroll through the list of Available Options and put a
       checkmark in the 252 wpad checkbox. Click Apply and then click OK.

    7. The 252 wpad entry now appears in the right pane of the console under the list of Scope
       Options.




    8. Close the DHCP console.
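
The following Python sketch is an added example, not part of the original chapter. It shows the options a client sends in a DHCPINFORM to request option 252, parses the options of a reply, and checks the returned string against the format given in step 4. The function names are illustrative, the sample reply is constructed, and the expected host and port are taken from the chapter's lab values.

```python
"""Added example: read DHCP option 252 from an options field and check the WPAD URL."""
from urllib.parse import urlsplit

PAD, END = 0, 255                       # single-byte options with no length field
OPT_MSG_TYPE, OPT_PARAM_REQUEST, OPT_WPAD = 53, 55, 252
DHCPACK, DHCPINFORM = 5, 8              # DHCP message type values


def build_inform_options() -> bytes:
    """Options a client places in a DHCPINFORM to ask the server for option 252."""
    return bytes([OPT_MSG_TYPE, 1, DHCPINFORM,
                  OPT_PARAM_REQUEST, 1, OPT_WPAD,
                  END])


def parse_options(raw: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} has no length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # a repeated option is concatenated
        i += 2 + length
    return opts


def check_wpad_url(value: bytes, expected_host: str, expected_port: int = 80) -> list:
    """Return a list of problems with an option 252 value; empty means it looks right."""
    problems = []
    # Tolerate a trailing NUL in case the string arrives terminated.
    url = value.rstrip(b"\x00").decode("ascii", errors="replace")
    parts = urlsplit(url)
    if parts.scheme != "http":
        problems.append(f"scheme is {parts.scheme!r}, expected 'http'")
    if (parts.hostname or "") != expected_host.lower():
        problems.append(f"host is {parts.hostname!r}, expected {expected_host!r}")
    try:
        port = parts.port or 80          # no port in the URL means TCP 80
    except ValueError:                   # non-numeric or out-of-range port
        port = None
    if port != expected_port:
        problems.append(f"port is {port!r}, expected {expected_port}")
    if parts.path != "/wpad.dat":
        if parts.path.lower() == "/wpad.dat":
            problems.append("wpad.dat must be entered in all lower case")
        else:
            problems.append(f"path is {parts.path!r}, expected '/wpad.dat'")
    return problems


# Constructed sample: the options of a DHCPACK answering the inform, carrying
# the chapter's lab value for option 252.
LAB_URL = b"http://isa2.msfirewall.org:80/wpad.dat"
SAMPLE_ACK_OPTIONS = (bytes([OPT_MSG_TYPE, 1, DHCPACK])
                      + bytes([OPT_WPAD, len(LAB_URL)]) + LAB_URL
                      + bytes([END]))

if __name__ == "__main__":
    offered = parse_options(SAMPLE_ACK_OPTIONS)
    print("inform options:", build_inform_options().hex())
    print("option 252:", offered[OPT_WPAD].decode())
    print("problems:", check_wpad_url(offered[OPT_WPAD], "isa2.msfirewall.org"))
```

Running the same check against the option 252 value seen on each subnet is a quick way to confirm that clients are being pointed at the intended ISA Server and not at an unexpected host.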

The next step is to configure the client computer as a DHCP client.

Configure the client as a DHCP client
In order to use DHCP to obtain autodiscovery information for Web Proxy and Firewall clients, the
client computer must be configured as a DHCP client. Perform the following steps on the client
machine to configure it as a DHCP client.

    Note:
    In this example, we configure a Windows 2000 machine as a DHCP client. The procedure
    varies a bit with each client operating system. All Windows TCP/IP operating systems use
    DHCP as the default IP address configuration.




    1. Right click the My Network Places icon on the desktop and click the Properties
       command.

    2. Right click the Local Area Connection entry in the Network and Dial-up Connections
       window and click the Properties command.

    3. In the Local Area Connection Properties dialog box, click the Internet Protocol
       (TCP/IP) entry and click the Properties button.

    4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Obtain an IP
       address automatically and Obtain DNS server address automatically options.

       Click OK.

    5. Click OK in the Local Area Connection Properties dialog box.

    6. Close the Network and Dial-up Connections window.




The next step is to configure the browser to use autodiscovery to automatically discover its Web
Proxy client settings.

Configure the Client Browser to Use Autodiscovery
The browser must be configured to use autodiscovery before it can use the DHCP server option
252 to automatically configure itself. This is the default setting for Internet Explorer 6.0, but the
default setting may have been changed at some time during the life of the browser on a particular
machine. In the following example, we manually configure the browser to use autodiscovery to
autoconfigure itself. We will discuss methods you can use to automatically set this option later in
this document.






Perform the following steps on the Web Proxy client computer:

     1. Right click on the Internet Explorer icon on the desktop and click Properties.






2. In the Internet Properties dialog box, click the Connections tab. Click the LAN
   Settings button.






     3. In the Local Area Network (LAN) Settings dialog box, put a checkmark in the
        Automatically detect settings checkbox. Click OK.






    4. Click OK in the Internet Properties dialog box.




The next step is to configure the ISA Server 2000 firewall to publish autodiscovery information.

Configure the ISA Server 2000 Firewall to Publish Autodiscovery
Information
All the settings required for the Web browser to configure itself are contained on the ISA Server
2000 firewall computer. By default, this option is disabled. You can enable publishing of
autodiscovery information on the ISA Server 2000 firewall computer so that the Web Proxy client
can obtain autoconfiguration settings.






Perform the following steps at the ISA Server 2000 firewall to enable publishing of autodiscovery
information for Web Proxy and Firewall clients:

     1. Open the ISA Management console, expand the Servers and Arrays node and then
        right click on the server name. Click the Properties command.






2. In the server Properties dialog box, click the Auto Discovery tab. Put a checkmark in
   the Publish automatic discovery information checkbox. Note that the default port
   number for publishing automatic discovery information is TCP port 80. This is the port
   number we configured in the DHCP option 252 setting. If you need to change this port
   number, make sure that you also change the port number used in the DHCP 252 setting.

   Click Apply.






     3. Select the Save the changes and restart the service(s) option in the ISA Server
        Warning dialog box. Click OK.






   4. Click OK in the server Properties dialog box.




   5. Close the ISA Management console.

Making the Connection
All the components are now in place for the Web browser to automatically connect to the ISA
Server 2000 firewall’s Web Proxy service using autodiscovery.






Perform the following steps on the Web Proxy client computer:

     1. Open Internet Explorer and enter the URL for the Microsoft ISA Server site at
        www.microsoft.com/isaserver






2. A Network Monitor trace shows the DHCP Inform messages sent by the Web Proxy
   client. The Web Proxy client uses the DHCP Inform messages to obtain the
   autodiscovery address contained in the DHCP option 252 entry.






     3. In this frame, you can see the ACK response to the Web Proxy client’s DHCP inform
        message. In the bottom pane of the Network Monitor console, you can see that the
        DHCP server has returned the address you configured in the DHCP option 252 entry.






    4. After the Web Proxy client receives the address of the ISA Server 2000 containing the
       autodiscovery settings, the next step is for it to resolve the name of the ISA Server 2000
       firewall to its internal IP address. Name resolution is critical for multiple aspects of ISA
       Server 2000 functioning and this is another example of this fact. You can see in the
       Network Monitor that the Web Proxy client has issued a query for isa2.msfirewall.org,
       which was the URL contained in the DHCP 252 option.
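The DHCP ACK seen in the trace can also be checked programmatically. The following is an added example, not part of the original kit: it parses the options field of a DHCPACK, extracts option 252, and verifies that the URL points into the expected domain on the port the ISA Server publishes on. The sample packet, the URL http://isa2.msfirewall.org:80/wpad.dat and the function names are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DOMAIN_NAME, OPT_MSG_TYPE, OPT_WPAD, OPT_END = 0, 15, 53, 252, 255
DHCPACK = 5


def build_sample_ack(wpad_url, domain="msfirewall.org"):
    """Build a minimal DHCPACK for testing (constructed data, not a capture)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x1A2B3C4D, 0, 0,                # xid, secs, flags
        bytes([192, 168, 1, 50]),        # ciaddr: the client that sent the Inform
        bytes(4), bytes(4), bytes(4),    # yiaddr, siaddr, giaddr
        bytes.fromhex("001122334455"),   # chaddr (struct pads to 16 bytes)
        b"", b"",                        # sname, file (padded with NULs)
    )

    def opt(code, value):
        return bytes([code, len(value)]) + value

    options = (
        opt(OPT_MSG_TYPE, bytes([DHCPACK]))
        + opt(OPT_DOMAIN_NAME, domain.encode("ascii"))
        + bytes([OPT_PAD])
        + opt(OPT_WPAD, wpad_url.encode("ascii") + b"\x00")
        + bytes([OPT_END])
    )
    return fixed + MAGIC_COOKIE + options


def parse_options(packet):
    """Return {option code: value bytes} from a raw DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short packet or bad magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:              # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate
        i += 2 + length
    raise ValueError("options field has no end marker")


def audit_wpad_ack(packet, expected_domain, isa_publish_port=80):
    """Return (url, findings); an empty findings list means the ACK is consistent."""
    opts = parse_options(packet)
    findings = []
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        findings.append("message is not a DHCPACK")
    raw = opts.get(OPT_WPAD)
    if raw is None:
        return None, findings + ["option 252 is missing"]
    # Some servers send the string NUL-terminated; strip that before parsing.
    url = raw.rstrip(b"\x00").decode("ascii", errors="replace")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port or 80          # no explicit port means HTTP default
    except ValueError:
        port = None
    if parts.scheme != "http":
        findings.append("scheme %r is not http" % parts.scheme)
    domain = expected_domain.lower()
    if not (host == domain or host.endswith("." + domain)):
        findings.append("host %r is outside %s" % (host, domain))
    if port != isa_publish_port:
        findings.append("port %r does not match ISA publishing port %d"
                        % (port, isa_publish_port))
    return url, findings


if __name__ == "__main__":
    ack = build_sample_ack("http://isa2.msfirewall.org:80/wpad.dat")
    print(audit_wpad_ack(ack, "msfirewall.org"))
```

Run the audit against the payload of a captured ACK whenever the Auto Discovery port on the ISA Server or the DHCP 252 value is changed, since the two must stay in step.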




Configuring DNS Servers to Support Web Proxy and Firewall
Client Autodiscovery
Another method that can be used to deliver autodiscovery information to Web Proxy and Firewall
clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this
information to automatically configure themselves. This is in contrast to the situation we saw with
the DHCP method, where the logged on user needed to be a member of a specific group in the
Windows operating system.

Name resolution is a pivotal component to making this method of Web Proxy and Firewall client
autodiscovery work correctly. In this case, the client operating system must be able to correctly
fully qualify the name wpad. The reason for this is that the Web Proxy and Firewall client only
knows that it needs to resolve the name wpad; it does not know what specific domain name it
should append to the query to resolve the name wpad. We will cover this issue in detail later in
this document.






     Note:
     In contrast to the DHCP method of assigning autodiscovery information to Web Proxy and
     Firewall clients, you do not have the option to use a custom port number to publish
     autodiscovery information when using the DNS method. You must publish autodiscovery
     information on TCP 80 when using the DNS method.

We will detail the following steps to enable DNS to provide autodiscovery information to Web
Proxy and Firewall clients:

        • Creating the wpad entry in DNS
        • Configuring the client to use the fully qualified wpad alias
        • Configuring the client browser to use autodiscovery
        • Making the connection

Create the wpad Entry in DNS
The first step is to create a wpad alias entry in DNS. This alias points to a Host (A) record for the
ISA Server 2000 firewall, which resolves the name of the ISA Server 2000 firewall to the internal
IP address of the firewall. This Host (A) record must be created before you create the CNAME
alias entry. If you enable automatic registration in DNS, the ISA Server 2000 firewall’s entry will
already be entered into DNS. If you have not enabled automatic registration, you will need to
create the Host (A) record for the ISA Server 2000 firewall manually. In the following example, the
ISA Server 2000 firewall has automatically registered itself with DNS.






Perform the following steps on the DNS server on the domain controller on the internal network:

    1. Click Start and select Administrative Tools. Click the DNS entry. In the DNS
       management console, right click on the forward lookup zone for your domain and click
       the New Alias (CNAME) command.






     2. In the New Resource Record dialog box, enter wpad in the Alias name (uses parent
        domain if left blank) text box. Click the Browse button.






3. In the Browse dialog box, double click on your server name in the Records list.






     4. In the Browse dialog box, double click on the Forward Lookup Zone entry in the
        Records frame.






5. In the Browse dialog box, double click on the name of your forward lookup zone in the
   Records frame.






     6. In the Browse dialog box, select the name of the ISA Server 2000 firewall in the
        Records frame. Click OK.






7. Click OK in the New Resource Record dialog box.






     8. The CNAME (alias) entry appears in the right pane of the DNS management console.




     9. Close the DNS Management console.

Configure the Client to Use the Fully Qualified wpad Alias
The Web Proxy and Firewall client needs to be able to correctly resolve the name wpad. Neither
the Web Proxy nor the Firewall client configuration is aware of the domain containing the wpad
alias. The Web Proxy and Firewall client operating system must be able to provide this
information to the Web Proxy and Firewall client.

DNS queries must be fully qualified before the query is sent to the DNS server. A fully qualified
request contains a host name and a domain name. The Web Proxy and Firewall client only know
the host name portion. The Web Proxy and Firewall client operating system must be able to
provide the correct domain name, which it appends to the wpad host name, before it can send a
DNS query to the DNS server.

There are a number of methods you can use to provide a domain name that is appended to the
wpad name before the query is sent to the client operating system’s DNS server. Two popular
methods for doing this are:

        • Using DHCP to assign a primary domain name
        • Configuring a primary domain name in the client operating system’s network identification
          dialog box.






We will detail these two methods in the following steps:

    1. Right click the My Computer icon on the desktop and click the Properties command.






     2. In the System Properties dialog box, click the Network Identification tab. Click the
        Properties button.






3. In the Identification Changes dialog box, click the More button.






     4. In the DNS Suffix and NetBIOS Computer Name dialog box, enter the domain name
        that contains your wpad entry in the Primary DNS suffix of this computer text box. This
        is the domain name that the operating system will append to the wpad name before
        sending the DNS query to the DNS server. By default, the primary domain name is the
        same as the domain name the machine belongs to. If the machine is not a member of a
        domain, then this text box will be empty. Note that the Change primary DNS suffix when
        domain membership changes option is enabled by default. In the current example, the
        machine is not a member of a domain.

        Cancel out of each of the dialog boxes so that you do not configure a primary domain
        name at this time.






5. Another way to assign a machine a primary domain name is to use DHCP. A DHCP
   server can be configured to supply DHCP clients a primary domain name by configuring
   a DHCP scope option. We did this earlier when we created a scope on the DHCP server
   using the DHCP scope wizard. In the current example, the DNS Domain Name scope
   option was set to deliver the domain name msfirewall.org to DHCP clients. This option
   has the same effect as manually setting the primary domain name. DHCP clients will
   append this name to unqualified DNS queries (such as those for wpad) before sending
   the DNS query to a DNS server.






     6. Go to the DHCP client system and open a command prompt. At the command prompt,
        enter ipconfig /all and press ENTER. Notice that the machine has been assigned a
        Connection-specific DNS Suffix of msfirewall.org.

        DHCP is the most efficient way to assign a primary DNS suffix to clients on your network.
        This feature allows you to automatically configure a DNS suffix on DHCP clients that
        connect to your network which are not members of your Active Directory domain. These
        clients can still correctly resolve the wpad name based on your current DNS
        infrastructure without requiring them to join the domain or manually configuring them.




Note that if you have multiple domains and clients on your internal network that belong to multiple
domains, then you will need to create wpad CNAME alias entries for each of the domains.

Configure the Client Browser to Use Autodiscovery
The next step is to configure the browser to use autodiscovery. If you have not already done so,
perform the following steps to configure the Web browser to use autodiscovery to automatically
configure itself to use the ISA Server 2000 firewall’s Web Proxy service:






1. Right click on the Internet Explorer icon on the desktop and click Properties.






     2. In the Internet Properties dialog box, click the Connections tab. Click the LAN
        Settings button.






3. In the Local Area Network (LAN) Settings dialog box, put a checkmark in the
   Automatically detect settings checkbox. Click OK.






     4. Click Apply and then click OK in the Internet Properties dialog box.




The next step is to configure the ISA Server 2000 firewall to publish autodiscovery information for
autodiscovery Web Proxy and Firewall clients.

Configure the ISA Server 2000 Firewall to Publish Autodiscovery
Information
Perform the following steps on the ISA Server 2000 firewall computer to enable it to provide
autoconfiguration information to Web Proxy and Firewall autodiscovery clients:






1. Open the ISA Management console and expand the Servers and Arrays node. Right
   click on your server name and click Properties.






     2. In the server Properties dialog box, click the Auto Discovery tab. Put a checkmark in
        the Publish automatic discovery information checkbox. You must use the default
        entry in the Use this port for automatic discovery request text box, which is 80, in
        order for autodiscovery to work properly with DNS. Click Apply.






3. Select the Save the changes and restart the service(s) option in the ISA Server
   Warning dialog box and click OK.






     4. Click OK in the server properties dialog box.




     5. Close the ISA Management console.

Making the Connection
All the parts are now in place to allow the Web Proxy and Firewall client machine to use DNS to
obtain autoconfiguration information. Perform the following steps on the Web Proxy client
computer:






1. Open Internet Explorer and go to the www.microsoft.com/isaserver/ home page.






     2. A Network Monitor trace shows the Web Proxy client makes a DNS query for
        wpad.msfirewall.org.






3. The DNS server responds to the query with the IP address of the ISA Server 2000
   firewall computer.






     4. After it obtains the IP address of the ISA Server 2000 firewall computer and the port from
        which it can obtain autoconfiguration information, the Web Proxy client sends a request
        for wpad autoconfiguration information. You can see this request in the bottom pane of
        the Network Monitor Window, GET /wpad.dat HTTP/1.1.
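The DNS method depends on every client suffix having a wpad alias that ends at the firewall's Host (A) record. The following added example (not part of the original kit) audits exported zone data for that condition across several client DNS suffixes. The zone contents, the address 10.0.0.1, the extra suffixes lab.example and staff.example, and the function names are constructed for illustration.

```python
# Constructed zone data: name -> (record type, value). Not taken from a real server.
SAMPLE_ZONE = {
    "isa2.msfirewall.org": ("A", "10.0.0.1"),
    "wpad.msfirewall.org": ("CNAME", "isa2.msfirewall.org."),
    "wpad.lab.example": ("CNAME", "proxy.lab.example"),   # target has no A record
}


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def resolve_a(records, fqdn, max_hops=8):
    """Follow CNAMEs from fqdn to a Host (A) record; return (ip or None, chain)."""
    chain, name = [], _norm(fqdn)
    for _ in range(max_hops):
        chain.append(name)
        rtype, value = records.get(name, (None, None))
        if rtype == "A":
            return value, chain
        if rtype != "CNAME":
            return None, chain               # no such name, or alias target missing
        name = _norm(value)
        if name in chain:
            return None, chain + [name]      # alias loop
    return None, chain


def audit_wpad_dns(records, client_suffixes, isa_internal_ip):
    """Check, per client DNS suffix, that wpad.<suffix> reaches the ISA firewall."""
    records = {_norm(k): v for k, v in records.items()}
    report = {}
    for suffix in client_suffixes:
        fqdn = "wpad." + _norm(suffix)       # what the OS sends after qualifying "wpad"
        ip, chain = resolve_a(records, fqdn)
        if fqdn not in records:
            status = "missing wpad alias"
        elif ip is None:
            status = "alias does not reach a Host (A) record"
        elif ip != isa_internal_ip:
            status = "resolves to %s, not the ISA firewall" % ip
        else:
            status = "ok"
        report[_norm(suffix)] = {
            "status": status,
            "chain": chain,
            # The DNS method always fetches from TCP 80, so no port is written.
            "url": "http://%s/wpad.dat" % fqdn if status == "ok" else None,
        }
    return report


if __name__ == "__main__":
    suffixes = ["msfirewall.org", "lab.example", "staff.example"]
    for suffix, result in audit_wpad_dns(SAMPLE_ZONE, suffixes, "10.0.0.1").items():
        print(suffix, result)
```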




Automating Web Proxy Client Configuration with Group Policy
When the client operating system belongs to a Windows 2000 or Windows Server 2003 Active
Directory domain, you can use Group Policy to automatically configure the browser for all domain
member computers. This greatly simplifies the management of Internet Explorer clients
throughout the campus. You can even create different Organizational Units (OUs) and configure
different browser settings in each OU.

In the following example, we’ll configure a domain policy that configures all the browsers in the
domain to use the autoconfiguration script.






1. Open the Active Directory Users and Computers console from the Administrative
   Tools menu. Right click on your domain name and click Properties.






     2. In the domain Properties dialog box, click on the Group Policy tab. Click on the Default
        Domain Policy and click the Edit button.






3. In the Group Policy Object Editor, expand the User Configuration node and then
   expand the Internet Explorer Maintenance node. Click on the Connection node.
   Double click on the Automatic Browser Configuration entry in the right pane of the
   console.






     4. In the Automatic Configuration dialog box, put a checkmark in the Automatically
        detect configuration settings checkbox. Put a checkmark in the Enable Automatic
        Configuration checkbox. You can enter a custom value in the Automatically configure
        every X minutes text box. This allows the browser to automatically refresh the browser
        configuration at regular intervals, based on the number of minutes you configure in this
        text box. You might consider entering a lower number if you have a caching array and
        want to enable a degree of failover for Web Proxy clients.

        Enter the autoconfiguration script URL in the Auto-config URL (.INS file) text box. This
        will allow the Web browser to use the autoconfiguration script without needing to
        autodetect.

        Click OK after making the changes.






5. Close the Group Policy Object Editor window.






     6. Click OK in the domain Properties dialog box.






    7. Close the Active Directory Users and Computers window.




    8. Close the Active Directory Users and Computers console.

Automating Web Proxy Client Configuration with the Internet
Explorer Administration Kit (IEAK 6.0 SP1)
The Internet Explorer Administration Kit allows you to create highly customized versions of
Internet Explorer that you can distribute to campus Internet users. One of the customization
features is the proxy configuration parameters, so that you can configure the browsers to
autodetect and to use the autoconfiguration script. Note that there are licensing issues you must
be aware of before using IEAK to distribute customized versions of Internet Explorer. For more
information about the IEAK and for a download link, please check the IEAK home page at
http://www.microsoft.com/windows/ieak/downloads/ieak6/ieak6sp1.asp

The following example illustrates several components of the Internet Explorer Customization
Wizard and how it works to create a custom setup you can use to configure Internet Explorer
installation on campus.






     1. Download the Internet Explorer Administration Kit Service Pack 1 and install it
        on a workstation on your network. After installing IEAK, click Start, point to Programs
        and point to Microsoft IEAK 6. Click Internet Explorer Customization Wizard.






2. Read the information on the Welcome to the IEAK – Corporate Version page and click
   Next.






     3. Click Next on the Stage 1 – Gathering Information page.






4. On the File Locations page, use the default Destination Folder or create one of your
   own. This is the location where the customized Internet Explorer packages will be saved.
   Click Next.






     5. On the Language Selection page, select the language of your choice from the Target
        language drop down box. Click Next.






6. On the Media Selection page, select the media type that is most useful for your
   distribution. We will select the Single disk branding option. This option is the
   simplest and does not produce an installation package; it does save a configuration file that
   is used to customize an already installed version of Internet Explorer. Click Next.






     7. On the Feature Selection page, select the options that you’re interested in customizing.
        In our current example, we will click the Clear All button, then we will place a checkmark
        in the Connections Customization checkbox. This will allow us to customize the Proxy
        server settings on the Internet Explorer browsers.

         Click Next.






8. Click Next on the Stage 2 – Specifying Setup Parameters page.






     9. During the installation, you will be presented with a number of Security Warning dialog
        boxes asking if you want to install and run a number of applications. Select Yes for each
        one to download the applications and installation files so that they can be included in your
        Internet Explorer packages.






10. Click the Synchronize All button. A progress bar displays the download progress of
    Internet Explorer installation files.






     11. You will see a green checkmark next to each of the installation files that was successfully
         downloaded. Click Next.






12. Click Next on the Stage 4 – Customizing the Browser page.






     13. On the Connection Settings page, select the Import the current Connection Settings
         from this machine option. Then click the Modify Settings button to confirm or change
         the current Internet Proxy settings. The IEAK will copy these settings into the Internet
         Explorer package it creates. Click Next.






14. Click Next on the Wizard Complete page.






      15. Click Finish on the Wizard Complete page.




      16. You can then distribute the package to campus Internet Explorer clients based on the
          type of package you created. Typically, the users will access the installation from a Web
          server or installation share point, and then they run the IE6setup.exe file.

      Note:
      For more information on how to use the IEAK to create and distribute custom Internet
      Explorer packages, please review The Internet Explorer Administration Kit 6 Deployment
      Guide at http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/








Automating Installation of the Firewall Client
The Firewall client software can be installed on virtually any 32-bit version of Windows except the
initial release of Windows 95. There are a number of compelling reasons for installing the Firewall
client software on all machines that it supports:

•   The Firewall client allows you to create user/group based access controls for all TCP and
    UDP protocols. This is in contrast to the Web Proxy client configuration, which only supports
    HTTP, HTTPS and FTP.
•   The Firewall client has access to all TCP and UDP based protocols, including those requiring
    secondary connections. In contrast, the SecureNAT client does not support application
    protocols that require secondary connections unless there is an application filter to support it.
•   The Firewall client provides much better performance than the SecureNAT client.
•   The Firewall client sends application information to the ISA Server 2000 firewall service; this
    allows the Firewall service logs to collect application usage information.
•   The Firewall client sends user information to the Firewall service; this enables the ISA Server
    2000 firewall to control access based on user account and record user information in the
    Firewall service’s access logs. This information can be extracted and put into report form.

With these features, the Firewall client provides a level of functionality and access control that no
other firewall in its class can match. For this reason, we always recommend that you install the
Firewall client on any machine that supports the Firewall client software.

However, because the Firewall client configuration requires that the Firewall client software be
installed, many campus administrators are hesitant to adopt the full feature set provided by the
Firewall client. Many campus network administrators don’t have the time or the resources to
“touch” each authorized computer on the campus network in order to install the software.

The solution to this problem is to automate the installation of the Firewall client. There are two
methods that you can use, which require no additional software purchase, and which can greatly
simplify the installation on large numbers of computers on the campus network. These methods
are:

•   Group Policy based software installation and management
•   Silent installation script

In the following section, we will discuss these methods, as well as some key ISA Server client
configuration settings that you should make in the ISA Management console.

Configuring Firewall Client and Web Proxy Client Configuration
in the ISA Management Console
There are a few configuration options you should set for the Firewall client installation before you
configure Group Policy or a silent installation script to install the Firewall client software. These
settings determine autodiscovery behavior and how the Web browser is configured during
installation of the Firewall client.






Perform the following steps on the ISA Server 2000 firewall computer:

      1. In the ISA Management console, expand the Servers and Arrays node and then
         expand the server name. Click on the Client Configuration node and then double click
         on the Firewall Client entry in the right pane of the console.

         On the General tab of the Firewall Client Properties dialog box, select the DNS name
         option and enter the fully qualified domain name into the text box. Do not use the Browse
         button, as it will not enter the fully qualified domain name into the text box for you. Make
         sure that the DNS server your Firewall clients are configured to use on the internal
         network is able to resolve this name to the internal address of the ISA Server 2000
         firewall computer.

         Place a checkmark in the Enable ISA Firewall automatic discovery in Firewall Client
         checkbox. During installation of the Firewall client software, the client will be configured to
         use autodiscovery to find the ISA Server 2000 firewall machine. Note that this setting will
         have no effect after the Firewall client software is installed. You must select this option
         before the Firewall client software is installed.

         Click Apply and then click OK.






    2. Double click on the Web Browser entry in the right pane of the console. On the General
       tab, enter the fully qualified domain name in the DNS name text box. Note the port is set
       for 8080 and you cannot change it from this dialog box. This setting is derived from the
       port configuration for the Outgoing Web Requests listener, which can be configured
       from the server Properties dialog box.

        Put a checkmark in the Automatically discover settings checkbox. This will allow the
        Web browser to use autodiscovery to automatically configure itself.

        Put a checkmark in the Set Web browsers to use automatic configuration script
        checkbox and select the Use custom URL option. Change the server name in the text
        box to the fully qualified domain name of the ISA Server 2000 firewall computer.

        Click Apply and then click OK.




    3. Close the ISA Management console.

The settings above are enforced only during Firewall client installation. If you install the Firewall
client before making changes to these settings, they will not be enforced after the fact.

Group Policy Software Installation
You might not wish to install the Firewall client on all machines on campus. For example, domain
controllers and published servers should not be configured as Firewall clients. You can gain
granular control over Group Policy based software installation by creating an organizational unit
for Firewall clients and then configuring an OU group policy object to install the Firewall client only
on computers belonging to that OU.

Perform the following steps on the domain controller to create the OU and then configure
software installation and management to install the Firewall client on machines belonging to the
OU:

      1. Click Start and select the Administrative Tools menu. Click the Active Directory Users
         and Computers entry. Right click on your domain name and click Organizational Unit.






2. In the New Object – Organizational Unit dialog box, enter a name for the OU in the
   Name text box. In this example, we will call the OU FWCLIENTS. Click OK.






      3. Click on the Computers node in the left pane of the console. Right click your client
         computer and click the Move command.






4. In the Move dialog box, click the FWCLIENTS OU and click OK.






      5. Click on the FWCLIENTS OU. You should see the computer you moved into this OU.






6. Right click the FWCLIENTS OU and click the Properties command.






      7. Click the Group Policy tab in the FWCLIENTS dialog box. Click the New button to
         create a New Group Policy Object. Select the New Group Policy Object and click
         Edit.






8. Expand the Computer Configuration node and then expand the Software Settings
   node. Right click on Software installation, point to New and click Package.






      9. In the Open dialog box, type the path to the Firewall client’s Microsoft installer package
         (.msi file) in the File name text box. In this example, the path is:

          \\isa2\mspclnt\MS_FWC.MSI

          Where isa2 is the NetBIOS name of the ISA Server 2000 firewall computer, mspclnt is
          the name of the share on the ISA Server 2000 firewall computer that contains the Firewall
          client installation files and MS_FWC.MSI is the name of the Firewall client Microsoft
          installer package.

          Click Open after entering the path.






10. In the Deploy Software dialog box, select the Assigned option and click OK. Notice that
    you do not have the Published option when installing software using the Computer
    Configuration node. The software is installed before the user logs on. This is critical
    because only local administrators can install the Firewall client software if there is a
    logged on user. In contrast, you can assign software to machines without a logged on
    user.

    Click OK.






      11. The new managed software package appears in the right pane of the console. All
          machines in the OU will have the Firewall client software installed when they are
          restarted. You can also manage the Firewall client software from here.

      Note:
      For more details on how to take full advantage of Group Policy based software installation
      and maintenance, please see the Step-by-Step Guide to Software Installation and
      Maintenance at
      http://www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp




      12. Close the Group Policy Object Editor and the Active Directory Users and Computers
          console.






    13. When you restart the machines in the FWCLIENTS OU, you will see the log on dialog
        box provide information about how managed software is being installed on the Windows
        client operating system.




Silent Installation Script
Another useful method you can use to install the Firewall client software on those machines that
are not members of the domain is to use a silent installation script. This method is useful when
the logged on user is a member of the local administrators group.

Open Notepad, copy the following line into the new text document, and save the file as
“fwcinstall.cmd”:

msiexec /i \\ISA2\mspclnt\MS_FWC.msi /qn /l*v c:\mspclnt_i.log

The \\ISA2 entry is the computer name of the ISA Server 2000 firewall computer and will vary for
each installation location. The rest of the line can be used exactly as listed above. Users can then
go to a Web page, or click a link in an email message pointing them to this batch file. The process
is very simple and only requires the user to click the link to run the script. The installation is
completely transparent and the only thing the user will see is a momentary command prompt
window and the Firewall client icon in the system tray when the procedure is completed.
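
An expanded form of fwcinstall.cmd, added here as an example and not part of the original deployment kit: it runs the same msiexec line, then checks the exit code so that a failed silent install does not go unnoticed. It assumes cmd.exe on Windows 2000 or later; the script's own exit code 2 and the messages are choices made for this example.

```bat
@echo off
rem fwcinstall.cmd - added example, not from the original deployment kit.
rem ISA2, mspclnt, MS_FWC.msi and the log path are the values used in the text.
rem Assumption: cmd.exe on Windows 2000 or later (needed for "exit /b").
setlocal

set "MSI=\\ISA2\mspclnt\MS_FWC.msi"
set "LOG=c:\mspclnt_i.log"

rem Stop early if the share or the package cannot be reached.
if not exist "%MSI%" (
    echo Cannot reach %MSI%. Check the ISA Server name and the mspclnt share.
    exit /b 2
)

rem Same command line as in the text: silent install with a verbose log.
rem Inside a batch file, cmd.exe waits for msiexec to exit before continuing.
msiexec /i "%MSI%" /qn /l*v "%LOG%"
set "RC=%ERRORLEVEL%"

rem Windows Installer exit codes: 0 = success, 3010 = success, restart required.
if "%RC%"=="0" goto ok
if "%RC%"=="3010" goto reboot

rem Any other code is a failure; the verbose log holds the detail.
echo Firewall client installation failed with msiexec exit code %RC%.
echo See %LOG% for details.
exit /b %RC%

:reboot
echo Firewall client installed. Restart the computer to finish.
exit /b 0

:ok
echo Firewall client installed.
exit /b 0
```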







Summary
In this document we covered a number of methods you can use to automate the installation and
configuration of the Firewall and Web Proxy client. Automating configuration of these ISA Server
2000 clients allows machines to configure themselves without requiring the campus network
administrator to visit each machine and set it up for the campus user. Methods used to configure
the Firewall and Web Proxy clients include DHCP Option 252 and DNS wpad options. You also
learned that you can use Active Directory Group Policy and the Internet Explorer Administration
Kit to automate the installation and configuration of the Firewall and Web Proxy clients.



