Solved

Change ISA firewall client to use automatic discovery

Posted on 2006-05-31
Medium Priority
548 Views
Last Modified: 2013-11-16
Hello all -

Hopefully I am missing something and one of you can assist me here.

Here is the situation - single site with an ISA 2000 server.  That server is being replaced with an ISA 2004 server.  The ISA 2004 server has been configured and tested by a small group of users and it works just fine.  Now we want to kick over to the new box...and here is the problem:

All clients use the Firewall client set to "manually select ISA server" that points to the old ISA 2000 server.  We want to set the client to automatically detect the new ISA server but how do we do this?

I know I can use either DNS or DHCP to configure the firewall client, but I need to get the client on "automatically detect ISA Server" - how can I do this without hitting each client?

Thanks in advance.
Question by:dasmail2000
14 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16801552
Sure.

Open the gui.
Click configuration - networks
Double click on the local network to get into its properties.
Select firewall client.
Its in the middle.

Regards

keith
ISA MCT

0
 
LVL 1

Author Comment

by:dasmail2000
ID: 16801659
Keith -

That is set....but it does not change the setting on the firewall client on the PCs.  They are currently set to 'manual' and what you are referring to is the web proxy settings.

If you open the firewall client on a PC and look at the General Tab - there are two settings - "manually select ISA server" and "automatically detect ISA server".  All clients are currently on 'manually select' - I need that changed to 'automatically detect'.

That clear things up?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16801804
No, I am talking about the firewall client tab. Not the web proxy tab, not the web browser tab. This is on the ISA server, not the individual clients.

However, you are on 2004, not 2006 so you also need to click on the check box on the auto discovery tab in the same location, next to the firewall tab.

Are you running DNS or DHCP to pass out the WPAD info?
If DHCP, open the DHCP manager.
Expand your server,
then right-click the server name.
Click predefined options.
Click add.
Call it WPAD.
Choose STRING and in the code box, add 252.
In the Value area, in the string box, type in http://the_isa_server_name:80/wpad.dat

In your DHCP scope(s), add option 252 to it.

If you are doing it from DNS,

Open your DNS manager.
Go into your forward lookup zones.
Open your local domain DNS zone.
Create a new alias (CNAME) record.
In the alias box, type WPAD.
In the FQDN, put the full FQDN of the ISA server.

You may need to do a DHCP or DNS refresh on the client.
0
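
Added example, not part of the original thread: once option 252 is in the scope, it is worth confirming that the WPAD URL clients actually receive is the intended ISA server and not some other responder on the segment. This Python check parses the options field of a captured DHCP reply, extracts option 252 and compares it with the expected server. The host name isa2004.example.local and both sample option fields are constructed assumptions.

```python
from urllib.parse import urlsplit

DHCP_MAGIC = bytes([0x63, 0x82, 0x53, 0x63])
OPT_PAD, OPT_END, OPT_WPAD = 0, 255, 252

def parse_dhcp_options(field: bytes) -> dict:
    """Parse a DHCP options field: magic cookie, then code/length/value items."""
    if field[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate (RFC 3396)
        i += 2 + length
    return opts

def check_wpad(field: bytes, expected_host: str) -> list:
    """Return the problems found with option 252; an empty list means it matches."""
    raw = parse_dhcp_options(field).get(OPT_WPAD)
    if raw is None:
        return ["option 252 not present"]
    url = urlsplit(raw.rstrip(b"\x00").decode("ascii", "replace"))  # some servers append NUL
    problems = []
    if url.scheme != "http":
        problems.append(f"unexpected scheme {url.scheme!r}")
    if (url.hostname or "").lower() != expected_host.lower():
        problems.append(f"host {url.hostname!r} is not {expected_host!r}")
    if (url.port or 80) != 80:
        problems.append(f"port {url.port} is not 80")
    if url.path.lower() != "/wpad.dat":
        problems.append(f"path {url.path!r} is not /wpad.dat")
    return problems

# Constructed samples: DHCPACK (option 53 = 5) carrying option 252; host names are hypothetical.
def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value
GOOD = DHCP_MAGIC + _opt(53, b"\x05") + _opt(252, b"http://isa2004.example.local:80/wpad.dat\x00") + b"\xff"
ROGUE = DHCP_MAGIC + _opt(53, b"\x05") + _opt(252, b"http://10.0.0.66:8080/wpad.dat") + b"\xff"
```

The options field can be taken from any packet capture of the client's lease exchange; a non-empty result for a reply on the production segment means some server is advertising a different proxy configuration URL.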

 
LVL 1

Author Comment

by:dasmail2000
ID: 16802285
OK...we aren't connecting here....

I know what you are referring to....that is all cool.  And I am using DNS for WPAD info.

The problem is the following -

On the client, if the firewall client is set to auto detect, then all is cool.

However, I have over 200 clients which were originally set for manual detect (and still are set for manual detect).  They were manually set to use the old ISA 2000 server (when it was originally deployed).  If I go to the client PC and change the setting on the firewall client to auto detect, then they do see the new ISA 2004 server and it works great.  

But I do not want to have to physically go to all 218 clients to change the firewall client to auto detect - is there any way to reconfigure the clients to auto from manual?

(I did also deploy wpad with DHCP hoping that would work....but as long as the firewall client was set to "manually select" it would only use the ISA 2000 server and not get the new settings.  If I changed it to auto detect then all is cool.  But again, that was a visit to the PC - that's what I want to avoid if possible.)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16802374
Penny drops.

First thing is that you are going to have to redeploy anyway as the ISA2000 client is not ratified with isa2004. The client is slightly different and the 2000 ISA client needs removing and the new one installing. It works, but it can cause problems. I am told (but not seen myself) that there are some additional registry entries for the 2004 client also. It is possible that this may be why it is not autodetecting the 2004 server?

(Reference: MCSA/MCSE Internet Security & Acceleration Server 2004 - Training Kit by MS Press)




0
 
LVL 1

Author Comment

by:dasmail2000
ID: 16802417
Well - I hear you about updating the client to the new one...and that is in the works.

However, for testing I have some clients using the new 2004 client set to 'manual select' pointing to the ISA 2000 server.  It works fine but I have to manually change it to autodetect in order for it to 'see' the new ISA 2004 server.

This same behavior is exhibited by the older 2000 firewall clients.

Any other thoughts?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16802426
Do you have access to group policies?
0
 
LVL 1

Author Comment

by:dasmail2000
ID: 16802439
Sure - but I do not know of a GPO that can change this.

If you do - hit me with it!

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16804763
Morning. OK, so you are making me work......


I'll see what I can find.
0
 
LVL 1

Author Comment

by:dasmail2000
ID: 16805821
LOL

Yup...and is it just me or do you also hear the Jeopardy theme song in the background?  ;)

Thanks for your efforts - I failed to find anything that would do it but I am hoping you'll find something I missed.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16808384
OK, just got home from work so will get back on it.

There are a couple of items here though:

1. The optimal solution is to remove the isa2000 client and to install the isa2004 client via GPO. As long as the settings are in place in the shared isa client directory, the settings should get pulled off as part of the install with Automatic already checked.

2. Another option may be to issue an alternative .ini file via the login script.

3. I am also talking to one of the guys in the MS scripts area to see if something can be done.

I am sure we will come up with something :)
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 16832548
Still working on this but having a problem with the ini file.
0
 
LVL 1

Author Comment

by:dasmail2000
ID: 16834340
Thanks....but don't kill yourself.

We are thinking of just doing it manually at this point - we have come up with some other reasons to hit the boxes as well.

Out of curiosity, I'd love to see what you do come up with though.

You've been helpful and I appreciate it.

Thanks!

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16834363
That's kind of you, thanks. I've added this call to my bookmarks so I don't lose it.

Regards
keith
0


Question has a verified solution.
