Change ISA firewall client to use automatic discovery

Hello all -

Hopefully I am missing something and one of you can assist me here.

Here is the situation - single site with an ISA 2000 server.  That server is being replaced with an ISA 2004 server.  The ISA 2004 server has been configured and tested by a small group of users and it works just fine.  Now we want to kick over to the new box...and here is the problem:

All clients use the Firewall client set to "manually select ISA server" that points to the old ISA 2000 server.  We want to set the client to automatically detect the new ISA server but how do we do this?

I know I can use either DNS or DHCP to configure the firewall client, but I need to get the client on "automatically detect ISA Server" - how can I do this without hitting each client?

Thanks in advance.
Keith Alabaster (Enterprise Architect) commented:
Still working on this but having a problem with the ini file.
Keith Alabaster (Enterprise Architect) commented:

Open the gui.
Click configuration - networks
Double click on the local network to get into its properties.
Select firewall client.
Its in the middle.

dasmail2000 (Author) commented:
Keith -

That is set....but it does not change the setting on the firewall client on the PCs.  They are currently set to 'manual' and what you are referring to is the web proxy settings.

If you open the firewall client on a PC and look at the General Tab - there are two settings - "manually select ISA server" and "automatically detect ISA server".  All clients are currently on 'manually select' - I need that changed to 'automatically detect'.

That clear things up?
Keith Alabaster (Enterprise Architect) commented:
No, I am talking about the firewall client tab. Not the web proxy tab, not the web browser tab. This is on the ISA server. not the individual clients.

However, you are on 2004, not 2006 so you also need to click on the check box on the auto discovery tab in the same location, next to the firewall tab.

Are you running DNS or DHCP to pass out the wpad info?
If dhcp, open the dhcp manager.
expand your server,
then right-click the server name.
click predefined options
Click add.
Call it WPAD
choose STRING and in the code box, add 252
In the Value area, in the string box, type in http://the_isa_server_name:80/wpad.dat

In your dhcp scope(s), add option 252 to it.

If you are doing it from DNS,

Open your DNS manager
go into your forward lookup zones
open your local domain dns zone
create a new alias (cname) record
In the alias box, type WPAD
In the FQDN, put the full FQDN of the ISA server

You may need to do a dhcp or dns refresh on the client.
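The DHCP and DNS steps above can be scripted rather than clicked through. The following is an added example, not code from the thread or from Microsoft; it assumes the DhcpServer and DnsServer PowerShell modules (Windows Server 2012 or later, so not the 2003-era consoles Keith is describing), and the names isa.example.com, example.com and scope 10.0.0.0 are placeholders for your own environment. It also includes a check that a practitioner would want on newer DNS servers, where "wpad" sits on the global query block list by default and the CNAME is silently never answered.

```powershell
# Added example (not from the thread): publish the WPAD pointer via DHCP option 252
# and a DNS CNAME, then verify what a client would see. Requires the DhcpServer and
# DnsServer modules (Windows Server 2012+). All names below are placeholders.
$IsaFqdn   = 'isa.example.com'   # FQDN of the ISA server (assumption)
$DnsZone   = 'example.com'       # internal forward lookup zone (assumption)
$DhcpScope = '10.0.0.0'          # scope that should receive option 252 (assumption)
$WpadUrl   = "http://${IsaFqdn}:80/wpad.dat"   # same shape as the URL Keith gives

# --- DHCP: define predefined option 252 (WPAD, type String) once, then set it on the scope ---
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -Name 'WPAD' -OptionId 252 -Type String `
        -Description 'Web Proxy Auto-Discovery URL'
}
Set-DhcpServerv4OptionValue -ScopeId $DhcpScope -OptionId 252 -Value $WpadUrl

# --- DNS: alias "wpad" in the local zone pointing at the ISA server's FQDN ---
$existing = Get-DnsServerResourceRecord -ZoneName $DnsZone -Name 'wpad' -RRType CName `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $DnsZone -Name 'wpad' -HostNameAlias $IsaFqdn
}

# Caveat for Windows Server 2008 and later DNS: "wpad" is in the global query block
# list by default, so the CNAME above is not answered until it is removed from that list.
$block = Get-DnsServerGlobalQueryBlockList
if ($block.Enable -and ($block.List -contains 'wpad')) {
    Write-Warning ("'wpad' is on the DNS global query block list; clients cannot resolve " +
        "wpad.$DnsZone until it is removed with Set-DnsServerGlobalQueryBlockList.")
}

# --- Verification: confirm the only WPAD source being advertised is the intended ISA server ---
Get-DhcpServerv4OptionValue -ScopeId $DhcpScope -OptionId 252
Resolve-DnsName "wpad.$DnsZone" -Type CNAME
Invoke-WebRequest -Uri "http://wpad.$DnsZone/wpad.dat" -UseBasicParsing | Select-Object StatusCode
```

Run it on a DHCP/DNS server (or with -ComputerName added to each cmdlet) from an elevated prompt. The verification block only proves the server side is publishing the right pointer; as the rest of the thread shows, a Firewall Client still set to "manually select ISA server" never asks for it, so that per-client setting has to change as well.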
dasmail2000 (Author) commented:
OK...we aren't connecting here....

I know what you are referring to....that is all cool.  And I am using DNS for WPAD info.

The problem is the following -

On the client, if the firewall client is set to auto detect, then all is cool.

However, I have over 200 clients which were originally set for manual detect (and still are set for manual detect).  They were manually set to use the old ISA 2000 server (when it was originally deployed).  If I go to the client PC and change the setting on the firewall client to auto detect, then they do see the new ISA 2004 server and it works great.

But I do not want to have to physically go to all 218 clients to change the firewall client to auto detect - is there any way to reconfigure the clients to auto from manual?

(I did also deploy wpad with DHCP hoping that would work....but as long as the firewall client was set to "manually select" it would only use the ISA 2000 server and not get the new settings.  If I changed it to auto detect then all is cool.  But again, that was a visit to the PC - that's what I want to avoid if possible.)
Keith Alabaster (Enterprise Architect) commented:
Penny drops.

First thing is that you are going to have to redeploy anyway as the ISA2000 client is not ratified with isa2004. The client is slightly different and the 2000 ISA client needs removing and the new one installing. It works, but it can cause problems. I am told (but not seen myself) that there are some additional registry entries for the 2004 client also. It is possible that this may be why it is not autodetecting the 2004 server?

(Reference: MCSA/MCSE Internet Security & Acceleration Server 2004 - Training Kit by MS Press)

dasmail2000 (Author) commented:
Well - I hear you about updating the client to the new one...and that is in the works.

However, for testing I have some clients using the new 2004 client set to 'manual select' pointing to the ISA 2000 server.  It works fine but I have to manually change it to autodetect in order for it to 'see' the new ISA 2004 server.

This same behavior is exhibited by the older 2000 firewall clients.

Any other thoughts?
Keith Alabaster (Enterprise Architect) commented:
Do you have access to group policies?
dasmail2000 (Author) commented:
Sure - but I do not know of a GPO that can change this.

If you do - hit me with it!

Keith Alabaster (Enterprise Architect) commented:
Morning. OK, so you are making me work......

I'll see what I can find.
dasmail2000 (Author) commented:

Yup...and is it just me or do you also hear the Jeopardy theme song in the background?  ;)

Thanks for your efforts - I failed to find anything that would do it but I am hoping you'll find something I missed.

Keith Alabaster (Enterprise Architect) commented:
OK, just got home from work so will get back on it.

There are a couple of items here though:

1. The optimal solution is to remove the isa2000 client and to install the isa2004 client via GPO. As long as the settings are in place in the shared isa client directory, the settings should get pulled off as part of the install with Automatic already checked.

2. Another option may be to issue an alternative .ini file via the login script.

3. I am also talking to one of the guys in the MS scripts area to see if something can be done.

I am sure we will come up with something :)
dasmail2000 (Author) commented:
Thanks....but don't kill yourself.

We are thinking of just doing it manually at this point - we have come up with some other reasons to hit the boxes as well.

Out of curiosity, I'd love to see what you do come up with though.

You've been helpful and I appreciate it.


Keith Alabaster (Enterprise Architect) commented:
That's kind of you, thanks. I've added this call to my bookmarks so I don't lose it.
