Automating ISA Server 2000 Client Configuration

Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit
Chapter 5
Automating ISA Server 2000 Web Proxy and Firewall Client Installation and Configuration
Dr. Thomas W. Shinder
Debra L. Shinder
January 2004
ISA Server 2000 in Education Deployment Kit
Chapter 5: Automating the Firewall and Web Proxy Client Installation and Configuration
Table of Contents
Scenarios Layout
Automating ISA Server 2000 Web Proxy and Firewall Client Configuration
  Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
    Install the DHCP Server
    Create the DHCP scope
    Create the DHCP 252 Scope Option and Add it to the Scope
    Configure the client as a DHCP client
    Configure the Client Browser to Use Autodiscovery
    Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information
    Making the Connection
  Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
    Create the wpad Entry in DNS
    Configure the Client to Use the Fully Qualified wpad Alias
    Configure the client browser to use autodiscovery
    Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information
    Making the connection
  Automating Web Proxy Client Configuration with Group Policy
  Automating Web Proxy Client Configuration with the Internet Explorer Administration Kit (IEAK 6.0 SP1)
Automating Installation of the Firewall Client
  Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console
  Group Policy Software Installation
  Silent Installation Script
Summary
An important aspect of deploying ISA Server 2000 as a firewall and Web acceleration solution on
the campus network is selecting, installing and configuring the clients to go through the ISA
Server for Internet access. An ISA Server 2000 client is any machine that accesses the Internet
via the ISA Server 2000 firewall or Web Proxy server.
ISA Server 2000 supports three client types. The type of client determines what protocols are
supported, and the operating system used on the client machine dictates which client(s) can be
used. The three ISA Server 2000 client types are:

• The SecureNAT client
SecureNAT clients are configured with a default gateway that routes Internet-bound
requests through the ISA Server 2000 firewall or Web Proxy server. The SecureNAT client
does not require software installation or configuration, and any operating system that
uses TCP/IP can be a SecureNAT client. No client software is required, but some
network configuration changes must be made. Although the SecureNAT client provides a
certain level of transparency of client configuration, its drawback is that it provides the
lowest level of security and performance of the three client types. The SecureNAT client
configuration should typically be reserved for non-Microsoft operating systems and the
rare occasions when client browsers do not support the Web Proxy client configuration.

• The Web Proxy client
Web Proxy client computers are machines with Web browsers that support the use of a
Web Proxy server. Any operating system can be used as long as a browser that meets
this criterion is installed. Almost all modern browsers support this configuration. The
advantage of the Web Proxy client configuration is that it does not require additional
software installation and only requires that the browser be configured to use the Web
Proxy server. In addition, the Web Proxy client can benefit from the Web Proxy cache
and direct communications with the Web Proxy service. In contrast to the SecureNAT
client, which does not support user/group based authentication, access to the Internet for
Web Proxy clients can be controlled on a per user/per group basis. The Web Proxy client
supports the HTTP, HTTPS, FTP and Gopher protocols.

• The Firewall client
Firewall client computers have the Microsoft Firewall client software installed on them.
The Firewall client supports almost all Microsoft 32-bit operating systems, with the
exception of the original release of Windows 95. Non-Microsoft operating systems cannot
use the Firewall client. The Firewall client is unique in that it provides user/group based
access control to all TCP and UDP protocols and sends application information to the
Firewall service on the ISA Server 2000 firewall. This enables the Firewall service logs to
track which users used which application to access a particular site. This information can
be extracted from the Firewall service logs and incorporated into reports to provide
detailed information on campus Internet usage. In addition, the Firewall client supports
complex protocols that require secondary connections. In contrast, the SecureNAT client
does not support complex protocols that require secondary connections without the aid of
an application filter.
Note:
For more information on the various ISA Server 2000 client types, please see the ISA Server
2000 Help on this topic at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/isa/isafp1/isasct.asp
Which client type is the best choice for the educational environment? The Web Proxy and
Firewall client configurations provide a higher level of security and performance than that
obtained via the SecureNAT client configuration. However, these more secure configurations are
often avoided because busy campus administrators cannot visit each machine on the educational
institution’s network to install the software or configure the browsers. For this reason, many
administrators prefer to use the SecureNAT configuration at the expense of performance and
security.
However, there is a solution to this problem that allows you to deploy a more secure client
solution without spending an inordinate amount of time on the task. You can automate the
configuration of the Web browser and the installation and configuration of the Firewall client. The
busy campus administrator does not need to “touch” each machine on the educational institution’s
network when these processes are automated. Automated installation and configuration is the
most efficient way to deploy the ISA Firewall and Web Proxy client types on a large institution’s
network.
Note that a Firewall client or SecureNAT client can also be a Web Proxy client. In this case,
the Web Proxy service handles the HTTP, HTTPS, FTP and Gopher traffic, while other protocols
are handled by the Firewall client or SecureNAT.
In this document, we will cover the following topics:
• Automating ISA Server 2000 Web Proxy and Firewall Client Configuration
• Automating Installation of the Firewall Client
When the installation of the Firewall client and the configuration of the Web Proxy and Firewall
clients are automated, almost all machines on the campus network will be able to benefit from the
superior performance and security provided by the Firewall and Web Proxy client configurations.
Scenarios Layout
The scenarios in this document are based on the lab configuration illustrated in the figure below:
[Figure: lab network diagram. ISA2 (Windows 2003, ISA Server 2000; Protocol Rule: All Open;
Default Site/Content Rule) with a public interface (IP/SM: Public, DNS: None) and an internal
interface (IP/SM: 10.0.2.1, DNS: 10.0.2.2); CLIENT2A (Windows 2000 Server); CLIENT2
(Windows 2003, Domain Controller, DHCP Server, DNS Server; IP/SM: 10.0.2.2/24,
DNS: 10.0.2.2, GW: 10.0.2.1).]
CLIENT2A is the machine that will be configured as the Web Proxy and Firewall client computer.
Its IP settings will be obtained via DHCP when testing autoconfiguration via DHCP, and it will be
assigned a valid address on network ID 10.0.2.0/24 when testing autoconfiguration via DNS. No
default gateway is configured, so only the Web Proxy and Firewall client configurations are
active. The operating system is Windows 2000.
CLIENT2 is a Windows Server 2003 machine configured as a domain controller in the
msfirewall.org domain. The machine is a DNS server and the DNS server is able to resolve
Internet host names. A DHCP server will be installed on this machine so that we can test
assigning autodiscovery information via DHCP. It has the following IP addressing information:
IP address: 10.0.2.2
Subnet mask: 255.255.255.0
DNS address: 10.0.2.2
Default Gateway: 10.0.2.1
ISA2 is a Windows Server 2003 machine with ISA Server 2000 installed on it. An “all open”
Protocol Rule that allows access to all IP addresses is configured, and the default Site and
Content Rule, which allows access to all sites and content, is enabled.
Automating ISA Server 2000 Web Proxy and Firewall Client Configuration
There are several methods available for automating the Web Proxy and Firewall client
configurations. These include:
• Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
• Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
• Automating Web Proxy Client Configuration with Group Policy
• Automating Web Proxy Client Configuration with Internet Explorer Administration Kit (IEAK)
The following sections discuss how to automate the configuration of Web Proxy and Firewall
clients using the Web Proxy AutoDiscovery (WPAD) protocol, Active Directory Group Policy and
the Internet Explorer Administration Kit.
Note:
For more information about the WPAD protocol, please see the ISA Server 2000 Help file
information at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/CMT_AutoDetect.asp
Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
DHCP clients can obtain autoconfiguration information from the ISA Server 2000 firewall
computer by using DHCP Inform messages. The Firewall client and Web browser software can
issue DHCP Inform messages to query a DHCP server for the address of a machine containing
the autoconfiguration information. The DHCP server returns the address of the machine
containing the autoconfiguration information and then the Firewall client or Web browser software
requests autoconfiguration from the addresses returned by the DHCP server.
The DHCP server uses a special DHCP option to provide this information.
In this section on configuring Web Proxy and Firewall clients to use DHCP to obtain
autoconfiguration information via WPAD, we will discuss the following steps:
• Installing the DHCP Server
• Creating the DHCP scope
• Creating the DHCP 252 scope option
• Configuring the client as a DHCP client
• Configuring the client browser to use autodiscovery
• Configuring the ISA Server 2000 firewall to publish autodiscovery information
• Making the connection
Install the DHCP Server
The first step is to install the DHCP server. In this example, we will use a Windows Server 2003
DHCP server, but you can create the DHCP option on a Windows 2000 DHCP server if required.
Perform the following steps on the domain controller computer to install the DHCP server service:
1. Click Start, select All Programs and then Control Panel. Click on Add or Remove
Programs.
2. In the Add or Remove Programs window, click on the Add/Remove Windows
Components button.
3. In the Windows Components dialog box, click on the Networking Services entry in the
Components list, then click the Details button.
4. In the Networking Services dialog box, put a checkmark in the Dynamic Host
Configuration Protocol (DHCP) checkbox and click OK.
5. Click Next in the Windows Components dialog box.
6. Click Finish on the Completing the Windows Components Wizard page.
7. Close the Add or Remove Programs window.
Now that the DHCP Server service is installed on the domain controller for the domain, the next
step is to create a DHCP scope.
Create the DHCP scope
A DHCP scope is a collection of IP addresses that the DHCP server can assign to DHCP
clients on the network. In addition, a DHCP scope can include additional TCP/IP settings to be
assigned to clients, which are referred to as DHCP options. DHCP options can assign various
TCP/IP settings such as a DNS server address, WINS server address, and primary domain name
to DHCP clients.
Perform the following steps on the DHCP server to enable the DHCP server and create the
DHCP scope:
1. Click Start and then select Administrative Tools. Click DHCP.
2. In the DHCP console, right click on your server name in the left pane of the console. Click
on the Authorize command.
3. Click the Refresh button in the button bar of the console. You will notice that the icon to
the left of the server name changes from a red, down pointing arrow to a green, up
pointing arrow.
Right click the server name in the left pane of the console again and click the New Scope
command.
4. Click Next on the Welcome to the New Scope Wizard page.
5. Enter a name for the scope on the Scope Name page. This name is descriptive only and
does not affect the functionality of the scope. You can also enter a Description in the
description box if you wish. Click Next.
6. Enter a range of IP addresses that can be assigned to DHCP clients on the IP Address
Range page. Enter the first address in the range into the Start IP address range text box
and the last IP address in the range in the End IP address text box. Enter the subnet
mask for your IP address range in the Subnet mask text box.
In our current example, the internal network is on network ID 10.0.2.0/24. We do not want
to assign all the IP addresses on the network ID to the DHCP scope, just a selection of
them. So in this example, we enter 10.0.2.100 as the Start IP address and 10.0.2.150 as
the end IP address and use a 24 bit subnet mask.
Note that on production networks, it is often better to assign the entire network ID to the
IP address range used in the scope. You can then create exceptions for hosts on the
network that have statically assigned IP addresses that are contained in the scope. This
allows you to centrally manage IP address assignment and configuration using DHCP.
Click Next.
7. Do not enter any exclusions in the Add Exclusions dialog box. Click Next.
8. Accept the default settings on the Lease Duration page (8 days, 0 hours and 0 minutes)
and click Next.
9. On the Configure DHCP Options page, select the Yes, I want to configure these
options now option and click Next.
10. Do not enter anything on the Router (Default Gateway) page. Note that if we were using
SecureNAT clients on the network, we would enter the IP address of the internal interface
of the ISA Server 2000 firewall on this page. However, with the current scenario, we want
to explicitly test only the Web Proxy and Firewall client configurations.
Click Next.
11. On the Domain Name and DNS Servers page, enter the primary domain name you want
to assign to DHCP clients and the DNS server address you want the DHCP clients to
use.
The primary domain name is a critical setting for your Firewall and Web Proxy clients. In
order for autodiscovery to work correctly for Firewall and Web Proxy clients, these clients
must be able to correctly fully qualify the unqualified name wpad. We will discuss this
issue in more detail later in this document. In this example, we enter msfirewall.org in the
Parent domain text box. This will assign the DHCP clients the primary domain name
msfirewall.org, which will be appended to unqualified names.
Enter the IP address of the DNS server in the IP address text box. In this example, the
IP address of the DNS server is 10.0.2.2. Click Add after entering the IP address.
Click Next.
12. Do not enter a WINS server address on the WINS Servers page. In this example, we do
not use a WINS server. However, WINS servers are very useful in VPN server
environments if you wish your VPN clients to be able to browse the campus network
using the My Network Places or Network Neighborhood application.
Click Next.
13. On the Activate Scope page, select the Yes, I want to activate this scope now option
and click Next.
14. Click Finish on the Completing the New Scope Wizard page.
15. In the right pane of the DHCP console, you see the two DHCP options you created in the
Wizard.
The next step is to create a custom DHCP option that will allow DHCP clients to autodiscover
Web Proxy and Firewall client settings.
Create the DHCP 252 Scope Option and Add it to the Scope
The DHCP scope option number 252 can be used to automatically configure Web Proxy and
Firewall clients. The Web Proxy or Firewall client must be configured as a DHCP client, and the
logged on user must be a member of the local administrators group or Power users group (for
Windows 2000). On Windows XP systems, the Network Configuration Operators group also has
permission to issue DHCP queries (DHCPINFORM messages).
Note:
For more information about the limitations of using DHCP for autodiscovery for Internet
Explorer 6.0, please see KB article Automatic Proxy Discovery in Internet Explorer with
DHCP Requires Specific Permissions at
http://support.microsoft.com/default.aspx?scid=kb;en-us;312864
Perform the following steps at the DHCP server to create the custom DHCP option:
1. Open the DHCP console from the Administrative Tools menu and right click your server
name in the left pane of the console. Click the Set Predefined Options command.
2. In the Predefined Options and Values dialog box, click the Add button.
3. In the Option Type dialog box, enter the following information:
Name: wpad
Data type: String
Code: 252
Description: wpad entry
Click OK.
4. In the Value frame, enter the URL to the ISA Server 2000 firewall in the String text box.
The format for this value is:
http://ISAServername:AutodiscoveryPortNumber/wpad.dat
The default autodiscovery port number is TCP 80. You can customize this value in the
ISA Management console. We will cover this subject in more detail later in this
document.
In the current example, enter the following into the String text box:
http://isa2.msfirewall.org:80/wpad.dat
Make sure to enter wpad.dat in all lower case letters. For more information on this
problem, please refer to KB article "Automatically Detect Settings" Does Not Work if
You Configure DHCP Option 252 at
http://support.microsoft.com/default.aspx?scid=kb;en-us;307502
Click OK.
5. Right click the Scope Options node in the left pane of the console and click the
Configure Options command.
6. In the Scope Options dialog box, scroll through the list of Available Options and put a
checkmark in the 252 wpad checkbox. Click Apply and then click OK.
7. The 252 wpad entry now appears in the right pane of the console under the list of Scope
Options.
8. Close the DHCP console.
The next step is to configure the client computer as a DHCP client.
Configure the client as a DHCP client
In order to use DHCP to obtain autodiscovery information for Web Proxy and Firewall clients, the
client computer must be configured as a DHCP client. Perform the following steps on the client
machine to configure it as a DHCP client.
Note:
In this example, we configure a Windows 2000 machine as a DHCP client. The procedure
varies a bit with each client operating system. All Windows TCP/IP operating systems use
DHCP as the default IP address configuration.
1. Right click the My Network Places icon on the desktop and click the Properties
command.
2. Right click the Local Area Connection entry in the Network and Dial-up Connections
window and click the Properties command.
3. In the Local Area Connection Properties dialog box, click the Internet Protocol
(TCP/IP) entry and click the Properties button.
4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Obtain an IP
address automatically and Obtain DNS server address automatically options.
Click OK.
5. Click OK in the Local Area Connection Properties dialog box.
6. Close the Network and Dial-up Connections window.
The next step is to configure the browser to use autodiscovery to automatically discover its Web
Proxy client settings.
Configure the Client Browser to Use Autodiscovery
The browser must be configured to use autodiscovery before it can use the DHCP server option
252 to automatically configure itself. This is the default setting for Internet Explorer 6.0, but the
default setting may have been changed at some time during the life of the browser on a particular
machine. In the following example, we manually configure the browser to use autodiscovery to
autoconfigure itself. We will discuss methods you can use to automatically set this option later in
this document.
Perform the following steps on the Web Proxy client computer:
1. Right click on the Internet Explorer icon on the desktop and click Properties.
2. In the Internet Properties dialog box, click the Connections tab. Click the LAN
Settings button.
3. In the Local Area Network (LAN) Settings dialog box, put a checkmark in the
Automatically detect settings checkbox. Click OK.
4. Click OK in the Internet Properties dialog box.
The next step is to configure the ISA Server 2000 firewall to publish autodiscovery information.
Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information
All the settings required for the Web browser to configure itself are contained on the ISA Server
2000 firewall computer. By default, publishing of autodiscovery information is disabled. You can
enable it on the ISA Server 2000 firewall computer so that the Web Proxy client can obtain
autoconfiguration settings.
Perform the following steps at the ISA Server 2000 firewall to enable publishing of autodiscovery
information for Web Proxy and Firewall clients:
1. Open the ISA Management console, expand the Servers and Arrays node and then
right click on the server name. Click the Properties command.
2. In the server Properties dialog box, click the Auto Discovery tab. Put a checkmark in
the Publish automatic discovery information checkbox. Note that the default port
number for publishing automatic discovery information is TCP port 80. This is the port
number we configured in the DHCP option 252 setting. If you need to change this port
number, make sure that you also change the port number used in the DHCP 252 setting.
Click Apply.
3. Select the Save the changes and restart the service(s) option in the ISA Server
Warning dialog box. Click OK.
4. Click OK in the server Properties dialog box.
5. Close the ISA Management console.
Making the Connection
All the components are now in place for the Web browser to automatically connect to the ISA
Server 2000 firewall’s Web Proxy service using autodiscovery.
Perform the following steps on the Web Proxy client computer:
1. Open Internet Explorer and enter the URL for the Microsoft ISA Server site at
www.microsoft.com/isaserver
2. A Network Monitor trace shows the DHCP Inform messages sent by the Web Proxy
client. The Web Proxy client uses the DHCP Inform messages to obtain the
autodiscovery address contained in the DHCP option 252 entry.
3. In this frame, you can see the ACK response to the Web Proxy client’s DHCP Inform
message. In the bottom pane of the Network Monitor console, you can see that the
DHCP server has returned the address you configured in the DHCP option 252 entry.
4. After the Web Proxy client receives the address of the ISA Server 2000 containing the
autodiscovery settings, the next step is for it to resolve the name of the ISA Server 2000
firewall to its internal IP address. Name resolution is critical for multiple aspects of ISA
Server 2000 functioning and this is another example of this fact. You can see in the
Network Monitor that the Web Proxy client has issued a query for isa2.msfirewall.org,
which was the URL contained in the DHCP 252 option.
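The option 252 lookup traced in steps 2 through 4 can be reproduced offline with a small parser. This is an added Python example, not part of the deployment kit: the captured bytes and the full URL are constructed, and the function names are hypothetical.

```python
# Added example (not from the deployment kit): read option 252 out of a DHCPACK.
from urllib.parse import urlsplit

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])  # marks the start of DHCP options
OPT_PAD, OPT_END = 0, 255
OPT_DOMAIN_NAME, OPT_MSG_TYPE, OPT_WPAD = 15, 53, 252
DHCPACK = 5


def parse_options(field):
    """Decode the code/length/value options that follow the magic cookie."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie missing")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("option %d has no length byte" % code)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        # A long value may be split over repeated options; join the pieces.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def autodiscovery_target(field):
    """Return (url, host, port) from option 252 of a DHCPACK, else None."""
    options = parse_options(field)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    raw = options.get(OPT_WPAD)
    if raw is None:
        return None
    url = raw.rstrip(b"\x00").decode("ascii")   # tolerate a trailing NUL
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("option 252 is not an http URL: %r" % url)
    return url, parts.hostname, parts.port or 80


def tlv(code, value):
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value


# Constructed sample: options field of the ACK that answers a DHCP Inform.
SAMPLE_ACK_OPTIONS = (
    MAGIC_COOKIE
    + tlv(OPT_MSG_TYPE, bytes([DHCPACK]))
    + tlv(OPT_DOMAIN_NAME, b"msfirewall.org")
    + tlv(OPT_WPAD, b"http://isa2.msfirewall.org:80/wpad.dat")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    url, host, port = autodiscovery_target(SAMPLE_ACK_OPTIONS)
    print("option 252 URL :", url)
    print("name to resolve:", host, "port", port)
```

The host returned here is the name the client then sends to DNS, which is why the query for isa2.msfirewall.org follows the ACK in the trace.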
Configuring DNS Servers to Support Web Proxy and Firewall
Client Autodiscovery
Another method that can be used to deliver autodiscovery information to Web Proxy and Firewall
clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this
information to automatically configure themselves. This is in contrast to the situation we saw with
the DHCP method, where the logged on user needed to be a member of a specific group in the
Windows operating system.
Name resolution is a pivotal component to making this method of Web Proxy and Firewall client
autodiscovery work correctly. In this case, the client operating system must be able to correctly
fully qualify the name wpad. The reason for this is that the Web Proxy and Firewall client only
knows that it needs to resolve the name wpad; it does not know what specific domain name it
should append to the query to resolve the name wpad. We will cover this issue in detail later in
this document.
Note:
In contrast to the DHCP method of assigning autodiscovery information to Web Proxy and
Firewall clients, you do not have the option to use a custom port number to publish
autodiscovery information when using the DNS method. You must publish autodiscovery
information on TCP 80 when using the DNS method.
We will detail the following steps to enable DNS to provide autodiscovery information to Web
Proxy and Firewall clients:
• Creating the wpad entry in DNS
• Configuring the client to use the fully qualified wpad alias
• Configuring the client browser to use autodiscovery
• Making the connection
Create the wpad Entry in DNS
The first step is to create a wpad alias entry in DNS. This alias points to a Host (A) record for the
ISA Server 2000 firewall, which resolves the name of the ISA Server 2000 firewall to the internal
IP address of the firewall. This Host (A) record must be created before you create the CNAME
alias entry. If you enable automatic registration in DNS, the ISA Server 2000 firewall’s entry will
already be entered into DNS. If you have not enabled automatic registration, you will need to
create the Host (A) record for the ISA Server 2000 firewall manually. In the following example, the
ISA Server 2000 firewall has automatically registered itself with DNS.
Perform the following steps on the DNS server on the domain controller on the internal network:
1. Click Start and select Administrative Tools. Click the DNS entry. In the DNS
management console, right click on the forward lookup zone for your domain and click
the New Alias (CNAME) command.
2. In the New Resource Record dialog box, enter wpad in the Alias name (uses parent
domain if left blank) text box. Click the Browse button.
3. In the Browse dialog box, double click on your server name in the Records list.
4. In the Browse dialog box, double click on the Forward Lookup Zone entry in the
Records frame.
5. In the Browse dialog box, double click on the name of your forward lookup zone in the
Records frame.
6. In the Browse dialog box, select the name of the ISA Server 2000 firewall in the
Records frame. Click OK.
7. Click OK in the New Resource Record dialog box.
8. The CNAME (alias) entry appears in the right pane of the DNS management console.
9. Close the DNS Management console.
Configure the Client to Use the Fully Qualified wpad Alias
The Web Proxy and Firewall client needs to be able to correctly resolve the name wpad. Neither the
Web Proxy nor the Firewall client configuration is aware of the domain containing the wpad
alias. The Web Proxy and Firewall client operating system must be able to provide this
information to the Web Proxy and Firewall client.
DNS queries must be fully qualified before the query is sent to the DNS server. A fully qualified
request contains a host name and a domain name. The Web Proxy and Firewall client only know
the host name portion. The Web Proxy and Firewall client operating system must be able to
provide the correct domain name, which it appends to the wpad host name, before it can send a
DNS query to the DNS server.
There are a number of methods you can use to provide a domain name that is appended to the
wpad name before the query is sent to the client operating system’s DNS server. Two popular
methods for doing this are:
• Using DHCP to assign a primary domain name
• Configuring a primary domain name in the client operating system’s network identification
dialog box.
We will detail these two methods in the following steps:
1. Right click the My Computer icon on the desktop and click the Properties command.
2. In the System Properties dialog box, click the Network Identification tab. Click the
Properties button.
3. In the Identification Changes dialog box, click the More button.
4. In the DNS Suffix and NetBIOS Computer Name dialog box, enter the domain name
that contains your wpad entry in the Primary DNS suffix of this computer text box. This
is the domain name that the operating system will append to the wpad name before
sending the DNS query to the DNS server. By default, the primary domain name is the
same as the domain name the machine belongs to. If the machine is not a member of a
domain, then this text box will be empty. Note that the Change primary DNS suffix when
domain membership changes option is enabled by default. In the current example, the
machine is not a member of a domain.
Cancel out of each of the dialog boxes so that you do not configure a primary domain
name at this time.
5. Another way to assign a machine a primary domain name is to use DHCP. A DHCP
server can be configured to supply DHCP clients a primary domain name by configuring
a DHCP scope option. We did this earlier when we created a scope on the DHCP server
using the DHCP scope wizard. In the current example, the DNS Domain Name scope
option was set to deliver the domain name msfirewall.org to DHCP clients. This option
has the same effect as manually setting the primary domain name. DHCP clients will
append this name to unqualified DNS queries (such as those for wpad) before sending
the DNS query to a DNS server.
6. Go to the DHCP client system and open a command prompt. At the command prompt,
enter ipconfig /all and press ENTER. Notice that the machine has been assigned a
Connection-specific DNS Suffix of msfirewall.org.
DHCP is the most efficient way to assign a primary DNS suffix to clients on your network.
This feature allows you to automatically configure a DNS suffix on DHCP clients that
connect to your network which are not members of your Active Directory domain. These
clients can still correctly resolve the wpad name based on your current DNS
infrastructure without requiring them to join the domain or manually configuring them.
Note that if you have multiple domains and clients on your internal network that belong to multiple
domains, then you will need to create wpad CNAME alias entries for each of the domains.
Configure the client browser to use autodiscovery
The next step is to configure the browser to use autodiscovery. If you have not already done so,
perform the following steps to configure the Web browser to use autodiscovery to automatically
configure itself to use the ISA Server 2000 firewall’s Web Proxy service:
1. Right click on the Internet Explorer icon on the desktop and click Properties.
2. In the Internet Properties dialog box, click the Connections tab. Click the LAN
Settings button.
3. In the Local Area Network (LAN) Settings dialog box, put a checkmark in the
Automatically detect settings checkbox. Click OK.
4. Click Apply and then click OK in the Internet Properties dialog box.
The next step is to configure the ISA Server 2000 firewall to publish autodiscovery information for
autodiscovery Web Proxy and Firewall clients.
Configure the ISA Server 2000 Firewall to Publish Autodiscovery
Information
Perform the following steps on the ISA Server 2000 firewall computer to enable it to provide
autoconfiguration information to Web Proxy and Firewall autodiscovery clients:
1. Open the ISA Management console and expand the Servers and Arrays node. Right
click on your server name and click Properties.
2. In the server Properties dialog box, click the Auto Discovery tab. Put a checkmark in
the Publish automatic discovery information checkbox. You must use the default
entry in the Use this port for automatic discovery request text box, which is 80, in
order for autodiscovery to work properly with DNS. Click Apply.
3. Select the Save the changes and restart the service(s) option in the ISA Server
Warning dialog box and click OK.
4. Click OK in the server properties dialog box.
5. Close the ISA Management console.
Making the connection
All the parts are now in place to allow the Web Proxy and Firewall client machine to use DNS to
obtain autoconfiguration information. Perform the following steps on the Web Proxy client
computer:
1. Open Internet Explorer and go to the www.microsoft.com/isaserver/ home page.
2. A Network Monitor trace shows the Web Proxy client makes a DNS query for
wpad.msfirewall.org.
3. The DNS server responds to the query with the IP address of the ISA Server 2000
firewall computer.
4. After it obtains the IP address of the ISA Server 2000 firewall computer and the port from
which it can obtain autoconfiguration information, the Web Proxy client sends a request
for wpad autoconfiguration information. You can see this request in the bottom pane of
the Network Monitor Window, GET /wpad.dat HTTP/1.1.
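The sequence traced above (suffix appended to wpad, DNS answer, GET /wpad.dat on TCP 80) and the earlier note that every client domain needs its own wpad alias can be checked from a script. This is an added Python example, not part of the deployment kit: the IP addresses, the lab.example and students.example suffixes and the script body are constructed, and all function names are hypothetical.

```python
# Added example (not from the deployment kit): check DNS-based WPAD per suffix.
import re
import socket
import urllib.request


def wpad_fqdn(suffix):
    """The name sent to DNS once the OS appends its suffix to 'wpad'."""
    return "wpad." + suffix.strip(".").lower()


def wpad_url(suffix):
    """DNS-based autodiscovery is always fetched from TCP 80 as /wpad.dat."""
    return "http://%s/wpad.dat" % wpad_fqdn(suffix)


def proxies_in_script(script):
    """(host, port) pairs named by PROXY directives in the script text."""
    found = re.findall(r"PROXY\s+([A-Za-z0-9.-]+):(\d+)", script)
    return [(host.lower(), int(port)) for host, port in found]


def system_resolve(name):
    """Resolve through the operating system, as the browser would."""
    return socket.gethostbyname_ex(name)[2]


def system_fetch(url):
    """Fetch the script over HTTP with a short timeout."""
    with urllib.request.urlopen(url, timeout=5) as reply:
        return reply.read().decode("utf-8", "replace")


def check_suffix(suffix, firewall_ips, proxy_hosts,
                 resolve=system_resolve, fetch=system_fetch):
    """Return a list of problems found for one client DNS suffix."""
    name, problems = wpad_fqdn(suffix), []
    try:
        addresses = set(resolve(name))
    except OSError:
        return ["%s does not resolve (no wpad alias in this zone?)" % name]
    stray = sorted(addresses - set(firewall_ips))
    if stray:
        problems.append("%s resolves to unexpected address %s"
                        % (name, ", ".join(stray)))
    try:
        script = fetch(wpad_url(suffix))
    except OSError:
        problems.append("%s not served on TCP 80" % wpad_url(suffix))
        return problems
    if "FindProxyForURL" not in script:
        problems.append("reply from %s is not a configuration script" % name)
    for host, port in proxies_in_script(script):
        if host not in proxy_hosts:
            problems.append("script sends clients to %s:%d" % (host, port))
    return problems


# Constructed lab data standing in for the DNS server and the firewall.
LAB_DNS = {"wpad.msfirewall.org": ["10.0.0.1"],
           "wpad.lab.example": ["10.0.0.1", "192.0.2.77"]}
LAB_SCRIPT = ('function FindProxyForURL(url, host) '
              '{ return "PROXY isa2.msfirewall.org:8080; DIRECT"; }')


def lab_resolve(name):
    if name not in LAB_DNS:
        raise socket.gaierror("name not found")
    return LAB_DNS[name]


def lab_fetch(url):
    return LAB_SCRIPT


def audit(suffixes, resolve=lab_resolve, fetch=lab_fetch):
    """Check every suffix handed out to clients; empty list means healthy."""
    return {s: check_suffix(s, ["10.0.0.1"], ["isa2.msfirewall.org"],
                            resolve, fetch) for s in suffixes}


if __name__ == "__main__":
    for suffix, problems in audit(["msfirewall.org", "lab.example",
                                   "students.example"]).items():
        print(suffix, "->", problems or "ok")
```

Passing system_resolve and system_fetch to audit runs the same checks against the live DNS server and firewall instead of the constructed lab data.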
Automating Web Proxy Client Configuration with Group Policy
When the client operating system belongs to a Windows 2000 or Windows Server 2003 Active
Directory domain, you can use Group Policy to automatically configure the browser for all domain
member computers. This greatly simplifies the management of Internet Explorer clients
throughout the campus. You can even create different Organizational Units (OUs) and configure
different browser settings in each OU.
In the following example, we’ll configure a domain policy that configures all the browsers in the
domain to use the autoconfiguration script.
1. Open the Active Directory Users and Computers console from the Administrative
Tools menu. Right click on your domain name and click Properties.
2. In the domain Properties dialog box, click on the Group Policy tab. Click on the Default
Domain Policy and click the Edit button.
3. In the Group Policy Object Editor, expand the User Configuration node and then
expand the Internet Explorer Maintenance node. Click on the Connection node.
Double click on the Automatic Browser Configuration entry in the right pane of the
console.
4. In the Automatic Configuration dialog box, put a checkmark in the Automatically
detect configuration settings checkbox. Put a checkmark in the Enable Automatic
Configuration checkbox. You can enter a custom value in the Automatically configure
every X minutes text box. This allows the browser to automatically refresh the browser
configuration at regular intervals, based on the number of minutes you configure in this
text box. You might consider entering a lower number if you have a caching array and
want to enable a degree of failover for Web Proxy clients.
Enter the autoconfiguration script URL in the Auto-config URL (.INS file) text box. This
will allow the Web browser to use the autoconfiguration script without needing to
autodetect.
Click OK after making the changes.
5. Close the Group Policy Object Editor window.
6. Click OK in the domain Properties dialog box.
7. Close the Active Directory Users and Computers window.
8. Close the Active Directory Users and Computers console.
Automating Web Proxy Client Configuration with the Internet
Explorer Administration Kit (IEAK 6.0 SP1)
The Internet Explorer Administration Kit allows you to create highly customized versions of
Internet Explorer that you can distribute to campus Internet users. One of the customization
features is the proxy configuration parameters, so that you can configure the browsers to
autodetect and to use the autoconfiguration script. Note that there are licensing issues you must
be aware of before using IEAK to distribute customized versions of Internet Explorer. For more
information about the IEAK and for a download link, please check the IEAK home page at
http://www.microsoft.com/windows/ieak/downloads/ieak6/ieak6sp1.asp
The following example illustrates several components of the Internet Explorer Customization
Wizard and how it works to create a custom setup you can use to configure Internet Explorer
installation on campus.
1. Download the Internet Explorer Administration Kit Service Pack 1 and install it
on a workstation on your network. After installing IEAK, click Start, point to Programs
and point to Microsoft IEAK 6. Click Internet Explorer Customization Wizard.
2. Read the information on the Welcome to the IEAK – Corporate Version page and click
Next.
3. Click Next on the Stage 1 – Gathering Information page.
4. On the File Locations page, use the default Destination Folder or create one of your
own. This is the location where the customized Internet Explorer packages will be saved.
Click Next.
5. On the Language Selection page, select the language of your choice from the Target
language drop down box. Click Next.
6. On the Media Selection page, select the media type that is most useful for your
distribution. We will select the Single disk branding option. This option is the
simplest and does not produce an installation package; instead, it saves a configuration file that
is used to customize an already installed version of Internet Explorer. Click Next.
7. On the Feature Selection page, select the options that you’re interested in customizing.
In our current example, we will click the Clear All button, then we will place a checkmark
in the Connections Customization checkbox. This will allow us to customize the Proxy
server settings on the Internet Explorer browsers.
Click Next.
8. Click Next on the Stage 2 – Specifying Setup Parameters page.
9. During the installation, you will be presented with a number of Security Warning dialog
boxes asking if you want to install and run a number of applications. Select Yes for each
one to download the applications and installation files so that they can be included in your
Internet Explorer packages.
10. Click the Synchronize All button. A progress bar displays the download progress of
Internet Explorer installation files.
11. You will see a green checkmark next to each of the installation files that was successfully
downloaded. Click Next.
12. Click Next on the Stage 4 – Customizing the Browser page.
13. On the Connection Settings page, select the Import the current Connection Settings
from this machine option. Then click the Modify Settings button to confirm or change
the current Internet Proxy settings. The IEAK will copy these settings into the Internet
Explorer package it creates. Click Next.
14. Click Next on the Wizard Complete page.
15. Click Finish on the Wizard Complete page.
16. You can then distribute the package to campus Internet Explorer clients based on the
type of package you created. Typically, the users will access the installation from a Web
server or installation share point, and then they run the IE6setup.exe file.
Note:
For more information on how to use the IEAK to create and distribute custom Internet
Explorer packages, please review The Internet Explorer Administration Kit 6 Deployment
Guide at http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/
Automating Installation of the Firewall Client
The Firewall client software can be installed on virtually any 32-bit version of Windows except the
initial release of Windows 95. There are a number of compelling reasons for installing the Firewall
client software on all machines that it supports:
• The Firewall client allows you to create user/group based access controls for all TCP and
UDP protocols. This is in contrast to the Web Proxy client configuration, which only supports
HTTP, HTTPS and FTP.
• The Firewall client has access to all TCP and UDP based protocols, including those requiring
secondary connections. In contrast, the SecureNAT client does not support application
protocols that require secondary connections unless there is an application filter to support it.
• The Firewall client provides much better performance than the SecureNAT client
• The Firewall client sends application information to the ISA Server 2000 firewall service; this
allows the Firewall service logs to collect application usage information
• The Firewall client sends user information to the Firewall service; this enables the ISA Server
2000 firewall to control access based on user account and record user information in the
Firewall service’s access logs. This information can be extracted and put into report form.
With these features, the Firewall client provides a level of functionality and access control that no
other firewall in its class can match. For this reason, we always recommend that you install the
Firewall client on any machine that supports the Firewall client software.
However, because the Firewall client configuration requires that the Firewall client software be
installed, many campus administrators are hesitant to adopt the full feature set provided by the
Firewall client. Many campus network administrators don’t have the time or the resources to
“touch” each authorized computer on the campus network in order to install the software.
The solution to this problem is to automate the installation of the Firewall client. There are two
methods that you can use, which require no additional software purchase, and which can greatly
simplify the installation on large numbers of computers on the campus network. These methods
are:
• Group Policy based software installation and management
• Silent installation script
In the following section, we will discuss these methods, as well as some key ISA Server client
configuration settings that you should make in the ISA Management console.
Configuring Firewall Client and Web Proxy Client Configuration
in the ISA Management Console
There are a few configuration options you should set for the Firewall client installation before you
configure Group Policy or a silent installation script to install the Firewall client software. These
settings determine autodiscovery behavior and how the Web browser is configured during
installation of the Firewall client.
Perform the following steps on the ISA Server 2000 firewall computer:
1. In the ISA Management console, expand the Servers and Arrays node and then
expand the server name. Click on the Client Configuration node and then double click
on the Firewall Client entry in the right pane of the console.
On the General tab of the Firewall Client Properties dialog box, select the DNS name
option and enter the fully qualified domain name into the text box. Do not use the Browse
button, as it will not enter the fully qualified domain name into the text box for you. Make
sure that the DNS server your Firewall clients are configured to use on the internal
network is able to resolve this name to the internal address of the ISA Server 2000
firewall computer.
Place a checkmark in the Enable ISA Firewall automatic discovery in Firewall Client
checkbox. During installation of the Firewall client software, the client will be configured to
use autodiscovery to find the ISA Server 2000 firewall machine. Note that this setting will
have no effect after the Firewall client software is installed. You must select this option
before the Firewall client software is installed.
Click Apply and then click OK.
2. Double click on the Web Browser entry in the right pane of the console. On the General
tab, enter the fully qualified domain name in the DNS name text box. Note the port is set
for 8080 and you cannot change it from this dialog box. This setting is derived from the
port configuration for the Outgoing Web Requests listener, which can be configured
from the server Properties dialog box.
Put a checkmark in the Automatically discover settings checkbox. This will allow the
Web browser to use autodiscovery to automatically configure itself.
Put a checkmark in the Set Web browsers to use automatic configuration script
checkbox and select the Use custom URL option. Change the server name in the text
box to the fully qualified domain name of the ISA Server 2000 firewall computer.
Click Apply and then click OK.
3. Close the ISA Management console.
The settings above are enforced only during Firewall client installation. If you install the Firewall
client before making changes to these settings, they will not be enforced after the fact.
Group Policy Software Installation
You might not wish to install the Firewall client on all machines on campus. For example, domain
controllers and published servers should not be configured as Firewall clients. You can gain
granular control over Group Policy based software installation by creating an organizational unit
for Firewall clients and then configuring an OU group policy object to install the Firewall client only
on computers belonging to that OU.
Perform the following steps on the domain controller to create the OU and then configure
software installation and management to install the Firewall client on machines belonging to the
OU:
1. Click Start and select the Administrative Tools menu. Click the Active Directory Users
and Computers entry. Right click on your domain name and click Organizational Unit.
2. In the New Object – Organizational Unit dialog box, enter a name for the OU in the
Name text box. In this example, we will call the OU FWCLIENTS. Click OK.
3. Click on the Computers node in the left pane of the console. Right click your client
computer and click the Move command.
4. In the Move dialog box, click the FWCLIENTS OU and click OK.
5. Click on the FWCLIENTS OU. You should see the computer you moved into this OU.
6. Right click the FWCLIENTS OU and click the Properties command.
7. Click the Group Policy tab in the FWCLIENTS dialog box. Click the New button to
create a New Group Policy Object. Select the New Group Policy Object and click
Edit.
8. Expand the Computer Configuration node and then expand the Software Settings
node. Right click on Software installation, point to New and click Package.
9. In the Open dialog box, type the path to the Firewall client’s Microsoft installer package
(.msi file) in the File name text box. In this example, the path is:
\\isa2\mspclnt\MS_FWC.MSI
Where isa2 is the NetBIOS name of the ISA Server 2000 firewall computer, mspclnt is
the name of the share on the ISA Server 2000 firewall computer that contains the Firewall
client installation files and MS_FWC.MSI is the name of the Firewall client Microsoft
installer package.
Click Open after entering the path.
10. In the Deploy Software dialog box, select the Assigned option and click OK. Notice that
you do not have the Published option when installing software using the Computer
Configuration node. The software is installed before the user logs on. This is critical
because only local administrators can install the Firewall client software if there is a
logged on user. In contrast, you can assign software to machines without a logged on
user.
Click OK.
11. The new managed software package appears in the right pane of the console. All
machines in the OU will have the Firewall client software installed when they are
restarted. You can also manage the Firewall client software from here.
Note:
For more details on how to take full advantage of Group Policy based software installation
and maintenance, please see the Step-by-Step Guide to Software Installation and
Maintenance at
http://www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp
12. Close the Group Policy Object Editor and the Active Directory Users and Computers
console.
13. When you restart the machines in the FWCLIENTS OU, you will see the log on dialog
box provide information about how managed software is being installed on the Windows
client operating system.
Silent Installation Script
Another useful method you can use to install the Firewall client software on those machines that
are not members of the domain is to use a silent installation script. This method is useful when
the logged on user is a member of the local administrators group.
Open Notepad, copy the following line into the new text document and save the file as
“fwcinstall.cmd”:
msiexec /i \\ISA2\mspclnt\MS_FWC.msi /qn /l*v c:\mspclnt_i.log
The \\ISA2 entry is the computer name of the ISA Server 2000 firewall computer and will vary for
each installation location. The rest of the line can be used exactly as listed above. Users can then
go to a Web page, or click a link in an email message pointing them to this batch file. The process
is very simple and only requires the user to click the link to run the script. The installation is
completely transparent and the only thing the user will see is a momentary command prompt
window and the Firewall client icon in the system tray when the procedure is completed.
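The following is an added example, not part of the original deployment kit: a variant of fwcinstall.cmd that keeps the same msiexec switches but confirms the package is reachable and reports the Windows Installer exit code, since /qn suppresses every error dialog. The variable names and messages are assumptions; ISA2, the mspclnt share and the log path are the ones used above.

```batch
@echo off
rem fwcinstall.cmd variant (added example, not from the deployment kit).
rem Replace ISA2 with the computer name of your ISA Server 2000 firewall.
setlocal
set "MSI=\\ISA2\mspclnt\MS_FWC.msi"
set "LOG=c:\mspclnt_i.log"

rem Fail early if the share or package is unreachable; with /qn there is no UI to say so.
if not exist "%MSI%" (
    echo Cannot reach %MSI%. Check the server name and share permissions.
    exit /b 1
)

rem Same switches as the one-line script: silent install with verbose logging.
rem start /wait makes the script block until msiexec exits and returns its exit code.
start /wait "" msiexec /i "%MSI%" /qn /l*v "%LOG%"
set "RC=%ERRORLEVEL%"

rem Windows Installer exit codes: 0 = success, 3010 = success but a restart is required.
if "%RC%"=="0" (
    echo Firewall client installed.
    exit /b 0
)
if "%RC%"=="3010" (
    echo Firewall client installed. Restart the computer to finish.
    exit /b 0
)

rem Any other code is a failure, for example when the logged on user is not a
rem member of the local administrators group, which this method expects.
echo Installation failed with exit code %RC%. See %LOG% for details.
exit /b %RC%
```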
Summary
In this document we covered a number of methods you can use to automate the installation and
configuration of the Firewall and Web Proxy client. Automating configuration of these ISA Server
2000 clients allows machines to configure themselves without requiring the campus network
administrator to visit each machine and set it up for the campus user. Methods used to configure
the Firewall and Web Proxy clients include DHCP Option 252 and DNS wpad options. You also
learned that you can use Active Directory Group Policy and the Internet Explorer Administration
Kit to automate the installation and configuration of the Firewall and Web Proxy clients.