Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit
Optimizing Campus Web Browser Configuration
Dr. Thomas W Shinder
The Web is an important research tool for students and faculty alike, and ensuring Web performance and reliability is an important part of the campus network administrator’s job. A key component of ensuring a fast and reliable Web access connection for campus browsers is Web browser configuration. When the Web browser is configured to work directly with the Web Proxy service on the ISA Server 2000 machine, users will experience the fastest and most reliable connections to the Internet.
In this document, we will discuss the following issues:
There are a number of methods you can use to configure the Web Proxy client. These Web Proxy client configurations are discussed in the ISA Server 2000 in Education document Automating ISA Server 2000 Web Proxy and Firewall Client Installation and Configuration. In this document, we will discuss the meaning of specific configuration options and provide step by step instructions for implementing these options. This will enable you to configure the Web Proxy clients on your network for the greatest level of performance and flexibility. When you understand the Web Proxy client configuration options, you can then automate the configuration of the Web Proxy clients, saving administrative time.
First, we will manually configure the Internet Explorer 6.0 Web Proxy client to highlight the Web Proxy client configuration options available to you. Perform the following steps to learn about the configuration of the Web Proxy client:
1. Right click on the Internet Explorer icon on the desktop and click Properties. In the Internet Properties dialog box, click the Connections tab. Click the LAN Settings button (you can also access these settings from an open browser by clicking Tools and then Internet Options to access the Connections tab).
In the Local Area Network (LAN) Settings dialog box, you have the following options:
· Automatically detect settings This setting enables the Web Proxy client to automatically configure itself to use the ISA Server 2000 Web Proxy server to connect to the Internet. When the Web browser is configured to automatically detect settings, it contacts either a DHCP server (if the machine is a DHCP client) or a DNS server to obtain the address of the ISA Server 2000 Web Proxy server. After the Web Proxy client machine obtains the address of the ISA Server 2000 Web Proxy server, it then contacts that machine to obtain Web Proxy client configuration information. This information is based on the browser configuration options set for the ISA server in the ISA Management console. Please refer to the ISA Server 2000 Education Kit document Automating ISA Server 2000 Web Proxy and Firewall Client Installation and Configuration for a detailed explanation of how autodetection works and how to configure the DHCP and DNS servers to support Web Proxy autodetection and autoconfiguration.
· Use automatic configuration script This option allows you to enter the address from which the Web Proxy client computer can obtain the autoconfiguration script. The autoconfiguration script contains detailed information regarding which sites the Web Proxy client should not use the Web Proxy service to contact, the names of the servers in a Web Proxy array, and information on how to perform client side routing. Client side routing can enhance the Web browsing performance of the Web Proxy client. For more information on how client side routing works, please refer to the ISA Server in Education Kit document Accelerating the Web Browsing Experience with ISA Server 2000. The autoconfiguration script information can be found in the ISA Management console in the Clients node when you open the Web Proxy client Properties dialog box. All campus browsers should be configured to use an autoconfiguration script to optimize performance.
· Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections). You can enter the IP address of the internal interface of the ISA Server 2000 Web Proxy server in the Address text box. The Port number of the Outgoing Web Requests listener on the ISA Server 2000 Web Proxy server is 8080 by default. Enter 8080 in the Port text box if you have not changed the listener port number for the listener.
· The Bypass proxy server for local addresses option informs the browser that it should not forward requests for single label names (names that do not contain a period or “dot”; for example, a server’s NetBIOS computer name) to the Web Proxy service and should contact these servers directly. For example, if a user connects to a server with the URL http://webserver1, the browser will not forward the request to the Web Proxy service. Instead, the Web Proxy client computer will resolve the name webserver1 to its internal IP address and send the request directly to the Web server on the internal network. The process of connecting to a machine without using the Web Proxy service is referred to as Direct Access.
The option to Bypass proxy server for local addresses does not bypass the proxy server when connecting via an IP address. For example, if the user enters the URL http://192.168.1.1, the connection will be made through the Web Proxy service. Remember that this option enables direct access only for single label names. Any name or address that has a dot (“.”) in it, such as IP addresses and hierarchical fully qualified domain names, will be forwarded to the Web Proxy service.
Click OK to close the Local Area Network (LAN) Settings dialog box.
2. Click the Advanced tab in the Internet Properties dialog box. Scroll through the list of Settings and find the HTTP 1.1 settings. Place a checkmark in the Use HTTP 1.1 through proxy connections checkbox. Enabling this option will significantly enhance the performance of the Web Proxy client.
Click OK in the Internet Properties dialog box.
3. There are some configuration options available in the ISA Management console that allow you to set up the Web browsers on the Web Proxy client computers. Open the ISA Management console on the ISA Server 2000 machine to which the Web Proxy client will connect. Expand the Servers and Arrays node and then expand the server name or array name. Click on the Client Configuration node and then double click on the Web Browser option.
On the General tab, you are provided with a number of configuration options to set up the Web Proxy client when the Firewall client is installed on the machine. One of the many advantages of installing the Firewall client software on campus machines is that the Web browsers can be automatically configured as Web Proxy clients during the Firewall client software installation.
The Web browsers will be automatically configured as Web Proxy clients during Firewall client installation when the Configure Web browser during Firewall client setup checkbox is enabled. Enter into the DNS name text box the name of the ISA Server 2000 Web Proxy server. This can be a single label NetBIOS name or a multiple label fully qualified domain name. You can use a single label name if you have a WINS infrastructure in place, or if the client machines are configured with the proper primary DNS suffix so that they can fully qualify an unqualified name. If you don’t have WINS, and you’re not sure whether your clients can properly qualify unqualified names, then you should enter a fully qualified domain name in this text box. Whichever form you choose, the Web Proxy client computers must be able to resolve this name to the IP address of the ISA Server 2000 Web Proxy server computer.
The Automatically discover settings option corresponds to the Automatically detect settings checkbox in the browser, whose meaning we discussed earlier.
When you enable the Set Web browsers to use automatic configuration script option, the Web browsers will be configured to use the autoconfiguration script you enter here. You can use the default URL or you can enter a URL of your own if you have created your own .pac file (proxy autoconfiguration file). If you want to use the autoconfiguration script generated by ISA Server 2000, and if you choose to use a fully qualified domain name in the DNS name text box, then you need to fully qualify the name in the address for the autoconfiguration script. To do this, select the Use custom URL option and change the URL to use a fully qualified domain name.
4. Click the Direct Access tab. These settings apply to all machines that are configured to use the autoconfiguration script. These settings will not be applied to machines that are not configured to use the autoconfiguration script. We will talk more about Direct Access later in this document.
Click on the
· Direct access If the Web Proxy service on this ISA Server is unavailable, the Web Proxy client can use a Direct Access configuration to access the requested resource. We will discuss the details of Direct Access later in this document.
· Alternative ISA Server This option allows the Web Proxy client to redirect its request to another ISA Server 2000 machine if the Web Proxy service on the ISA Server 2000 that the Web Proxy client is configured to use is unavailable. Note that there is no option available to configure separate authentication credentials for the alternative server. If the Web Proxy service on the alternative ISA Server requires authentication, it must be able to authenticate the Web Proxy client user with the same credentials the user would present to the primary server.
6. The figure below shows the Alternative ISA Server option enabled and the fully qualified domain name of another ISA Server 2000 machine in the text box.
There are times when Web Proxy clients need to bypass the Web Proxy service. Some network applications and services are not fully compliant with Internet standards and this makes it difficult for Internet standards based Web Proxy servers to work correctly with these applications.
ISA Server 2000 Web Proxy clients can take advantage of Direct Access to connect to Internet resources and Web sites that do not fully support Web Proxy connections. When a site is configured for Direct Access, the Web Proxy client will not forward the connection request to the ISA Server 2000 Web Proxy service. Instead, the Web Proxy client computer will attempt to use other means to connect to the requested resource.
Connecting to Hotmail via a Web Proxy client provides a good example of when you need to use Direct Access. There is a documented problem with Web Proxy clients connecting to Hotmail Web sites because of the method by which authentication information is sent from the Web Proxy client to the Web Proxy service. The issues involved and solutions for this problem are noted in the Microsoft KB article ISA Server Configuration Options for Hotmail Access When You Use Outlook Express at http://support.microsoft.com/default.aspx?scid=kb;en-us;287921.
The best way to solve this issue is to use Direct Access. When the Web Proxy client is configured to use Direct Access to connect to the Hotmail and MSN sites, it does not forward these requests to the Web Proxy service. Instead, it uses alternate means to connect to the Hotmail site. This means that the Web Proxy client computer must also be configured as a SecureNAT or Firewall client computer. The Web Proxy client computer can then use the SecureNAT or Firewall client configuration to connect to the Hotmail Web site.
The figure below shows how the Web Proxy and Firewall clients connect to Web sites. Normally, the Web Proxy client sends its requests to the Web Proxy service and the Web Proxy service forwards the connection request to the Internet server. This is what happens when the Web Proxy client connects to the www.microsoft.com Web site. However, when the Web Proxy client seeks to connect to the www.hotmail.com, it will need to fall back on either the SecureNAT or Firewall client configuration and then go through the Firewall service to connect to the site.
The figure below also shows the inverse of this situation. When the HTTP Redirector filter is enabled, connections from SecureNAT and Firewall clients can be forwarded to the Web Proxy service and then the Web Proxy service can send the request to the Internet Web site. This is what happens when the SecureNAT and Firewall client attempt to access the www.microsoft.com site (red arrows). However, when the SecureNAT and Firewall client attempt to connect to the www.hotmail.com site, they can fall back on their SecureNAT and Firewall client settings to access the site.
In both these cases (the Web Proxy client and the SecureNAT/Firewall client), the machines must be configured for Direct Access. The methods used to configure sites for Direct Access vary between the Web Proxy and SecureNAT/Firewall clients because the SecureNAT/Firewall clients cannot take advantage of the autoconfiguration script. You will need to change the configuration of the HTTP Redirector filter to allow the SecureNAT/Firewall clients access.
Perform the following steps to learn more about how to configure the Web Proxy client for Direct Access:
1. At the ISA Management console, expand the Servers and Arrays node and then expand your server or array name. Click the Client Configuration node and double click on the Web Browser node in the right pane. In the Web Browser Properties dialog box, click the Direct Access tab.
The settings applied on the Direct Access tab are assigned only to Web Proxy clients that are configured to use the autoconfiguration script. Web Proxy clients that are not configured to use the autoconfiguration script will not be able to benefit from the Direct Access settings you configure here.
Put a checkmark in the Bypass proxy for local servers checkbox. This prevents Web Proxy clients from looping back through the ISA Server 2000 Web Proxy service to access servers on the internal network. “Local servers” in the context of this checkmark means servers accessed via a single label name, such as http://server1.
The Directly access computers specified in the Local Domain Table (LDT) option (which is grayed out in this example because the ISA Server 2000 machine is configured in Caching only mode) informs the Web Proxy client that it should not loop back through the ISA Server 2000 Web Proxy servers to access internal network domains. You should always enable this option if you wish to reduce the overall load on your Web Proxy server. Internal network Web Proxy clients should be able to connect directly to servers on the internal network and not require a Web Proxy server.
This option is also very helpful in a split DNS infrastructure, where the same domain name is used for internal and external resources: internal clients resolve the name to the internal address and connect directly, rather than looping back through the Web Proxy service.
2. Click the Add button. This allows you to add IP addresses or domains for which the Web Proxy client should use Direct Access. Note that the Bypass proxy for local servers option only covers single label names; internal servers accessed via a fully qualified domain name are still sent to the Web Proxy service. To force Direct Access for any internal network resource regardless of how it is named, add your internal network IP address ranges here.
In this example, select the Domain or computer option and enter *.msn.com. You can then repeat this process using the *.hotmail.com domain. This will enable the Web Proxy clients to bypass the Web Proxy service to access the Hotmail site.
3. Click OK in the Web Browser Properties dialog box.
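To show how the browser options described above (Bypass proxy server for local addresses, the Direct Access domains and IP ranges, the Backup tab’s alternative ISA Server) translate into the autoconfiguration script the browser actually evaluates, here is a hand-written .pac file. This is an added example, not the script ISA Server 2000 generates and not code from this kit; the server names isa1.campus.edu and isa2.campus.edu, the 10.0.0.0/8 and 192.168.0.0/16 ranges, and the DIRECT_DOMAINS and DIRECT_RANGES lists are assumptions chosen for illustration. The three helper functions re-implement the standard PAC functions (isPlainHostName, shExpMatch, isInNet) so the file also runs under Node for testing; a browser supplies them natively and would ignore the duplicates.

```javascript
// Added example .pac script modelled on the ISA Server 2000 browser options.
// Not the ISA-generated script. Names and address ranges below are assumed.

// Direct Access list: the equivalent of the entries on the Direct Access tab.
// Domain patterns use shell-style wildcards; ranges are network/mask pairs.
var DIRECT_DOMAINS = ["*.hotmail.com", "*.msn.com"];
var DIRECT_RANGES  = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];

// Outgoing Web Requests listener on the primary ISA Server (port 8080 default).
var PRIMARY_PROXY = "PROXY isa1.campus.edu:8080";
// Backup tab equivalent: try the alternative ISA Server, then fall through
// to DIRECT (the "Direct access" backup route) if that is unavailable too.
var BACKUP_ROUTE  = "PROXY isa2.campus.edu:8080; DIRECT";

function isPlainHostName(host) {
  // Single-label name, e.g. http://webserver1: no dot anywhere in the host.
  return host.indexOf(".") === -1;
}

function shExpMatch(str, shexp) {
  // Shell-expression match: '*' matches any run, '?' a single character.
  // Regex metacharacters other than * and ? are escaped first. Host names are
  // compared case-insensitively (browsers lowercase them anyway).
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer, or null if not a valid IPv4 literal.
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isInNet(host, net, mask) {
  // Offline version: only IP-literal hosts match. A browser's isInNet would
  // resolve a host name first, which this example deliberately does not do.
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  // JS bitwise ops are 32-bit signed; >>> 0 brings the result back to unsigned.
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  // 1. "Bypass proxy server for local addresses": single-label names only.
  if (isPlainHostName(host)) return "DIRECT";

  // 2. Direct Access IP ranges. http://192.168.1.1 is NOT covered by rule 1
  //    (the host contains dots), so internal ranges must be listed explicitly.
  for (var i = 0; i < DIRECT_RANGES.length; i++) {
    if (isInNet(host, DIRECT_RANGES[i][0], DIRECT_RANGES[i][1])) return "DIRECT";
  }

  // 3. Direct Access domains, e.g. the Hotmail/MSN sites that misbehave
  //    behind a Web Proxy.
  for (var j = 0; j < DIRECT_DOMAINS.length; j++) {
    if (shExpMatch(host, DIRECT_DOMAINS[j])) return "DIRECT";
  }

  // 4. Everything else goes to the Web Proxy service, with the backup route.
  return PRIMARY_PROXY + "; " + BACKUP_ROUTE;
}
```

The order of the checks matters: a browser returns the first matching rule, so the bypass rules must come before the default proxy line, and an internal server reached by its fully qualified name only stays off the proxy if its address range (or domain) appears in one of the Direct Access lists. The backup route is appended to every proxy answer because browsers step through the semicolon-separated list when a listed proxy does not respond, which is exactly the behaviour the Backup tab configures.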
Web Proxy clients connect directly to the Web Proxy service on the ISA Server 2000 Web Proxy server. Requests for Web resources from Web Proxy clients are forwarded to TCP 8080 on the Web Proxy server and then the Web Proxy server proxies the requests to the Web server on the Internet. The Web content requested by the Web Proxy clients is placed in the Web Proxy cache and other Web Proxy clients can access the information in the cache. In contrast, SecureNAT and Firewall clients send their requests to the Firewall service on the ISA Server 2000 Web Proxy server. The SecureNAT and Firewall clients are not able to automatically access the Web Proxy cache.
The HTTP Redirector filter enables SecureNAT and Firewall clients to access the Web Proxy cache. SecureNAT and Firewall clients send their requests to the Firewall service, and then the Firewall service forwards these requests to the Web Proxy service. The Web Proxy service then proxies these requests and enables the SecureNAT and Firewall clients to benefit from the Web Proxy cache.
The figure below shows the path for outbound requests from SecureNAT and Firewall clients when the HTTP Redirector Filter is enabled.
In general, we prefer to disable the HTTP redirector because of problems pointed out in the article by Stefaan Pouseele, The Mystery of the HTTP Redirector and Site and Content Rules at http://www.isaserver.org/tutorials/The_Mystery_of_the_HTTP_Redirector_and_SiteContent_Rules.html. However, you may wish to leave the HTTP Redirector enabled while being mindful of the issues discussed in that article.
One issue that you must be aware of regarding the HTTP Redirector filter is that it does not pass along the user credentials the Firewall client sent to the Firewall service: the redirected request reaches the Web Proxy service as an anonymous request. For example, suppose a user is logged on as user1, and you have a Protocol Rule that allows outbound access to HTTP and HTTPS for a group to which user1 belongs. Normally, user1 would be allowed access to the HTTP protocol. However, when user1 tries to connect to a Web server through the Firewall client, the connection request is denied, because the request the Web Proxy service evaluated was anonymous and the rule requires an authenticated group member.
The figure below illustrates the effects of the HTTP Redirector filter on authentication.
If you choose not to use the autoconfiguration script for your Web Proxy clients, you should configure the browsers to use Direct Access for sites that have problems with Web Proxy servers. You can configure the browsers manually, or you can use Group Policy or IEAK to set these values.
In the following example, we will configure the browser manually and disable the HTTP Redirector filter. Perform the following steps to configure the browser to support Direct Access via browser configuration:
1. Right click on the Internet Explorer icon on the desktop and click Properties. In the Internet Properties dialog box, click on the Connections tab. Click on the LAN Settings button. In the Local Area Network (LAN) Settings dialog box, click on the Advanced button.
In the Proxy Settings dialog box, enter the servers or domains to which connections should be made via Direct Access in the Do not use proxy server for addresses beginning with text box in the Exceptions frame. Separate multiple entries with semicolons; wildcards such as *.hotmail.com are accepted. The browser will not forward requests for these servers or domains to the Web Proxy service.
Click OK in the Proxy Settings dialog box and then click OK in the Local Area Network (LAN) Settings dialog box. Click OK in the Internet Properties dialog box.
2. To disable the HTTP Redirector filter, open the ISA Management console on the ISA Server 2000 machine, expand the Servers and Arrays node and then expand your server or array name. Expand the Extensions node and then double click the HTTP Redirector Filter node. Remove the checkmark from the Enable this filter checkbox.
Web browsing is vital to many of the research activities performed on school, college and university campuses. The better the Web experience you can provide, the more satisfied your network users will be. In this document, we discussed several methods you can use to optimize campus Web browser configurations. The optimal Web browser configuration uses the autoconfiguration script to provide valuable information to Web browsers regarding the names of Web Proxy servers in a caching array and which sites should be connected to via Direct Access. We discussed and demonstrated Web browser configuration options and examined the effects of each of these options. In addition, we discussed the effects of the HTTP Redirector filter on SecureNAT and Firewall clients and how authentication can potentially block Web connections from these clients.