Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit

 

Chapter 5

Automating ISA Server 2000 Web Proxy and Firewall Client Installation and Configuration

Dr. Thomas W. Shinder

Debra L. Shinder

January 2004

Table of Contents

Scenarios Layout

Automating ISA Server 2000 Web Proxy and Firewall Client Configuration

Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery

Install the DHCP Server

Create the DHCP scope

Create the DHCP 252 Scope Option and Add it to the Scope

Configure the client as a DHCP client

Configure the Client Browser to Use Autodiscovery

Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information

Making the Connection

Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery

Create the wpad Entry in DNS

Configure the Client to Use the Fully Qualified wpad Alias

Configure the client browser to use autodiscovery

Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information

Making the connection

Automating Web Proxy Client Configuration with Group Policy

Automating Web Proxy Client Configuration with the Internet Explorer Administration Kit (IEAK 6.0 SP1)

Automating Installation of the Firewall Client

Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console

Group Policy Software Installation

Silent Installation Script

Summary



An important aspect of deploying ISA Server 2000 as a firewall and Web acceleration solution on the campus network is selecting, installing and configuring the clients to go through the ISA Server for Internet access. An ISA Server 2000 client is any machine that accesses the Internet via the ISA Server 2000 firewall or Web Proxy server.

 

ISA Server 2000 supports three client types. The type of client determines which protocols are supported, and the operating system used on the client machine dictates which client(s) can be used. The three ISA Server 2000 client types are:

 

  • The SecureNAT client

SecureNAT clients are configured with a default gateway that routes Internet-bound requests through the ISA Server 2000 firewall or Web Proxy server. The SecureNAT client does not require software installation or configuration, and any operating system that uses TCP/IP can be a SecureNAT client. No client software is required, but some network configuration changes must be made. Although the SecureNAT client provides a certain level of transparency of client configuration, its drawback is that it provides the lowest level of security and performance of the three client types. The SecureNAT client configuration should typically be reserved for non-Microsoft operating systems and the rare occasions when client browsers do not support the Web Proxy client configuration.

 

  • The Web Proxy client

Web Proxy client computers are machines with Web browsers that support the use of a Web Proxy server. Any operating system can be used as long as a browser that meets this criterion is installed. Almost all modern browsers support this configuration. The advantage of the Web Proxy client configuration is that it does not require additional software installation; it requires only that the browser be configured to use the Web Proxy server. In addition, the Web Proxy client can benefit from the Web Proxy cache and direct communications with the Web Proxy service. In contrast to the SecureNAT client, which does not support user/group based authentication, access to the Internet for Web Proxy clients can be controlled on a per user/per group basis. The Web Proxy client supports the HTTP, HTTPS, FTP and Gopher protocols.

 

  • The Firewall client

Firewall client computers have the Microsoft Firewall client software installed on them. The Firewall client supports almost all Microsoft 32-bit operating systems, with the exception of the original release of Windows 95. Non-Microsoft operating systems cannot use the Firewall client. The Firewall client is unique in that it provides user/group based access control to all TCP and UDP protocols and sends application information to the Firewall service on the ISA Server 2000 firewall. This enables the Firewall service logs to track which users used which application to access a particular site. This information can be extracted from the Firewall service logs and incorporated into reports to provide detailed information on campus Internet usage. In addition, the Firewall client supports complex protocols that require secondary connections. In contrast, the SecureNAT client does not support complex protocols that require secondary connections without the aid of an application filter.

 

*       Note:

For more information on the various ISA Server 2000 client types, please see the ISA Server 2000 Help on this topic at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/isa/isafp1/isasct.asp

 

Which client type is the best choice for the educational environment? The Web Proxy and Firewall client configurations provide a higher level of security and performance than that obtained via the SecureNAT client configuration. However, these more secure configurations are often avoided because busy campus administrators cannot visit each machine on the educational institution’s network to install the software or configure the browsers. For this reason, many administrators prefer to use the SecureNAT configuration at the expense of performance and security.

 

However, there is a solution to this problem that allows you to deploy a more secure client solution without spending an inordinate amount of time on the task. You can automate the configuration of the Web browser and the installation and configuration of the Firewall client. The busy campus administrator does not need to “touch” each machine on the educational institution’s network when these processes are automated. Automated installation and configuration is the most efficient way to deploy the ISA Firewall and Web Proxy client types on a large institution’s network.

 

Note that a Firewall client or SecureNAT client can also be a Web Proxy client. In this case, the Web Proxy service handles the HTTP, HTTPS, FTP and Gopher traffic, while other protocols are handled by the Firewall client or SecureNAT.

 

In this document, we will cover the following topics:

 

  • Automating ISA Server 2000 Web Proxy and Firewall Client Configuration
  • Automating Installation of the Firewall Client

 

When the installation of the Firewall client and the configuration of the Web Proxy and Firewall clients are automated, almost all machines on the campus network will be able to benefit from the superior performance and security provided by the Firewall and Web Proxy client configurations.

 

Scenarios Layout

The scenarios in this document are based on the lab configuration illustrated in the figure below:

 

 

CLIENT2A is the machine that will be configured as the Web Proxy and Firewall client computer. Its IP settings are obtained via DHCP when testing autoconfiguration via DHCP, and it is assigned a valid static address on network ID 10.0.2.0/24 when testing autoconfiguration via DNS. In neither case is a default gateway configured, so only the Web Proxy and Firewall client configurations are active. The operating system is Windows 2000.

 

CLIENT2 is a Windows Server 2003 machine configured as a domain controller in the msfirewall.org domain. The machine is a DNS server and the DNS server is able to resolve Internet host names. A DHCP server will be installed on this machine so that we can test assigning autodiscovery information via DHCP. It has the following IP addressing information:

IP address: 10.0.2.2

Subnet mask: 255.255.255.0

DNS address: 10.0.2.2

Default Gateway: 10.0.2.1

 

ISA2 is a Windows Server 2003 machine with ISA Server 2000 installed on it. An “all open” Protocol Rule that allows all IP traffic is configured, and the default Site and Content Rule, which allows access to all sites and content, is enabled.

 

 


Automating ISA Server 2000 Web Proxy and Firewall Client Configuration

There are several methods available for automating the Web Proxy and Firewall client configurations. These include:

 

  • Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
  • Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
  • Automating Web Proxy Client Configuration with Group Policy
  • Automating Web Proxy Client Configuration with Internet Explorer Administration Kit (IEAK)

 

The following sections discuss how to automate the configuration of Web Proxy and Firewall clients using the Web Proxy AutoDiscovery (WPAD) protocol, Active Directory Group Policy and the Internet Explorer Administration Kit.

 

*       Note:

For more information about the WPAD protocol, please see the ISA Server 2000 Help file information at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/CMT_AutoDetect.asp

Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery

DHCP clients can obtain autoconfiguration information from the ISA Server 2000 firewall computer by using DHCP Inform messages. The Firewall client and Web browser software can issue DHCP Inform messages to query a DHCP server for the address of a machine containing the autoconfiguration information. The DHCP server returns the address of the machine containing the autoconfiguration information and then the Firewall client or Web browser software requests autoconfiguration from the addresses returned by the DHCP server.

 

The DHCP server uses a special DHCP option to provide this information.

 

In this section on configuring Web Proxy and Firewall clients to use DHCP to obtain autoconfiguration information via WPAD, we will discuss the following steps:

 

  • Installing the DHCP Server
  • Creating the DHCP scope
  • Creating the DHCP 252 scope option
  • Configuring the client as a DHCP client
  • Configuring the client browser to use autodiscovery
  • Configuring the ISA Server 2000 firewall to publish autodiscovery information
  • Making the connection

Install the DHCP Server

The first step is to install the DHCP server. In this example, we will use a Windows Server 2003 DHCP server, but you can create the DHCP option on a Windows 2000 DHCP server if required.

 


Perform the following steps on the domain controller computer to install the DHCP server service:

 

  1. Click Start, select All Programs and then Control Panel. Click on Add or Remove Programs.

  2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button.

  3. In the Windows Components dialog box, click on the Networking Services entry in the Components list, then click the Details button.

  4. In the Networking Services dialog box, put a checkmark in the Dynamic Host Configuration Protocol (DHCP) checkbox and click OK.

  5. Click Next in the Windows Components dialog box.

  6. Click Finish on the Completing the Windows Components Wizard page.

  7. Close the Add or Remove Programs window.

 

Now that the DHCP Server service is installed on the domain controller for the domain, the next step is to create a DHCP scope.

Create the DHCP scope

A DHCP scope is a collection of IP addresses that the DHCP server can use to assign to DHCP clients on the network. In addition, a DHCP scope can include additional TCP/IP settings to be assigned to clients, which are referred to as DHCP options. DHCP options can assign various TCP/IP settings such as a DNS server address, WINS server address, and primary domain name to DHCP clients.

 

Perform the following steps on the DHCP server to enable the DHCP server and create the DHCP scope:

 


1.       Click Start and then select Administrative Tools. Click DHCP.

 

 


2.       In the DHCP console, right click on your server name in the left pane of the console. Click on the Authorize command.

 

 


3.       Click the Refresh button in the button bar of the console. You will notice that the icon to the left of the server name changes from a red, down pointing arrow to a green, up pointing arrow.

 

Right click the server name in the left pane of the console again and click the New Scope command.

 

 


4.       Click Next on the Welcome to the New Scope Wizard page.

 

 


5.       Enter a name for the scope on the Scope Name page. This name is descriptive only and does not affect the functionality of the scope. You can also enter a Description in the description box if you wish. Click Next.

 

 


6.       Enter a range of IP addresses that can be assigned to DHCP clients on the IP Address Range page. Enter the first address in the range into the Start IP address range text box and the last IP address in the range in the End IP address text box. Enter the subnet mask for your IP address range in the Subnet mask text box.

 

In our current example, the internal network is on network ID 10.0.2.0/24. We do not want to assign all the IP addresses on the network ID to the DHCP scope, just a selection of them. So in this example, we enter 10.0.2.100 as the Start IP address and 10.0.2.150 as the End IP address and use a 24 bit subnet mask.

 

Note that on production networks, it is often better to assign the entire network ID to the IP address range used in the scope. You can then create exceptions for hosts on the network that have statically assigned IP addresses that are contained in the scope. This allows you to centrally manage IP address assignment and configuration using DHCP.

 

Click Next.

 

 


7.       Do not enter any exclusions in the Add Exclusions dialog box. Click Next.

 

 


8.       Accept the default settings on the Lease Duration page (8 days, 0 hours and 0 minutes) and click Next.

 

 


9.       On the Configure DHCP Options page, select the Yes, I want to configure these options now option and click Next.

 

 


10.   Do not enter anything on the Router (Default Gateway) page. Note that if we were using SecureNAT clients on the network, we would enter the IP address of the internal interface of the ISA Server 2000 firewall on this page. However, with the current scenario, we want to explicitly test only the Web Proxy and Firewall client configurations.

 

Click Next.

 

 


11.   On the Domain Name and DNS Servers page, enter the primary domain name you want to assign to DHCP clients and the DNS server address you want the DHCP clients to use.

 

The primary domain name is a critical setting for your Firewall and Web Proxy clients. In order for autodiscovery to work correctly for Firewall and Web Proxy clients, these clients must be able to correctly fully qualify the unqualified name wpad. We will discuss this issue in more detail later in this document. In this example, we enter msfirewall.org in the Parent domain text box. This will assign the DHCP clients the primary domain name msfirewall.org, which will be appended to unqualified names.

 

Enter the IP address of the DNS server in the IP address text box. In this example, the IP address of the DNS server is 10.0.2.2. Click Add after entering the IP address.

 

Click Next.

 

 


12.   Do not enter a WINS server address on the WINS Servers page. In this example, we do not use a WINS server. However, WINS servers are very useful in VPN server environments if you wish your VPN clients to be able to browse the campus network using the My Network Places or Network Neighborhood application.

 

Click Next.

 

 


13.   On the Activate Scope page, select the Yes, I want to activate this scope now option and click Next.

 

 


14.   Click Finish on the Completing the New Scope Wizard page.

 

 


15.   In the right pane of the DHCP console, you see the two DHCP options you created in the Wizard.

 

 

The next step is to create a custom DHCP option that will allow DHCP clients to autodiscover Web Proxy and Firewall client settings.

Create the DHCP 252 Scope Option and Add it to the Scope

The DHCP scope option number 252 can be used to automatically configure Web Proxy and Firewall clients. The Web Proxy or Firewall client must be configured as a DHCP client, and the logged on user must be a member of the local administrators group or Power users group (for Windows 2000). On Windows XP systems, the Network Configuration Operators group also has permission to issue DHCP queries (DHCPINFORM messages).

 

*       Note:

For more information about the limitations of using DHCP for autodiscovery for Internet Explorer 6.0, please see KB article Automatic Proxy Discovery in Internet Explorer with DHCP Requires Specific Permissions at http://support.microsoft.com/default.aspx?scid=kb;en-us;312864

 


Perform the following steps at the DHCP server to create the custom DHCP option:

 

1.       Open the DHCP console from the Administrative Tools menu and right click your server name in the left pane of the console. Click the Set Predefined Options command.

 

 


2.       In the Predefined Options and Values dialog box, click the Add button.

 

 


3.       In the Option Type dialog box, enter the following information:

 

Name: wpad

Data type: String

Code: 252

Description: wpad entry

 

Click OK.

 

 

 


4.       In the Value frame, enter the URL to the ISA Server 2000 firewall in the String text box. The format for this value is:

 

http://ISAServerName:AutodiscoveryPortNumber/wpad.dat

 

The default autodiscovery port number is TCP 80. You can customize this value in the ISA Management console. We will cover this subject in more detail later in this document.

 

In the current example, enter the following into the String text box:

 

http://isa2.msfirewall.org:80/wpad.dat

 

Make sure to enter wpad.dat in all lower case letters. For more information on this problem, please refer to KB article "Automatically Detect Settings" Does Not Work if You Configure DHCP Option 252 at http://support.microsoft.com/default.aspx?scid=kb;en-us;307502

 

Click OK.

 

 


5.       Right click the Scope Options node in the left pane of the console and click the Configure Options command.

 

 


6.       In the Scope Options dialog box, scroll through the list of Available Options and put a checkmark in the 252 wpad checkbox. Click Apply and then click OK.

 

 


7.       The 252 wpad entry now appears in the right pane of the console under the list of Scope Options.

 

 

8.       Close the DHCP console.

 

The next step is to configure the client computer as a DHCP client.
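The following Python script is an added example and is not part of the original Deployment Kit. It shows how the option 252 value is carried and how an administrator can check it before it goes into the scope: it builds the code/length/value encoding a DHCP server uses for option 252, parses the options portion of a constructed DHCPACK (the reply the client receives after its DHCPINFORM), extracts the wpad URL, and checks it against the requirements stated in this section: http scheme, the ISA Server's host name, the autodiscovery port configured on the Auto Discovery tab (TCP 80 by default), and the path /wpad.dat in lower case. The sample bytes, the host name isa2.msfirewall.org taken from the text, and all function names are constructed for this example.

```python
import struct
from urllib.parse import urlsplit

# DHCP option codes used below. 15 and 53 are standard (RFC 2132);
# 252 is the option used for WPAD, as configured in the text.
OPT_DOMAIN_NAME = 15
OPT_MSG_TYPE = 53
OPT_WPAD = 252
OPT_END = 255


def encode_option(code, payload):
    """Encode one DHCP option as code / length / value (TLV)."""
    if not 0 < len(payload) < 256:
        raise ValueError("DHCP option payload must be 1..255 bytes")
    return struct.pack("BB", code, len(payload)) + payload


def encode_option_252(url):
    """Build the option 252 TLV carrying the wpad.dat URL as a string."""
    return encode_option(OPT_WPAD, url.encode("ascii"))


def parse_dhcp_options(data):
    """Parse the options field of a DHCP message into {code: bytes}.
    Skips PAD (0), stops at END (255) and rejects truncated options."""
    options = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:  # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def wpad_url_from_ack(options_bytes):
    """Return the option 252 string from a DHCPACK, or None if absent."""
    opts = parse_dhcp_options(options_bytes)
    if OPT_WPAD not in opts:
        return None
    return opts[OPT_WPAD].decode("ascii")


def check_wpad_url(url, expected_host, expected_port=80):
    """Return a list of problems with an option 252 value (empty if OK).
    The checks mirror the text: http, the ISA Server host name, the port
    set on the Auto Discovery tab, and /wpad.dat in lower case."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "http":
        problems.append("scheme must be http, got %r" % parts.scheme)
    if (parts.hostname or "").lower() != expected_host.lower():
        problems.append("host %r does not match %r" % (parts.hostname, expected_host))
    port = parts.port if parts.port is not None else 80
    if port != expected_port:
        problems.append("port %d does not match autodiscovery port %d" % (port, expected_port))
    if parts.path != "/wpad.dat":
        if parts.path.lower() == "/wpad.dat":
            problems.append("path %r must be all lower case (/wpad.dat)" % parts.path)
        else:
            problems.append("path %r must be /wpad.dat" % parts.path)
    return problems


# Constructed sample: the options portion of a DHCPACK as the server in
# the text would send it (message type 5 = ACK, domain msfirewall.org,
# and the option 252 string entered in the DHCP console).
SAMPLE_ACK_OPTIONS = (
    encode_option(OPT_MSG_TYPE, b"\x05")
    + encode_option(OPT_DOMAIN_NAME, b"msfirewall.org")
    + encode_option_252("http://isa2.msfirewall.org:80/wpad.dat")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    url = wpad_url_from_ack(SAMPLE_ACK_OPTIONS)
    print("option 252:", url)
    print("problems:", check_wpad_url(url, "isa2.msfirewall.org", 80))
    print("problems:", check_wpad_url("http://isa2.msfirewall.org/WPAD.DAT", "isa2.msfirewall.org"))
```

Run the script to see the constructed ACK decoded and the lower-case check fire on WPAD.DAT; the same check_wpad_url call can be pointed at the string shown in a Network Monitor capture of the real DHCPACK.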

Configure the client as a DHCP client

In order to use DHCP to obtain autodiscovery information for Web Proxy and Firewall clients, the client computer must be configured as a DHCP client. Perform the following steps on the client machine to configure it as a DHCP client.

 

*       Note:

In this example, we configure a Windows 2000 machine as a DHCP client. The procedure varies a bit with each client operating system. All Windows TCP/IP operating systems use DHCP as the default IP address configuration.

 


1.       Right click the My Network Places icon on the desktop and click the Properties command.

 

 


2.       Right click the Local Area Connection entry in the Network and Dial-up Connections window and click the Properties command.

 

 


3.       In the Local Area Connection Properties dialog box, click the Internet Protocol (TCP/IP) entry and click the Properties button.

 

 


4.       In the Internet Protocol (TCP/IP) Properties dialog box, select the Obtain an IP address automatically and Obtain DNS server address automatically options.

 

Click OK.

 

 


5.       Click OK in the Local Area Connection Properties dialog box.

 

 


6.       Close the Network and Dial-up Connections window.

 

 

The next step is to configure the browser to use autodiscovery to automatically discover its Web Proxy client settings.

Configure the Client Browser to Use Autodiscovery

The browser must be configured to use autodiscovery before it can use the DHCP server option 252 to automatically configure itself. This is the default setting for Internet Explorer 6.0, but the default setting may have been changed at some time during the life of the browser on a particular machine. In the following example, we manually configure the browser to use autodiscovery to autoconfigure itself. We will discuss methods you can use to automatically set this option later in this document.

 


Perform the following steps on the Web Proxy client computer:

 

1.       Right click on the Internet Explorer icon on the desktop and click Properties.

 

 


2.       In the Internet Properties dialog box, click the Connections tab. Click the LAN Settings button.

 

 


3.       In the Local Area Network (LAN) Settings dialog box, put a checkmark in the Automatically detect settings checkbox. Click OK.

 

 


4.       Click OK in the Internet Properties dialog box.

 

 

The next step is to configure the ISA Server 2000 firewall to publish autodiscovery information.

Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information

All the settings required for the Web browser to configure itself are contained on the ISA Server 2000 firewall computer. By default, this option is disabled. You can enable publishing of autodiscovery information on the ISA Server 2000 firewall computer so that the Web Proxy client can obtain autoconfiguration settings.

 


Perform the following steps at the ISA Server 2000 firewall to enable publishing of autodiscovery information for Web Proxy and Firewall clients:

 

  1. Open the ISA Management console, expand the Servers and Arrays node and then right click on the server name. Click the Properties command.

  2. In the server Properties dialog box, click the Auto Discovery tab. Put a checkmark in the Publish automatic discovery information checkbox. Note that the default port number for publishing automatic discovery information is TCP port 80. This is the port number we configured in the DHCP option 252 setting. If you need to change this port number, make sure that you also change the port number used in the DHCP 252 setting.

Click Apply.

  3. Select the Save the changes and restart the service(s) option in the ISA Server Warning dialog box. Click OK.

  4. Click OK in the server Properties dialog box.

  5. Close the ISA Management console.

Making the Connection

All the components are now in place for the Web browser to automatically connect to the ISA Server 2000 firewall’s Web Proxy service using autodiscovery.

 


Perform the following steps on the Web Proxy client computer:

 

1.       Open Internet Explorer and enter the URL for the Microsoft ISA Server site at www.microsoft.com/isaserver

 

 


2.       A Network Monitor trace shows the DHCP Inform messages sent by the Web Proxy client. The Web Proxy client uses the DHCP Inform messages to obtain the autodiscovery address contained in the DHCP option 252 entry.

 

 


3.       In this frame, you can see the ACK response to the Web Proxy client’s DHCP inform message. In the bottom pane of the Network Monitor console, you can see that the DHCP server has returned the address you configured in the DHCP option 252 entry.

 

 


4.       After the Web Proxy client receives the address of the ISA Server 2000 containing the autodiscovery settings, the next step is for it to resolve the name of the ISA Server 2000 firewall to its internal IP address. Name resolution is critical to many aspects of ISA Server 2000 operation, and this is one more example of that. You can see in the Network Monitor that the Web Proxy client has issued a query for isa2.msfirewall.org, which was the host name contained in the DHCP 252 option URL.

 

Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery

Another method that can be used to deliver autodiscovery information to Web Proxy and Firewall clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this information to automatically configure themselves. This is in contrast to the situation we saw with the DHCP method, where the logged on user needed to be a member of a specific group in the Windows operating system.

 

Name resolution is a pivotal component to making this method of Web Proxy and Firewall client autodiscovery work correctly. In this case, the client operating system must be able to correctly fully qualify the name wpad. The reason for this is that the Web Proxy and Firewall client only knows that it needs to resolve the name wpad; it does not know what specific domain name it should append to the query to resolve the name wpad. We will cover this issue in detail later in this document.

 

*       Note:

In contrast to the DHCP method of assigning autodiscovery information to Web Proxy and Firewall clients, you do not have the option to use a custom port number to publish autodiscovery information when using the DNS method. You must publish autodiscovery information on TCP 80 when using the DNS method.

 

We will detail the following steps to enable DNS to provide autodiscovery information to Web Proxy and Firewall clients:

 

  • Creating the wpad entry in DNS
  • Configuring the client to use the fully qualified wpad alias
  • Configuring the client browser to use autodiscovery
  • Making the connection

Create the wpad Entry in DNS

The first step is to create a wpad alias entry in DNS. This alias points to a Host (A) record for the ISA Server 2000 firewall, which resolves the name of the ISA Server 2000 firewall to the internal IP address of the firewall. This Host (A) record must be created before you create the CNAME alias entry. If you enable automatic registration in DNS, the ISA Server 2000 firewall’s entry will already be entered into DNS. If you have not enabled automatic registration, you will need to create the Host (A) record for the ISA Server 2000 firewall manually. In the following example, the ISA Server 2000 firewall has automatically registered itself with DNS.

 


Perform the following steps on the DNS server on the domain controller on the internal network:

 

1.       Click Start and select Administrative Tools. Click the DNS entry. In the DNS management console, right click on the forward lookup zone for your domain and click the New Alias (CNAME) command.

 

 


2.       In the New Resource Record dialog box, enter wpad in the Alias name (uses parent domain if left blank) text box. Click the Browse button.

 

 


3.       In the Browse dialog box, double click on your server name in the Records list.

 

 


4.       In the Browse dialog box, double click on the Forward Lookup Zone entry in the Records frame.

 

 


5.       In the Browse dialog box, double click on the name of your forward lookup zone in the Records frame.

 

 


6.       In the Browse dialog box, select the name of the ISA Server 2000 firewall in the Records frame. Click OK.

 

 


7.       Click OK in the New Resource Record dialog box.

 

 


8.       The CNAME (alias) entry appears in the right pane of the DNS management console.

 

 

9.       Close the DNS Management console.

Configure the Client to Use the Fully Qualified wpad Alias

The Web Proxy and Firewall client needs to be able to correctly resolve the name wpad. Neither the Web Proxy nor the Firewall client configuration is aware of the domain containing the wpad alias. The Web Proxy and Firewall client operating system must be able to provide this information to the Web Proxy and Firewall client.

 

DNS queries must be fully qualified before the query is sent to the DNS server. A fully qualified request contains a host name and a domain name. The Web Proxy and Firewall client know only the host name portion. The Web Proxy and Firewall client operating system must be able to provide the correct domain name, which it appends to the wpad host name, before it can send a DNS query to the DNS server.

 

There are a number of methods you can use to provide a domain name that is appended to the wpad name before the query is sent to the client operating system’s DNS server. Two popular methods for doing this are:

 

  • Using DHCP to assign a primary domain name
  • Configuring a primary domain name in the client operating system’s network identification dialog box.

 

We will detail these two methods in the following steps:

 

1.       Right click the My Computer icon on the desktop and click the Properties command.

 

 


2.       In the System Properties dialog box, click the Network Identification tab. Click the Properties button.

 

 


3.       In the Identification Changes dialog box, click the More button.

 

 


4.       In the DNS Suffix and NetBIOS Computer Name dialog box, enter the domain name that contains your wpad entry in the Primary DNS suffix of this computer text box. This is the domain name that the operating system will append to the wpad name before sending the DNS query to the DNS server. By default, the primary domain name is the same as the domain name the machine belongs to. If the machine is not a member of a domain, then this text box will be empty. Note that the Change primary DNS suffix when domain membership changes option is enabled by default. In the current example, the machine is not a member of a domain.

 

Cancel out of each of the dialog boxes so that you do not configure a primary domain name at this time.

 

 


5.       Another way to assign a machine a primary domain name is to use DHCP. A DHCP server can be configured to supply DHCP clients a primary domain name by configuring a DHCP scope option. We did this earlier when we created a scope on the DHCP server using the DHCP scope wizard. In the current example, the DNS Domain Name scope option was set to deliver the domain name msfirewall.org to DHCP clients. This option has the same effect as manually setting the primary domain name. DHCP clients will append this name to unqualified DNS queries (such as those for wpad) before sending the DNS query to a DNS server.

 

 


6.       Go to the DHCP client system and open a command prompt. At the command prompt, enter ipconfig /all and press ENTER. Notice that the machine has been assigned a Connection-specific DNS Suffix of msfirewall.org.

 

DHCP is the most efficient way to assign a primary DNS suffix to clients on your network. This feature allows you to automatically configure a DNS suffix on DHCP clients that connect to your network but are not members of your Active Directory domain. These clients can still correctly resolve the wpad name based on your current DNS infrastructure without requiring them to join the domain or be configured manually.

 

 

Note that if you have multiple domains and clients on your internal network that belong to multiple domains, then you will need to create wpad CNAME alias entries for each of the domains.
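The following Python script is an added example, not part of the original Deployment Kit, that models the DNS method described in this section and the two places it breaks: the client operating system appending its primary DNS suffix to the unqualified name wpad (nothing is appended when the machine has no suffix from the domain or from DHCP), and the DNS server following the wpad CNAME alias to the firewall's Host (A) record (resolution fails if the A record was never created). It also implements the check implied by the note above: for every domain your clients belong to, confirm that wpad.<domain> resolves. The zone data is constructed; the internal address 10.0.2.1 for isa2 is an assumption (the text gives it only as the lab's default gateway), and the second zone, lab.example, exists only to show a CNAME whose target has no A record.

```python
# Constructed zone data modelled on the lab in the text. isa2's address is
# an assumption for the example; the wpad entry is a CNAME alias to it.
ZONES = {
    "msfirewall.org": {
        "isa2": ("A", "10.0.2.1"),
        "wpad": ("CNAME", "isa2.msfirewall.org"),
    },
    # Hypothetical zone where the alias was created before the A record:
    # wpad points at a host that has no Host (A) record yet.
    "lab.example": {
        "wpad": ("CNAME", "isa9.lab.example"),
    },
}


def qualify_name(short_name, primary_suffix):
    """Append the primary DNS suffix to an unqualified name, as the client
    operating system does before it sends the query. Returns None when there
    is no suffix to append (machine not in a domain and no DHCP-supplied
    suffix), which is exactly the case in which wpad cannot be resolved."""
    if "." in short_name:
        return short_name
    if not primary_suffix:
        return None
    return "%s.%s" % (short_name, primary_suffix.strip("."))


def resolve(zones, fqdn, max_hops=8):
    """Resolve fqdn to an IPv4 address, following CNAME aliases the way the
    DNS server does for wpad -> isa2. Returns None if no A record is found."""
    name = fqdn.rstrip(".").lower()
    for _ in range(max_hops):
        zone = next((z for z in zones if name.endswith("." + z)), None)
        if zone is None:
            return None
        host = name[: -(len(zone) + 1)]
        record = zones[zone].get(host)
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        name = value.lower()  # CNAME: continue with the canonical name
    return None


def autodiscover(zones, primary_suffix, port=80):
    """Simulate the DNS method end to end: qualify wpad with the client's
    primary suffix, resolve the alias, and build the URL the browser then
    requests (GET /wpad.dat on TCP 80, the only port the DNS method allows).
    Returns (fqdn, ip, url) or None when any step fails."""
    fqdn = qualify_name("wpad", primary_suffix)
    if fqdn is None:
        return None
    ip = resolve(zones, fqdn)
    if ip is None:
        return None
    return fqdn, ip, "http://%s:%d/wpad.dat" % (fqdn, port)


def missing_wpad_aliases(zones, client_domains):
    """Return the domains for which wpad.<domain> does not resolve to an
    address: each needs its own wpad CNAME (and a target A record)."""
    return [d for d in client_domains if resolve(zones, "wpad." + d) is None]


if __name__ == "__main__":
    print(autodiscover(ZONES, "msfirewall.org"))
    print(autodiscover(ZONES, ""))  # no primary suffix: None
    print(missing_wpad_aliases(ZONES, ["msfirewall.org", "lab.example", "students.example"]))
```

On a real network the same two checks are ipconfig /all (does the client have a Connection-specific or Primary DNS Suffix?) and a name lookup of wpad.<suffix> from the client; the script only makes the dependency between them explicit.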

Configure the client browser to use autodiscovery

The next step is to configure the browser to use autodiscovery. If you have not already done so, perform the following steps to configure the Web browser to use autodiscovery to automatically configure itself to use the ISA Server 2000 firewall’s Web Proxy service:

 


1.       Right click on the Internet Explorer icon on the desktop and click Properties.

 

 


2.       In the Internet Properties dialog box, click the Connections tab. Click the LAN Settings button.

 

 


3.       In the Local Area Network (LAN) Settings dialog box, put a checkmark in the Automatically detect settings checkbox. Click OK.

 

 


4.       Click Apply and then click OK in the Internet Properties dialog box.

 

 

The next step is to configure the ISA Server 2000 firewall to publish autodiscovery information for Web Proxy and Firewall clients that use autodiscovery.

Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information

Perform the following steps on the ISA Server 2000 firewall computer to enable it to provide autoconfiguration information to Web Proxy and Firewall autodiscovery clients:

 


1.       Open the ISA Management console and expand the Servers and Arrays node. Right click on your server name and click Properties.

 

 


2.       In the server Properties dialog box, click the Auto Discovery tab. Put a checkmark in the Publish automatic discovery information checkbox. Leave the default entry of 80 in the Use this port for automatic discovery request text box. DNS-based autodiscovery carries no port information, so a client that found the firewall through the wpad alias always connects to TCP port 80; if you change this port, only clients that received the full URL (including the port) from DHCP option 252 will still find the autoconfiguration script. Click Apply.

 

 


3.       Select the Save the changes and restart the service(s) option in the ISA Server Warning dialog box and click OK.

 

 


4.       Click OK in the server properties dialog box.

 

 

5.       Close the ISA Management console.

Making the connection

All the parts are now in place to allow the Web Proxy and Firewall client machine to use DNS to obtain autoconfiguration information. Perform the following steps on the Web Proxy client computer:

 


1.       Open Internet Explorer and go to the www.microsoft.com/isaserver/ home page.

 

 


2.       A Network Monitor trace shows the Web Proxy client makes a DNS query for wpad.msfirewall.org.

 

 


3.       The DNS server answers with the CNAME record for wpad.msfirewall.org and the A record it points to, that is, the internal IP address of the ISA Server 2000 firewall computer.

 

 


4.       The client now has the IP address of the ISA Server 2000 firewall computer. Because DNS supplies no port, it connects to TCP port 80 on that address and sends a request for the wpad autoconfiguration script. You can see this request in the bottom pane of the Network Monitor window: GET /wpad.dat HTTP/1.1.
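The following script is an added example, not part of the deployment kit. It repeats the two steps traced above, the DNS lookup for the wpad alias and the GET for /wpad.dat on port 80, from a Windows client, and checks that the alias lands on the firewall you expect. The suffix msfirewall.org comes from the walkthrough; the firewall FQDN isa2.msfirewall.org and the address 10.0.0.1 are placeholders to replace with your own values.

```powershell
# Added example, not from the deployment kit: reproduce the DNS-based WPAD
# lookup a Web Proxy client performs and verify where it leads.
# Assumed values: DNS suffix from the walkthrough, firewall FQDN and
# internal address are placeholders.
param(
    [string]$DnsSuffix    = 'msfirewall.org',
    [string]$ExpectedFqdn = 'isa2.msfirewall.org',
    [string]$ExpectedIp   = '10.0.0.1'
)

$wpadName = "wpad.$DnsSuffix"

# Step 1: resolve the alias. DNS-based discovery carries no port number, so
# the browser connects to TCP 80 on whatever address comes back here.
$answer = Resolve-DnsName -Name $wpadName -Type A -ErrorAction Stop
$cname  = ($answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
$addrs  = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

"CNAME : $wpadName -> $cname"
"A     : $($addrs -join ', ')"

if ($cname -and $cname.TrimEnd('.') -ne $ExpectedFqdn) {
    Write-Warning "$wpadName is an alias for $cname, not $ExpectedFqdn"
}
if ($addrs -notcontains $ExpectedIp) {
    # Whoever answers for this name chooses the proxy for every
    # autodiscovering client, so an unexpected address needs investigating.
    Write-Warning "$wpadName resolves to $($addrs -join ', '), expected $ExpectedIp"
}

# Step 2: fetch the script the way the browser does: GET /wpad.dat on port 80.
$resp = Invoke-WebRequest -Uri "http://$wpadName/wpad.dat" -UseBasicParsing -TimeoutSec 10
"HTTP $($resp.StatusCode), $($resp.Content.Length) characters"
if ($resp.Content -notmatch 'FindProxyForURL') {
    Write-Warning 'Response does not contain FindProxyForURL; this is not a proxy autoconfiguration script'
}
```

Run it from the client whose ipconfig /all showed the msfirewall.org suffix. A warning from the first check means the alias or the A record it points to has changed; a warning from the second means something other than the ISA Server autodiscovery listener is answering on port 80 at that address.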

 

Automating Web Proxy Client Configuration with Group Policy

When the client operating system belongs to a Windows 2000 or Windows Server 2003 Active Directory domain, you can use Group Policy to automatically configure the browser for all domain member computers. This greatly simplifies the management of Internet Explorer clients throughout the campus. You can even create different Organizational Units (OUs) and configure different browser settings in each OU.

 

In the following example, we’ll configure a domain policy that configures all the browsers in the domain to use the autoconfiguration script.

 


1.       Open the Active Directory Users and Computers console from the Administrative Tools menu. Right click on your domain name and click Properties.

 

 


2.       In the domain Properties dialog box, click on the Group Policy tab. Click on the Default Domain Policy and click the Edit button.

 

 


3.       In the Group Policy Object Editor, expand the User Configuration node and then expand the Internet Explorer Maintenance node. Click on the Connection node. Double click on the Automatic Browser Configuration entry in the right pane of the console.

 

 


4.       In the Automatic Configuration dialog box, put a checkmark in the Automatically detect configuration settings checkbox. Put a checkmark in the Enable Automatic Configuration checkbox. You can enter a custom value in the Automatically configure every X minutes text box. This allows the browser to automatically refresh the browser configuration at regular intervals, based on the number of minutes you configure in this text box. You might consider entering a lower number if you have a caching array and want to enable a degree of failover for Web Proxy clients.

 

Enter the ISA Server 2000 autoconfiguration script URL in the Auto-proxy URL (.JS, .JVS, or .PAC file) text box. The script ISA Server 2000 serves is a JScript proxy autoconfiguration file, not an .INS branding file, so the Auto-config URL (.INS file) text box is not the right place for it. The default ISA Server 2000 script URL is http://<ISA server FQDN>:8080/array.dll?Get.Routing.Script. With this value in place, the Web browser can use the autoconfiguration script even when autodetection fails, for example on a segment without the DHCP option or the DNS wpad entry.

 

Click OK after making the changes.

 

 


5.       Close the Group Policy Object Editor window.

 

 


6.       Click OK in the domain Properties dialog box.

 

 


7.       Close the Active Directory Users and Computers console.
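The following script is an added example, not part of the deployment kit. It checks on a domain member whether the Automatic Browser Configuration policy above actually reached the logged-on user's Internet Explorer settings. Internet Explorer Maintenance writes to the user's live Internet Settings registry key rather than to the Policies tree, so this reads exactly what the browser reads. The expected script URL is an assumption built from the walkthrough's server name; substitute your own.

```powershell
# Added example, not from the deployment kit: verify that Internet Explorer
# Maintenance settings from Group Policy reached the current user's browser.
# Assumption: the script URL below matches what you entered in the policy.
$expectedPac = 'http://isa2.msfirewall.org:8080/array.dll?Get.Routing.Script'

$is  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cfg = Get-ItemProperty -Path $is -ErrorAction Stop
$con = Get-ItemProperty -Path "$is\Connections" -ErrorAction Stop

# The Auto-proxy URL from the policy ends up in AutoConfigURL.
$pac = $cfg.AutoConfigURL
"AutoConfigURL : $pac"
if ($pac -ne $expectedPac) {
    Write-Warning "AutoConfigURL is '$pac', expected '$expectedPac'"
}

# The LAN Settings checkboxes are stored in a binary value. Byte 8 is a
# flag set: 0x01 is always present, 0x02 = use a proxy server,
# 0x04 = use automatic configuration script, 0x08 = automatically detect.
$blob = [byte[]]$con.DefaultConnectionSettings
if (-not $blob -or $blob.Length -lt 9) {
    throw 'DefaultConnectionSettings is missing or too short to decode'
}
$flags = $blob[8]
[pscustomobject]@{
    AutoDetect     = [bool]($flags -band 0x08)
    UseAutoConfig  = [bool]($flags -band 0x04)
    UseStaticProxy = [bool]($flags -band 0x02)
}
if (-not ($flags -band 0x08)) { Write-Warning 'Automatically detect settings is OFF' }
if (-not ($flags -band 0x04)) { Write-Warning 'Use automatic configuration script is OFF' }

# Confirm the policy itself applied to this user: the GPO edited above
# (Default Domain Policy in the walkthrough) should appear in the RSoP list.
gpresult /r /scope:user | Select-String 'Default Domain Policy'
```

If the flags are correct but gpresult does not list the GPO, the values were set locally (or by an earlier policy) and will not be refreshed by this policy; if the GPO is listed but the flags are wrong, log off and on again, since Internet Explorer Maintenance settings are applied at user logon.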

Automating Web Proxy Client Configuration with the Internet Explorer Administration Kit (IEAK 6.0 SP1)

The Internet Explorer Administration Kit allows you to create highly customized versions of Internet Explorer that you can distribute to campus Internet users. One of the customization features is the proxy configuration parameters, so that you can configure the browsers to autodetect and to use the autoconfiguration script. Note that there are licensing issues you must be aware of before using IEAK to distribute customized versions of Internet Explorer. For more information about the IEAK and for a download link, please check the IEAK home page at http://www.microsoft.com/windows/ieak/downloads/ieak6/ieak6sp1.asp

 

The following example illustrates several components of the Internet Explorer Customization Wizard and how it works to create a custom setup you can use to configure Internet Explorer installation on campus.

 


1.       Download and install the Internet Explorer Administration Kit Service Pack 1 and install it on a workstation on your network. After installing IEAK, click Start, point to Programs and point to Microsoft IEAK 6. Click Internet Explorer Customization Wizard.

 

 


2.       Read the information on the Welcome to the IEAK – Corporate Version page and click Next.

 

 


3.       Click Next on the Stage 1 – Gathering Information page.

 

 


4.       On the File Locations page, use the default Destination Folder or create one of your own. This is the location where the customized Internet Explorer packages will be saved. Click Next.

 

 


5.       On the Language Selection page, select the language of your choice from the Target language drop down box. Click Next.

 

 


6.       On the Media Selection page, select the media type that is most useful for your distribution. We will select the Single disk branding option. This option is the most simple and does not produce an installation package; it does save a configuration file that is used to customize an already installed version of Internet Explorer. Click Next.

 

 


7.       On the Feature Selection page, select the options that you’re interested in customizing. In our current example, we will click the Clear All button, then we will place a checkmark in the Connections Customization checkbox. This will allow us to customize the Proxy server settings on the Internet Explorer browsers.

 

Click Next.

 

 


8.       Click Next on the Stage 2 – Specifying Setup Parameters page.

 

 


9.       During the installation, you will be presented with a number of Security Warning dialog boxes asking if you want to install and run a number of applications. Select Yes for each one to download the applications and installation files so that they can be included in your Internet Explorer packages.

 

 


10.   Click the Synchronize All button. A progress bar displays the download progress of Internet Explorer installation files.

 

 

 


11.   You will see a green checkmark next to each of the installation files that was successfully downloaded. Click Next.

 

 


12.   Click Next on the Stage 4 – Customizing the Browser page.

 

 


13.   On the Connection Settings page, select the Import the current Connection Settings from this machine option. Then click the Modify Settings button to confirm or change the current Internet Proxy settings. The IEAK will copy these settings into the Internet Explorer package it creates. Click Next.

 

 


14.   Click Next on the Wizard Complete page.

 

 


15.   Click Finish on the Wizard Complete page.

 

 

16.   You can then distribute the package to campus Internet Explorer clients based on the type of package you created. Typically, the users will access the installation from a Web server or installation share point, and then they run the IE6setup.exe file.

 

*       Note:
For more information on how to use the IEAK to create and distribute custom Internet Explorer packages, please review The Internet Explorer Administration Kit 6 Deployment Guide at http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/


Automating Installation of the Firewall Client

The Firewall client software can be installed on virtually any 32-bit version of Windows except the initial release of Windows 95. There are a number of compelling reasons for installing the Firewall client software on all machines that it supports:

 

·         The Firewall client allows you to create user/group based access controls for all TCP and UDP protocols. This is in contrast to the Web Proxy client configuration, which only supports HTTP, HTTPS and FTP.

·         The Firewall client has access to all TCP and UDP based protocols, including those requiring secondary connections. In contrast, the SecureNAT client does not support application protocols that require secondary connections unless there is an application filter to support it.

·         The Firewall client provides much better performance than the SecureNAT client.

·         The Firewall client sends application information to the ISA Server 2000 Firewall service; this allows the Firewall service logs to record application usage information.

·         The Firewall client sends user information to the Firewall service; this enables the ISA Server 2000 firewall to control access based on user account and record user information in the Firewall service’s access logs. This information can be extracted and put into report form.

 

With these features, the Firewall client provides a level of functionality and access control that no other firewall in its class can match. For this reason, we always recommend that you install the Firewall client on any machine that supports the Firewall client software.

 

However, because the Firewall client configuration requires that the Firewall client software be installed, many campus administrators are hesitant to adopt the full feature set provided by the Firewall client. Many campus network administrators don’t have the time or the resources to “touch” each authorized computer on the campus network in order to install the software.

 

The solution to this problem is to automate the installation of the Firewall client. There are two methods that you can use, which require no additional software purchase, and which can greatly simplify the installation on large numbers of computers on the campus network. These methods are:

 

·         Group Policy based software installation and management

·         Silent installation script

 

In the following section, we will discuss these methods, as well as some key ISA Server client configuration settings that you should make in the ISA Management console.

Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console

There are a few configuration options you should set for the Firewall client installation before you configure Group Policy or a silent installation script to install the Firewall client software. These settings determine autodiscovery behavior and how the Web browser is configured during installation of the Firewall client.

 


Perform the following steps on the ISA Server 2000 firewall computer:

 

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Click on the Client Configuration node and then double click on the Firewall Client entry in the right pane of the console.

 

On the General tab of the Firewall Client Properties dialog box, select the DNS name option and enter the fully qualified domain name into the text box. Do not use the Browse button, as it will not enter the fully qualified domain name into the text box for you. Make sure that the DNS server your Firewall clients are configured to use on the internal network is able to resolve this name to the internal address of the ISA Server 2000 firewall computer.

 

Place a checkmark in the Enable ISA Firewall automatic discovery in Firewall Client checkbox. During installation of the Firewall client software, the client will be configured to use autodiscovery to find the ISA Server 2000 firewall machine. Note that this setting will have no effect after the Firewall client software is installed. You must select this option before the Firewall client software is installed.

 

Click Apply and then click OK.

 

 


2.       Double click on the Web Browser entry in the right pane of the console. On the General tab, enter the fully qualified domain name in the DNS name text box. Note the port is set for 8080 and you cannot change it from this dialog box. This setting is derived from the port configuration for the Outgoing Web Requests listener, which can be configured from the server Properties dialog box.

 

Put a checkmark in the Automatically discover settings checkbox. This will allow the Web browser to use autodiscovery to automatically configure itself.

 

Put a checkmark in the Set Web browsers to use automatic configuration script checkbox and select the Use custom URL option. Change the server name in the text box to the fully qualified domain name of the ISA Server 2000 firewall computer.

 

Click Apply and then click OK.

 

 

3.       Close the ISA Management console.

 

The settings above are enforced only during Firewall client installation. If you install the Firewall client before making changes to these settings, they will not be enforced after the fact.

Group Policy Software Installation

You might not wish to install the Firewall client on all machines on campus. For example, domain controllers and published servers should not be configured as Firewall clients. You can gain granular control over Group Policy based software installation by creating an organizational unit for Firewall clients and then configuring an OU group policy object to install the Firewall client only on computers belonging to that OU.

 

Perform the following steps on the domain controller to create the OU and then configure software installation and management to install the Firewall client on machines belonging to the OU:

 

1.       Click Start and select the Administrative Tools menu. Click the Active Directory Users and Computers entry. Right click on your domain name, point to New and click Organizational Unit.

 

 


2.       In the New Object – Organizational Unit dialog box, enter a name for the OU in the Name text box. In this example, we will call the OU FWCLIENTS. Click OK.

 

 


3.       Click on the Computers node in the left pane of the console. Right click your client computer and click the Move command.

 

 


4.       In the Move dialog box, click the FWCLIENTS OU and click OK.

 

 


5.       Click on the FWCLIENTS OU. You should see the computer you moved into this OU.

 

 


6.       Right click the FWCLIENTS OU and click the Properties command.

 

 


7.       Click the Group Policy tab in the FWCLIENTS dialog box. Click the New button to create a New Group Policy Object. Select the New Group Policy Object and click Edit.

 

 


8.       Expand the Computer Configuration node and then expand the Software Settings node. Right click on Software installation, point to New and click Package.

 

 

 


9.       In the Open dialog box, type the UNC path to the Firewall client's Windows Installer package (.msi file) in the File name text box. You must use a UNC path, not a local drive letter, because the client computers retrieve the package over the network. In this example, the path is:

 

\\isa2\mspclnt\MS_FWC.MSI

 

Where isa2 is the NetBIOS name of the ISA Server 2000 firewall computer, mspclnt is the name of the share on the ISA Server 2000 firewall computer that contains the Firewall client installation files and MS_FWC.MSI is the name of the Firewall client Windows Installer package. Because a computer-assigned package is installed at startup by the computer account rather than by a user, the share and NTFS permissions must grant read access to the domain computer accounts (for example, through Domain Computers or Authenticated Users).

 

Click Open after entering the path.

 

 


10.   In the Deploy Software dialog box, select the Assigned option and click OK. Notice that the Published option is not available when you install software under the Computer Configuration node. Computer-assigned software is installed at startup, before any user logs on. This matters because a logged-on user must be a local administrator to install the Firewall client software, whereas a computer-assigned package is installed by the operating system itself with no logged-on user at all.

 

Click OK.

 

 


11.   The new managed software package appears in the right pane of the console. All machines in the OU will have the Firewall client software installed when they are restarted. You can also manage the Firewall client software from here.

 

*       Note:

For more details on how to take full advantage of Group Policy based software installation and maintenance, please see the Step-by-Step Guide to Software Installation and Maintenance at http://www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp

 

 

12.   Close the Group Policy Object Editor and the Active Directory Users and Computers console.


13.   When you restart the machines in the FWCLIENTS OU, the log on dialog box provides information about how managed software is being installed on the Windows client operating system.

 

Silent Installation Script

Another useful method you can use to install the Firewall client software on those machines that are not members of the domain is to use a silent installation script. This method is useful when the logged on user is a member of the local administrators group.

 

Open notepad and copy the following line into the new text document and save the file as “fwcinstall.cmd”:

 

msiexec /i \\ISA2\mspclnt\MS_FWC.msi /qn /l*v c:\mspclnt_i.log

 

The \\ISA2 entry is the computer name of the ISA Server 2000 firewall computer and will vary for each installation location. The rest of the line can be used exactly as listed above. Users can then go to a Web page, or click a link in an email message pointing them to this batch file. The process is very simple and only requires the user to click the link to run the script. The installation is completely transparent: the only things the user will see are a momentary command prompt window and, when the procedure is completed, the Firewall client icon in the system tray. The /l*v switch writes a verbose log to c:\mspclnt_i.log, which is where to look when the icon does not appear.
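The following script is an added example, not part of the deployment kit. It wraps the same msiexec command line in the checks an unattended rollout needs: it refuses to run without administrative rights (the reason the batch file only works for local administrators), skips machines that already have the client, verifies the package is readable, and reports the Windows Installer exit code and the relevant log lines on failure. The share path \\ISA2\mspclnt comes from the walkthrough; the assumption that the product registers an Uninstall entry whose DisplayName contains "Firewall Client" is a placeholder to confirm against your own installation.

```powershell
# Added example, not from the deployment kit: silent Firewall client install
# with the checks the one-line batch file lacks. Assumptions: package path
# from the walkthrough; Uninstall DisplayName pattern is a placeholder.
param(
    [string]$Package = '\\ISA2\mspclnt\MS_FWC.msi',
    [string]$Log     = "$env:SystemRoot\Temp\mspclnt_i.log"
)

# A per-machine MSI install needs local administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Windows Installer needs local administrator rights for a per-machine install'
}

# Skip machines that already have the client (avoids a pointless reinstall).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*Firewall Client*' }
if ($installed) {
    "Already installed: $($installed.DisplayName -join ', ')"
    exit 0
}

# The computer must be able to read the share before msiexec is launched.
if (-not (Test-Path -Path $Package)) {
    throw "Cannot read $Package; check the share and NTFS permissions"
}

# Same switches as the batch file: silent install with a verbose log.
$msiArgs = "/i `"$Package`" /qn /l*v `"$Log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0    { 'Installed' }
    3010 { 'Installed; reboot required' }
    default {
        # Surface the lines that explain a failure instead of the whole log.
        Select-String -Path $Log -Pattern 'Installation success or error status|Return value 3' |
            Select-Object -Last 5
        throw "msiexec exited with $($proc.ExitCode); see $Log"
    }
}
```

Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is a success; treat only other non-zero codes as failures when you collect results from many machines.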

Summary

In this document we covered a number of methods you can use to automate the installation and configuration of the Firewall and Web Proxy clients. Automating configuration of these ISA Server 2000 clients allows machines to configure themselves without requiring the campus network administrator to visit each machine and set it up for the campus user. Methods used to configure the Firewall and Web Proxy clients include DHCP Option 252 and the DNS wpad entry. You also learned that you can use Active Directory Group Policy and the Internet Explorer Administration Kit to automate the installation and configuration of the Firewall and Web Proxy clients.

 
