Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit
Chapter 5
Automating ISA Server 2000 Web Proxy and Firewall Client Installation and Configuration

Dr. Debra L. Shinder
January 2004
Table of Contents
Automating ISA Server 2000 Web Proxy and Firewall Client Configuration
Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
Create the DHCP 252 Scope Option and Add it to the Scope
Configure the client as a DHCP client
Configure the Client Browser to Use Autodiscovery
Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information
Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
Configure the Client to Use the Fully Qualified wpad Alias
Configure the client browser to use autodiscovery
Configure the ISA Server 2000 Firewall to Publish Autodiscovery Information
Automating Web Proxy Client Configuration with Group Policy
Automating Installation of the Firewall Client
Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console
Group Policy Software Installation
An important aspect of deploying ISA Server 2000 as a firewall and Web acceleration solution on the campus network is selecting, installing and configuring the clients to go through the ISA Server for Internet access. An ISA Server 2000 client is any machine that accesses the Internet via the ISA Server 2000 firewall or Web Proxy server.
ISA Server 2000 supports three client types. The type of client determines what protocols are supported, and the operating system used on the client machine dictates which client(s) can be used. The three ISA Server 2000 client types are:
SecureNAT clients are configured with a default gateway that routes Internet-bound requests through the ISA Server 2000 firewall or Web Proxy server. The SecureNAT client does not require software installation or configuration, and any operating system that uses TCP/IP can be a SecureNAT client. No client software is required, but some network configuration changes must be made. Although the SecureNAT client provides a certain level of transparency of client configuration, its drawback is that it provides the lowest level of security and performance of the three client types. The SecureNAT client configuration should typically be reserved for non-Microsoft operating systems and the rare occasions when client browsers do not support the Web Proxy client configuration.
Web Proxy client computers are machines with Web browsers that support the use of a Web Proxy server. Any operating system can be used as long as a browser that meets this criterion is installed. Almost all modern browsers support this configuration. The advantages of the Web Proxy client configuration are that it does not require additional software installation and only requires that the browser be configured to use the Web Proxy server. In addition, the Web Proxy client can benefit from the Web Proxy cache and direct communications with the Web Proxy service. In contrast to the SecureNAT client, which does not support user/group based authentication, access to the Internet for Web Proxy clients can be controlled on a per user/per group basis. The Web Proxy client supports the HTTP, HTTPS, FTP and Gopher protocols.
Firewall client computers have the Microsoft Firewall client software installed on them. The Firewall client supports almost all Microsoft 32-bit operating systems, with the exception of the original release of Windows 95. Non-Microsoft operating systems cannot use the Firewall client. The Firewall client is unique in that it provides user/group based access control to all TCP and UDP protocols and sends application information to the Firewall service on the ISA Server 2000 firewall. This enables the Firewall service logs to track which users used which application to access a particular site. This information can be extracted from the Firewall service logs and incorporated into reports to provide detailed information on campus Internet usage. In addition, the Firewall client supports complex protocols that require secondary connections. In contrast, the SecureNAT client does not support complex protocols that require secondary connections without the aid of an application filter.
Note:
For more information on the various ISA Server 2000 client types, please see the ISA Server 2000 Help on this topic at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/isa/isafp1/isasct.asp
Which client type is the best choice for the educational environment? The Web Proxy and Firewall client configurations provide a higher level of security and performance than that obtained via the SecureNAT client configuration. However, these more secure configurations are often avoided because busy campus administrators cannot visit each machine on the educational institution’s network to install the software or configure the browsers. For this reason, many administrators prefer to use the SecureNAT configuration at the expense of performance and security.
However, there is a solution to this problem that allows you to deploy a more secure client solution without spending an inordinate amount of time on the task. You can automate the configuration of the Web browser and the installation and configuration of the Firewall client. The busy campus administrator does not need to “touch” each machine on the educational institution’s network when these processes are automated. Automated installation and configuration is the most efficient way to deploy the ISA Firewall and Web Proxy client types on a large institution’s network.
Also note that a Firewall client or SecureNAT client can also be a Web Proxy client. In this case, the Web Proxy service handles the HTTP, HTTPS, FTP and Gopher traffic, while other protocols are handled by the Firewall client or SecureNAT.
In this document, we will cover the following topics:
When the installation of the Firewall client and the configuration of the Web Proxy and Firewall clients are automated, almost all machines on the campus network will be able to benefit from the superior performance and security provided by the Firewall and Web Proxy client configurations.
The scenarios in this document are based on the lab configuration illustrated in the figure below:

CLIENT2A is the machine that will be configured as the Web Proxy and Firewall client computer. Its IP settings are obtained via DHCP when testing autoconfiguration via DHCP, and it is assigned a valid address on network ID 10.0.2.0/24 when testing autoconfiguration via DNS. In both cases no default gateway is configured, so only the Web Proxy and Firewall client configurations are active. The operating system is Windows 2000.
CLIENT2 is a Windows Server 2003 machine configured as a domain controller in the msfirewall.org domain. The machine is a DNS server and the DNS server is able to resolve Internet host names. A DHCP server will be installed on this machine so that we can test assigning autodiscovery information via DHCP. It has the following IP addressing information:
IP address: 10.0.2.2
Subnet mask: 255.255.255.0
DNS address: 10.0.2.2
Default Gateway: 10.0.2.1
ISA2 is a Windows Server 2003 machine with ISA Server 2000 installed on it. An “all open” Protocol Rule that allows access to all IP addresses is configured, and the default Site and Content Rule, which allows access to all sites and content, is enabled.
There are several methods available for automating the Web Proxy and Firewall client configurations. These include:
The following sections discuss how to automate the configuration of Web Proxy and Firewall clients using the Web Proxy AutoDiscovery (WPAD) protocol, Active Directory Group Policy and the Internet Explorer Administration Kit.
Note:
For more information about the WPAD protocol, please see the ISA Server 2000 Help file information at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/CMT_AutoDetect.asp
DHCP clients can obtain autoconfiguration information from the ISA Server 2000 firewall computer by using DHCP Inform messages. The Firewall client and Web browser software can issue DHCP Inform messages to query a DHCP server for the address of a machine containing the autoconfiguration information. The DHCP server returns the address of the machine containing the autoconfiguration information and then the Firewall client or Web browser software requests autoconfiguration from the addresses returned by the DHCP server.
The DHCP server uses a special DHCP option to provide this information.
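As an added example (not part of the deployment kit), the exchange described above in Python: the client's DHCP INFORM asking only for option 252, a constructed DHCP ACK carrying the WPAD URL, and a check that the returned URL names the firewall or its wpad alias. The client MAC, the FQDN isa2.msfirewall.org and the sample URL are assumptions.

```python
import struct
from socket import inet_aton
from urllib.parse import urlsplit

DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie that starts the option field
HDR = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP/DHCP header

def build_inform(client_ip, mac, xid=0x1234):
    """DHCP INFORM (type 8) from an already-addressed client asking only for option 252."""
    hdr = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0,
                      inet_aton(client_ip), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac, b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x08"        # 53: message type = INFORM
            + b"\x37\x01\xfc"      # 55: parameter request list = [252]
            + b"\xff")             # 255: end of options
    return hdr + DHCP_MAGIC + opts

def build_ack(client_ip, xid, wpad):
    """Constructed DHCP ACK (type 5) carrying option 252, as the DHCP server would reply."""
    hdr = struct.pack(HDR, 2, 1, 6, 0, xid, 0, 0,
                      inet_aton(client_ip), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = b"\x35\x01\x05" + bytes([252, len(wpad)]) + wpad + b"\xff"
    return hdr + DHCP_MAGIC + opts

def parse_options(packet):
    """Return {code: raw value} for the TLV options that follow the magic cookie."""
    i = packet.index(DHCP_MAGIC) + 4
    opts = {}
    while i < len(packet) and packet[i] != 255:    # 255 terminates the list
        if packet[i] == 0:                         # 0 is a one-byte pad
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def wpad_url(packet):
    """Option 252 as text; the value is sometimes NUL-terminated, so strip that."""
    raw = parse_options(packet).get(252)
    return None if raw is None else raw.rstrip(b"\0").decode("ascii")

def points_at_isa(url, allowed=("isa2.msfirewall.org", "wpad.msfirewall.org")):
    """Sanity check: the autodiscovery URL must name the firewall or its wpad alias (assumed FQDNs)."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in allowed

if __name__ == "__main__":
    inform = build_inform("10.0.2.100", b"\x00\x0c\x29\x12\x34\x56")  # constructed client
    ack = build_ack("10.0.2.100", 0x1234, b"http://isa2.msfirewall.org:80/wpad.dat\0")
    print(wpad_url(ack), points_at_isa(wpad_url(ack)))
```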
In this section on configuring Web Proxy and Firewall clients to use DHCP to obtain autoconfiguration information via WPAD, we will discuss the following steps:
The first step is to install the DHCP server. In this example, we will use a Windows Server 2003 DHCP server, but you can create the DHCP option on a Windows 2000 DHCP server if required.
Perform the following steps on the domain controller computer to install the DHCP server service:

Now that the DHCP Server service is installed on the domain controller for the domain, the next step is to create a DHCP scope.
A DHCP scope is a collection of IP addresses that the DHCP server can use to assign to DHCP clients on the network. In addition, a DHCP scope can include additional TCP/IP settings to be assigned to clients, which are referred to as DHCP options. DHCP options can assign various TCP/IP settings such as a DNS server address, WINS server address, and primary domain name to DHCP clients.
Perform the following steps on the DHCP server to enable the DHCP server and create the DHCP scope:
1. Click Start and then select Administrative Tools. Click DHCP.

2. In the DHCP console, right click on your server name in the left pane of the console. Click on the Authorize command.

3. Click the Refresh button in the button bar of the console. You will notice that the icon to the left of the server name changes from a red, down pointing arrow to a green, up pointing arrow.
Right click the server name in the left pane of the console again and click the New Scope command.

4. Click Next on the Welcome to the New Scope Wizard page.

5. Enter a name for the scope on the Scope Name page. This name is descriptive only and does not affect the functionality of the scope. You can also enter a Description in the description box if you wish. Click Next.

6. Enter a range of IP addresses that can be assigned to DHCP clients on the IP Address Range page. Enter the first address in the range into the Start IP address text box and the last IP address in the range into the End IP address text box. Enter the subnet mask for your IP address range in the Subnet mask text box.
In our current example, the internal network is on network ID 10.0.2.0/24. We do not want to assign all the IP addresses on the network ID to the DHCP scope, just a selection of them. So in this example, we enter 10.0.2.100 as the Start IP address and 10.0.2.150 as the End IP address and use a 24-bit subnet mask.
Note that on production networks, it is often better to assign the entire network ID to the IP address range used in the scope. You can then create exceptions for hosts on the network that have statically assigned IP addresses that are contained in the scope. This allows you to centrally manage IP address assignment and configuration using DHCP.
Click Next.

7. Do not enter any exclusions in the Add Exclusions dialog box. Click Next.

8. Accept the default settings on the Lease Duration page (8 days, 0 hours and 0 minutes) and click Next.

9. On the Configure DHCP Options page, select the Yes, I want to configure these options now option and click Next.

10. Do not enter anything on the Router (Default Gateway) page. Note that if we were using SecureNAT clients on the network, we would enter the IP address of the internal interface of the ISA Server 2000 firewall on this page. However, with the current scenario, we want to explicitly test only the Web Proxy and Firewall client configurations.
Click Next.

11. On the Domain Name and DNS Servers page, enter the primary domain name you want to assign to DHCP clients and the DNS server address you want the DHCP clients to use.
The primary domain name is a critical setting for your Firewall and Web Proxy clients. In order for autodiscovery to work correctly for Firewall and Web Proxy clients, these clients must be able to correctly fully qualify the unqualified name wpad. We will discuss this issue in more detail later in this document. In this example, we enter msfirewall.org in the Parent domain text box. This will assign the DHCP clients the primary domain name msfirewall.org, which will be appended to unqualified names.
Enter the IP address of the DNS server in the IP address text box. In this example, the IP address of the DNS server is 10.0.2.2. Click Add after entering the IP address.
Click Next.

12. Do not enter a WINS server address on the WINS Servers page. In this example, we do not use a WINS server. However, WINS servers are very useful in VPN server environments if you wish your VPN clients to be able to browse the campus network using the My Network Places or Network Neighborhood application.
Click Next.

13. On the Activate Scope page, select the Yes, I want to activate this scope now option and click Next.

14.