Discussion:
ISA 2006 & Firewall client
Chris Rendall
2007-12-10 17:07:54 UTC
I've upgraded our ISA 2004 Standard server to ISA 2006 Standard. The
Firewall client now says "no ISA Server detected". I've installed
Firewall client version 4.0.3442.654 and I still get the error.

When I use IE7 to go to URL
http://proxy:8080/array.dll?Get.Routing.Script I get prompted for my
username/password instead of the option to save the file. I've read
through Microsoft's KB article 885683 and I configured the registry
entry to skip authentication but it didn't make a difference. The KB
article says it's for ISA 2004, but doesn't explicitly say ISA 2006. Is
there something else I need to do for ISA 2006 to get my Firewall
clients to be able to find the ISA Server?

Thanks,
Chris
Phillip Windell
2007-12-10 22:27:48 UTC
Post by Chris Rendall
> I've upgraded our ISA 2004 Standard server to ISA 2006 Standard. The
> Firewall client now says "no ISA Server detected". I've installed
> Firewall client version 4.0.3442.654 and I still get the error.

You broke the proxy autodetection in the upgrade. The DNS or the DHPC
components of the WPAD process may be incorrect or misspelled. You may have
forgotten to enable the Autodetection Publishing within ISA2006 (it is off by
default).

To smooth out authentication issues the new ISA box needed to be made a
member before ISA2006 was installed.

Proper TCP/IP Config on both Nics is critical and so is the Binding Order.

If the Server OS is SP2 then you *might* need to disable some of the
"additions" made by SP2.

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

EnableRSS = 0
DisableTaskOffload = 1
EnableTCPA = 0

They are all DWord values.
They may not preexist, you may have to create some of them.
This is only a suggestion, you don't have to do it, and if you do you may not
have to do all three. It is up to you to experiment with them.
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
Phillip Windell
2007-12-10 23:31:50 UTC
Post by Phillip Windell
> You broke the proxy autodetection in the upgrade. The DNS or the DHPC
> components of the WPAD process may be incorrect or misspelled.

Kinda like I just misspelled D-H-C-P above. {:-|
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Chris Rendall
2007-12-11 15:00:15 UTC
Post by Phillip Windell
> Post by Chris Rendall
>> I've upgraded our ISA 2004 Standard server to ISA 2006 Standard. The
>> Firewall client now says "no ISA Server detected". I've installed
>> Firewall client version 4.0.3442.654 and I still get the error.
> You broke the proxy autodetection in the upgrade. The DNS or the DHPC
> components of the WPAD process may be incorrect or misspelled. You may have
> forgotten to enable the Autodetection Publishing within ISA2006 (it is off by
> default).
>
> To smooth out authentication issues the new ISA box needed to be made a
> member before ISA2006 was installed.
>
> Proper TCP/IP Config on both Nics is critical and so is the Binding Order.
>
> If the Server OS is SP2 then you *might* need to disable some of the
> "additions" made by SP2.
>
> HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
>
> EnableRSS = 0
> DisableTaskOffload = 1
> EnableTCPA = 0
>
> They are all DWord values.
> They may not preexist, you may have to create some of them.
> This is only a suggestion, you don't have to do it, and if you do you may not
> have to do all three. It is up to you to experiment with them.

I upgraded the ISA 2004 server that was working perfectly with ISA
2006. I didn't make any changes to the DNS or DHCP settings. The ISA
server was a domain member before the upgrade to ISA 2006.
Autodetection is enabled and configured the same as it was for ISA
2004. I installed SP2 for Windows 2003 after I upgraded to ISA 2006.
Phillip Windell
2007-12-11 16:17:53 UTC
> I upgraded the ISA 2004 server that was working perfectly with ISA 2006.
> I didn't make any changes to the DNS or DHCP settings. The ISA server was
> a domain member before the upgrade to ISA 2006. Autodetection is enabled
> and configured the same as it was for ISA 2004.

All I can think of is that you need to go step by step through the process
of setting up autodetection to see if anything was unexpectedly changed.

> I installed SP2 for Windows 2003 after I upgraded to ISA 2006.

Then you may need to do the registry entries I mentioned and then reboot the
machine.
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Chris Rendall
2007-12-11 19:48:12 UTC
Post by Phillip Windell
>> I upgraded the ISA 2004 server that was working perfectly with ISA 2006.
>> I didn't make any changes to the DNS or DHCP settings. The ISA server was
>> a domain member before the upgrade to ISA 2006. Autodetection is enabled
>> and configured the same as it was for ISA 2004.
> All I can think of is that you need to go step by step through the process
> of setting up autodetection to see if anything was unexpectedly changed.
>> I installed SP2 for Windows 2003 after I upgraded to ISA 2006.
> Then you may need to do the registry entries I mentioned and then reboot the
> machine.

I found Microsoft KB article 889035 that contains a VBS script that
needs to be run on the ISA 2006 server. After running the script and
restarting Microsoft Firewall the autoproxy detection started working
again!!
Phillip Windell
2007-12-11 20:02:08 UTC
> I found Microsoft KB article 889035 that contains a VBS script that needs
> to be run on the ISA 2006 server. After running the script and restarting
> Microsoft Firewall the autoproxy detection started working again!!

Ok.
Very good Chris!
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------