Configuring Proxy Clients
Configuring the ISA Server for proxy functionality is only one half of the puzzle for enabling web proxy capabilities. If the ISA Server is to be used for this purpose, the clients must be configured in one way or another. Several different options exist for setting this up, including some that are more labor intensive and other options that streamline the process. Understanding how the clients can be configured is therefore important when deploying a proxy infrastructure.
Enabling an ISA Transparent Proxy
The simplest way to configure clients to use ISA as a proxy server is to not configure anything on the clients at all. If an ISA server can be configured to be inline to the web browsing traffic, such as when it is set up as an edge firewall, then the ISA server automatically caches the HTTP client requests, assuming that caching has been enabled on the server. This type of proxy is referred to as a transparent proxy, in that it does not require any client configuration and requires clients to have only a normal TCP/IP stack.
The downside to transparent proxy is that the traffic is not optimized, and the server has to work twice as hard to process the requests because the client cannot optimize the requests based on the presence of a proxy server. In addition, certain HTTP-based applications may not work properly through a transparent proxy, so it is important to test application compatibility in advance of deploying this type of scenario.
NOTE
Transparent proxy is effective when it's necessary to enable proxy capability on heterogeneous clients that utilize multiple operating systems and different types of browsers. It intercepts the HTTP commands as they pass through the system. This does not require any additional customization on the part of the client.
Manually Configuring Client Proxy Settings
If a forward proxy, rather than a transparent proxy, is to be set up for clients to use, the clients must be directed to use it through a modification to their Internet Explorer settings. This modification can be done through different techniques. The most straightforward (albeit most user-intensive) technique is to manually enter the forward proxy information directly into Internet Explorer.
NOTE
Different versions of Internet Explorer and other browsers utilize slightly different methods for changing these settings. Although the options are different, the settings are typically similar. Check the Help file for the browser to identify how to change proxy server settings.
To do this, perform the following tasks:
1. Open Internet Explorer and click Tools, Internet Options.
2. Go to the Connections tab.
3. Click on the LAN Settings button.
4. To configure manual proxy server settings, enter the necessary information into the LAN Settings dialog box, shown in Figure 8.10. The check box to Use a Proxy Server should be checked, and the IP address or host address and port of the ISA server should be entered.
Figure 8.10. Manually configuring client proxy settings in Internet Explorer.
5. Review the proxy server settings and click OK and OK to save the settings.
Creating an Active Directory Group Policy Object (GPO) to Streamline the Deployment of Client Cache Settings
In an Active Directory domain that is inhabited by clients that use Internet Explorer, the setting for configuring a forward proxy server can be automatically applied to client workstations through the use of a Group Policy Object (GPO). GPOs allow for bulk enforcement of settings on systems in a domain, and can be very useful in the automation of proxy server settings.
NOTE
The step-by-step process outlined here utilizes a tool known as the Group Policy Management Console (GPMC), which greatly simplifies the way that Active Directory GPOs are applied. It is highly recommended to install this tool for the application and modification of GPO settings. It can be downloaded from Microsoft at the following URL:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx
To create a GPO, perform the following tasks:
1. Log in as a domain admin on an internal domain controller (not the ISA server).
2. Open the Group Policy Management Console (see the note about installing this earlier in this chapter) by clicking on Start, Run, then typing gpmc.msc into the field and clicking OK.
3. Navigate to the Organizational Unit (OU) where the user objects to which the proxy settings will be applied are maintained. This may also be a top-level OU.
4. Right-click the OU and select Create and Link a GPO Here, as shown in Figure 8.11.
Figure 8.11. Creating an Active Directory GPO for client proxy server configuration.
5. Enter a descriptive name for the GPO and click OK.
6. Right-click the newly created GPO and click Edit.
7. Drill down under User Configuration, Windows Settings, Internet Explorer Maintenance, Connection.
8. Double-click on the Proxy Settings object in the right pane.
9. Check the box labeled Enable Proxy Settings.
10. Enter the IP address or DNS name of the proxy server, as well as which port should be used (8080 is the default). Enter any exceptions as well.
11. When finished making changes, click OK and close the Group Policy Object Editor and GPMC.
CAUTION
Group Policy settings can be very powerful, and they should be tested on a small subset of users initially. After the desired functionality has been verified, the GPO can then be linked to a more global OU and applied to all users.
Configuring Proxy Client Autodiscovery with DHCP
If not all clients are domain members, or if an alternate approach to automatically configuring clients with proxy server settings is needed, clients can be configured for autodiscovery of proxy settings. Autodiscovery can be set up to use one of two methods: discovery via the Dynamic Host Configuration Protocol (DHCP) or via the Domain Name System (DNS). Depending on how an environment is set up, one or both of the options can be set up to ensure that the client proxy settings are properly configured.
TIP
If both DHCP and DNS autodiscovery are enabled, the client attempts to use DHCP first, and, that failing, then uses DNS.
For autodiscovery to work, the Internet Explorer systems first need to be configured to automatically detect proxy settings. They do so when the Automatically Detect Settings check box is checked in the dialog box shown earlier in Figure 8.10. Because this is the default setting, no extra client configuration is normally needed.
Autodiscovery uses a file that is automatically generated on the ISA server, known as the Web Proxy Autodiscovery (WPAD) file. Clients that are pointed to this file are automatically configured to use a proxy server.
Assuming that a DHCP server has already been set up in the internal network, use the following steps to set up client autodiscovery through DHCP:
1. From the internal server that is running DHCP (not the ISA Server), open the DHCP console (Start, All Programs, Administrative Tools, DHCP).
2. Right-click on the name of the server in the left pane and select Set Predefined Options.
3. Click the Add button.
4. Enter Wpad for the name of the option, a data type of String, a code of 252, and a description, as shown in Figure 8.12.
Figure 8.12. Configuring a WPAD entry in DHCP for client autodiscovery of proxy server settings.
6. In the String field, enter a value of http://10.10.10.1:8080/wpad.dat (where 10.10.10.1 is the IP address of the ISA server; a DNS hostname can be used as well if it is configured).
8. Close the DHCP console.
With this setting enabled, every client that receives a DHCP lease and is configured for autodiscovery is eligible to point to the ISA server as a proxy.
NOTE
The biggest downside to DHCP Autodiscovery is that clients must have local administrator rights on their machines to have the proxy server setting changed via this technique. If local users do not have those rights, then DNS autodiscovery should be used instead of, or in combination with, DHCP autodiscovery.
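One way to confirm that leases on the wire carry the intended option 252 value, added here as an example that is not part of the original chapter: the JavaScript below walks a DHCP options field and compares the WPAD URL with the one entered in step 6. The function names and the sample lease bytes are constructed for illustration.

```javascript
'use strict';
// Expected value, taken from step 6 of the procedure above.
const EXPECTED_WPAD_URL = 'http://10.10.10.1:8080/wpad.dat';

// Walk the DHCP options field (the bytes after the magic cookie) as
// code/length/value triples and return the text of option 252, or null.
function extractWpadOption(options) {
  let i = 0;
  while (i < options.length) {
    const code = options[i];
    if (code === 255) break;               // End option
    if (code === 0) { i += 1; continue; }  // Pad option has no length byte
    if (i + 1 >= options.length) throw new Error('truncated option header');
    const len = options[i + 1];
    const start = i + 2;
    if (start + len > options.length) throw new Error('option overruns buffer');
    if (code === 252) {
      // Tolerate a trailing NUL terminator before comparing.
      const raw = Buffer.from(options.subarray(start, start + len));
      return raw.toString('latin1').replace(/\0+$/, '');
    }
    i = start + len;
  }
  return null;
}

// Classify a lease: 'ok', 'missing' (no option 252) or 'mismatch'.
function checkLease(options, expected = EXPECTED_WPAD_URL) {
  const url = extractWpadOption(options);
  if (url === null) return 'missing';
  return url === expected ? 'ok' : 'mismatch';
}

// Constructed sample data: build an options field from [code, value] pairs.
function buildOptions(pairs) {
  const parts = pairs.map(([code, value]) => {
    const body = Buffer.from(value, 'latin1');
    return Buffer.concat([Buffer.from([code, body.length]), body]);
  });
  return Buffer.concat([...parts, Buffer.from([255])]);
}

const goodLease = buildOptions([[53, '\x05'], [252, EXPECTED_WPAD_URL + '\0']]);
const unexpectedLease = buildOptions([[53, '\x05'], [252, 'http://10.10.10.99:8080/wpad.dat']]);
const bareLease = buildOptions([[53, '\x05'], [51, '\x00\x01\x51\x80']]);

console.log(checkLease(goodLease), checkLease(unexpectedLease), checkLease(bareLease));
```

A 'mismatch' result on a production segment means some DHCP server is advertising a WPAD location other than the ISA server and should be investigated.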
Configuring Proxy Client Autodiscovery with DNS
The Domain Name System (DNS) is also a likely place for autodiscovery information to be published. Using a WPAD entry in each forward lookup zone where clients need proxy server settings configured is an ideal way to automate the deployment of the settings.
Assuming DNS and a Forward Lookup Zone are set up in an environment, autodiscovery can be enabled through the following technique:
1. Log in with admin rights to the DNS server.
2. Open the DNS Console (Start, All Programs, Administrative Tools, DNS).
A host record that corresponds with ISA is required, so it is necessary to set one up in advance if it hasn't already been configured. To create one, right-click on the forward lookup zone and select New Host (A), enter a name for the host (such as proxy.companyabc.com) and the internal IP Address of the ISA server, and click Add Host. This hostname is used in later steps.
To create the CNAME record for the ISA server, do the following:
1. While in the DNS Console, right-click the forward lookup zone where the setting is to be applied and click New Alias (CNAME).
2. For the alias name, enter Wpad, and enter the Fully Qualified Domain Name that corresponds to the Host record that was just created (for example, proxy.companyabc.com), similar to what is shown in Figure 8.13.
Figure 8.13. Configuring a WPAD entry in DNS for client autodiscovery of proxy server settings.
3. Click OK to save the CNAME record.
This technique enables all Internet Explorer clients that are configured to use the forward lookup zone in DNS to automatically configure their proxy server information, which can be highly useful in automating the deployment of the proxy client.
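Both the DHCP option and the DNS alias only point clients at the WPAD file, so it is worth checking what that file actually tells them. The following added example (not ISA Server's generated file, and not code from the original chapter) pairs a constructed proxy auto-configuration script with a check that its answers name only approved proxies; the helper shims, the allowlist and the sample URLs are assumptions.

```javascript
'use strict';
// Stand-ins for two helpers the browser's PAC engine normally provides.
function isPlainHostName(host) { return !host.includes('.'); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Constructed wpad.dat body: internal names go direct (the "exceptions"),
// everything else goes to the proxy host used in the chapter's examples.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, '.companyabc.com')) {
    return 'DIRECT';
  }
  return 'PROXY proxy.companyabc.com:8080; DIRECT';
}

// Split a PAC answer into directives and list any proxy not on the allowlist.
function unapprovedProxies(pacAnswer, allowed) {
  const bad = [];
  for (const part of pacAnswer.split(';')) {
    const [kind, target] = part.trim().split(/\s+/);
    if (!kind || kind.toUpperCase() === 'DIRECT') continue;
    if (!allowed.includes((target || '').toLowerCase())) bad.push(part.trim());
  }
  return bad;
}

// Run a PAC function over sample URLs and collect every violation.
function auditPac(pacFn, urls, allowed) {
  const findings = [];
  for (const u of urls) {
    const host = new URL(u).hostname;
    for (const bad of unapprovedProxies(pacFn(u, host), allowed)) {
      findings.push({ url: u, directive: bad });
    }
  }
  return findings;
}

// Assumed allowlist: the ISA server by name and by the address used above.
const ALLOWED = ['proxy.companyabc.com:8080', '10.10.10.1:8080'];
const SAMPLE_URLS = ['http://intranet/', 'http://www.example.com/', 'http://hr.companyabc.com/'];
console.log(auditPac(FindProxyForURL, SAMPLE_URLS, ALLOWED));
```

An empty findings list means every sampled URL is sent either direct or to the approved proxy; any entry identifies a URL for which the retrieved file would route traffic elsewhere.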