Lesson 3 Configuring Automatic Discovery of ISA Server
ISA Server's automatic discovery feature allows you to configure clients so that they automatically discover an appropriate ISA Server computer.
After this lesson, you will be able to
Configure automatic discovery for ISA Server clients
Troubleshoot automatic discovery on client computers
Estimated lesson time: 30 minutes
Automatic Discovery
It is a simple task to configure the ISA Server computer that connects firewall clients and Web Proxy clients. However, subsequent modifications can be time-consuming, particularly for roaming clients, who may require constant adjustments. When you configure automatic discovery, Web Proxy and firewall clients automatically discover the appropriate ISA Server computers. In this way, roaming clients can connect to an ISA Server computer as appropriate and when necessary.
Configuring automatic discovery requires that you publish automatic discovery on the ISA Server computer; enable automatic discovery on the client computer(s); configure any DHCP servers on your network with a special Web Proxy Autodiscovery Protocol entry; and ensure that your network DNS server has listed both a host (A) record of the ISA Server computer and an alias (CNAME) record named WPAD pointing to the ISA Server computer. For automatic discovery to work on your network, your client computers must have access to an internal DNS server, a DHCP server, or both.
Read through the following procedures, but do not complete them if you plan to perform the practice exercise at the end of the lesson.
Follow these steps to publish automatic discovery:
In the console tree of ISA Management, right-click the applicable array, and select Properties.
On the Auto Discovery tab of the array_name Properties dialog box, select the Publish Automatic Discovery Information check box.
In the Use This Port For Automatic Discovery Requests text box, type the appropriate port number (80 by default).

Figure 3.5 Publishing automatic discovery in array properties
Follow these steps to set automatic discovery for firewall clients:
On the client computer, open Control Panel.
Double-click Firewall Client, and select the Automatically Detect ISA Server check box.
When automatic discovery is configured and enabled, the following steps are performed to allow Web Proxy and firewall clients to automatically detect ISA Server:
When the client makes a Winsock request, the client connects to the DNS or DHCP server. The DNS server or the DHCP server should have a Web Proxy Autodiscovery Protocol (WPAD) entry, which points to a WPAD server that indicates the ISA Server computer.
The requests of the client are fulfilled by the ISA Server computer, as identified by the WSPAD entry in the DNS server or DHCP server.
Configuring WPAD and WSPAD on the DNS or DHCP Server
Through automatic discovery, the firewall client or the Web Proxy client requests an object from the ISA Server that is configured to fulfill requests. If the ISA Server does not respond and if automatic discovery is enabled for the client, it starts the automatic discovery process.
ISA Server uses the WPAD entry to determine the appropriate Winsock Proxy Autodetect (WSPAD) entry. You do not have to configure the WSPAD entry explicitly on the DNS server.
Automatic discovery can be configured using DNS for clients running Windows 2000, Windows NT 4.0, Windows 98, and Windows Me.
Follow these steps to configure DNS Server for automatic discovery of ISA Server:
Click Start, point to Programs, point to Administrative Tools, and then click DNS.
In the console tree, right-click the applicable forward lookup zone and click New Host.
In the Name text box, type the name of the ISA Server computer or array.
Under the IP Address text box, type the internal IP address of the ISA Server computer.
Click Add Host. If you receive an error message indicating that the host record cannot be created because the record already exists, you may safely click OK to dismiss the message.
In the DNS console tree, right-click the applicable forward lookup zone and click New Alias.
In the Alias Name text box, type WPAD.
Click the Browse button and navigate to the Host (A) record of the ISA Server computer.
Click OK.
Automatic discovery can be configured using DHCP for clients running Windows 2000, Windows 98, and Windows Me.
Follow these steps to configure DHCP Server for automatic discovery of ISA Server:
Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
In the console tree, right-click the applicable DHCP server, and then click Set Predefined Options. The Predefined Options and Values dialog box appears.
Click Add.
In the Name field, type WPAD.
In the Data Type drop-down list box, select String.
In the Code field, type 252.
Click OK. The Predefined Options and Values dialog box appears with the 252 WPAD entry specified in the Option Name drop-down list box.
In the String text box, type http://String/Wpad.dat, where String is specified as follows:
WPAD, if DNS is configured to resolve WPAD requests
the ISA Server computer name or array name, if DNS is not configured to resolve WPAD requests
Click OK.
In the DHCP console, right-click Scope options or Server options, and then click Configure Options.
Scroll down in the Available Options box and select Option 252 WPAD.
Click OK.
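An offline check of the DNS and DHCP settings described above, as an added example (not part of the original lesson or of ISA Server): it reads forward lookup zone records in zone-file form and an option 252 string, and reports what is missing or pointing at the wrong host. The record text, the IP address and the function names are constructed for illustration; server1 and domain01.local are taken from the lesson's practice.

```python
from urllib.parse import urlsplit

ORIGIN = "domain01.local"   # zone name from the lesson's practice
ISA_HOST = "server1"        # ISA Server computer from the lesson's practice

# Constructed sample records; the IP address is made up for illustration.
ZONE = """
server1  A      192.168.0.1
wpad     CNAME  server1.domain01.local.
"""

def fqdn(name):
    """Lower-case a name; qualify it with the zone origin unless it ends in a dot."""
    name = name.lower()
    return name.rstrip(".") if name.endswith(".") else f"{name}.{ORIGIN}"

def parse_zone(text):
    """Return {owner_fqdn: (type, data)} for the A and CNAME lines of a zone."""
    records = {}
    for line in text.splitlines():
        parts = line.split(";")[0].split()          # drop ';' comments
        if len(parts) == 3 and parts[1].upper() in ("A", "CNAME"):
            owner, rtype, data = parts[0], parts[1].upper(), parts[2]
            records[fqdn(owner)] = (rtype, fqdn(data) if rtype == "CNAME" else data)
    return records

def check_dns(records, isa=ISA_HOST):
    """The ISA host needs an A record, and WPAD must be an alias for that host."""
    problems, isa_name = [], fqdn(isa)
    if records.get(isa_name, ("",))[0] != "A":
        problems.append(f"no host (A) record for {isa_name}")
    rtype, target = records.get(fqdn("wpad"), ("", ""))
    if rtype != "CNAME":
        problems.append("no alias (CNAME) record named WPAD")
    elif target != isa_name:
        problems.append(f"WPAD alias points to {target}, not {isa_name}")
    return problems

def check_option_252(value, dns_resolves_wpad, isa=ISA_HOST):
    """Option 252 is http://String/Wpad.dat; String is WPAD when DNS resolves it."""
    url, problems = urlsplit(value.strip()), []
    expected = "wpad" if dns_resolves_wpad else isa
    if url.scheme != "http":
        problems.append("option 252 must be an http:// URL")
    if (url.hostname or "") not in (expected, fqdn(expected)):
        problems.append(f"host should be {expected}")
    if url.path.lower() != "/wpad.dat":
        problems.append("path should be /Wpad.dat")
    return problems
```

A WPAD alias that resolves to any host other than the intended ISA Server computer is the finding to act on first, because every client with automatic detection enabled will take its proxy settings from that host.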
Automatic Discovery for Firewall Clients
When you configure Firewall Client in Control Panel on your client computer, you indicate a particular ISA Server computer to which the client should connect. You can also configure the automatic discovery feature so that the firewall client automatically discovers which ISA Server computer it should use. The firewall client can also be centrally configured for automatic discovery from the Client Configuration node of ISA Management.
Verifying Automatic Discovery for Firewall Clients
When you enable automatic discovery in Firewall Client, you should verify afterwards that the automatic discovery feature is functioning. When automatic discovery cannot successfully discover or resolve the ISA Server computer, the firewall client is treated as a SecureNAT client, and the client sessions stop passing user account and client computer name information to ISA Server. To determine whether an internal computer is connecting to ISA Server as a SecureNAT or firewall client, initiate a non-Web Internet session (such as a mail, news, or nslookup session) from the client, and then check session monitoring in ISA Management to see whether user account and client computer names have been passed along with the session. If so, the client is operating as a firewall client, and automatic discovery is working. If not, the client is behaving as a SecureNAT client, and automatic discovery is not working.
Automatic Discovery for Web Proxy Clients
ISA Server provides similar support for Web Proxy clients. You can configure the automatic discovery feature in Internet Explorer LAN Settings so that roaming Web Proxy clients will always connect to the appropriate ISA Server computer when they log on to the Internet. You do not need to have the Firewall Client software installed and enabled for automatic discovery to work with Web Proxy clients.
Automatic discovery is supported for Internet Explorer 5.0 and later.
Follow these steps to configure Microsoft Internet Explorer 5 for automatic discovery of ISA Server:
Open Microsoft Internet Explorer.
On the Tools menu, click Internet Options.
On the Connections tab, click LAN Settings.
Select the Automatically Detect Settings check box.
Verify that the Use A Proxy Server check box is cleared.
Troubleshooting Automatic Discovery
If automatic discovery is not functioning, you should ask the following questions in order to troubleshoot the problem.
Do your client and ISA Server have access to a local DNS Server, DHCP server, or both?
Is the network connection established among the client computer, the DNS server computer, the DHCP server computer, and the ISA Server computer?
Have you published automatic discovery on the ISA Server computer?
For firewall automatic discovery, have you installed and enabled the Firewall Client software on the client in question? Have you enabled firewall discovery in the Firewall Client Options dialog box?
For Web Proxy automatic discovery, are you using Internet Explorer version 5.0 or later? Have you configured Internet Explorer to automatically detect settings in the Local Area Network (LAN) Settings dialog box?
If you are using automatic discovery with a DHCP server, have you ensured that the WPAD entry is correctly configured on the DHCP server? Are you using only Windows 2000, Windows 98, or Windows Me clients? (Automatic discovery through DHCP is not supported for Windows NT and Windows 95 clients.)
If you are using automatic discovery with a DNS server, does the DNS server computer have a host (A) record defining the ISA Server computer? Have you added an alias (CNAME) record named WPAD pointing to the ISA Server computer? Have you configured the clients' TCP/IP properties to include this internal DNS server as an alternate DNS server?
Practice: Configuring Automatic Discovery
In the following exercise, you configure ISA Server to publish automatic discovery information.
Log on to Server1 as Administrator.
Open the ISA Management console.
Expand the console tree, right-click the MyArray node, and click Properties. The MyArray Properties dialog box appears.
Click the Auto Discovery tab.
Select the Publish Automatic Discovery Information check box.
Verify that port 80 is set for automatic discovery requests, and click OK. An ISA Server Warning dialog box appears.
Click the Save The Changes And Restart The Service(s) radio button.
Click OK.
Exercise 2: Creating a WPAD Alias (CNAME) Record in DNS
In order for automatic discovery to work with DNS, you need to create an alias record in DNS named WPAD that points to the ISA Server computer. Perform the following steps on Server1.
Click Start, point to Programs, point to Administrative Tools, and then click DNS.
In the DNS console tree, right-click the applicable forward lookup zone and click New Alias. This is the domain01.local forward lookup zone if you followed the setup instructions in "About This Book."
In the Alias Name text box, type WPAD.
In the Fully Qualified Name for Target Host text box, type server1.domain01.local.
Click OK.
Exercise 3: Enabling Automatic Discovery on a Firewall Client
Perform this exercise on the Server2 computer. You must have already installed and enabled the firewall client on Server2 to complete this exercise.
Log on to Domain01 from Server2 as Administrator.
Open Control Panel.
Double-click Firewall Client. The Firewall Client Options dialog box appears.
Select the Automatically Detect ISA Server check box.
Click Update Now. A message box appears indicating that the refresh operation was completed successfully.
Click OK to dismiss the message box.
Click OK to close the Firewall Client Options dialog box.
Exercise 4: Testing Automatic Discovery
After you configure automatic discovery, you should verify that the feature is functioning. Automatic discovery for firewall clients requires that the Firewall Client software be enabled on the client computer. However, when automatic discovery is enabled, firewall clients will only behave as firewall clients if automatic discovery is functioning properly. Otherwise, they become SecureNAT clients.
You can thus determine whether automatic discovery is functioning by checking the client session information in ISA Management. If user and computer names are provided with the session, you know that the feature is working. If the session only provides the IP address of the client session, you know the feature has not been properly configured, and the client computer has not been able to discover ISA Server automatically.
While you are logged on to Server2 as Administrator, open a command prompt and type nslookup www.microsoft.com. You should see output indicating that your computer has successfully connected to an external DNS server.
On Server1, expand the console tree in ISA Management and click Sessions.
On the View menu, verify that Advanced is checked.
Right-click the details pane and click Refresh. You should see Server2's Internet session listed among the active sessions. Notice that the user name is listed as Administrator, and the client computer is listed as Server2. Because authentication information is being passed to ISA Server, you know that the client is a firewall client, and automatic discovery is functioning properly.
Lesson Summary
When you configure automatic discovery, all Web Proxy and firewall clients automatically discover an appropriate ISA Server computer. Automatic discovery works with firewall clients to allow them to discover automatically which ISA Server computer they should use. The feature also works with the Web Proxy service so that roaming clients will always connect to an appropriate ISA Server computer when they connect to the Internet. To enable automatic discovery, your network must be configured either for DNS, DHCP, or both. Configuring automatic discovery requires that you publish automatic discovery on the ISA Server computer; enable automatic discovery on the client computer(s); configure any DHCP servers on your network with a special Web Proxy Autodiscovery Protocol entry; and ensure that your network DNS server has both a host (A) record of the ISA Server computer and an alias (CNAME) record named WPAD pointing to the ISA Server computer.