Troubleshooting Firewall Clients in ISA Server 2004

Troubleshooting Firewall Clients in...

Collapse All

Microsoft Internet Security and Acceleration Server 2004

This troubleshooting guide provides background information and describes common issues encountered when Firewall Client for Microsoft Internet Security and Acceleration (ISA) Server is installed on clients sending requests through computers on which ISA Server 2004 or ISA Server 2006 is installed. It also details actions that you can take to resolve these issues.

A Firewall client is a computer with the Firewall Client software installed and enabled. Windows Sockets (Winsock) applications running on Firewall clients can send requests to remote destinations transparently through the Microsoft Firewall service of ISA Server. Setting up a Firewall client does not configure individual Winsock applications. Instead, a dynamic-link library (FwcWsp.dll) in the Firewall Client software becomes a Winsock layered service provider (LSP) that all Winsock applications use transparently. This way, the LSP can intercept Winsock function calls from client applications and then route a request to the original underlying base service provider if the destination is local or to the Firewall service on an ISA Server computer if the destination is remote.

When you install Firewall Client on a client computer, the following files are installed in the \Program Files\Microsoft Firewall Client 2004 folder:

FwcAgent.exe
FwcCreds.exe
FwcMgmt.exe
FwcRes.dll
FwcWsp.dll
ISAClient.htm

You can install Firewall Client software on client computers that run Microsoft Windows Server 2003, Windows 2000 Server, Windows NT Server 4.0, Windows XP, Windows Millennium Edition, Windows 98, or Windows 95 operating systems. For more information about installing Firewall Client software, see the ISA Server product documentation. You can download Firewall Client for ISA Server with Windows Vista support from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=82087).

Firewall clients are supported only if the Firewall service is running.

Settings Defined for Firewall Clients

In ISA Server, a network is a rule element, which can contain one or more ranges of Internet Protocol (IP) addresses and domains. Each network that is defined for an ISA Server computer must include an IP address bound to a network adapter on the ISA Server computer and should reflect the physical network topology as viewed from the ISA Server computer. If a network is configured to support Firewall clients, ISA Server will accept incoming requests from Firewall clients in that network on Transmission Control Protocol (TCP) port 1745. In addition, ISA Server will supply the set of IP address ranges included in the network to all Firewall clients residing in the network. These IP address ranges are stored in memory by the Firewall Client Agent service (FwcAgent) on the Firewall clients as a table of IP address ranges called the local address table (LAT). Each Firewall client recognizes all IP addresses included in the LAT and the IP addresses specified in its own routing table as being local.

A custom version of the LAT containing additional IP address ranges can also be created in a file named Locallat.txt, which may be stored locally on each Firewall client in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder. In this file, each IP address range is represented by a pair of IP addresses even if the range includes a single IP address. The Firewall clients will also recognize these additional IP address ranges as part of the local network.

Whenever a Winsock application running on a Firewall client attempts to send a request to a computer, the Firewall Client LSP determines whether the destination IP address can be regarded as a local destination. If the destination is local, the Firewall client sends the request directly to the destination computer. If the destination is not local, the request is sent to the Firewall service on an ISA Server computer. The Firewall service handles the request, forwarding it to the appropriate destination, as permitted. The Firewall Client software can transparently send user credentials to the ISA Server computer for authentication purposes.

The configuration settings supplied by an ISA Server computer to Firewall clients include settings that apply to specific client applications. Firewall Client application settings are defined by an application name, a key, and a value to which the key is set. The application name is the name of the applicable binary file without the file extension or a wildcard character, an asterisk (*). If the application name is set to an *, the setting applies to all applications. Application settings that apply to all applications are supported only for the DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts keys. When Firewall Client for ISA Server is installed, the Firewall client application settings are provided to the Firewall Client Agent service on Firewall clients together with the name or IP address of the ISA Server computer or array to use, the set of IP address ranges that are included in the local network (the local address table or LAT), the automatic discovery settings for Web browsers, and the name or IP address of the Web proxy that Web browsers are to use. These settings are updated each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the Settings tab in the Microsoft Firewall Client for ISA Server dialog box, and every six hours after the previous refresh. Note that whenever these settings are updated, the settings for Web browsers are applied to Internet Explorer.

Web browsers, such as Internet Explorer, running on Firewall clients that use the Microsoft Win32 Internet application programming interface (API), WinInet, can contact the ISA Server computer to obtain the set of administrator-defined IP address ranges that Web browsers configured to use the default automatic configuration script are to access directly, the set of domain names of destinations that Web browsers configured to use the default automatic configuration script are to access directly (the local domain table or LDT), and the backup route that should be used to access the Internet when the primary route is unavailable.

Additional local settings that apply to all users are stored in the Application.ini, Common.ini, and Management.ini files in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder. The Common.ini and Management.ini files in this folder are created automatically when Firewall Client is installed. Additional user-specific local settings are stored in the Application.ini, Common.ini, and Management.ini files in the \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client 2004 folder for the applicable user. The settings for the specific user take precedence over the settings for all users, and the local settings take precedence over the settings supplied by the ISA Server computer. Note that the Mspclnt.ini file created for ISA Server 2000 Firewall clients is not created for later versions of Firewall Client for ISA Server.

Remoted Connections

When a Winsock application running on a Firewall client calls the Winsock socket and connect functions to create a socket and request a connection to a specific IP address and port on a server in the External network, the Firewall Client LSP intercepts the call and establishes a connection over the dedicated control channel to port 1745 on the ISA Server computer. This control channel is used for sending notifications to the Firewall service and passing information back to the Firewall client. The Firewall service calls the socket function twice, once to create a socket that will be used to establish a connection between the ISA Server computer and the external server for sending the connection request and once to create a socket that will listen for connection attempts in the network where the Firewall client resides (typically the Internal network). Then the Firewall service calls the Winsock bind and listen functions to instruct the latter socket to listen for connection attempts from the Firewall client. Next, the Firewall Client LSP attempts to establish a connection between the socket that was originally used by the Winsock application and the ISA Server computer. When this connection attempt arrives at the listening socket, the Winsock accept function is called to create a new socket that is used to establish a connection for sending and receiving data. The Firewall service then calls the connect function on the socket in the External network to establish a connection with the external server. These two connections form a transparent communication channel between the client computer and the external server.

If the Winsock application needs to send a request to the external server to return data to a specific IP address and port over an incoming secondary connection, it creates a new socket on the client computer and calls the Winsock getsockname function on this socket to query Winsock for its IP address and port. This call is intercepted by the Firewall Client LSP, which communicates with the ISA Server computer over the control channel and returns the IP address and port of a new socket that is created on the External network adapter of the ISA Server computer. The Winsock application calls the bind function to associate the local socket with the remote IP address and port returned in the call to the getsockname function or with the remote IP address returned in the call to getsockname and port 0. When port 0 is used in the call to the bind function, a random port number is assigned during the call. Ordinarily, an attempt to bind a remote IP address to a local socket would fail. However, the Firewall Client LSP intercepts the call, allows this remoted binding to succeed, and sends a notification over the control channel to the Firewall service, which calls the Winsock bind function to associate an IP address on the External network adapter of the ISA Server computer and a random port number with the socket on the ISA Server computer. The Winsock application calls the listen function to instruct the socket on the client computer to listen for incoming secondary conditions, and a notification is sent over the control channel to the Firewall service, which calls the Winsock listen function to instruct the socket on the ISA Server computer to listen for incoming secondary connections from the external server. The Winsock application calls the getsockname function on the local socket again to obtain the randomly assigned port. This call is also intercepted by the Firewall Client LSP, which returns the IP address and the randomly assigned port of the socket on the ISA Server computer. The Winsock application uses this IP address and port in the request that it sends to the external server to return specific data over a secondary connection.

The external server transparently returns the specific data requested to the Firewall client by creating a socket and using it to establish a connection to the IP address and port of the remoted listening socket on the ISA Server computer, which forwards the data to the IP address and port of the local listening socket on the client computer.

Note:
Firewall Client does not request binding to a remoted socket for Winsock applications that use other APIs, such as an IP Helper function, instead of the Winsock getsockname function, to obtain the IP address and port of a socket. These applications will fail to establish an incoming secondary connection for data transfer.

Automatic Discovery for Firewall Clients

When you configure Firewall Client, you can specify a particular ISA Server computer to which Firewall clients will connect. You can also select the automatic discovery feature of ISA Server so that a Firewall client will automatically discover the ISA Server computer that it should use.

If automatic discovery is selected, the following steps are performed:

When the Firewall Client Agent service makes a Winsock request, the client connects to its Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server.
The DHCP or DNS server should have a Web Proxy Automatic Discovery (WPAD) entry that points to a WPAD server, on which Wpad.dat and Wspad.dat files must exist.
The DHCP server returns the IP address of the WPAD server and the port that listens for automatic discovery requests back to the Firewall client. The DNS server returns the IP address of the WPAD server and port 80. The Firewall client uses the information returned to send a Winsock Proxy Autodetect (WSPAD) request to the WPAD server for the Wspad.dat file.
The Firewall client redirects the request to the ISA Server computer and port specified by the Wspad.dat file.

A Firewall client can also be a Web Proxy client. A Web Proxy client is a client computer that sends requests to port 80 on an ISA Server computer or to the port on which ISA Server listens for outgoing Web requests from the network in which the client computer resides. By default, ISA Server listens for outgoing Web requests from clients in the Internal network on port 8080. Web Proxy clients typically run a Web browser application that complies with Hypertext Transfer Protocol (HTTP) 1.1 and is configured to send Web requests to the ISA Server Web proxy.

When Firewall Client software is installed, you can select automatic configuration of the Web browser settings on Firewall clients. Subsequently, you can then reconfigure the Web browser clients by configuring the following Web browser properties on the ISA Server computer:

ISA Server computer and port to which the clients should connect
Automatic discovery settings
Computers that Web browsers on the Firewall clients should access directly
Backup route (Web proxy) to use if the ISA Server computer is unavailable

The new settings are picked up by a Firewall client each time that Firewall Client is restarted, each time that Configure Now is clicked on the Web Browser tab in the Microsoft Firewall Client for ISA Server 2004 dialog box, and every six hours after the previous refresh.

The automatic discovery feature allows you to configure Web browsers so that they automatically find the ISA Server computer. In this way, roaming clients can connect to the ISA Server computer, as appropriate and when necessary. Note that automatic discovery is supported only for Microsoft Internet Explorer 5 and later.

If automatic discovery is enabled for Web browsers, a Firewall client that is acting as a Web Proxy client can find the ISA Server computer in the following manner:

When the client makes a Web request, the client connects to a DHCP or DNS server.
The DHCP or DNS server must have a WPAD entry, which points to a WPAD server that indicates the proxy server (in this case, the ISA Server computer).
The client request for configuration settings is fulfilled by the ISA Server computer, as identified by the WPAD entry in the DHCP or DNS server.

For detailed information about creating WPAD entries on DHCP or DNS servers, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site.

Firewall Client Tool

You can use the Firewall Client Tool to perform numerous tasks that can assist you in troubleshooting Firewall clients. You can download the Firewall Client Tool for ISA Server 2004 from the Microsoft Download Center http://go.microsoft.com/fwlink/?linkid=56111. For later versions of Firewall Client for ISA Server, the tool is installed together with the Firewall Client software. In addition to the administration tasks that can be performed in the Microsoft Firewall Client for ISA Server 2004 dialog box, you can perform the following tasks from a command prompt or in a script on any Firewall client:

Verify whether a specified ISA Server computer is available and communication can be established over the control channel on port 1745.
Test the automatic detection mechanism and verify whether a WPAD entry is available in the DNS or DHCP server.
Display the current configuration settings provided to the Firewall Client LSP in the context of a particular application, for the current user, or for all users. These settings include the LAT, the LDT, the ISA Server computer detected, and an indication of whether Firewall Client is enabled for the application.
Display and refresh the server settings for the ISA Server computer specified in the Firewall Client dialog box. These settings include the application settings that are defined by the ISA Server computer.
Display the Firewall Client settings on the local computer for all users, or for the current user.
Display the Web browser configuration settings on the Firewall client for the current user, or for all users.

Common Issues

The following sections describe problems, causes, and solutions for common issues.

Administrators Need to Enforce the Installation of Firewall Client

Problem: Organizations may have hundreds or thousands of computers on which Firewall Client must be installed. Going to each client computer on a corporate network to install Firewall Client is a time-consuming process. Administrators need a way to automate and enforce the installation of Firewall Client on user computers.

Cause: The installation of Firewall Client must be launched on each client computer.

Solution: If the user computers are members of an Active Directory directory service domain, use Group Policy to enforce the installation of Firewall Client. Because Firewall Client should not be installed on all computers in a domain (for example, Firewall Client should not be installed on domain controllers, published servers, and ISA Server computers), you should create a separate organizational unit for the computers on which Firewall Client is to be installed, move these computers from the Computers container to the new organizational unit, and then configure a Group Policy object to install Firewall Client on the computers belonging to this organizational unit.

To create the organizational unit, perform the following steps on a domain controller:

Open Active Directory Users and Computers.
Right-click the domain object for your domain, point to Add, and then click Organizational Unit.
In the Name text box, enter a name for the new organizational unit, and then click OK.
In the console tree, click the Computers container.
In the details pane, right-click the name of a computer on which Firewall Client is to be installed and click Move.
In the Move dialog box, click the name of the new organizational unit and click OK.
Repeat steps 5 and 6 for all the computers on which Firewall Client is to be installed.
In the console tree, right-click the name of the new organizational unit and click Properties.
Click the Group Policy tab, click New, select New Group Policy Object, and then click Edit.
In the console tree of the Group Policy Object Editor, expand Computer Configuration, expand Software Settings, and then click Software Installation.
Right-click Software Installation, point to New, and then click Package.
In the File name text box, type the path to the Microsoft installer package for Firewall Client (MS_FWC.MSI), including the NetBIOS name of the ISA Server computer where the installation files are located and the name of the shared folder (mspclnt), and then click Open.
In Deploy Software, select Assigned, and then click OK.

After you complete these steps, Firewall Client will be installed automatically on each computer in the new organizational unit when it is restarted.

Users Can Disable Firewall Client

Problem: Users can use the Firewall Client icon in the notification area (formerly called the system tray) to configure or disable Firewall Client. The setting TrayIconVisualState=1 hides the Firewall Client icon when the Firewall client is connected to an ISA Server computer. However, the icon reappears when the connection between the Firewall client and the ISA Server computer is lost. In addition, this setting cannot be communicated to Firewall clients by an ISA Server computer. This setting is modified by selecting or clearing the Hide icon in notification area when connected to ISA Server check box in the Microsoft Firewall Client for ISA Server 2004 dialog box on each client computer.

Cause: The TrayIconVisualState setting is local to each client computer and configurable per user in the TrayIcon section in the Management.ini file in the \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client 2004 folder. Note also that this setting hides the icon only when the ISA Server computer is reachable.

Solution: Create a software restriction policy for the executable file that is launched from the Firewall Client icon (Fwcmgmt.exe) and then set the enforcement properties to apply this restriction policy to all users except local administrators. Note that this solution also removes the Firewall Client icon from the notification area.

Firewall Clients Cause Flooding After Worm Attacks

Problem: Firewall clients contribute to the worm-induced flooding of an ISA Server computer with connection requests following a worm attack. This flooding can cause a denial of service (DoS).

Cause: When infected by a worm, a Firewall client starts generating many connection requests for specific ports that are intercepted by the Firewall Client LSP and sent to the Firewall service over the Firewall Client control channel (port 1745). The processing of these connection requests can consume a large amount of resources. Connection limits will not mitigate this issue because no new connections are actually being established.

Solution: Create new Firewall client application settings in which the application name is set to a wildcard character, an asterisk (*), select the keys DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts for these settings, and set their values to the ports to which the connection requests generated by the worm are being sent. The settings with the DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts keys instruct Firewall clients to connect to the specified ports locally and not through an ISA Server computer. Because the settings are named with the wildcard character *, they will apply to any application name that the worm supplies. The use of the * is necessary for worms that generate random application names.

To add these settings, perform the following steps:

In ISA Server Management, expand the Configuration node, and then click General.
In the details pane, click Define Firewall Client Settings.
On the Application Settings tab, click New.
In Application, type *.
In Key, select DontRemoteOutboundTcpPorts.
In Value, set the value to the range of ports to which the connection requests generated by the worm are being sent. Then click OK.
Repeat steps 3 and 4.
In Key, select DontRemoteOutboundUdpPorts.
In Value, set the value to the range of ports to which the connection requests generated by the worm are being sent. Then click OK.

New settings are picked up by Firewall clients each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Microsoft Firewall Client for ISA Server 2004 dialog box, and every six hours after the previous refresh.

Services Are Disabled for Firewall Clients

Problem: Services running on Firewall clients cannot communicate with remote computers through an ISA Server computer. Winsock function calls from services running on Firewall clients are not forwarded to an ISA Server computer by the Firewall Client LSP.

Cause: By default, the Firewall Client LSP intercepts and forwards Winsock function calls from services running on computers with Firewall Client for ISA Server 2004 installed and enabled only for services for which there is an application setting with the Disable or DisableEx key set to 0. If settings with both the Disable key and the DisableEx key are defined for the same service, the setting with the DisableEx key, which was introduced in ISA Server 2004, overrides the setting with the Disable key. Any executable file that runs under the Local System, Local Service, or Network Service account on computers running Windows Server 2003 or Windows XP, or under the LocalSystem or NetworkService account on computers running Windows 2000 Server, is treated as a service.

Note that in Firewall Client for ISA Server 2000, only services for which there is an application setting with the Disable key set to 1 are disabled. For example, by default, svchost is enabled for ISA Server 2004 Firewall clients, which use the application setting with DisableEx=0, and it is disabled for ISA Server 2000 Firewall clients, which use the application setting with Disable=1.

Solution: Globally enable Firewall Client for ISA Server 2004 to intercept Winsock function calls from a specific service on Firewall clients by adding an application setting for the service with the key DisableEx set to 0 in ISA Server Management on the ISA Server computer, or create user-specific local settings on Firewall clients.

To add an application setting with the DisableEx key for a service application, perform the following steps:

In ISA Server Management, expand the Configuration node, and then click General.
In the details pane, click Define Firewall Client Settings.
On the Application Settings tab, click New.
In Application, type the name of the executable file of the service without its file extension.
In Key, select DisableEx.
In Value, set the value to 0. Then click OK.

The new setting is picked up by Firewall clients each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Microsoft Firewall Client for ISA Server 2004 dialog box, and every six hours after the previous refresh.

To create a local setting, add the following lines to the Application.ini file in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder on a Firewall client:

[service_name]

DisableEx=0

Here service_name is the name of the executable file of the service without its file extension.

Outlook Is Disabled for Firewall Clients

Problem: When trying to configure Microsoft Office Outlook 2003 on a Firewall client for access to external POP3 (for incoming mail) and SMTP (outgoing mail) servers, you may not be able to communicate with the external mail servers through an ISA Server computer using RPC over HTTP.

Cause: The default Firewall Client settings that are created during the installation of ISA Server 2004 include an application setting that disables the interception and redirection of Winsock function calls from Outlook (for example, for remoted binding) by Firewall Client in both Standard Edition and Enterprise Edition. The default setting for Outlook is intended to ensure that remoted incoming secondary connections are not established when a remote procedure call (RPC) is used to communicate with Microsoft Exchange Server. However, this setting also prevents Outlook from connecting to external POP3 and SMTP servers.

Solution: Enable Firewall Client to intercept Winsock function calls from Outlook on Firewall clients by manually removing the Firewall Client setting for Outlook with the key Disable in ISA Server Management on the ISA Server computer, and then create new settings for Outlook that prevent the establishment of remoted incoming secondary connections (by configuring Firewall Client to bind all TCP and UDP port ranges locally for Outlook).

To remove the Outlook setting with the key Disable, perform the following steps:

In ISA Server Management, expand the Configuration node, and then click General.
In the details pane, click Define Firewall Client Settings.
On the Application Settings tab, select the outlook setting with the key Disable in the Settings list, and then click Delete.

To ensure that Firewall Client does not interfere with local mail server traffic and to prevent the establishment of remoted secondary connections for Outlook, add settings for Outlook with the keys LocalBindTcpPorts and LocalBindUdpPorts, and set their values to 0-65535. These entries will bind all TCP and UDP ports locally and ensure that remoted secondary connections cannot be established. To add these settings, perform the following steps:

In ISA Server Management, expand the Configuration node, and then click General.
In the details pane, click Define Firewall Client Settings.
On the Application Settings tab, click New.
In Application, type outlook.
In Key, select LocalBindTcpPorts.
In Value, set the value to 0-65535. Then click OK.
Repeat steps 3 and 4.
In Key, select LocalBindUdpPorts.
In Value, set the value to 0-65535. Then click OK.

Images Embedded in Exchange Messages Are Not Downloaded to Firewall Clients

Problem: Images embedded in Exchange e-mail messages are not downloaded when the messages are viewed in HTML format on Firewall clients with no Web proxy defined.

Cause: The default Firewall Client settings that are created during the installation of ISA Server 2004 include an application setting that disables the interception and redirection of Winsock function calls from Outlook (for example, for remoted binding) by Firewall Client in both Standard Edition and Enterprise Edition. The default settings are intended to ensure that remoted incoming secondary connections are not established when RPC is used to communicate with Exchange Server. However, this setting also prevents Outlook from downloading embedded images when messages are viewed in HTML format on Firewall clients with no Web proxy defined.

Solution: Enable Firewall Client to intercept Winsock function calls from Outlook on Firewall clients by modifying the existing Firewall Client setting for Outlook with the key Disable in ISA Server Management on the ISA Server computer.

To modify the existing Outlook setting with the key Disable, perform the following steps:

In ISA Server Management, expand the Configuration node, and then click General.
In the details pane, click Define Firewall Client Settings.
On the Application Settings tab, in the Settings list, select the outlook setting with the key Disable, and click Edit.
In Value, change the value of the Disable key to 0, and click OK.

Automatic Discovery Fails for Firewall Clients when All Users Are Required to Authenticate

Problem: Whenever ISA Server requires authentication for WSPAD automatic discovery requests (HTTP GET requests for http://address:port/wspad.dat), Firewall clients cannot react appropriately to the 401 Unauthorized response that ISA Server generates, and clients fail to retrieve the information in the Wspad.dat file.

This does not adversely affect Web browser requests for http://address:port/wpad.dat because Web browsers can generate an authentication dialog box in which the user can supply credentials.

Unfortunately, this prevents a valid Firewall client from obtaining configuration data from a Wspad.dat file stored on an ISA Server computer. This is an important fallback mechanism when the current Firewall Client data set references a nonexistent ISA Server computer (as happens when users travel between locations protected by ISA Server).

Cause: When the Require all users to authenticate check box is selected in the Web proxy authentication properties of a protected network, such as the Internal network, all HTTP GET requests, including WSPAD requests, from Firewall clients in the protected network will require authentication, regardless of their actual port assignment. However, Firewall Client does not support HTTP authentication, regardless of the authentication method selected (such as Basic authentication or Integrated Windows authentication). Therefore, when a Firewall client tries to retrieve the Wspad.dat file during automatic discovery, the ISA Server computer will not forward the request to the WPAD server.

Solution: For ISA Server 2004 Standard Edition, install the latest service pack, add the SkipAuthenticationForRoutingInformation registry value to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentContolSet\Services\W3Proxy\Parameters registry key, and set it to 1 or to a higher number. For detailed instructions about performing these tasks, see the Microsoft Knowledge Base article 885683, “You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery.”

For ISA Server 2004 Enterprise Edition, copy the following Microsoft Visual Basic Scripting Edition (VBScript) code for setting the SkipAuthenticationForRoutingInformation property of the FPCWebProxy object to True in the local array to the Clipboard, paste it into a text editor such as Notepad, save it in a file with the .vbs extension, and run the script on an ISA Server computer (array member) as an ISA Server administrator with read/write permissions for accessing the array configuration on a Configuration Storage server by entering cscript file_name.vbs CCS UserName Domain Password at a command prompt.

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE

' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE

' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS

' HEREBY PERMITTED.

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Main(WScript.Arguments)

Sub Main(args)

If (args.Count = 4) Then

SkipAuthenticationForRoutingRequests args(0), args(1), args(2), args(3)

Else

Usage()

End If

End Sub

Sub SkipAuthenticationForRoutingRequests(css, userName, domain, password)

' Declare the objects needed.

Dim root ' The FPCLib.FPC root object

Dim isaArray ' An FPCArray object

Dim webProxy ' An FPCWebProxy object

' Create the root object.

Set root = CreateObject("FPC.Root")

' Connect to the Configuration Storage server.

root.ConnectToConfigurationStorageServer css, userName, domain, password

' Get references to the array object

' and the Web proxy object.

Set isaArray = root.GetContainingArray()

Set webProxy = isaArray.ArrayPolicy.WebProxy

' Configure the Web proxy to skip the authentication process for

' requests for routing information.

webProxy.SkipAuthenticationForRoutingInformation = True

' Save the new setting with the fResetRequiredServices parameter set

' to True so that the Firewall service will be restarted and the change

' will take effect.

WScript.Echo "Saving the configuration..."

webProxy.Save True

WScript.Echo "Done!"

End Sub

Sub Usage()

WScript.Echo "Usage:" & VbCrLf _

& " " & WScript.ScriptName & " CCS UserName Domain Password " & VbCrLf _

& "" & VbCrLf _

& " CCS - Configuration Storage Server for the array" & VbCrLf _

& " UserName - User name of an ISA Server administrator" & VbCrLf _

& " Domain - Domain of the user specified in UserName" & VbCrLf _

& " Password - Password of the user specified in UserName"

WScript.Quit

End Sub

Firewall Client Overwrites User-Defined Internet Explorer LAN Settings

Problem: The Internet Explorer local area network (LAN) settings that are configured manually by users or automatically by Group Policy are overwritten when Firewall Client is installed on the computer. The Internet Explorer LAN settings that are overwritten include the list of exceptions of IP addresses of Web servers that are to be contacted directly and not through the proxy server. When the list of exceptions in the LAN settings is erased, it is not replaced by the list defined in the Directly access these servers or domains text box on the Web Browser tab on the properties page for the protected network (typically the Internal network) in ISA Server Management. Nevertheless, Firewall clients can contact the destinations defined in ISA Server Management directly, bypassing the ISA Server computer.

Cause: When the Automatically detect settings, Use automatic configuration script, and Use a Web proxy server check boxes are selected on the Firewall Client tab on the properties page for the protected network in ISA Server Management, Firewall clients will automatically detect the ISA Server computer and run the automatic configuration script, which overwrites the LAN settings in Internet Explorer. The automatic configuration script is executed on a Firewall client each time that Firewall Client is restarted, each time that Configure Now is clicked on the Web Browser tab in the Microsoft Firewall Client for ISA Server 2004 dialog box, and every six hours after the previous refresh.

Solution: Add the list of IP addresses or domain names of the Web servers that are to be contacted directly by Firewall clients to the Firewall Client configuration on the ISA Server computer. Note that these IP addresses will not appear in the list of exceptions in the LAN settings in Internet Explorer.

To add IP addresses or domain names of servers to the list of IP addresses and domain names of servers that are to be contacted directly by Firewall clients, perform the following steps:

In ISA Server Management, expand the Configuration node, and then click Networks.
In the details pane, on the Networks tab, right-click the name of the network where the Firewall clients reside (typically the Internal network), and then click Properties.
On the Web Browser tab, click Add, type an IP address range or domain name, and then click OK.
Repeat step 3 until the IP addresses and domain names of all the servers that are to be contacted directly by Firewall clients are included in the list.

Firewall Clients Located in One Domain Cannot Detect ISA Server Located in a Different Domain

Problem: A Firewall Client computer located in one domain (Domain A), cannot locate the ISA Server computer in a different domain (Domain B).

Cause: The DNS server used by Firewall Clients in Domain A for name resolution is unable to resolve the NetBios name of the ISA Server computer in Domain B.

Solution: By default ISA Server configures Firewall Client settings on the default Internal network with the NetBios name of the ISA Server computer. This value is included in Firewall Client configuration settings that are periodically propagated to Firewall Client computers in the network. To ensure that name resolution works, create a DNS entry in Domain A to correctly resolve the NetBios name of the ISA Server computer. Alternatively, you can specify the fully-qualified domain name (FQDN) instead of the NetBios name in the Firewall Client properties, and then create a DNS entry to resolve the FQDN. To check the name used in the Firewall Client configuration settings, do the following:

In ISA Server Management, click to expand the Configuration node, and then click Networks.
In the details pane, on the Networks tab, right-click the Internal network, and then click Properties.
On the Firewall Client tab, note the name specified in ISA Server name or IP address.
Create an entry in the Firewall Client domain to resolve this name.

Additional Information

Additional ISA Server 2004 documentation is available at the ISA Server 2004 TechCenter at Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkID=82086).

Additional ISA Server 2006 documentation is available at the ISA Server 2006 TechCenter at Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkID=82086).