ISA Server 2004 FAQ: Clients and Authentication

This frequently asked questions (FAQ) document provides answers to questions commonly asked about Firewall, Web Proxy, and SecureNAT clients.

Q

For auto detection, Internet Explorer refreshes WPAD every 6 hours. Where does it refresh from?

A

It will check the last known source listed in the Firewall client's Common.ini file. (On Windows XP computers, this file is in \Documents and Settings\All Users\Local Settings\Application Data\Microsoft\Firewall Client 2004.) The source is listed in the section:

[Servers Ip Addresses]

Name=proxyname

If the computer is just starting, if the information listed is older than 6 hours, or if the listed server does not respond, it will search for a WPAD option 252 entry in DHCP. If none is available, it will attempt to contact DNS at https://wpad.<dns search suffix>/wpad.dat.
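The fallback order described in this answer, written out as an added example (not code from the original FAQ or from the Firewall Client) so that you can see which source a client ends up trusting in a given state. The function names, the age and probe parameters, and the sample values are assumptions; only the section name and the Name key come from the FAQ.

```python
import configparser

SIX_HOURS = 6 * 60 * 60  # refresh interval stated in the FAQ

# Constructed sample; only the section and key shown in the FAQ are assumed.
SAMPLE_INI = "[Servers Ip Addresses]\nName=proxyname\n"


def cached_server(common_ini_text):
    """Return the Name= value from [Servers Ip Addresses], or None."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(common_ini_text)
    except configparser.Error:
        return None  # unreadable file: treat as no cached source
    for section in parser.sections():
        if section.lower() == "servers ip addresses":
            value = parser.get(section, "name", fallback="").strip()
            return value or None
    return None


def pick_wpad_source(common_ini_text, cache_age_seconds, just_started,
                     server_responds, dhcp_option_252, dns_suffix):
    """Model the order: cached server, then DHCP option 252, then DNS.

    server_responds is a caller-supplied probe (hypothetical) that returns
    True when the cached server answers. Returns (source, value).
    """
    name = cached_server(common_ini_text)
    cache_usable = (name is not None
                    and not just_started
                    and cache_age_seconds <= SIX_HOURS)
    if cache_usable and server_responds(name):
        return ("cached", name)
    if dhcp_option_252:
        return ("dhcp-252", dhcp_option_252)
    if dns_suffix:
        # Host name the client looks up; it then requests /wpad.dat from it.
        return ("dns", "wpad." + dns_suffix)
    return ("none", None)


if __name__ == "__main__":
    # Constructed scenario: stale cache, no DHCP option, DNS suffix present.
    print(pick_wpad_source(SAMPLE_INI, 7 * 3600, False,
                           lambda n: True, None, "corp.example.test"))
```
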

Q

How can I run Firewall Client Setup from the command prompt?

A

At a command prompt, type:

Path\Setup /v"[SERVER_NAME_OR_IP=ISA_Server_Name] [ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}] /qn"

where:

  • Path is the path to the shared ISA Server 2004 client installation files. These files are usually located in a folder on the ISA Server computer with the share name ISA\MSPclnt.
  • ISA_Server_Name is the name of the ISA Server computer to which the Firewall client should connect.
  • ENABLE_AUTO_DETECT=1 specifies that the Firewall client should automatically detect which ISA Server computer to connect to.
  • REFRESH_WEB_PROXY=1 indicates that the Firewall Client configuration should be updated with the Web proxy configuration specified on the ISA Server computer.

Q

Can I install ISA Server 2004 Firewall Client on my computer running ISA Server Management console for ISA Server 2000?

A

ISA Server 2004 Firewall Client should not be installed on the same computer as ISA Server Management (ISA Server 2000). If you want to install the Firewall Client, uninstall ISA Server Management console (ISA Server 2000) first.

Q

Why can’t my Firewall clients connect to a Proxy 2.0 server?

A

In earlier versions of ISA Server, the Firewall Client control channel listened on TCP and UDP port 1745. For improved security in ISA Server 2004, UDP channel support is disabled by default. As a result, the ISA Server 2004 Firewall Client cannot connect to a Proxy 2.0 server, or to an ISA Server 2000 or ISA Server 2004 computer that requires a UDP-only control channel. UDP control channel support can be enabled by defining a registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Firewall Client 2004\EnableUdpControlChannel = 1

Q

How can I deny SecureNAT clients access to a specific site?

A

Remember that SecureNAT clients cannot authenticate. You can set up a deny rule for a specific site that applies to all users, and then create an allow rule as an exception to that deny rule for authenticated users.

Q

Where is the Credtool.exe tool?

A

The Credtool.exe tool that was available in ISA Server 2000 has been replaced by FwcCreds.exe, which is now an integral part of the ISA Server product.

Q

Why can’t I locate the WSPAD.dat file on my ISA Server computer?

A

The WSPAD.dat file is generated at run time, so it cannot be found on the ISA Server computer. However, it can be hosted elsewhere, for example on a server running Internet Information Services (IIS). Ensure that DNS or DHCP entries point at the computer running IIS, and then update or edit the WPAD and WSPAD files on the computer running IIS.