ISA server as a transparent proxy

[FN-GM]

Hi

I am not to hot on this subject but is it possible to make ISA a transparent proxy? If so how is it done please?

I have googled abit cannot find much, what i have found has gone over my head.

cheers

Z

[EduTech]

Hi Mate,

I found this - http://www.eggheadcafe.com/aspnet_an...st26977701.asp

Have a look i think thats what u are looking for, there are also a few links at the bottom that explains things in a little more detail.

Regards

James

[FN-GM]

Ok if that can’t be done what can I do so you don’t have to make any configuration on client machines? IE not having to put the proxy address in internet explorer etc.

Thanks

[Edu-IT]

Ok if that can’t be done what can I do so you don’t have to make any configuration on client machines? IE not having to put the proxy address in internet explorer etc.

Thanks

Just out of interest what is wrong with having to do that?

[EduTech]

Thats a point really Edu-IT, I supose if it is only on a few machines then it could be no problem putting in the proxy. but if its on a wide range of client machines then supose it could be a bit of a hassel.

Regards

James

[Edu-IT]

Thats a point really Edu-IT, I supose if it is only on a few machines then it could be no problem putting in the proxy. but if its on a wide range of client machines then supose it could be a bit of a hassel.

Regards

James

You can use policies to apply proxy settings.

[EduTech]

You can use policies to apply proxy settings.

I was just about to edit my post saying that lol, but i got an email saying what you put before i pressed Submit hehe, :P

regards

James

[plock]

Policies work well and generally in most cases are adequate.

Other than that setting up a WPAD file on your network will point any client connected to the proxy server you would like. Google WPAD your find information on setting this up.

This site might be a starting point:

http://www.isaserver.org/tutorials/C...l-Clients.html

[FN-GM]

Well we are a domain in a multiple forest, so users can logon our machines from another domain. But on some of these other domains there IP range is filtered by the LEA. They will not have any proxy server address typed in. so they could possibly get unfiltered internet. WPAD we cannot use either because guest laptops might not have automatically find the proxy server check box ticked. Also we cannot put policies on there computers. We can’t set the firewall so it will only accept traffic that has been through out proxy because other users from other domains will have there proxy server onsite and will want there users to go through there proxy. We do set our users to go through the proxy server in GPO.

I will attach a diagram soon.

[plock]

My understanding is if the client browser doesn't have any Proxy Server defined then regardless of 'Automatically detect...' being ticked it'll use the WPAD?

[SYNACK]

Without a proxy server in the configuration it will first hit the default gateway on the highest priority active network adapter and see if it can get the pages directly otherwise if it is set to automatically detect it will look for a proxy.

You can setup ISA as a transparent firewall that should run your traffic through filtering but I have not set it up transparently with a proxy. To enable it as a transparent firewall just add a rule that allows HTTP/HTTPs access from the internal network to the external network. You must have it as the default gateway of either the workstations that are trying to connect to it or as the default gateway in your top level router so that any traffic that cannot be serviced locally is sent to the ISA server for routing.

[Ric_]

By default, any client that uses ISA as its gateway will act as a 'Secure-NAT' client so any URLs that you block will not be accessible from those clients. However, this will not forward to an upstream proxy.

[FN-GM]

Thanks for the comments guys

My understanding is if the client browser doesn't have any Proxy Server defined then regardless of 'Automatically detect...' being ticked it'll use the WPAD?

I was told it does need to be checked, can anyone confirm if it does or doesn't please?

By default, any client that uses ISA as its gateway will act as a 'Secure-NAT' client so any URLs that you block will not be accessible from those clients. However, this will not forward to an upstream proxy.

So does that mean if i set the clients to use the proxy as the default gateway traffic will pass through it?

Thanks

Z

[plock]

Without a proxy server in the configuration it will first hit the default gateway on the highest priority active network adapter and see if it can get the pages directly otherwise if it is set to automatically detect it will look for a proxy.

According to this then for the WPAD to take effect 'Automatically detect...' would need to be ticked.

If it isn't then it's using the default gateway rather than the WPAD which I had thought was the case.

[Ric_]

So does that mean if i set the clients to use the proxy as the default gateway traffic will pass through it?

Yes... unless of course ISA isn't set up in firewall mode.