
MCSE ISA Server 2000 Document - P15 pptx


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 30
File size: 1.04 MB

Content

• Do you want to improve efficiency of the ISA Server computer for caching? Web proxy clients will directly use the Web proxy service. SecureNAT clients and Firewall clients use the firewall service and their HTTP requests are forwarded to the Web proxy service.
• Do you have client operating systems and types other than Windows? Other clients such as Macintosh, Unix, and Linux can utilize SecureNAT and Web proxy client types.
• Would you like to cache FTP requests? Use Web proxy clients. FTP requests made through the Web proxy application can be cached.

Evaluating Network Infrastructure Changes

Installing ISA Server(s) to provide Internet access control and/or Web caching capability can result in numerous network infrastructure changes. The cost and complexity of deploying and maintaining these changes depend on the type of clients to be used as well as the nature of your infrastructure.

SecureNAT clients potentially entail few infrastructure changes. This does not mean the cost will be low, rather that the modifications are simple. If SecureNAT clients need to be pointed directly to the internal interface of the ISA Server, that information can be provided in DHCP or manually configured for those clients with static IP addresses. If multiple SecureNAT clients must be directly visited, then you must budget your time and cost accordingly. In a larger environment, however, SecureNAT clients may already be pointed to network routers for internal routing. These routers must be configured to route Internet requests to the ISA Server. Your time and cost are dependent on the number of routers that must be configured and the complexity of this configuration change.

If Web proxy or Firewall clients need to be configured for automatic discovery, then you may need to configure DHCP and/or DNS servers to provide information on where to locate the ISA Server. The protocol used is the Win Proxy Automatic Discover (WPAD) protocol.

CHAPTER SUMMARY

The process of deploying ISA Server can be reduced in complexity, cost, and time by carefully evaluating client requirements. The twin issues of maintenance and access troubleshooting can be handled more easily if a thorough knowledge and understanding of clients is available to planners and implementers. It's not just the configuration and installation steps that are important. This chapter provided insight into the knowledge base and planning decisions that are required while deferring the step-by-step implementation instructions to the next chapter.

KEY TERMS

• Network Address Translation (NAT)
• SecureNAT
• Winsock applications
• mspclnt.ini
• msplat.txt
• Chained authentication
• Win Proxy Automatic Discover protocol (WPAD)

APPLY YOUR KNOWLEDGE

Exercises

13.1 Planning Client Deployment

Before clients can be deployed, you must determine which clients should be deployed. A good understanding can save many hours and make maintenance and access troubleshooting much less demanding.

Estimated Time: 10 minutes

1. Use Table 13.2 to list the client requirements, as you understand them, of your network.
2. In the second column of the table, list the client type that is required to fulfill this need.
3. Compare your results with the sample table that follows this exercise.

TABLE 13.2 CLIENT REQUIREMENTS

Requirement                             Client Type

TABLE 13.3 SAMPLE ANSWER TABLE

Requirement                             Client Type
Authentication                          Web proxy, Firewall
Web protocols                           Web proxy, Firewall, SecureNAT
Application filters                     Firewall, SecureNAT
Caching of HTTP requests                Web proxy, Firewall, SecureNAT
Caching of FTP requests                 Web proxy
Requires the least configuration        SecureNAT
Fine-tuned Winsock application usage    Firewall

Review Questions

1. Are 16-bit Winsock applications supported? With which clients?
2. Which client should be selected if access control will be configured by IP address, schedule, protocol, and destination requested? Which will be the simplest to configure?
3. Which clients use the Web proxy service? Which ones use it most efficiently?
4. Discuss two items that can increase the complexity and cost of deploying the various ISA Server clients.

Exam Questions

1. In a migration from Proxy Server 2.0 to ISA Server, an inventory of client status must be made. Of the clients listed here, which will not need changes to access the Internet through ISA Server?
   A. Winsock Proxy clients.
   B. Web proxy clients set for autodiscovery.
   C. Clients whose default gateway is set for the ISA Server's internal network interface.
   D. Web proxy clients coded with the internal network interface of the Proxy 2.0 server (soon to be the ISA Server) and port 80.

2. Which of the following ISA Server clients can be used to provide Internet access for Macintosh and Unix clients?
   A. Firewall client
   B. Web proxy client
   C. SecureNAT client
   D. Winsock Proxy Client

3. Various protocols and types of Web objects can be cached. Which of the following items can be cached?
   A. HTTP and FTP requests from Firewall clients.
   B. HTTP and FTP requests from Web proxy clients.
   C. HTTP and FTP requests from SecureNAT clients.
   D. HTTP requests from SecureNAT clients.

4. You are debating using the Firewall client or the SecureNAT client. Two advantages of one over the other are
   A. The Firewall client can inform the Firewall service of the ports it needs to use. SecureNAT clients' need for ports must be statically configured.
   B. The Firewall client will always pass user credentials, thus user group membership can be successfully used for access control.
   C. The SecureNAT client can inform the Firewall service of the ports it needs to use. Firewall clients' need for ports must be statically configured.
   D. The SecureNAT client will always pass user credentials, thus user group membership can be successfully used for access control.

5. Which clients can be used in which modes?
   A. SecureNAT clients are not supported in Caching mode.
   B. Web proxy clients are not supported in Firewall mode.
   C. Firewall clients are not supported in Integrated mode.
   D. SecureNAT clients are not supported in Firewall mode.

Answers to Review Questions

1. 16-bit Winsock applications are only supported for Windows NT 4.0 clients and Windows 2000 clients. See the section, “Firewall Client.”
2. All clients can be used in this scenario; however, SecureNAT is the simplest to configure. See the section, “Using Multiple Clients on a Single Computer.”
3. All clients use the Web proxy service. SecureNAT and Firewall client Web requests are forwarded to the Web proxy service. The Web proxy client uses the Web proxy service in the most efficient manner. See the section, “SecureNAT Client.”
4. Two items that can increase the complexity of a deployment are authentication and autodiscovery. Authentication might be required to fulfill access rules written to depend on group membership. This requires a more complex deployment. If Web proxy clients are used, then authentication must be required of all clients—this prevents participation by non-Windows clients. Autodiscovery can save configuration time, but can be difficult to get right. Changes to DNS and DHCP configuration may need to be made. See the section, “Considering Cost and Complexity.”

Answers to Exam Questions

1. A, B, C. D is incorrect. Proxy 2.0 uses port 80 to listen for Web requests. ISA Server uses port 8080. See the section, “Migrating Proxy 2.0 Clients.”
2. B, C. A and D are incorrect; the firewall and Winsock Proxy clients must be installed and there is no version for non-Windows operating systems. See, “Introducing ISA Server Client Types.”
3. B, D. A is incorrect; only HTTP requests from Firewall and SecureNAT clients are cached. See, “Using Multiple Clients on the Same Computer.”
4. A, B. C and D are incorrect. See, “Using Multiple Clients on the Same Computer.”
5. A, B. Firewall clients are supported in integrated mode and SecureNAT clients are supported in Firewall mode. See, “Introducing ISA Server Client Types.”

Suggested Readings and Resources

1. ISA Server “Installation and Deployment Guide” available at http://www.microsoft.com/isaserver/techinfo/ISAdeploy.htm.
2. Carlisle Adams, Steve Lloyd, Understanding the Public-Key Infrastructure, 1999, New Riders Publishing. ISBN: 157870166X.
3. Roberta Bragg, Windows 2000 Security. Chapters 4 and 17, 2000, New Riders Publishing. ISBN: 0735709912.
4. “Windows 2000 Certificate Services,” a white paper at http://www.microsoft.com/WINDOWS2000/library/operations/security/
CHAPTER 14
Installing and Configuring Client Options

OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Deploying, Configuring, and Troubleshooting the Client Computer section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and troubleshoot the client computer for secure network address translation (SecureNAT).
• What simple technique is used to implement the SecureNAT client? What do you have to do to create SecureNAT clients? Simple as it may seem, people have trouble with this one.

Install the firewall Client software. Considerations include the cost and complexity of deployment.
• Troubleshoot autodetection
• Using the firewall client brings many benefits to the user or ISA Server services. Installation is uncomplicated, but issues do arise. The client information must first be configured correctly on the server, or communications will not occur. While the easiest path may appear to be to configure auto detection, there are several steps involved. How will you troubleshoot client issues? By knowing what's supposed to happen.

Configure the client computer's Web browser to use ISA Server as an HTTP proxy.
• Web proxy clients are simply client computers whose browser has been configured to point to the ISA Server. Instead of accessing the Internet directly, they send their requests to ISA Server.

OUTLINE

Introduction
Configuring ISA Server and the Network to Support Clients
    Modifying Routing
    Adding DHCP and/or DNS Settings
    Configuring ISA Server Properties
    Configuring ISA Server Client Settings
Installing and Configuring Clients
    Configuring the SecureNAT Client
    Configuring Web Proxy Clients
    Installing and Configuring Firewall Clients
    Using Multiple Clients on Single Computers
Troubleshooting Client Trouble Spots
    Troubleshooting Client Installation
    Troubleshooting Autodetection
    Troubleshooting Authentication
Chapter Summary
Apply Your Knowledge
    Exercises
    Answers to Exercises
    Review Questions
    Exam Questions
    Answers to Review Questions
    Answers to Exam Questions

STUDY STRATEGIES

• Consider the impact of having to configure and/or install hundreds of ISA Server clients. How would you do it?
• Separate out for yourself which clients are necessary where, and when you would use multiple clients.
• Consider the multiple ISA Server client computers. What impact does adding the firewall client to the Web proxy have?

INTRODUCTION

Now that you know which clients you will use where and have planned your client rollout, you need to take the steps to do so in the most efficient way. The following sections will support your efforts:

• Configuring ISA Server and the Network to Support Clients
• Installing and Configuring Clients
• Troubleshooting Client Trouble Spots

CONFIGURING ISA SERVER AND THE NETWORK TO SUPPORT CLIENTS

To support ISA Server clients, it might be necessary to

• Modify Routing
• Add DHCP and/or DNS Settings
• Configure ISA Server Properties
• Configure ISA Server Client Settings

Modifying Routing

Modifications to routing will depend on the status of the current network routing configuration. The end result should be to route Internet requests through the ISA Server. This can be accomplished in a couple of ways.

In a small network where all clients are on the same network as the ISA Server, it is only necessary to modify the default gateway of the ISA Server clients to be the address of the internal network interface card of the ISA Server. This can be done by adjusting DHCP settings or by manually setting the gateway on client systems.

In a larger environment consisting of multiple subnetworks, a client's default gateway will be the router interface on its subnetwork. The routers then will need to be modified, if necessary, to forward Internet requests to the ISA Server.

Adding DHCP and/or DNS Settings

If the ISA Server clients will be configured to use automatic discovery to find the ISA Server, and all clients are not in the same subnetwork as the ISA Server, the DHCP and/or DNS Server will need to be modified to allow the ISA Server clients to find the ISA Server. This is done by adding a Web Proxy Autodiscovery Protocol (WPAD) entry to these servers. DHCP can provide autodiscovery information for Windows 2000, Windows ME, and Windows 98 client computers. DNS can provide autodiscovery information for Windows NT 4.0, Windows 2000, Windows ME, and Windows 98. For instructions see Step by Step 14.1 (DHCP) and Step by Step 14.2 (DNS).

STEP BY STEP 14.1 WPAD Entries in DHCP

1. Click Start, Programs, Administrative Tools, DHCP.
2. Right-click the DHCP server and select Set Predefined Options.
3. Click Add.
4. In the name box, type WPAD.
5. Type 252 for code.
6. In data type, select String. Click OK.
7. Enter http://computername:autodiscoveryport#/Wpad.dat (see Figure 14.1). Click OK.
8. Right-click Server Options and select Configure Options.
9. On the General Page, scroll down until you find 252 WPAD and check the box. Click OK.

FIGURE 14.1 Configuring DHCP for automatic discovery.

[...]

... If ISA Server Properties are properly configured and clients are configured for automatic discovery, clients in the same subnet as the ISA Server can receive a response to their broadcast request for the address of the proxy server. To configure ISA Server to respond, you must publish automatic discovery.

STEP BY STEP 14.3 Publishing Automatic Discovery

1. Right-click Internet Security and Acceleration Server, ...

... access are routed to the internal network interface of the ISA Server. How this is done depends on whether the client is on the same logical network as the ISA Server, or on some other internal network subnetwork. To configure the SecureNAT client:

• If the client is on the same logical network as the ISA Server internal network, use the ISA Server internal interface IP address as the client's default...
... are set to autodetect the ISA Server and cannot, the problems may simply be a misconfiguration on the server side. Items to check are the following:

• Check ISA Server property pages. On the Auto Discovery page, the server should be configured...

... can broadcast and receive direct answers from the ISA Server. You will need to configure DNS or DHCP in this situation.
• Check the port listed for autodiscovery on the ISA Server. Does it match client expectations?
• Check port information in DHCP. Does it match the server port?
• Check port information in DNS. Whoops. No port info in DNS. The port used at the ISA Server must remain at port 80.

Troubleshooting Authentication...

[Figures 14.13 and 14.14: network diagrams for Questions 1 and 3, showing the Internet, an Internet router, ISA Server, and Win ME, W2K, Win 98, NT, and DHCP hosts, with positions labeled A through D]

4. It is critical that users in the Marketing department be able to access the Internet even if the ISA Server is down...

... is that either router-based networks forward Internet traffic to the ISA Server; or that clients in routerless networks assign their default gateway to the ISA Server internal network interface. If these absolutes are not configured, configure them and test again.
• Web proxy clients need to know the IP address and listening port of the ISA Server. Check to be sure that either this is hard coded in or “automatic”...

Their configuration is done at installation from information on the ISA Server. You can display information on whether they automatically detect the ISA Server by opening the firewall Client Monitor Tool's icon in the systems tray.
• For Web proxy client and firewall clients, be sure the hard coded information is correct. Remember that the ISA Server listens, by default, to port 8080.
• For Web proxy clients...

... can also be used to request a download of the file, and to change the ISA Server used for downloads. The file created can be edited directly, but this should only be done on the ISA Server. The client copy of the file should never be edited, as it will be periodically overwritten. Property pages in the Client Configuration node of the ISA Server management console offer the more common areas that may need...

... should be entered.
• Check DHCP configuration. If DHCP is being used to provide information on the ISA Server location, then the WPAD option should be configured.
• Check DNS configuration. If DNS is being used to provide information on the ISA Server location, then there will be a WPAD alias configured for the ISA Server.
• If neither DHCP nor DNS configuration is present and routers are used in this network, then...

... must modify the client's browser settings so that the browser can locate the ISA Server. There are multiple ways to do this. First, you could directly modify the client's Web browser settings by opening the browser's Property pages and entering the name or IP address of the ISA Server and the port (by default 8080) used by the ISA Server to listen for Web requests. To do so follow Step by Step 14.4.

STEP BY
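The autodetection checks listed in this chapter (server publishing, the DHCP option 252 port, the DNS alias and port 80, routed subnets, and which client operating systems each source serves), written as an added example that is not from the book. The dictionary keys, the function name and the host name `isa01.example.internal` are assumptions made for this illustration; the values are typed in by the administrator, nothing is queried from a live server.

```python
from urllib.parse import urlsplit

# Operating systems each discovery source can serve, as listed in the chapter.
DHCP_CLIENTS = {"Windows 2000", "Windows ME", "Windows 98"}
DNS_CLIENTS = {"Windows NT 4.0", "Windows 2000", "Windows ME", "Windows 98"}


def audit_autodiscovery(cfg):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    isa_port = cfg["isa_autodiscovery_port"]
    opt252 = cfg.get("dhcp_option_252")           # string stored under option 252
    dns_alias = cfg.get("dns_wpad_alias", False)  # True if a WPAD alias exists
    routed = cfg.get("clients_behind_routers", False)

    if not cfg.get("isa_publishes_autodiscovery", False):
        findings.append("ISA Server is not publishing automatic discovery")

    if opt252:
        url = urlsplit(opt252)
        try:
            port = url.port or 80   # no explicit port means the HTTP default
        except ValueError:          # non-numeric port, e.g. the template pasted as-is
            port = None
        if url.scheme != "http" or not url.hostname or url.path.lower() != "/wpad.dat":
            findings.append("DHCP option 252 is not http://host:port/Wpad.dat")
        elif port != isa_port:
            findings.append(
                f"DHCP option 252 port {port} differs from ISA port {isa_port}")

    # A DNS alias carries no port, so the server side must stay on port 80.
    if dns_alias and isa_port != 80:
        findings.append(f"DNS WPAD alias in use but ISA port is {isa_port}, not 80")

    if routed and not opt252 and not dns_alias:
        findings.append("routed clients have neither a DHCP nor a DNS WPAD entry")
    elif routed:
        for os_name in cfg.get("client_os", []):
            via_dhcp = bool(opt252) and os_name in DHCP_CLIENTS
            via_dns = dns_alias and os_name in DNS_CLIENTS
            if not (via_dhcp or via_dns):
                findings.append(f"{os_name} clients have no usable discovery source")
    return findings


# Constructed sample: option 252 points at port 80, the server publishes on 8080,
# and the only discovery source is DHCP although NT 4.0 clients are present.
SAMPLE = {
    "isa_publishes_autodiscovery": True,
    "isa_autodiscovery_port": 8080,
    "dhcp_option_252": "http://isa01.example.internal:80/Wpad.dat",
    "dns_wpad_alias": False,
    "clients_behind_routers": True,
    "client_os": ["Windows 2000", "Windows NT 4.0"],
}

if __name__ == "__main__":
    for finding in audit_autodiscovery(SAMPLE):
        print("FINDING:", finding)
```

Pasting the Step by Step 14.1 template literally (`http://computername:autodiscoveryport#/Wpad.dat`) is reported as a malformed option rather than raising an error.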

Date posted: 22/01/2014, 00:20