Automatic Discovery for Firewall and Web Proxy Clients
Overview
Microsoft Internet Security and Acceleration (ISA) Server 2004 supports automatic discovery to allow Firewall clients and Web Proxy clients to automatically locate an ISA Server computer to use for client requests.
ISA Server uses the Web Proxy Automatic Discovery (WPAD) protocol, which allows automatic discovery of Web Proxy servers. ISA Server uses WPAD to provide a mechanism for clients to locate a WPAD entry containing a URL that points to a server on which the Wpad.dat and Wspad.dat files are generated. The Wpad.dat file is a JavaScript file containing a default URL template, constructed by Internet Explorer. The Wpad.dat file is used by Web Proxy clients for automatic discovery information. The ISA Server WinSock Proxy Autodetect (WSPAD) implementation uses the Wpad.dat file, and creates a Wspad.dat file to provide automatic discovery information to Firewall clients. For more information about the WPAD protocol, see the Web Proxy Auto-Discovery Protocol document.
Concepts and Procedures
This section includes:
• Configuring automatic discovery
• Web Proxy clients
• Firewall clients
• Client support
• Configuring WPAD entries
• Configuring a WPAD server
• References
Configuring Automatic Discovery
There are a number of configuration steps involved in setting up automatic discovery support for clients:
• Configure Web Proxy clients and Firewall clients for automatic discovery.
• Create WPAD entries containing a URL that points to a WPAD server on which the Wpad.dat and Wspad.dat files are located. You can create a WPAD entry in DNS, in DHCP, or in both.
• Configure a WPAD server. The URL specified in the WPAD entry points to the WPAD server, which is the computer on which the WPAD and WSPAD files can be located. There are a number of possible configurations for the WPAD server:
• If the ISA Server computer will act as the WPAD server, configure ISA Server to listen for automatic discovery requests, by publishing automatic discovery information on a specified port.
These configuration steps are outlined in detail in the sections that follow.
Web Proxy Clients
For Web Proxy clients, Internet Explorer uses the WPAD protocol to locate a WPAD entry in DHCP or DNS that contains the location of the Wpad.dat script file. When found, Internet Explorer connects to the ISA Server computer specified in the Wpad.dat file for Web requests. Web browser clients make a call to http://wpad:port/wpad.dat, where port is the port listening for automatic discovery requests. For DNS entries, you must listen on port 80. DHCP can listen on any port. (By default, ISA Server listens on port 8080.) You can type this URL (specify the appropriate port) into the Web browser to view the proxy settings for the specified client, and a list of domain names configured for direct access.
In Internet Explorer, you can enable automatic discovery, or you can specify manually a proxy server that Web Proxy clients should use. On Firewall Client computers, you can configure the Web Proxy settings for the Firewall client in the Firewall Client dialog box.
If automatic discovery fails, Web Proxy clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway. Automatic discovery is supported for Internet Explorer 5 and later.
Enable Web Proxy Automatic Discovery in Internet Explorer
On Web Proxy client computers running Internet Explorer 5 or later, do the following.
1. On the Tools menu, click Internet Options.
2. Click the Connections tab.
3. Click LAN Settings.
4. Click to select the Automatically detect settings check box, and then click OK two times.
Enable Web Proxy Automatic Discovery on Firewall Client for ISA Server 2004 Computers
To enable Web Proxy automatic discovery on a Firewall client, do the following.
1. In the Web Browser tab of the Microsoft Firewall Client for ISA Server 2004 dialog box, select Enable Web browser automatic configuration.
2. To apply settings immediately, click Configure now.
Firewall Clients
To implement automatic discovery for Firewall clients, ISA Server uses the WPAD protocol to locate a WPAD entry in DHCP or DNS. If a Firewall Client computer has automatic discovery enabled, the following occurs:
1. When the client makes a Winsock request, the client connects to the DNS or DHCP server.
2. The WPAD entry URL returned to the client contains the address of a WPAD server (a server on which the Wpad.dat and Wspad.dat files are located).
3. The client computer requests the automatic configuration information held in Wspad.dat, with a call to http://wpad:port/wspad.dat on the WPAD server, where port is the port listening for automatic discovery requests. For DNS entries, you must listen on port 80. DHCP can listen on any port. (By default, ISA Server listens on port 8080.) You can manually type this URL into the Firewall Client browser to check that Firewall Client settings on the ISA Server computer are displayed as expected.
4. The ISA Server computer identified in the Wspad.dat file is then used to service Winsock connections for all applications on the client computer configured to use the Firewall Client.
In addition to configuring Firewall clients for automatic detection, the automatic discovery process can be initiated manually on Firewall Client computers, by clicking Detect Now in the Firewall Client properties dialog box. If automatic detection fails, Firewall clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway.
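The manual check described above (requesting the wpad.dat and wspad.dat URLs and confirming that the settings are as expected) can be scripted. The following Python is an added example, not part of the original article or of ISA Server; the host names, the expected-proxy set and the sample script are constructed, and it assumes the returned script names its proxies as literal PROXY host:port strings.

```python
import re
import urllib.request

ISA_DEFAULT_PORT = 8080  # default automatic discovery port named in the article

def discovery_urls(source, host="wpad", port=None):
    """URLs a client requests: wpad.dat (Web Proxy), wspad.dat (Firewall)."""
    if source == "dns":
        if port not in (None, 80):
            raise ValueError("DNS-based discovery only works on port 80")
        port = 80
    elif source == "dhcp":
        port = ISA_DEFAULT_PORT if port is None else port
    else:
        raise ValueError("source must be 'dns' or 'dhcp'")
    names = ("wpad.dat", "wspad.dat")
    return {name: f"http://{host}:{port}/{name}" for name in names}

def fetch(url, timeout=5):
    """Download one discovery file as text (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Assumption: proxies appear as literal "PROXY host:port" strings.
_PROXY = re.compile(r"\bPROXY\s+([A-Za-z0-9.-]+):(\d{1,5})")

def proxies_in_script(text):
    """Distinct (host, port) pairs named in PROXY directives, in order."""
    seen = []
    for host, port in _PROXY.findall(text):
        pair = (host.lower(), int(port))
        if pair not in seen:
            seen.append(pair)
    return seen

def unexpected_proxies(text, expected):
    """Proxies the script names that are not in the expected set."""
    return [p for p in proxies_in_script(text) if p not in expected]

# Constructed sample, not output captured from an ISA Server computer.
SAMPLE_WPAD = '''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY isa1.corp.example:8080; PROXY 192.0.2.10:8080; DIRECT";
}
'''

if __name__ == "__main__":
    print(unexpected_proxies(SAMPLE_WPAD, {("isa1.corp.example", 8080)}))
```

On a live network, pass fetch(discovery_urls("dns")["wpad.dat"]) to unexpected_proxies in place of the sample; a script that assembles its proxy string at run time would have to be evaluated rather than pattern-matched.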
Enable Automatic Discovery for Firewall Clients in ISA Server 2004
To enable automatic discovery for Firewall clients for ISA Server 2004, do the following.
1. In the console tree of ISA Server Management, click Configuration, and then click Networks.
2. In the details pane, click the Networks tab.
3. On the Tasks tab, click Edit Selected Network.
4. On the Firewall Client tab, select Automatically detect settings, if the client computer should automatically attempt to find the ISA Server computer.
Enable Automatic Discovery for Firewall Clients in ISA Server 2000
To enable automatic discovery for Firewall clients for ISA Server 2000, do the following.
1. In ISA Server Management, click the ISA Server computer name, and then click Client Configuration.
2. In the details pane, right-click Firewall Client and then click Properties.
3. On the General tab, select Enable automatic discovery in Firewall Clients.
Client Support
The following table summarizes automatic discovery support for Firewall and Web Proxy clients for various operating systems, such as Microsoft Windows Server 2003, Windows XP, Windows 2000, Windows NT Server 4.0, Windows Millennium Edition, Windows 98, and Windows 95.
Operating system | Internet Explorer 5 and later | Firewall Client 2000 | Firewall Client 2004 |
Windows Server 2003 | All users | All users (DNS); Admin users only (DHCP) | All users |
Windows XP | All users | All users (DNS); Admin users only (DHCP) | All users |
Windows 2000 | All users (DNS); Admin users only (DHCP) | All users (DNS); Admin users only (DHCP) | All users |
Windows NT 4.0 | All users | All users (DNS only) | All users (DNS only) |
Windows Me | All users | All users | All users |
Windows 98 (Second Edition) | All users | All users | All users |
Windows 98 | All users | All users | All users |
Windows 95 | All users | All users (DNS static only) | No Firewall Client support |
Note
In ISA Server 2000, the following DHCP limitation applies: Web Proxy clients on computers running Windows 2000 can only use automatic discovery for users who are members of the Administrators or Power Users group. In Windows XP, the Network Configuration Operators group also has permission to issue DHCP queries. For more information, see article 307502, "Automatically Detect Settings Does Not Work if You Configure DHCP Option 252," in the Microsoft Knowledge Base.
Configuring WPAD Entries
You can create WPAD entries in DHCP, DNS, or both. There are advantages and disadvantages to both approaches:
• To use DNS, ISA Server must publish automatic discovery information (listen for automatic discovery requests) on port 80. Using DHCP, you can specify any port. Note that by default the ISA Server computer listens on port 8080 for automatic discovery requests.
• If clients are spread over multiple domains, you need to configure a DNS entry for each domain containing clients with automatic discovery enabled.
• Clients enabled for automatic discovery must be able to directly access or query the DHCP server for option 252. Remote access and VPN clients cannot access the DHCP server to directly obtain option 252. If automatic discovery is configured using DHCP only, remote access clients will not be able to use this feature.
• Generally, using DHCP servers with automatic detection works best for local area network (LAN)
Source: ITPUB Blog, http://blog.itpub.net/23034/viewspace-246610/. If you repost this article, credit the source; otherwise legal action will be pursued.