ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.

Lingo - The Talk of Broadband

Wednesday, July 20, 2005

Getting the Firewall Client to Automatically Detect ISA

ISA in SBS - yes, it's secure

This is one of those things which is much simpler when ISA lives in it's own space. Following the instructions currently available for setting this up will result in ISA taking over your default website. In order for this to work on SBS, ISA WPAD (Web Proxy Authentication Detection) has to place nice with IIS and it doesn't want to. Having the Firewall Client automatically detect the ISA Server will save me and I assume you too about an hours worth of work after each SBS SP1 installation. If you would like to try out the Beta, then download from Jim Harrison's Read the SBS_WPAD Premium doc contained therein and it will walk you through the process. The final version will be posted officially on the Microsoft ISA downloads website.

I won't repeat what the instructions in the document here but in short the procedure is this:

1. create and configure a new website which contains the wpad.dat and wspad.dat file that the firewall client needs to configure itself. These files are also part of the .zip that you will download.
2. add a host entry to your DNS server so the website can be found
3. on the general tab of your firewall client make sure that automatically detect ISA is selected and on the Web Browser tab make sure that Enable Web Browser Automatic Configuration is selected. Both of these should be the default settings.

Once you have installed the files into a website that your client computers can access, the Firewall Client will configure itself. Hallelujah!! One more thorn removed!

Update 5/2006:

Thanx to Jonathon Howey for a bug report in the _2 version to the list and playing guinea pig for my troubleshooting.

Short story: WinHTTP proxy configuration (or auto-proxy behavior) can cause the script to make the wpad request as a CERN proxy request instead of a direct request.
Needless to say, this causes the mechanism to fail.

I've fixed this and stashed it as


At 8:50 AM, Anonymous Anonymous said...

The URL you have gives me a "Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter."

Removing the final "/" from the URL and using works fine.

At 9:24 AM, Blogger Amy - Harbor Computer Services said...

Correction made. Thanks for pointing it out to me!

At 11:30 AM, Anonymous Anonymous said...

It would be nice if you added a note to let peorple know that this only applies to ISA 2004. It is also not specified in the instructions, I only found out by checking the .dat file.

At 2:13 AM, Blogger Jim Harrison said...

I does work for both.
I wrote and tested it specifically this way.


Post a Comment

<< Home