ISA in SBS - yes, it's secure
This is one of those things which is much simpler when ISA lives in it's own space. Following the instructions currently available for setting this up will result in ISA taking over your default website. In order for this to work on SBS, ISA WPAD (Web Proxy Authentication Detection) has to place nice with IIS and it doesn't want to. Having the Firewall Client automatically detect the ISA Server will save me and I assume you too about an hours worth of work after each SBS SP1 installation. If you would like to try out the Beta, then download sbs_wpad_2.zip from Jim Harrison's ISATools.org. Read the SBS_WPAD Premium doc contained therein and it will walk you through the process. The final version will be posted officially on the Microsoft ISA downloads website.
I won't repeat what the instructions in the document here but in short the procedure is this:
1. create and configure a new website which contains the wpad.dat and wspad.dat file that the firewall client needs to configure itself. These files are also part of the .zip that you will download.
2. add a host entry to your DNS server so the website can be found
3. on the general tab of your firewall client make sure that automatically detect ISA is selected and on the Web Browser tab make sure that Enable Web Browser Automatic Configuration is selected. Both of these should be the default settings.
Once you have installed the files into a website that your client computers can access, the Firewall Client will configure itself. Hallelujah!! One more thorn removed!
Update 5/2006: http://isatools.org/sbs_wpad_3.zip
Thanx to Jonathon Howey for a bug report in the _2 version to the isaserver.org list and playing guinea pig for my troubleshooting.
Short story: WinHTTP proxy configuration (or auto-proxy behavior) can cause the script to make the wpad request as a CERN proxy request instead of a direct request.
Needless to say, this causes the mechanism to fail.
I've fixed this and stashed it as http://isatools.org/sbs_wpad_3.zip.