Creating Alternate Web Proxy Filter Routes for Web Proxy Clients on the ISA Firewall
A question came up recently regarding redundancy for ISA Firewall Web Proxy clients. There are several ways you can do this, including using NLB or client-side CARP. If you’re using the Standard Edition of the ISA Firewall, neither NLB nor client-side CARP is available to you, but there is still a failover option for Web Proxy clients of Standard Edition ISA Firewalls.
If you go into the Networks node in the left pane of the ISA Firewall console and then click the Networks tab in the middle pane, you can select an ISA Firewall Network for which you want Web Proxy clients to fail over to another ISA Firewall.
For example, double-click the default Internal ISA Firewall Network and then click the Web Browser tab. At the bottom of the dialog box you’ll see the option “If ISA Server is unavailable, use this backup route to connect to the Internet”. The default setting is Direct Access, which means that the client will try to use its SecureNAT or Firewall client configuration to access the site if the Web Proxy Filter becomes unavailable. However, it’s unlikely that just the Web Proxy Filter will fail; it’s more likely that if the Web Proxy Filter fails, the entire machine has failed and is probably off or blue screened.
In this case, you can use the Alternative ISA Server option and then enter the name of the ISA Firewall that you want the Web Proxy clients to use if the Web Proxy clients can’t communicate with the primary ISA Firewall’s Web Proxy Filter. You can see the alternate address in the figure below.
It’s important to note that this only works if you configure the Web Proxy clients to use the autoconfiguration script. This can be done most easily by provisioning the Web Proxy clients to be configured by the Firewall client installation. You can choose either the autodiscovery option (Automatically detect settings) or the autoconfiguration script option, as seen in the figure below.
Note that you’ll need to set up WPAD entries if you want to use the Automatically detect settings option.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
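
As an added illustration (not part of the original post, and not the script the ISA Firewall itself generates), the sketch below shows how an autoconfiguration script can express a backup route as an ordered proxy list, and how a client walks that list when the primary is down. The host names, port 8080, and the `buildRoute` and `pickRoute` helpers are assumptions made for the example.

```javascript
// Added example: hand-written PAC-style logic, not the ISA-generated script.
// Host names and the 8080 listener port are assumptions for illustration.
const PRIMARY = "isa-1.example.internal:8080";
const ALTERNATE = "isa-2.example.internal:8080";

// backup is either "DIRECT" (the Direct Access setting) or a host:port
// (the Alternative ISA Server setting).
function buildRoute(primary, backup) {
  const fallback = backup === "DIRECT" ? "DIRECT" : "PROXY " + backup;
  return "PROXY " + primary + "; " + fallback;
}

// Entry point a browser calls for every request once it has the script.
function FindProxyForURL(url, host) {
  // Single-label names are treated as local and are not proxied.
  if (host.indexOf(".") === -1) return "DIRECT";
  return buildRoute(PRIMARY, ALTERNATE);
}

// Simulates the client side: take entries in order, use the first one
// that works. reachable is a Set of host:port strings that answer.
function pickRoute(pacResult, reachable) {
  const entries = pacResult.split(";").map((s) => s.trim()).filter(Boolean);
  for (const entry of entries) {
    if (entry === "DIRECT") return "DIRECT"; // no Web Proxy Filter in the path
    const [kind, target] = entry.split(/\s+/);
    if (kind === "PROXY" && reachable.has(target)) return entry;
  }
  return null; // every listed proxy is down and there is no DIRECT fallback
}
```

With an alternate proxy as the backup route, requests keep passing through a Web Proxy Filter when the primary is down; with `DIRECT` as the backup they do not, which is worth knowing if your filtering or logging policy depends on the proxy.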

Tarek Majdalani Says:
August 9th, 2007 at 2:31 pm
Hi Tom,
I never tried this!
Question #1:
My Firewall client is auto detecting ISA-1, and the Alternative ISA Server option is pointing to ISA-2. Now if ISA-1 were shut down/failed, the users will continue to be able to surf the Internet using ISA-2? (assuming ISA-1 & ISA-2 have identical rules and settings)
Question #2:
Now ISA-1 came back online, how can I shift back my users to use ISA-1?
Question #3:
Can I have this option as well on ISA-2, so that when ISA-2 fails, users will automatically be shifted to ISA-1?
The scenario is as follows:
ISA-1 has this option pointing to ISA-2
ISA-2 has this option pointing to ISA-1
Now ISA-1 failed, users will start using ISA-2. What if ISA-2 failed? Will users be able to automatically go back to ISA-1 (assuming it went back online before ISA-2 failed)?
Thanks,
Tarek
Tom Shinder Says:
August 9th, 2007 at 4:12 pm
Hi Tarek,
The failover feature I discussed only works for Web Proxy clients.
However, you can get failover for Firewall clients by using Round Robin DNS.
HTH,
Tom
Tarek Majdalani Says:
August 10th, 2007 at 2:31 am
Hi Tom,
Yes, let’s say my clients are Web Proxy Clients.
What would happen in the above 3 questions?
Thanks,
Tarek