Each ISA Server machine in an array contains information about all the other array members and can make this information available to clients in a routing script. The General tab in Figure 6 shows the URL for such a script (in this case, http://ISA-LEON:8080/array.dll?Get.Routing.Script). ISA Server updates the script whenever you add a server to or remove one from the array. Note that the script returns information such as what array member to use for a specific URL request to ensure that the request goes to an ISA Server machine that contains that URL in its cache.
The script, which functions similarly to the wpad.dat file I described earlier, is the preferred method of setting up a browser for Web proxy access in an array environment. The script has the most recent information about all the array members and ensures that in the distributed cache environment that an array provides, a client browser request goes to the server on which the content is cached.
Firewall Client software installation will automatically set IE to use the automatic configuration script if you select the Set Web browsers to use automatic configuration script check box on the General tab. If you elect to use the automatic configuration script, before sending the user's URL request, IE reads the script, which contains the hash function that processes the user's URL and gets back the name of the ISA Server machine that contains the desired cached content.
Now that I've explained how configuring Firewall Client affects the Web proxy browser settings, I describe how to configure the actual firewall settings. The second subnode under Client Configuration in the ISA Management console lets you configure options for Firewall Client, a helper application that's implemented as a Layered Service Provider for Winsock. In the console's right pane, double-click Firewall Client to open the Firewall Client Properties dialog box. On the General tab, which Figure 7 shows, make sure that the Enable ISA Firewall automatic discovery in Firewall Client check box is selected. To further improve users' experience, you can configure Firewall Client to automatically detect which ISA Server machine it should use. You use the dialog box's Application Settings tab to configure which processes will use the firewall and which ones won't.
The ISA Server installation program automatically creates Firewall Client and maps it to the %programfiles%\microsoft isa server\clients directory. Then, you install Firewall Client on each client computer. Users on my intranet install Firewall Client directly from the \\isa-leon\mspclnt share. Alternatively, you can leverage Active Directory's (AD's) software installation feature to assign Firewall Client to specific users and computers, then automatically install the software the next time the user logs on. After the software is installed, it appears as an icon in the system tray. Double-clicking it opens the Firewall Client Options dialog box. (For more information about AD's software installation feature, see "Software Installation in Windows 2000," February 2000, http://www.winnetmag.com, InstantDoc ID 7886.)
Installing Firewall Client software on the client machine forces all client settings to take effect. These settings include the settings you configured in the Web Browser Properties dialog box. Any client-related changes you make after Firewall Client installation are automatically propagated to the client machines at a regular interval. Users can also click Update Now in the Firewall Client Options dialog box to download changes from ISA Server immediately.
After you install Firewall Client, it intercepts each Winsock call. Instead of letting a network request go through as usual, Firewall Client creates a special channel to the ISA Server machine and routes the request to ISA Server's Firewall service. The firewall performs a network request on the client's behalf and sends a response back to the client. The result is a seamless Internet connection for all network applications running on the client computer.
In this article, I ventured into an explanation of ISA Server's automatic Web proxy and firewall configuration options. My aim was to demonstrate that users need to perform little or no special configuration to have Internet access through ISA Server. I showed you how to enable Web browsers to access URLs through automatic WPAD. I also described how to let applications access the Internet with the help of ISA Server's Firewall Client. ISA Server offers one more option for seamless Internet access: SecureNAT. I covered SecureNAT in detail in "Authenticate Internet Access with ISA Server." Setting up the client machine to use SecureNAT is a snap: You use the TCP/IP settings on the client machine to point a default gateway of the client to the ISA Server machine. If you use DHCP to provide client configuration parameters, you can make the default gateway a DCHP scope option. In this case, the client will configure itself upon network start-up and thus will use ISA machine as its default gateway.