Home > ISA 2006 Configuration, ISA 2006 Enterprise, ISA 2006 Standard > Automatic Detection Fails for ISA Firewall Clients

Automatic Detection Fails for ISA Firewall Clients

January 26, 2009

When configuring the Web Proxy listener on a Microsoft ISA firewall, one of the things you will find in addition to the authentication methods available is an option to ‘require all users to authenticate’.


Selecting this option produces the following warning message:


Now why would Microsoft give us this option, then complain when we attempt to use it? I have no idea. But it is important to read this message thoroughly and understand what it is saying and why.

As the message indicates, requiring all users to authenticate may block traffic to sites such as Windows Update. The reason for this is that the Windows Update client on our servers and workstations runs in the background, under the context of the service host (svchost.exe) and is unable to provide authentication information to the ISA firewall. This same scenario applies to any unattended processes or services you might have running that require access to the Internet.

One thing that the warning message does not mention is that requiring all users to authenticate to the Web Proxy listener also breaks the automatic detection mechanism for Firewall Clients. The reason for this is that the ISA Firewall Client lacks the ability to respond correctly to the ‘HTTP 401 Unauthorized’ response that the ISA firewall returns when the Firewall Client attempts to retrieve the ‘wspad.dat’ file.

As the aforementioned warning goes on to say, Microsoft recommends enforcing user authentication on firewall policy access rules and publishing rules instead of requiring all users to authenticate to the Web Proxy listener. In this case it would seem that just because you can, doesn’t mean you should. If you must for some reason enable this setting (and honestly, I can’t think of any reason you would need to) there are some workarounds to allow automatic detection by the Firewall Client under these circumstances. Refer to Microsoft knowledge base article 88563 for more information.

  1. Colin McAdam
    July 9, 2009 at 1:42 am

    I had to enable to the ‘require all users…’ checkbox to get SurfControl working properly

  2. July 9, 2009 at 8:34 am

    This is a common myth. You do not need to enable ‘require all users to authenticate’ for Websense/SurfControl to work correctly. You simply need to require authentication on your access rules and the user information will be provided by ISA to the Websense/SurfControl ISAPI filter. Instead of specifying ‘all users’ on your access rule, select either ‘all authenticated users’ or a specific set of users or groups and it will work without issue.

  1. February 2, 2009 at 8:47 am
Comments are closed.