How To Configure ISA 2000 Server to Allow HBOs to Bypass Authentication

Knowledge Base Article ID: 126 ( Try another search )

Overview

This article addresses the question of how best to configure your ISA 2000 Standard server for use with an HBO. This is especially the case with ISA servers that normally require authentication to access the internet over HTTP and HTTPS. If your ISA server does not require authentication, but is an in-line device (or otherwise not optional), then it is already compatible with the HBO. Simply submit a valid DNS or IP address as well as the port number on which the ISA and our technicians will configure your HBO to use the proxy server. If your ISA server does require authentication some minor alterations to your ISA server will be required.

Supporting Proxy Authentication

As of this writing the HBO's do not support authenticating proxy servers of any sort, including the ISA server. This is a feature we are currently working towards supporting but in the meantime if you have a proxy server that requires clients to submit a username and password to access the internet then you will need to allow the HBO through the proxy server without authentication, or allow it to bypass the proxy server altogether. Below are step by step instructions for doing this on ISA server.

Step-By-Step

These instructions were written specifically for the ISA 2000 server, however they may work with other versions of ISA as well. If you have a different version of the ISA server that you'd like to contribute instructions for please send an email to techsupport@headsprout.com to let us know.

1. In ISA under Policy Elements then inside Client Address Set create one for the HBO device. One thing to note here is that HBO's are deployed either with static TCP/IP information already configured, or with DHCP enabled. If your HBO is configured for DHCP, then it is advisable to either assign it static TCP/IP information, or to reserve its current dynamic address in DHCP so that its IP address never changes.

2. In Access Policy under Protocol Rule create one for the HBO device that allows IP Traffic and apply to the Client Address Set.

3. Under Site and Content Rule create a Destination set for the HBO. If you like you may limit the scope of the destination set for the HBO in a variety of ways. For example, you can limit it to specific IP addresses of the Headsprout servers it interacts with, or even to the network blocks that the Headsprout servers share. Otherwise, feel free to open up the destination set to all web addresses.

Relevant IP Addresses

dbi-hbo.headsprout.com 207.195.231.24
dbi-hbo1.headsprout.com 207.195.231.25
dbi-hbo2.headsprout.com 207.195.231.26
swf.headsprout.com 207.195.230.68
swf1.headsprout.com 207.195.231.23

These are all servers that the HBO deployed in your school or district might access at any given time. Most of the traffic will be to the dbi-hbo cluster's virtual IP (207.195.231.24) but all of these servers are a part of the support infrastructure for deployed HBOs. Please consider creating a destination set that incorporates our network blocks:

207.195.230.0/27
207.195.230.64/27
207.195.230.128/27
207.195.231.16/28

If you add the above blocks you can be certain that if we were to add servers or change our infrastructure slightly, the HBO would still be able to access everything it needs to access.

For updates to these instructions, please refer to the PDF located here: Bypassing ISA Authentication

Keywords: ISA HBO proxy authentication

Date last modified: 08/23/2010