When you configure Captivate to authenticate SecureNAT users, the connections are blocked, or the captive portal screen is never shown.

This is usually caused by an incorrect configuration of the HTTP protocol. Go into the HTTP protocol properties, and make sure:

  • The "Web Proxy Filter" item is selected
  • The "Captivate" item is not selected

More information

The Captivate application filter blocks non-HTTP protocols until your users complete a captive portal process. If you hook this app filter to the HTTP protocol, you will end up in a situation where HTTP is blocked. This means the users' connections will be blocked before they can ever see the captive portal web page.

Also, if the WPF is not hooked by the HTTP protocol, then the Captivate web filter will never run. This means that the captive portal process will never be shown.

IMPORTANT: You must always have the Web Proxy Filter hooked to the HTTP protocol, otherwise all of ISA's HTTP inspection capability is completely turned off. Never unhook the filter when troubleshooting a problem. If you solve the problem that way, it means you are making ISA completely useless as an application inspection security device for HTTP.