Re: ISA 2006 Web Browser Configuration of Direct Access



On 2007-01-04, Phillip Windell <> wrote:
"rignes" <rignes@xxxxxxxxx> wrote in message
news:slrnepqr2t.b6s.rignes@xxxxxxxxxxxxxxxxxxxxxxxxxx
Even though we have the newest firewall client installed on all of our
systems we still see nearly 100 SecureNAT connections. Supposedly we should
see none if the client is working correctly? If it's expected to see some
SecureNAT connections what sorts of things are bypassing the Firewall Client?

Any device of any kind at all that either uses ISA as its Default Gateway
(single subnet LAN), or if ISA is the last device in the LAN's routing path
(multi-segment LAN) will be treated as a SecureNAT Client. These can be any
machine without the Firewall Client or any kind of networkable hardware
device. If you have no anonymous rules, then there won't be any (successful)
SecureNAT Clients because they cannot authenticate and therefore can only
use anonymous rules.

I guess what I need to get my head around at this point is what exactly causes
a SecureNAT connection? I've found my own system has SecureNAT sessions open,
even though I know I have the client installed and it is configured correctly.
However, I run different things than most of our user base. I use Firefox
which isn't configured to use ISA as its proxy because the firewall client
just "makes it work". Of course, the firewall client can't automatically (as
far as I know) configure Firefox for me. Does this sort of thing cause a
SecureNAT connection? I also run Winamp in the same fashion.

The short question then is:

What, even with a correctly configured Firewall Client, can cause SecureNAT
connections?

The above question is asked in the context of systems running Windows XP and
Windows 2000. I understand that network devices can cause SecureNAT
connections, I'm just trying to see why multiple systems with the Firewall
Client installed correctly still show as SecureNAT in the Sessions Monitor.

I'll keep an eye out for Tom's 2006 book. I had his ISA 2000 book but never
read it as I changed jobs and didn't work with ISA anymore before I got around
to reading it.

Thanks,

Brian
