Re: Is Firewall Client necessary?

From: Ray (reply_in_at_newsgroup.only)
Date: 07/15/04


Date: Thu, 15 Jul 2004 12:48:13 -0400

Hi Tom,

How come "real" firewalls don't require client installations? :-)

Actually a good explanation of this would be nice to read as an article on
your web site.

Ray

"Thomas W Shinder [MVP]" <tshinder@hotmail.com> wrote in message
news:OBaM0FdaEHA.2408@tk2msftngp13.phx.gbl...
> Hi Phillip,
>
> Right on, right on! I'd like to see Mervin get a refund from the
> "consultant" who said the Firewall client isn't required to enhance the
> security of the ISA firewall.
>
> --
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
> "Phillip Windell" <@.> wrote in message
> news:OGZqnFcaEHA.1248@TK2MSFTNGP11.phx.gbl...
> :
> : "Mervin Williams" <mwilliams@innovasolutions.net> wrote in message
> : news:OF6H2wbaEHA.3508@TK2MSFTNGP09.phx.gbl...
> : > Since then, we've been having several problems daily, from internet access
> : > not being available to clients to services (such as Real Player) not being
> : > accessible.
> :
> : Perfectly normal. You must configure this to work. It isn't going to work
> : all by itself out of the box. ISA *only* allows what you specify, it does
> : *not* allow everything then deny what you specify.
> :
> : > A "second opinion" administrator seems to think that the
> : > problems stem from Microsoft Firewall Client. He says that the Firewall
> : > Client is not needed to use the security features of ISA.
> :
> : Then he is mistaken. A rough guess is that about 75% to 85% of ISA's
> : "internal-to-external" security is handled by the Firewall Service which
> : requires the Firewall Client.
> :
> : > We allowed the 2nd admin to remove Firewall Client from the client machines,
> : > but we are now having problems when we VPN to the network.
> :
> : No simple answer. There are many kinds of VPN "models" that are all handled
> : differently. However the Firewall Service (associated with the Firewall
> : Client) only processes TCP and UDP. It does not "do" VPN which is GRE. So
> : there is no relationship between VPN and the Firewall Service.
> :
> : > (1) Is Microsoft Firewall Client needed in order to operate securely using
> : > ISA?
> : > (2) What is the purpose for Firewall Client?
> :
> : ISA has three *independent* Services:
> :
> : Web Proxy Service: Clients use it via the browser's "proxy settings". It
> : only supplies HTTP, HTTPS, "Read-only" FTP, and Gopher. Authentication is
> : based on User Accounts.
> :
> : Firewall Service: Clients use it via having the Firewall Client installed.
> : It supplies all protocols based on TCP and UDP. It does not process other
> : Layer4 protocols such as ICMP and GRE (VPN). Authentication is based on
> : User Accounts.
> :
> : SecureNAT Service: Clients use it via the Layer3 Routing Scheme of the LAN
> : (often ISA is their Default Gateway). It can supply pretty much the same
> : thing as any other NAT based device which is what any of the popular
> : hardware based "firewalls" are. Authentication is *only* based on Source IP#
> : & Destination IP#.
> :
> : > (3) If Firewall Client is not needed, how do we configure VPN access so that
> : > we can access all system resources and even use Roaming Profiles?
> :
> : Only the SecureNAT Service allows clients behind ISA to initiate their own
> : outbound VPN connections. But this may not be relevant to you. There are a
> : lot of different models and methods of VPN and they are all done
> : differently.
> :
> : --
> :
> : Phillip Windell [MCP, MVP, CCNA]
> : www.wandtv.com
> :
> :
>
>


