Re: Is Firewall Client necessary?
From: Thomas W Shinder [MVP] (tshinder_at_hotmail.com)
Date: 07/14/04
- Next message: Bob Genestet: "Re: SNAT"
- Previous message: ChrisM: "How many syn floods and sessions in 2004?"
- In reply to: Phillip Windell: "Re: Is Firewall Client necessary?"
- Next in thread: Ray: "Re: Is Firewall Client necessary?"
- Reply: Ray: "Re: Is Firewall Client necessary?"
Date: Wed, 14 Jul 2004 13:36:22 -0500
Hi Phillip,
Right on, right on! I'd like to see Mervin get a refund from the
"consultant" who said the Firewall client isn't required to enhance the
security of the ISA firewall.
--
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

"Phillip Windell" <@.> wrote in message
news:OGZqnFcaEHA.1248@TK2MSFTNGP11.phx.gbl...
:
: "Mervin Williams" <mwilliams@innovasolutions.net> wrote in message
: news:OF6H2wbaEHA.3508@TK2MSFTNGP09.phx.gbl...
: > Since then, we've been having several problems daily, from internet access
: > not being available to clients to services (such as Real Player) not being
: > accessible.
:
: Perfectly normal. You must configure this to work. It isn't going to work
: all by itself out of the box. ISA *only* allows what you specify, it does
: *not* allow everything then deny what you specify.
:
: > A "second opinion" administrator seems to think that the
: > problems stem from Microsoft Firewall Client. He says that the Firewall
: > Client is not needed to use the security features of ISA.
:
: Then he is mistaken. A rough guess is that about 75% to 85% of ISA's
: "internal-to-external" security is handled by the firewall Service which
: requires the Firewall Client.
:
: > We allowed the 2nd admin to remove Firewall Client from the client machines,
: > but we are now having problems when we VPN to the network.
:
: No simple answer. There are many kinds of VPN "models" that are all handled
: differently. However the Firewall Service (associated with the Firewall
: Client) only processes TCP and UDP. It does not "do" VPN which is GRE. So
: there is no relationship between VPN and the Firewall Service.
:
: > (1) Is Microsoft Firewall Client needed in order to operate securely using
: > ISA?
: > (2) What is the purpose for Firewall Client?
:
: ISA has three *independent* Services:
:
: Web Proxy Service: Clients use it via the browser's "proxy settings". It
: only supplies HTTP, HTTPS, "Read-only" FTP, and Gopher. Authentication is
: based on User Accounts.
:
: Firewall Service: Clients use it via having the Firewall Client installed.
: It supplies all protocols based on TCP and UDP. It does not process other
: Layer4 protocols such as ICMP and GRE (VPN). Authentication is based on User
: Accounts.
:
: SecureNAT Service: Clients use it via the Layer3 Routing Scheme of the LAN
: (often ISA is their Default Gateway). It can supply pretty much the same
: thing as any other NAT based device which is what any of the popular
: hardware based "firewalls" are. Authentication is *only* based on Source IP#
: & Destination IP#.
:
: > (3) If Firewall Client is not needed, how do we configure VPN access so that
: > we can access all system resources and even use Roaming Profiles?
:
: Only the SecureNAT Service allows clients behind ISA to initiate their own
: outbound VPN connections. But this may not be relevant to you. There are a
: lot of different models and methods of VPN and they are all done
: differently.
:
: --
:
: Phillip Windell [MCP, MVP, CCNA]
: www.wandtv.com