Re: Proxy capabilities and securenat/firewall client
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Tue, 17 Jul 2007 10:03:57 -0500
"steve" <steve@xxxxxxxxxxxxxxxxxx> wrote in message
news:aK%mi.125878$mZ7.40049@xxxxxxxxxxxxxxxxxxxxxxxxx
> Are there any disadvantages of using the firewall client?

Not really.

> For example, will it happily sit alongside standard firewall software
> (e.g. f-secure) that may be on a client machine?

Probably be fine.

> I'll look into WPAD (it looks quite straightforward), however I'd like to
> know what the problem is with using GPO to push the HTTP/HTTPS proxy
> settings to IE? I thought this would be the easiest thing to do, given all
> my machines are on the domain.

GPOs don't always apply properly.

GPOs may get the settings stuck in such a way that it is difficult to get
rid of them if the situation changes. For example, I had the Windows
Firewall get stuck "on" and disrupting LAN functionality with the settings
greyed out and I couldn't turn it off without hacking the registry.

GPOs won't adjust the proxy settings with machines that are sometimes on the
LAN and sometimes not on the LAN (like laptops). You may end up with a
laptop that has its proxy settings stuck "on" while off the LAN which
prevents it from accessing the Internet in the location it happens to be in
at the time.
But WPAD autodetection handles that just fine.

Connecting to internal web sites via a browser may not work correctly
without WPAD; part of ISA functionality and decision making is built around
using WPAD. This is particularly true of internal resources being properly
identified as internal when a FQDN is used to access them or if an IP# is
being used in the URL in the browser.

> The remote workers have the watchguard VPN client installed, which (when
> connected) is treated by windows as a standard NIC connection. At this
> point the users can ping the ISA internal interface, so if their IE proxy
> = ISA internal address then won't that work? How will the firewall client
> work in this remote scenario?

Don't know.
Sounds ugly.

You should stop using the WG for VPN, get rid of the WG VPN Client,...and
use ISA for the VPN which does not require any proprietary "VPN software" to
be loaded on the Clients,.. and ISA has 10 times more functionality and
flexibility. ISA can be extremely detailed in controlling VPN User access
to LAN resources (if you want to get "detailed"), but WG doesn't have a
prayer. With WG, once the user is on the LAN remotely, the whole LAN is
available,...not true with ISA where you can go as far as restricting a
single user account, to a single machine using a single protocol,...if you
want to get that detailed with it.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
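
The internal-versus-external decision mentioned in the post (an FQDN or an IP address in the URL), as an added example that is not part of the original post and is not the script ISA generates: a minimal proxy auto-config script of the kind a WPAD lookup retrieves. The domain suffix, address ranges and proxy name are constructed assumptions.

```javascript
// Constructed values (assumptions, not taken from the post).
var INTERNAL_DOMAINS = [".corp.example"];
var INTERNAL_NETS = [["10.0.0.0", 8], ["192.168.0.0", 16]];
var PROXY = "PROXY isa.corp.example:8080";

// Dotted-quad IPv4 literal -> unsigned 32-bit number, or null if not one.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ipInt falls inside base/bits (arithmetic avoids signed shifts).
function inNet(ipInt, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ipInt / size) === Math.floor(ipv4ToInt(base) / size);
}

function isInternal(host) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  var ip = ipv4ToInt(host);
  if (ip !== null) { // IP literal in the URL: compare against internal ranges
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (inNet(ip, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
    }
    return false;
  }
  // Single-label name (no dot, not an IPv6 literal) resolves on the LAN.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  // FQDN: match on a dot-anchored suffix, never on a substring, so that
  // look-alike external names are not sent around the proxy.
  for (var j = 0; j < INTERNAL_DOMAINS.length; j++) {
    var d = INTERNAL_DOMAINS[j];
    if (host.length > d.length && host.slice(-d.length) === d) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isInternal(host) ? "DIRECT" : PROXY;
}
```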