RE: ISA Firewall client question
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Fri, 23 Sep 2005 05:36:55 GMT
Dear Orlando:
Thanks for posting here.
From your description, I understand that your Mac PCs cannot use RDP and
some ERP applications to connect to the internet, but they can browse web
pages without difficulty. The XP clients in the same network work perfectly.
Your SBS server is protected by ISA Server 2000. If I have
misunderstood your concern, please do let me know.
Based on my experience, this is expected behavior. Let me explain it for
you:
For outgoing traffic, application-layer inspection is provided by the
ISA Server, which is to say, the packets will be inspected by the ISA based
on the user credential. There are three types of clients in an ISA environment:
1. Web Proxy client
Web-proxy clients do not require that any client software be installed.
You need only configure the ISA as the proxy server in the Web browser settings.
For example, if you are using IE, you can set the proxy in Internet
Options | Connections | LAN Settings. Authentication information is passed
by the Web browser. Name resolution is performed by the ISA.
Firewall and SecureNAT client computers can ALSO be Web-proxy clients at
the same time if their browsers are so configured. The Web Proxy client only
supports the protocols HTTP, HTTPS and FTP.
We strongly recommend you configure the Firewall client and SecureNAT
client computers as Web Proxy clients at the same time, since this will
give better network browsing performance from the Web Proxy Service.
2. SecureNAT client
A SecureNAT client is a machine whose default gateway is the internal IP
of the ISA server. The SecureNAT client treats the ISA as its gateway, and all name
resolution is performed by the client itself.
The SecureNAT client doesn't support user authentication through the ISA, and it
also does not support secondary connections. If you have applied some ISA
rules to user groups, SecureNAT clients cannot pass them.
If we configure the proxy settings in IE, the clients will work as Web
Proxy clients when opening IE to access the Internet.
So, we usually configure non-Windows OSes, such as Unix, as SecureNAT
clients. For Windows clients, we do not recommend that our customers do that.
3. Firewall client
We recommend that our customers install the Firewall client on the client machines if
their ISA has multiple NICs. The Firewall client can automatically pass the
user-level authentication through the ISA in the back end, and it can also
support protocols other than HTTP, HTTPS and FTP, such as SMTP and POP3. Name
resolution is performed by the ISA.
If we configure the proxy settings in IE, the clients will work as Web
Proxy clients when opening IE to access the Internet.
When a request is initiated from a client computer, the user credential
will be sent to the ISA Server by the Firewall client (non-HTTP/HTTPS/FTP
request) or the Web Proxy client (HTTP/HTTPS/FTP request). The ISA Server
will check the request against its predefined rules to determine whether the
packet is allowed to pass through. If the Firewall client is not installed
on the client computer, the credential information cannot be sent to the
ISA. Instead, the ISA will regard this request as an anonymous request,
and afterwards the packets will surely be dropped by the ISA Server.
The reason why web browsing works fine is that web access uses the
HTTP/HTTPS protocol; if you configure the web proxy on your browser (e.g.
IE 6.0), the user credential can be sent to the ISA Server without problem.
However, the RDP connection and the ERP application use 3389 and
other specific protocols, and that traffic is blocked by the ISA Server due to
the fact that the Firewall client cannot be installed on the Mac.
Regarding the current situation, I would like to provide you with the following
suggestions to solve the problem:
1. Create an ALLOW protocol rule based on the Client Address Set.
a. Go to the ISA management console, navigate to Policy Elements | Client
Address Sets. Create a new client address set as follows:
Name: Mac
From: 192.168.1.1
To: 192.168.1.100 (You may change the IP address to the actual range)
b. Go to the ISA management console, navigate to Access Policy | Protocol
Rules. Create a new protocol rule as follows:
Protocol rule name: Allow Mac access
Rule Action: Allow
Protocols: All IP traffic
Client Type: Specific computers
Client Sets: Mac (The one you created before)
2. Go to the ISA Server Management, right click the ISA Server Name, and
then select 'Properties'. In the Outgoing Web Requests tab, disable the
'Ask unauthenticated users for identifications' option.
Note: If we check the "Ask unauthenticated users for identifications"
option, all anonymous requests will be denied by the ISA Server whether you
have a protocol rule applied to all requests or not.
Please also double check whether you have configured the Macs as SecureNAT
clients.
Does it fix the problem?
Please feel free to let me know if you have any questions or concerns.
Have a nice weekend! :)
Best Regards
Edward Tian (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: ISA Firewall client question
| From: "Orlando" <orlando_lister@xxxxxxxxx>
| Subject: ISA Firewall client question
| Date: Thu, 22 Sep 2005 17:05:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| We have some XP clients and Macs in our office. The XP client is working
| fine without problem, but the Macs can browse the internet but cannot use
| remote desktop, ERP (need to communicate with the internet server) and other
| services. We have firewall client 2k installed on the XP clients, but we
| cannot install it on the Mac. How can I allow the applications on the Mac to
| access internet?
|
| ----
| Orlando
|
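As an added illustration (not part of Edward's reply and not ISA Server code), the following Python model of the decision logic described in the reply shows why the Mac's RDP request is dropped while its web browsing works, and what changes once the address-set rule is added and the "Ask unauthenticated users for identification" option is switched off. The names Request, ProtocolRule, credential, matches and evaluate, the user "orlando" and the addresses are assumptions; the model reduces ISA's rule engine to a first-match walk over protocol, user and client address set, with ask_unauthenticated standing for that option.

```python
from dataclasses import dataclass
from ipaddress import ip_address

WEB_PROXY_PROTOCOLS = {"HTTP", "HTTPS", "FTP"}  # all the Web Proxy client can carry

@dataclass
class Request:
    src_ip: str
    protocol: str     # e.g. "HTTP", "RDP"
    client: str       # "firewall", "webproxy" or "securenat"
    user: str = None  # credential known on the client machine

@dataclass
class ProtocolRule:
    action: str                # "Allow" or "Deny"
    protocols: set = None      # None = "All IP traffic"
    users: set = None          # rule applied to specific users/groups
    address_set: tuple = None  # client address set as (from_ip, to_ip)

def credential(req):
    """Only the Firewall client (any protocol) and the Web Proxy client
    (HTTP/HTTPS/FTP) forward the credential; SecureNAT requests look anonymous."""
    proxied = req.client == "webproxy" and req.protocol in WEB_PROXY_PROTOCOLS
    return req.user if req.client == "firewall" or proxied else None

def matches(rule, req, user):
    lo, hi = (ip_address(a) for a in rule.address_set or (req.src_ip, req.src_ip))
    return ((rule.protocols is None or req.protocol in rule.protocols)
            and (rule.users is None or user in rule.users)
            and lo <= ip_address(req.src_ip) <= hi)

def evaluate(rules, ask_unauthenticated, req):
    user = credential(req)
    if user is None and ask_unauthenticated:
        return "Deny"  # anonymous request refused before any rule is consulted
    for rule in rules:
        if matches(rule, req, user):
            return rule.action
    return "Deny"  # nothing matched: default deny

def before_and_after():
    """Constructed scenario: domain-user rule only, then the reply's fix applied."""
    domain_rule = ProtocolRule("Allow", users={"orlando"})
    # "All IP traffic" with no user check: anything from the range is let through.
    mac_rule = ProtocolRule("Allow", address_set=("192.168.1.1", "192.168.1.100"))
    reqs = {"xp_rdp": Request("192.168.1.150", "RDP", "firewall", "orlando"),
            "mac_web": Request("192.168.1.20", "HTTP", "webproxy", "orlando"),
            "mac_rdp": Request("192.168.1.20", "RDP", "securenat", "orlando")}
    return {k: (evaluate([domain_rule], True, r),
                evaluate([domain_rule, mac_rule], False, r)) for k, r in reqs.items()}
```

before_and_after() returns the (before, after) verdict per request: only the Mac's RDP request flips from Deny to Allow, and it is allowed by the address-set rule alone, with no user credential checked.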