RE: Force use of ISA Firewall Client



Hi Brian,

Thanks for posting in our newsgroup.

You see three types of ISA 2004 firewall clients in ISA console, this is
expected behavior. If users visit websites, the system will use Web Proxy
client first. If you use Winsock applications that use the TCP and UDP
protocols, this needs the Firewall client. The Secure NAT can be created by
internal or External connection, it works when the default gateway of NIC
is pointed to ISA.

If you don't need to do less configuration, SecureNAT client is a good
choice. SecureNAT clients require only a default gateway address that can
route Internet-bound requests through the ISA 2004 firewall. All simple
protocols are supported by SecureNAT.

The Web Proxy client supports all platforms, but does so by way of a
Web application. On Windows clients you need to configure it in IE. All Web
browsers that can be configured to use a proxy server can function as Web
Proxy clients. The Web Proxy client supports HTTP, HTTPS (SSL),
and HTTP tunneled FTP (Web proxied FTP).

The Firewall client supports all Winsock applications that use the TCP and
UDP protocols, but you must install firewall client on every workstation.

If you want to see user name (instead of IP addresses) in the reports,
please do the following steps:

Step 1: Configuring Firewall Logs to Record User Information

1. In this ISA firewall console, expand the server name and click the
Monitoring node.
2. On the Monitoring node, click the Logging tab in the details pane.
3. Click the Tasks tab in the Task Pane. Click the Configure Firewall
Logging link.
4. In the Firewall Logging Properties dialog box, click the Fields tab.
5. On the Fields tab, scroll down the list of fields in the Include the
selected fields in the log dialog box. Confirm that there is a checkmark in
the Client Username checkbox. There are many useful fields that you can
log, so take some time to check out the other options on the Fields tab of
the Firewall Logging Properties dialog box.
6. Click Apply and then click OK.

Step 2: Configuring Webproxy Logs to Record User Information

1. In the ISA firewall console, expand the server name and then click the
Monitoring node.
2. On the Monitoring node, click the Logging tab in the details pane.
3. Click the Tasks tab in the Task Pane. Click the Configure Web Proxy
Logging link.
4. In the Web Proxy Logging Properties dialog box, click the Fields tab.
5. On the Fields tab, confirm that there are checkmarks in the Client
Username and URL checkboxes.
6. Click Apply and then click OK.

Step 3: Configure the Webproxy to require authentication:

1. In the ISA firewall console, expand the server name and then expand the
Configuration node. Click the Networks node.
2. Click Internal under Networks tab.
3. In the Internal Properties dialog box, click the Web Proxy tab.
4. Click Authentication button, check the Require all users to
authenticate box.
5. Click OK.

If you force users to use Firewall client, you can do the following steps,
but that's not recommended.

Secure NAT: Change the gateway on the NIC to not point to the ISA server.

WebProxy:

1. In the ISA firewall console, expand the server name and then expand the
Configuration node. Click the Networks node.
2. Click Internal under Networks tab.
3. In the Internal Properties dialog box, click the Web Proxy tab.
4. Uncheck Enable Web Proxy Clients.

Hope this helps.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<Thread-Topic: Force use of ISA Firewall Client
<From: =?Utf-8?B?QnJpYW4=?= <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx>
<Subject: Force use of ISA Firewall Client
<Date: Wed, 31 Oct 2007 12:07:01 -0700
<Newsgroups: microsoft.public.windows.server.sbs
<
<I am running SBS2k3 SP1 (not R2)/w ISA2004
<
<I have installed the ISA Firewall Client on all workstations, and it seems
<to be working.. BUT...in ISA Server Management under Sessions I see:
<Web Proxy, Firewall Client, and SecureNAT connections from LAN IP addresses
<(I was expecting to only see Firewall Client).
<
<I am also seeing Web Proxy and SecureNAT connections from EXTERNAL IP
<addresses. (the SecureNAT are probably incoming email connections?).
<
<Can somebody please tell me what type of connections I should expect to see
<from the LAN and from the Internet; and what they would be used for?
<
<Also, why do I see LAN IP addresses not UserNames in the ISA Array Reports
<under TOP USERS?
<
<I have read all the ISA / Firewall Client articles I can find on the web and
<I am still not clear on this.
<
<Thanks!!
<Brian
<
<
<
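Added example (not part of the original posts): one way to confirm that Steps 1 to 3 above took effect is to read an exported Web Proxy log and list the LAN addresses that never logged a user name. It assumes a tab-separated W3C extended log with a `#Fields:` header, the field names `c-ip` and `cs-username`, and `anonymous` as the value recorded for unauthenticated requests; the sample lines are constructed.

```python
from collections import defaultdict

ANONYMOUS = {"", "-", "anonymous"}  # assumed markers for "no user name recorded"

# Constructed sample log (not real traffic); field names are assumptions.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Security and Acceleration Server 2004",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri",
    "192.168.16.21\tCONTOSO\\alice\t2007-11-01\t09:00:01\thttp://example.com/",
    "192.168.16.21\tCONTOSO\\alice\t2007-11-01\t09:00:05\thttp://example.com/a",
    "192.168.16.22\tanonymous\t2007-11-01\t09:01:10\thttp://example.org/",
    "192.168.16.22\tanonymous\t2007-11-01\t09:01:12\thttp://example.org/b",
    "192.168.16.23\tanonymous\t2007-11-01\t09:02:00\thttp://example.net/",
    "192.168.16.23\tCONTOSO\\bob\t2007-11-01\t09:02:01\thttp://example.net/",
    "192.168.16.24\ttruncated-row",  # malformed line, skipped by the parser
])

def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            if "c-ip" not in fields or "cs-username" not in fields:
                # Client Username is not selected on the Fields tab (Steps 1/2).
                raise ValueError("log does not record c-ip and cs-username")
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split("\t")
        if len(values) == len(fields):  # ignore truncated or malformed rows
            yield dict(zip(fields, values))

def username_coverage(text):
    """Per client IP: total requests, anonymous requests, distinct user names."""
    stats = defaultdict(lambda: {"total": 0, "anonymous": 0, "users": set()})
    for row in parse_w3c(text):
        entry = stats[row["c-ip"]]
        entry["total"] += 1
        user = row["cs-username"].strip()
        if user.lower() in ANONYMOUS:
            entry["anonymous"] += 1
        else:
            entry["users"].add(user)
    return dict(stats)

def ips_never_identified(text):
    """Client IPs that would still show up as bare addresses in user reports."""
    return sorted(ip for ip, s in username_coverage(text).items() if not s["users"])

if __name__ == "__main__":
    for ip, s in sorted(username_coverage(SAMPLE_LOG).items()):
        print(ip, s["total"], s["anonymous"], sorted(s["users"]))
    print("no user name ever logged:", ips_never_identified(SAMPLE_LOG))
```

An address that logs one anonymous request followed by named ones, like 192.168.16.23 in the sample, is authenticating; only addresses with no named request at all are returned.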
