RE: Force use of ISA Firewall Client



Robert,

Please read my inline reply below.


"Robert Li [MSFT]" wrote:

Hi Brian,

Thanks for your reply.

You are right, the Firewall client automatically sends user credentials
(user name and password) to the ISA 2004 firewall. The user must be logged
on with a user account that is either in the Windows Active Directory or NT
domain, or the user account must be mirrored on the ISA 2004 firewall.

All internal / LAN users ARE using AD accounts. So forcing them to use the
Firewall Client will result in usernames being included in the ISA logs,
right?
SO.. How can all users be Forced to ONLY use the Firewall Client?

If you configure the Webproxy to require authentication, you don't need to
visit companyweb. The Web Proxy client is able to send user credentials to
the ISA 2004 firewall computer when required.

The users NEED to see the companyweb everyday! That is the point of the
companyweb. ALSO, we intend to start using the companyweb to store Office
Files that they will access all day long.

Based on my research, the Firewall client has no known issue such as crash.
But if you visit Websites or FTP, the web proxy has improved performance.
In contrast to the Firewall client, which always sends user credentials to
the ISA 2004 firewall, the Web Proxy client only sends credentials when
asked to provide them. This improves performance, as authentication is only
performed when required.

Sorry.. typo I was asking if the ISA **CACHE** works with the Firewall
Client.
I am more concerned with ISA logs INCLUDING Usernames than with the improved
performance provided by NOT logging User names.



Is there a way to FORCE use of the Firewall Client??!?

OR is there a better way to ALWAYS log User names in the ISA logs AND not
require the users to logon to companyweb when using the LAN?


Thanks Again!
Brian

Hope this helps.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: Brian <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx>
<Subject: RE: Force use of ISA Firewall Client
<Date: Sat, 3 Nov 2007 12:03:00 -0700
<Newsgroups: microsoft.public.windows.server.sbs
<
<Thanks Robert!
<
<My server was setup as outlined in your step 1 and 2.
<
<Your Step 3 makes all my users have to logon to see the internal
<'companyweb' site.
<This is not acceptable.
<
<It is my understanding that the Client Firewall will take care of
<authentication automatically.
<
<Is any functionality lost if I force use of the Client Firewall? (i.e. will
<the ISA cash still respond to client requests?)
<
<Thanks again!
<Brian
<
<"Robert Li [MSFT]" wrote:
<
<> Hi Brian,
<>
<> Thanks for posting in our newsgroup.
<>
<> You see three types of ISA 2004 firewall clients in ISA console, this is
<> expected behavior. If users visit websites, the system will use Web Proxy
<> client first. If you use Winsock applications that use the TCP and UDP
<> protocols, this needs Firewall client. The Secure NAT can be created by
<> internal or External connection, it works when the default gateway of NIC
<> is pointed to ISA.
<>
<> If you don't need to do less configuration, SecureNAT client is a good
<> choice. SecureNAT clients require only a default gateway address that can
<> route Internet-bound requests through the ISA 2004 firewall. All simple
<> protocols are supported by SecureNAT.
<>
<> The Web Proxy client supports all platforms, but does so by way of a
<> Web application. On Windows client you need to configure on IE. All Web
<> browsers that can be configured to use a proxy server can function as Web
<> Proxy clients. The Web Proxy client supports HTTP, HTTPS (SSL),
<> and HTTP tunneled FTP (Web proxied FTP).
<>
<> The Firewall client supports all Winsock applications that use the TCP and
<> UDP protocols, but you must install firewall client on every workstation.
<>
<> If you want to see user name (instead of IP addresses) in the reports,
<> please do the following steps:
<>
<> Step 1: Configuring Firewall Logs to Record User Information
<>
<> 1. In this ISA firewall console, expand the server name and click the
<> Monitoring node.
<> 2. On the Monitoring node, click the Logging tab in the details pane.
<> 3. Click the Tasks tab in the Task Pane. Click the Configure Firewall
<> Logging link.
<> 4. In the Firewall Logging Properties dialog box, click the Fields tab.
<> 5. On the Fields tab, scroll down the list of fields in the Include the
<> selected fields in the log dialog box. Confirm that there is a checkmark in
<> the Client Username checkbox. There are many useful fields that you can
<> log, so take some time to check out the other options on the Fields tab of
<> the Firewall Logging Properties dialog box.
<> 6. Click Apply and then click OK.
<>
<> Step 2: Configuring Webproxy Logs to Record User Information
<>
<> 1. In the ISA firewall console, expand the server name and then click the
<> Monitoring node.
<> 2. On the Monitoring node, click the Logging tab in the details pane.
<> 3. Click the Tasks tab in the Task Pane. Click the Configure Web Proxy
<> Logging link.
<> 4. In the Web Proxy Logging Properties dialog box, click the Fields tab.
<> 5. On the Fields tab, confirm that there are checkmarks in the Client
<> Username and URL checkboxes.
<> 6. Click Apply and then click OK.
<>
<> Step 3: Configure the Webproxy to require authentication:
<>
<> 1. In the ISA firewall console, expand the server name and then expand the
<> Configuration node. Click the Networks node.
<> 2. Click Internal under Networks tab.
<> 3. In the Internal Properties dialog box, click the Web Proxy tab.
<> 4. Click Authentication button, check the Require all users to
<> authenticate box.
<> 5. Click OK.
<>
<> If you force users to use Firewall client, you can do the following steps,
<> but that's not recommended.
<>
<> Secure NAT: Change the gateway on the NIC not point to ISA server.
<>
<> WebProxy:
<>
<> 1. In the ISA firewall console, expand the server name and then expand the
<> Configuration node. Click the Networks node.
<> 2. Click Internal under Networks tab.
<> 3. In the Internal Properties dialog box, click the Web Proxy tab.
<> 4. Uncheck Enable Web Proxy Clients.
<>
<> Hope this helps.
<>
<> If you need further assistance, please don't hesitate to let me know.
<>
<> Best regards,
<>
<> Robert Li(MSFT)
<>
<> --------------------
<> <From: Brian <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx>
<> <Subject: Force use of ISA Firewall Client
<> <Date: Wed, 31 Oct 2007 12:07:01 -0700
<> <Newsgroups: microsoft.public.windows.server.sbs
<> <
<> <I am running SBS2k3 SP1 (not R2)/w ISA2004
<> <
<> <I have installed the ISA Firewall Client on all workstations, and it seems
<> <to be working.. BUT...in ISA Server Management under Sessions I see:
<> <Web Proxy, Firewall Client, and SecureNAT connections from LAN IP addresses
<> <(I was expecting to only see Firewall Client).
<> <
<> <I am also seeing Web Proxy and SecureNAT connections from EXTERNAL IP
<> <addresses. (the SecureNAT are probably incoming email connections?).
<> <
<> <Can somebody please tell me what type of connections I should expect to see
<> <from the LAN and from the Internet; and what they would be used for?
<> <
<> <Also, why do I see LAN IP addresses not UserNames in the ISA Array Reports
<> <under TOP USERS?
<> <
<> <I have read all the ISA / Firewall Client articles I can find on the web and
<> <I am still not clear on this.
<> <
<> <Thanks!!
<> <Brian
<> <
<> <
<> <
<>
.
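
Once the Client Username field is enabled as in Steps 1 and 2 of the quoted reply, an exported log can be checked for LAN clients whose requests still carry no user name. The script below is an added example, not part of the original thread. It assumes a tab-separated W3C extended log with a `#Fields:` directive, the field names `c-ip` and `cs-username`, and that unauthenticated requests show up as `anonymous`, `-` or an empty value; the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (tab-separated); not real log data.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri",
    "192.168.16.10\tEXAMPLE\\alice\t2007-11-03\t12:00:01\thttp://companyweb/",
    "192.168.16.10\tEXAMPLE\\alice\t2007-11-03\t12:00:05\thttp://example.com/",
    "192.168.16.11\tanonymous\t2007-11-03\t12:01:10\thttp://example.com/",
    "192.168.16.11\tEXAMPLE\\bob\t2007-11-03\t12:01:40\thttp://example.org/",
    "192.168.16.12\t-\t2007-11-03\t12:02:00\thttp://example.net/",
])

# Assumption: values that mean "no authenticated user" in the username field.
ANONYMOUS = {"", "-", "anonymous"}

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def username_coverage(text):
    """Return {client_ip: (records_without_user, total_records)}."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        entry = stats[rec["c-ip"]]
        entry[1] += 1
        if rec["cs-username"].strip().lower() in ANONYMOUS:
            entry[0] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}

def clients_missing_usernames(text):
    """Client IPs with at least one record that has no user name."""
    return sorted(ip for ip, (anon, _) in username_coverage(text).items() if anon)

if __name__ == "__main__":
    for ip, (anon, total) in sorted(username_coverage(SAMPLE_LOG).items()):
        print(f"{ip}: {anon}/{total} records without a user name")
```

A client that appears in the result is still reaching the ISA server through a path that does not authenticate, which matches the mixed Web Proxy, Firewall Client and SecureNAT sessions described in the original question.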