Firewall client basics
The Firewall client is one of three supported ISA Server client types. The supported client types are:
- Webproxy Client
- Secure NAT Clent
- Firewall Client
The description and function of the Webproxy and Secure NAT client is out of the scope of this article. If you want to have more information about these client types, read the online help articles on ISAserver.org.
The Firewall client software is an optional client piece that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall client software provides the following enhancements to Windows clients:
- Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols.
- Allows user and application information to be recorded in the ISA firewall’s log files.
- Provides enhanced support for network applications, including complex protocols that require secondary connections.
- Provides “proxy” DNS support for Firewall client machines.
- Allows you to publish servers requiring complex protocols without the aid of an application filter.
- The network routing infrastructure is transparent to the Firewall client.
First we need to download the actual Firewall client from the Microsoft ISA Server website. The actual Firewall client supports Microsoft Windows Vista and older operating systems like Windows XP and Windows Server 2000.
There are a number of versions of Firewall Client software:
- The latest version (v. 3442.654 at the time of writing) is available as a Web download.
- A version shipped with ISA Server 2006 (v.3441.633).
- A version shipped with ISA Server 2004.
- A version shipped with ISA Server 2000.
Software distribution share
As a next step we must create a software distribution share for the Firewall client installation files. Create a Windows file share with appropriate permissions, so that “Everyone” can access the file share. Copy the downloaded Firewall client to this share or leave it in the download directory and copy only the extracted files.
Figure 1: Create a software distribution share with appropriate permissions
As a next step, extract the ISA Server 2006 Firewall client package files to the Software distribution share. You can do this by opening the Firewall client exe file from the command prompt with the parameters /C and /T.
Figure 2: Extract the Firewall client installation files
After the files are extracted from the installation package, you will see a file called MS_FWC.MSI. This is the primary installation file which is used for the software distribution process. The package also contains the MSI installer for the Intel and AMD platform.
Figure 3: Extracted setup files
Create the Software distribution package
As a next step, create the required organizational units (OU) for the Software distribution process and move the client PC that should get the Firewall client to this organizational unit and create the Group Policy.
Create the default package location. This is the shared folder where you placed all Software distribution packages.
New packages should be assigned for the computer, so the Software package will be installed during start up of the computer, but before the logon process displays the logon screen.
Figure 4: General software distribution settings
The installation user interface options should be set to Minimum.
After the installation package location has been created, it is now time to create the software distribution package. Right click the Software installation setting and create the new package. Select the MS_FWC.MSI file and a short time after; the Microsoft Firewall Client 4.0 is assigned and ready for client installation.
Figure 5: Software installation dialog
At client side
At client side, wait a while before you restart the PC, so that changed or new Group Policy settings are applied or execute the GPUPDATE /FORCE command from the command prompt to force Group policy propagation.
After rebooting the client, you should now see the installation process of the Firewall client. If not, reboot the machine again and see what happens. If the software will not install, start the classic Group Policy Software distribution troubleshooting process.
Figure 6: Software installation dialog
There are more additional task like automatically configuring the Firewall client and automatically hiding the Firewall client symbol from clients, but this is out of the scope of this article and is covered in other articles.
Unattended installation using ms_fwc.msi
If you use a distribution method that requires a Microsoft Windows Installer (.msi) file, note the following:
- The Firewall Client software that shipped with ISA Server 2006 or ISA Server 2004 already includes an .msi file: ms_fwc.msi.
- To deploy the latest version of Firewall Client, extract ms_fwc.msi from the Web download by typing the following at the command prompt:
ISACLIENT-KB929556-ENU.EXE /c /t:c:\SoftwareDistributionShare
If you want to distribute the Firewall client directly from the MSI file through Logon script or something else, execute:
msiexec /i ms_fwc.msi SERVER_NAME_OR_IP=Name of ISA Server ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qb /L*v c:\fwcinstl.log Parameters
Parameters are used in the commands as follows:
- Path = Location of the Firewall Client installation file. A value must be specified.
- SERVER_NAME_OR_IP=ISAServerName = Name or IP address of the ISA Server computer to which the client computer should connect.
- ENABLE_AUTO_DETECT = Specify a value of 1 to indicate that the Firewall client computer should automatically detect the ISA Server computer to which it should connect. A value of 0 indicates that automatic detection is not enabled on the client.
- REFRESH_WEB_PROXY = Specify a value of 1 to indicate that the Firewall client configuration should be updated with the Web proxy configuration settings specified in ISA Server Management. A value of 0 indicates that the client is not updated.
Unattended installation using Setup.exe
You can run an unattended installation using Setup.exe:
- To install the Firewall Client software that shipped with ISA Server 2006 or ISA Server 2004 using Setup.exe, type the following at the command prompt:
setup.exe /w /V"SERVER_NAME_OR_IP=Name of ISA Server ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qb /L*v c:\fwc_inst.log"
- For the latest version of Firewall Client extract Setup.exe from the Web download, and then type the following at the command prompt:
setup.exe /Q /P "SERVER_NAME_OR_IP= isaserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0"
In this article I tried to show you how to automatically deploy the Microsoft ISA Server 2006 Firewall client. It is possible to deploy the Microsoft ISA Server 2006 Firewall client with software distribution programs like Microsoft SMS (Systems Management Server) or its successor SCCM (System Center Configuration Manager). In smaller or less complicated IT environments, it is also possible to deploy software by using Software distribution through Group Policies. Deploying the ISA Server 2006 Firewall client is simple, because the download package contains an MSI file which is used for the Software Distribution process. This article does not focus advanced Firewall Client configuration.