|Summary. This tutorial was made to enable you to understand why a firewall client is used and also to understand it’s limitations and advantages over other ISA clients. Please NOTE: this tutorial is not here to describe how to configure the firewall client in detail.
- Firewall clients are windows computers with the ISA firewall clients installed on them. It can be installed on all windows platforms except windows 3.x as this operating system is 16bit. This client does not function on non windows or non Microsoft platforms.
- ISA Firewall clients allow for user or group based access control and logging to be achieved. This mean that when a user access a resource if he belong to the user list or group of users that you have specified in your rules then he will be allowed to access the resource. You can also log what the user has access by his username. This is useful for reporting.
- Firewall clients can pass user credentials to the ISA Server for protocols that require authentication. Secure NAT clients do not do this.
- The firewall client software is capable of auto configuring the web proxy client or (browser).
- It also updates the windows firewall client computers LAT and clients DNS records.
- The Firewall client runs Winsock applications that use the Firewall service of ISA Server.
- The firewall client can be disabled in the control panel, and can also be disabled by right clicking it and selecting disable or by double clicking it and un-checking the enable check box. Remember to close all applications that are using the Winsock or firewall capability before disabling this software.
- When the Firewall client or Winsock application makes a request to access a resource on the internet, the client checks its copy of the local address table (LAT) and also the locallat.txt file to see if the specified computer is on the local network. If the computer is not in the LAT, then the request is sent to the ISA Server Firewall service. All of the API calls made by the Winsock application are sent to the firewall client and then forwarded to the firewall service. The Firewall service handles the request, forwarding it to the appropriate destination, as permitted.
- The firewall client receives a copy of the LAT every 6 hours copied via the control channel *and all of the old LAT info is overwritten. A custom LAT are stored in locallat.txt and firewall client LAT is stored in msplat.txt both of these files are checked before a request to the Firewall service is sent.
- Special configuration changes are stored in the wspcfg.ini file. A good example of the use of this file is when a server located on the internal network is published. I would recommend using a Secure NAT client if no Winsock firewall access is required.
- ISA client computers cannot function both a Secure NAT and Firewall client, you must make a choice between the two.
- ISA Firewall client supports only TCP and UDP protocols. Use Secure NAT to sent requests over other protocols.
- Firewall client uses the control channel to answer any DNS requests it may have. The DNS sever used will be the one that is configured on the external interface of the ISA server. Remember that internal network DNS will not work if you have not configured an internal DNS server on you local ISA firewall client machine. Use WINS to fix this limitation.
- The Local domain table or LDT is used by the firewall client to determine if the domain is local or public.
- ISA Firewall clients are not supported when ISA sever is installed in cache mode.
*(The Control channel is a means for the ISA firewall client and the firewall service to communicate information. Authentication, LAT information and name resolution queries are examples of what is sent within the control channel link up. Note: no data is sent along this channel. TCP and UDP Port 1745 is used for port negotiation and DNS queries.)
It is important to understand how the firewall client works in order to select the appropriate ISA client for your organization. Firewall clients also allow you to control Winsock applications more closely. Normally users will try to use IRC and other Winsock applications and if they are configured as normal web proxy users it can prove to be a challenge for them. The information I have highlighted above will help you in deciding if the firewall client is the client you are looking for and hopefully will save you time.