It is somewhat of a misnomer to describe ISA clients as "clients" in the traditional software sense. In reality, a single ISA client can appear to the server as all three types of ISA clients. In a sense, each client type is defined more by how it uses the ISA Server than by what is installed on the client machine itself. To understand this concept, it is important to understand what constitutes each type of client and how ISA views client traffic.
Defining the ISA Firewall Client
ISA Server 2004 comes with a full-blown ISA Client software component that can be installed on all workstations. The full ISA Software Client provides for the following capabilities:
As with any piece of software, the Firewall client requires occasional updates on all the systems. For example, ISA Server 2004 Standard version Service Pack 1 introduced a new version of the Firewall client. For security and functionality reasons, it is therefore important to keep the software up to date, using a tool such as Systems Management Server (SMS) 2003 or another software management product.
Defining the SecureNAT Client
The second defined client type in ISA Server 2004 is the SecureNAT client, which is essentially any IP client that can be physically routed to the ISA Server in one manner or another. This includes any type of client with a TCP/IP stack that is forced to send its traffic through the ISA Server.
For example, a simple network with a single internal subnet that has the ISA Server's internal IP address listed as the default gateway for that subnet would see all client requests from that network as SecureNAT client traffic, as shown in Figure 11.1.
Figure 11.1. Understanding SecureNAT clients in a simple network configuration.
The SecureNAT client scenario could also apply to more complicated networks with multiple subnets and routers, provided that the routes defined in the network topology route traffic through the ISA Server, as shown in Figure 11.2.
Figure 11.2. Understanding SecureNAT clients in a complex network configuration.
SecureNAT clients are the easiest to work with: They do not require any special configuration or client software. On the flip side, it is not possible to authenticate SecureNAT clients automatically or to determine individual user accounts that may be sending traffic through the ISA Server. SecureNAT clients can be controlled only through the creation of rules that limit traffic by IP address or subnet information.
SecureNAT client support requires an ISA Server to have more than one network interface because the traffic must flow through the server from one network to the next. This disallows a unihomed (single NIC) ISA Server from handling SecureNAT or Firewall clients. A unihomed server can handle Web Proxy clients only (for forward- or reverse-proxy support).
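The SecureNAT limitation described above (rules by IP address or subnet only, no user identity) can be checked against a rule set. The following Python sketch is an added example, not code from the book or from ISA Server: it flags user-based rules whose source range overlaps subnets that have only SecureNAT clients. The rule names, subnets, user sets and data layout are all constructed for illustration, and the model is a simplification rather than ISA Server's rule engine or export format.

```python
"""Added example: flag user-based rules that cover SecureNAT-only subnets.
All rule names, subnets and the data layout are constructed for illustration;
this is a simplified model, not ISA Server's rule engine or export format."""
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # source subnet in CIDR notation
    users: frozenset     # empty set = rule does not depend on user identity

# Constructed inventory: which client type each subnet's hosts use.
SUBNET_CLIENTS = {
    "10.1.0.0/24": "firewall",   # Firewall client software installed
    "10.2.0.0/24": "securenat",  # default gateway only, no client software
    "10.3.0.0/24": "securenat",
}

# Constructed rule set.
RULES = [
    Rule("Allow HTTP for Staff", "10.0.0.0/8", frozenset({"CORP\\Staff"})),
    Rule("Allow DNS from printers", "10.3.0.0/24", frozenset()),
    Rule("Allow FTP for Admins", "10.1.0.0/24", frozenset({"CORP\\Admins"})),
]

def unidentifiable_sources(rule, subnet_clients):
    """Return the SecureNAT subnets that overlap a user-based rule's source.

    SecureNAT traffic carries no user identity, so the user condition cannot
    be evaluated for those subnets; only IP/subnet conditions can apply."""
    if not rule.users:
        return []            # IP-only rule: usable with every client type
    src = ip_network(rule.source)
    return sorted(
        subnet for subnet, client in subnet_clients.items()
        if client == "securenat" and src.overlaps(ip_network(subnet))
    )

def audit(rules, subnet_clients):
    """Map rule name -> SecureNAT subnets its user condition cannot cover."""
    findings = {}
    for rule in rules:
        hits = unidentifiable_sources(rule, subnet_clients)
        if hits:
            findings[rule.name] = hits
    return findings

if __name__ == "__main__":
    for name, subnets in audit(RULES, SUBNET_CLIENTS).items():
        print(f"{name}: user condition unusable for {', '.join(subnets)}")
```

A flagged rule needs either an IP- or subnet-based replacement for those ranges or the Firewall client deployed on the affected hosts.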
Defining the Web Proxy Client
A Web Proxy client is a client connection that comes from a CERN-compatible browser client such as Internet Explorer or Firefox. Web Proxy clients interact directly with the proxy server capabilities of ISA Server 2004, and relay their requests off the ISA Server, which operates as a content caching solution to the clients. This enables commonly downloaded content to be stored on the ISA Proxy server and served up to clients more quickly. For more information on this concept, see Chapter 8, "Deploying ISA Server 2004 as a Content Caching Server."
It is very common to have Web Proxy clients also displayed as SecureNAT or Firewall clients in the ISA Server monitoring tools. This is because, fundamentally, the description of a Web Proxy client simply refers to the web browser-based application traffic that comes from a SecureNAT or Firewall client.
Outlining the VPN Client
Technically speaking, ISA Server recognizes a fourth type of client: Virtual Private Network (VPN) clients. A VPN client is a client system that remotely establishes an encrypted tunnel to an ISA Server. For more information on VPN clients and for deployment scenarios involving them, see Chapter 9, "Enabling Client Remote Access with ISA Server 2004 Virtual Private Networks (VPNs)."