After the necessary server configuration is complete, the actual client software can be installed. There are several different installation options, as follows:
Each of these installation options has its particular pros and cons, as described in this section.
If older versions of the ISA Client are installed, they should be upgraded to the version that corresponds to the server version. Conversely, the ISA Client version for ISA Server 2004 cannot connect to down-level Proxy Server 1.x/2.x servers, because the type of traffic required is considered to be a security risk.
The prerequisites to installing the Firewall client are as follows:
Manually Installing the ISA Firewall Client
The most straightforward way to install the Firewall client is to simply run through the Setup.exe GUI. To install the client this way, do the following:
Using Unattended Setup Scripts to Deploy the ISA Firewall Client
Installation through the ISA Client setup.exe can be automated via a batch process, a login script, or a software distribution program. Through a particular set of command-line options, the entire process can be made completely non-interactive and automated. For example, the following command sequence installs the firewall client:
Figure 11.8 illustrates this command, run from the command line of a client.
Figure 11.8. Installing the Firewall client from the command prompt.
In the figure, server25 is the name of the ISA Server, ENABLE_AUTO_DETECT=1 turns on the automatic detection of the ISA Server, and REFRESH_WEB_PROXY=1 turns on automatic configuration of the Web Proxy info.
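The following PowerShell wrapper is an added example, not code from the original text: it runs the unattended install with the two options described above, but first verifies the installer's Authenticode signature and afterwards records the exit code. The installer share path, the log path, the `SERVER_NAME_OR_IP` property name, and the `/v"... /qn"` form for passing properties through Setup.exe are assumptions that do not appear on this page.

```powershell
# Added example: unattended Firewall client install with pre- and post-checks.
# Assumptions (not from the page): installer path, log path, the
# SERVER_NAME_OR_IP property name, and the /v"... /qn" pass-through form.
param(
    [string]$IsaServer = 'server25',                      # ISA Server name used in the figure
    [string]$SetupPath = '\\server25\mspclnt\setup.exe',  # assumed installer location
    [string]$LogPath   = "$env:TEMP\fwc-install.log"      # assumed log location
)

function Write-Log([string]$Message) {
    # One timestamped line per event so failed rollouts can be traced later.
    ('{0:u} {1}' -f (Get-Date), $Message) | Add-Content -Path $LogPath
}

if (-not (Test-Path -LiteralPath $SetupPath)) {
    Write-Log "Installer not found at $SetupPath"
    exit 2
}

# Policy choice in this example: never execute a binary pulled from a network
# share unless its Authenticode signature validates on this client.
$sig = Get-AuthenticodeSignature -FilePath $SetupPath
if ($sig.Status -ne 'Valid') {
    Write-Log "Signature check failed: $($sig.Status)"
    exit 3
}
Write-Log "Signer: $($sig.SignerCertificate.Subject)"

# The two options explained on the page, plus the server name.
# /qn tells Windows Installer to show no user interface.
$props     = "SERVER_NAME_OR_IP=$IsaServer ENABLE_AUTO_DETECT=1 REFRESH_WEB_PROXY=1"
$arguments = '/v"{0} /qn"' -f $props

$proc = Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait -PassThru
Write-Log "Setup exited with code $($proc.ExitCode)"

# Windows Installer codes: 0 = success, 3010 = success, reboot required.
if (@(0, 3010) -notcontains $proc.ExitCode) {
    exit 1
}
exit 0
```

Run from a login script or software distribution job, the non-zero exit codes let the deployment tool distinguish a missing installer (2) and a failed signature check (3) from a failed install (1).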
Deploying the Firewall Client via Active Directory Group Policies
The most efficient and automated approach to ensuring that the Firewall client is deployed and updated on a regular basis is to use Active Directory Group Policy Objects (GPOs), which allow for software installation and customization of various Registry and system settings automatically. Group policies can be applied to all workstations in a domain, or to a subset of systems. To create this type of GPO in an Active Directory domain, do the following:
For this type of group policy, where Firewall client software will be deployed, it is not recommended to apply the GPO to all systems on a network. Apply it instead to a limited subset, such as all workstations, and be sure to test the GPO on a sample OU first.
With the GPO in place, all computer accounts in the OU to which it applies will have the ISA Firewall Client software automatically installed. With the auto-setup options previously described, the configuration can also be automated, making it seamless to the end user.