Working with the Firewall Client


The Firewall client requires that a software package be installed on each client computer. However, if you're using Active Directory, you can install the software with little effort using Group Policy Software Distribution. Some client education and support are still required.

Only Windows 32-bit operating systems are supported (Windows 98 with Internet Explorer 5 installed, Windows Me, Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003), which means that Macintosh, Linux, or legacy Windows computers can't use this client.

Note 

The Firewall client connects to TCP and UDP port 1745 on the ISA server.

A common problem is that a client is unable to connect because its connection to the ISA server has been lost. You will receive a "The Page Cannot Be Displayed" error in Internet Explorer, and a "The Proxy Server You Have Configured Could Not Be Found" error message in Mozilla Firefox. You can test connectivity by using the Ping command-line utility. Keep in mind that a successful ping shows only that the ISA server is reachable at the IP level; the Firewall client also needs to reach TCP and UDP port 1745 on that server.

See Windows Help for more information about the Ping command.

Yet another problem is that the port number that is being used by the ISA server is incorrect, which may result in "The Page Cannot Be Displayed" errors on Internet Explorer or "The Operation Timed Out When Attempting To Contact Web-site" errors on Mozilla Firefox. Verify that the port number in the proxy settings is correct.

The Firewall client allows the use of all Winsock protocols, and you can manage it from the ISA server. You can configure the client from the server, and it refreshes on restart and once every subsequent six-hour period.

To work with the Firewall client, you must follow these steps:

  • Make the Firewall client share available.

  • Install the Firewall client.

  • Configure the Firewall client.

Make the Firewall Client Share Available

You can install the Firewall client on the ISA server or on another server. To reduce the attack surface of your ISA server, we recommend installing the Firewall client share (Mspclnt) on another server, and removing the File and Print Sharing options from your ISA server's internal interfaces.

To install the Firewall client share on a computer that does not already have ISA Server 2004 installed, follow these steps:

  1. Run the ISA Server 2004 setup. On the Welcome page, click Next to begin the installation.

  2. On the License Agreement page, read the EULA, select the I Accept The Terms Of The License Agreement check box, and then click Next.

  3. On the Customer Information page, type your information into the appropriate fields, then click Next.

  4. On the Setup Type page, select the Custom option, then click Next.

  5. In the Custom Settings dialog box, make the Firewall Client Installation Share the only feature that is installed: select Firewall Client Installation Share and choose This Feature Will Be Installed On Local Hard Drive, then select each of Firewall Services, ISA Server Management, and Message Screener and choose This Feature Will Not Be Available. Click Next.

    Note 

    Be sure that if you are installing the Firewall Client Installation Share on the ISA server, you do not make the other required services unavailable.

  6. Click Install. The share is then created and enabled.

Note 

If you install the Firewall Client Installation Share on an ISA server, a system policy rule called Allow Access To Firewall Client Share To Trusted Computers is enabled.

Install the Firewall Client

After making the Firewall client available on your network, the next step is to install the client on computers. An administrator on the machine must install the application, or elevated privileges for the Windows Installer (MSI) must be enabled through the AlwaysInstallElevated setting. Be aware that AlwaysInstallElevated lets any user on the machine install any MSI package with system privileges, so it is a local privilege escalation path; the Group Policy and SMS deployments described below avoid the need for it.

For more information about the AlwaysInstallElevated registry setting, see http://support.microsoft.com/kb/259459 in the Microsoft Knowledge Base.

There are several ways to accomplish the installation: manually, silently by using Group Policy, or through a software distribution tool, such as Microsoft Systems Management Server (SMS). We discuss these methods in the next section.

Warning 

You must uninstall previous versions of the Firewall client before trying to install the current version of the software. If you try to install the Firewall client on a computer running the ISA Server 2000 Firewall client, you receive a message that states, "Firewall Client for ISA Server 2004 cannot be installed over a previous version of the Firewall Client software. You must remove the older version of the Firewall Client software before installing the latest version."

Installing the Firewall Client Manually

To install the Firewall client, connect to the Universal Naming Convention (UNC) path to the Firewall Client Installation Share (e.g., \\YourISAServer\mspclnt) and then run Setup, following the instructions on the screen.

Silent/Unattended Install

To perform an unattended installation of the Firewall client, you can use a command-line installation as shown here:

 Path\Setup.exe /v "[SERVER_NAME_OR_IP=ISA_Server_Name] [ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}] /qn" 

The command line begins with the path to the setup file, which in our example is \\ISA2004\MSPclnt, and then passes properties to the installer that tell the client which ISA server to use, whether to enable automatic detection of the ISA server, and whether the Firewall client will also apply the Web proxy configuration information.

 C:\>\\ISA2004\MSPclnt\Setup.exe /v "SERVER_NAME_OR_IP=ISA2004 ENABLE_AUTO_DETECT=1 REFRESH_WEB_PROXY=1 /qn" 

The /qn option tells the Windows Installer service (msiexec) to run the installation in "quiet" mode with "no" interface. If you would like users to be able to see progress, use a /qb command, which shows basic dialog boxes as the installation takes place.

Group Policy-Based Install

You can install the Firewall client using Group Policy, as you can with all other MSI- based installations. Follow these steps to create a Group Policy-based installation.

  1. Using your Active Directory Users And Computers console, or the Group Policy Management console (see Windows Server Help for more information about these items), create or open the GPO you will use to manage clients.

  2. In the Group Policy Object Editor snap-in, navigate to either Computer Configuration or User Configuration, then expand the Software Settings node.

    Note 

    If you choose the Computer Configuration, the application does not install until the computer reboots. If you choose User Configuration, the software installs at the next logon.

  3. Right-click the Software Installation node, click New, then click Package.

  4. In the File Name box, type the path to the MSI installation package on the Firewall Client Installation Share (for example, \\ISA2004\Mspclnt\MS_FWC.MSI). Click Open.

  5. The Deploy Software dialog box opens; click Assigned, then click OK.

    Note 

    The Published and Advanced options are only available when you create a Software Package in the User Configuration of Group Policy. We advise against publishing this package, as it requires users to install the software from the Add/Remove Programs dialog box. The Assigned option requires no action on the part of the user.

  6. Close the Group Policy Object Editor and the Active Directory Users And Computers console, or the Group Policy Management console.

SMS-Based Install

If you have SMS available, you can deploy the Firewall client using the SMS software distribution functionality.

Note 

    We assume that you have an understanding of how to perform SMS tasks, such as creating collections, programs, and advertisements. See the SMS documentation for more information about these actions if necessary.

Follow these steps to distribute the Firewall client using SMS:

  1. Create a package using the Firewall Client Installation Share. Configure programs that change the way in which the application installs as needed.

  2. Create a collection that targets the machines on which the Firewall client will be installed.

  3. Create an advertisement that schedules when the Firewall client will be installed.

Applying Service Packs

You can find the most current service packs at the ISA Server Web site, http://www.microsoft.com/isaserver/downloads. When a service pack is installed, it often requires that the Firewall client be updated as well (as in the case of ISA Server Standard Edition Service Pack 1). To reinstall the Firewall client, run the Firewall client setup with the "family SUV" switch, as shown here:

 \\YourISAServerName\mspclnt\setup.exe /FamSUV /v"SERVER_NAME_OR_IP=ISA2004-SE" 

This command line completely reinstalls the client, overwriting all files and registry entries.

Checking Firewall Client Version Settings To determine your Firewall client version, open the Firewall client by double-clicking the notification area icon or the Control Panel icon, then click Help. The version number is shown in the HTML help document that opens.

Warning 

You should avoid installing the Firewall client on servers that need to keep the set of running services to a minimum, such as a server running ISA Server, or on servers that host published content.

Configure the Firewall Client

The Firewall client can be configured from two locations, which have different capabilities:

  • On the ISA server

  • On the client

Firewall Client Support on the ISA Server

In ISA Server you can configure firewall client settings in the Network Properties dialog box, where you also configure Web proxy settings. You must enable Firewall client support to allow ISA to support these clients.

Enabling Firewall Client Support To enable and configure Firewall client support on the ISA server, follow these steps:

  1. Open the ISA Server Management console, expand the Configuration node, and then click the Networks node.

  2. In the details pane, click the Networks tab, and select the network for which you're enabling Firewall clients. In the task pane, click the Tasks tab, then click Edit Selected Network (or you can simply right-click the network in the details view, then select Properties).

  3. Click the Firewall Client tab, then select the Enable Firewall Client Support For This Network check box as shown in Figure 4-5.

  4. In the Firewall Client Configuration area, type the fully qualified domain name (FQDN) into the ISA Server Name Or IP Address field.

    Caution 

    By default, the friendly (NetBIOS) name of the ISA Server is in this box. Using the FQDN helps overcome some name resolution issues.

  5. In the Web Browser Configuration On The Firewall Client Computer area, you can configure the settings that the Firewall clients will use. See the earlier section on configuring Web proxy for information about what these settings do.

  6. Click OK to close the NetworkName Properties dialog box.

image from book
Figure 4-5: Firewall client support must be enabled on the ISA server in the Networks interface.

Defining Firewall Client Settings In the ISA Server Management console, you define the settings that apply to all Firewall clients (connection options and per-application settings) from the General node, as described in the following sections.

Enabling Support for Legacy Firewall Clients To allow older Firewall clients to connect, follow these steps:

  1. Open the ISA Server Management console, expand the Configuration node, and then click the General node.

  2. In the details pane, click Define Firewall Client Settings. You will see the Firewall Client Settings dialog box, as shown in Figure 4-6.

  3. On the Connection tab, you can select the Allow Non-Encrypted Firewall Client Connections check box to allow backward compatibility with ISA Server 2000 and Proxy Server 2.0 clients. Click OK.

image from book
Figure 4-6: You can manage Connection settings for Firewall clients from the ISA Server Management console.

Note 

Don't select this check box unless it is absolutely necessary. Best practices call for using encrypted Firewall client connections.

Configuring Application Settings To configure the application settings, follow these instructions:

  1. Open the ISA Server Management console, expand the Configuration node, and then click the General node.

  2. In the details pane, click Define Firewall Client Settings, then click the Application Settings tab, which opens the dialog box shown in Figure 4-7. To create a new application setting, click New.

  3. In the Application field, type the name of the application.

  4. From the Key drop-down list, select the key you wish.

  5. In the Value field, type or choose the appropriate value for the key, then click OK.

image from book
Figure 4-7: You can manage how ISA Server processes application traffic using the Application Settings tab.

Configuring Direct Access to Certain Web Sites Because all Web traffic directed to ISA Server is automatically routed to the Web proxy filter, at times you might need a client to bypass the Web proxy filter for particular sites and reach them as a SecureNAT or Firewall client instead. Follow these steps to configure direct access to certain Web sites:

  1. Open the ISA Server Management console, expand the Configuration node, and then click the Networks node.

  2. In the details pane, click the Networks tab, and select the network for which you're enabling Web proxy clients. In the task pane, click the Tasks tab, then click Edit Selected Network (or you can simply right-click the network in the details view, then select Properties).

  3. Click the Web Browser tab, then click Add.

  4. Enter the IP address range or domain or computer name you wish to access directly, then click OK.

  5. Click OK to close the NetworkName Properties dialog box.

Excluding Domains from Firewall Client Connections If you have an internal domain to which you wish clients to connect directly without going through ISA Server, you can configure those clients in the Domains tab as described here:

  1. Open the ISA Server Management console, expand the Configuration node, and then click the Networks node.

  2. In the details pane, click the Networks tab, and select the network. In the task pane, click the Tasks tab, then click Edit Selected Network (or you can simply right-click the network in the details view, then select Properties).

  3. Click the Domains tab, then click Add.

  4. Enter a domain name (the domain name can be preceded by an asterisk to include all computers in that DNS domain) or the FQDN of a single computer, then click OK.

  5. Click OK to close the NetworkName Properties dialog box.

Configuring the Firewall Client on the Local Computer

There are many ways to configure the local firewall client. We discuss how to use the firewall client graphical user interface (GUI) and how to manually configure the four configuration files (LocalLAT.txt, Common.ini, Management.ini, and Application.ini).

Note 

By default only the Common.ini and Management.ini files exist.

These files (with the exception of the LocalLAT.txt file, which is only in the All Users profile) are found in two places on local computers:

  • Settings that apply to all users %Systemdrive%\Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004\

  • Settings that apply to the logged-on user %Systemdrive%\Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Firewall Client 2004\

The logged-on user settings override the settings located in the All Users profile. For a flowchart showing the way in which ISA Server processes configuration settings for the firewall client, see Figure 4-8.

image from book
Figure 4-8: The ISA Server Firewall client processes configuration settings for the client by applying the most specific settings first, then moving to the more general. Settings most specific to the user have higher priority.

Firewall GUI Settings When the firewall client is installed on the local computer, an icon appears in the notification area, as shown in Figure 4-9. To manage the Firewall client, double-click this icon or go to Control Panel and double-click the Firewall client icon. Some of these settings are written to the local configuration files, but most are the settings the client has downloaded from ISA Server and holds in memory.

image from book
Figure 4-9: The Firewall client icon—which you can double-click to bring up configuration options—appears in the notification area and in Control Panel.

The GUI is fairly basic, with two tabs—General and Web Browser—as shown in Figure 4-10.

image from book
Figure 4-10: You can configure the Firewall client from this dialog box.

The General tab allows you to enable and disable the Firewall client (for when you're traveling and need to connect directly to another network). On this tab you can choose Automatically Detect ISA Server (which uses Web Proxy AutoDiscovery Protocol [WPAD] entries) or Manually Select ISA Server. The Web Browser tab allows you to choose Enable Web Browser Automatic Configuration, which sets the Web proxy settings as they are configured on the ISA server. To set the browser information in Internet Explorer, click Configure Now.

The LocalLAT.txt file Although it is not created by default, the Firewall client can use a file called LocalLAT.txt—created at %systemdrive%\Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004—to determine which IP addresses are part of its internal network. To configure the file, enter one IP address range per line, start address followed by end address, as shown here:

 192.168.0.0      192.168.0.255 

If you wish to specify a single IP address, type the IP address twice, as shown here:

 10.15.233.14      10.15.233.14 

In this way you can supplement, for a single client, the default methods it uses to determine its local network (its routing table and the settings downloaded from ISA Server). Be careful what you add: any address in these ranges is reached directly, bypassing ISA Server and its rules.

The Common.ini Configuration File This file contains the settings that are configured on the General tab of the Firewall Client Settings dialog box. Most specifically, it determines the name of the ISA server, whether the client is disabled, and whether autodetection is enabled. An example of the entries in the Common.ini list is shown here:

 [Common]
 ServerName=ISA2004-SE
 Disable=0
 Autodetection=1 

The Management.ini Configuration File The Management.ini file contains the settings that determine whether the Firewall client icon shows up in the notification area and whether the Web proxy settings are applied by the Firewall client. An example of the entries in this file is shown here:

 [TrayIcon]
 TrayIconVisualState=0
 [WebBrowser]
 EnableWebProxyAutoConfig=1 
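The following script is an added example, not code from the book or from ISA Server. It parses the three file formats just shown (Common.ini, Management.ini, and LocalLAT.txt) and applies the override order from Figure 4-8, in which a key in the logged-on user's file wins over the same key in the All Users file. The file contents embedded in it are constructed samples that reuse the book's ISA2004-SE server name; they were not captured from a real client.

```python
"""Resolve the effective Firewall client settings on a workstation.

Added example (not from the book or ISA Server): parses Common.ini,
Management.ini and LocalLAT.txt in the format the text describes and
applies the All Users -> logged-on user override order of Figure 4-8.
The file contents below are constructed samples.
"""
import configparser
import ipaddress

# Constructed sample files. ISA2004-SE is the book's example server name.
ALL_USERS_COMMON = """[Common]
ServerName=ISA2004-SE
Disable=0
Autodetection=1
"""

# The logged-on user's copy overrides only the keys it contains.
USER_COMMON = """[Common]
Autodetection=0
"""

ALL_USERS_MANAGEMENT = """[TrayIcon]
TrayIconVisualState=0
[WebBrowser]
EnableWebProxyAutoConfig=1
"""

# One "start end" pair per line; a single host is written twice.
LOCAL_LAT = """192.168.0.0      192.168.0.255
10.15.233.14      10.15.233.14
"""


def parse_ini(text):
    """Parse one Firewall client .ini file into {section: {key: value}}.
    optionxform=str keeps the key case the client uses (ServerName)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def effective_settings(all_users_text, user_text=None):
    """Merge the per-user file over the All Users file, key by key."""
    merged = parse_ini(all_users_text)
    if user_text:
        for section, keys in parse_ini(user_text).items():
            merged.setdefault(section, {}).update(keys)
    return merged


def parse_local_lat(text):
    """Parse LocalLAT.txt into a list of (start, end) IPv4 ranges.
    Malformed or reversed lines are rejected instead of silently widening
    the set of addresses the client reaches without going through ISA."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"LocalLAT.txt line {lineno}: expected two addresses")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if start > end:
            raise ValueError(f"LocalLAT.txt line {lineno}: start address after end")
        ranges.append((start, end))
    return ranges


def is_local(addr, lat_ranges):
    """True if addr is in a LocalLAT range, i.e. the client connects to it
    directly rather than through the Firewall service on the ISA server."""
    ip = ipaddress.IPv4Address(addr)
    return any(start <= ip <= end for start, end in lat_ranges)


if __name__ == "__main__":
    common = effective_settings(ALL_USERS_COMMON, USER_COMMON)
    mgmt = effective_settings(ALL_USERS_MANAGEMENT)
    print("ISA server:", common["Common"]["ServerName"])
    print("Autodetection after user override:", common["Common"]["Autodetection"])
    print("Web proxy auto-config:", mgmt["WebBrowser"]["EnableWebProxyAutoConfig"])
    lat = parse_local_lat(LOCAL_LAT)
    for target in ("192.168.0.42", "10.15.233.14", "10.15.233.15"):
        print(target, "local" if is_local(target, lat) else "via ISA")
```

Run it as-is and it reports the merged settings and classifies three addresses; point the three constants at the real files under the two profile paths listed above to audit an actual workstation. Rejecting a reversed LocalLAT range matters because every address in that file bypasses ISA Server and its rules.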

The Application.ini Configuration File The Application.ini file is probably the most widely modified configuration file. You can alter application settings on the firewall itself for all clients (as described in the "Configuring Application Settings" section earlier), and you can also modify the Application.ini file on individual clients to handle specific applications and traffic differently. For more information about how to configure the Application.ini file, see the Advanced Firewall Client Configuration File Settings topic in the ISA Help file.

Using Infrastructure Servers to Automate Client Settings

Maintaining the settings for clients can be automated through the use of your DHCP and DNS servers. As you have already seen, you can enable automatic discovery in the Web proxy client or the Firewall client. The Web proxy client uses the Web Proxy AutoDiscovery Protocol (WPAD); the Firewall client uses the Winsock Proxy AutoDetect Protocol (WSPAD). You must configure DHCP or DNS with WPAD entries to support these requests. Because clients trust whatever these entries point to, anyone who can answer DHCP requests on the subnet or register a host named WPAD in your DNS zone can redirect every client's proxy traffic, so control who can write these records and do not let unauthorized DHCP servers onto client networks.

Configuring DNS

To configure DNS with a WPAD entry, follow these steps:

  1. On the DNS server, click Start, Administrative Tools, DNS.

  2. Expand the DNS server name, and then expand Forward Lookup Zones. Right-click the zone name, then select New Alias.

  3. In the New Resource Record dialog box, type WPAD in the Alias box.

  4. In the Fully Qualified Domain Name For Target Host field, type the FQDN name for your ISA server or array (for example, ISA2004.contoso.com).

  5. Click OK, and then close the DNS console.

DHCP Services

To configure DHCP with a WPAD entry, follow these steps:

  1. On the DHCP server, click Start, Administrative Tools, DHCP.

  2. Expand the DHCP server node, right-click the DHCP server name, then select Set Predefined Options.

  3. In the Predefined Options And Values dialog box, click Add. The Option Type dialog box opens.

  4. In the Name box, type WPAD.

  5. From the Data Type drop-down list, select String.

  6. In the Code text box, type 252.

  7. In the Description text box, type WPAD for ISA Automatic Discovery, then click OK.

  8. In the Value area of the Predefined Options And Values dialog box, type http://YourISAServerName:80/wpad.dat.

Note 

For DHCP Automatic Discovery to work, the user must have administrative rights on the machine.
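The following script is an added example, not code from the book or from ISA Server. It models the discovery order the text describes (the DHCP option 252 URL first, then the WPAD alias in the client's DNS domain) and adds the check a practitioner wants when reviewing these entries: the server that will actually serve wpad.dat must be one of the ISA servers you expect, since a rogue DHCP server or a stray WPAD record otherwise silently redirects the whole network's proxy traffic. The DHCP and DNS answers are constructed; isa2004.contoso.com and the trusted host list are assumptions for the example.

```python
"""Model ISA client proxy autodiscovery and validate the discovered URL.

Added example (not from the book or ISA Server). Reproduces the client
discovery order from the text: DHCP option 252 carries the wpad.dat URL;
failing that, the client resolves the alias wpad.<domain> and fetches
http://wpad.<domain>:<port>/wpad.dat. The lookups are constructed data.
"""
from urllib.parse import urlparse

# Constructed stand-ins for a DHCPINFORM reply and a DNS CNAME lookup.
DHCP_OPTIONS = {252: "http://isa2004.contoso.com:80/wpad.dat"}
DNS_CNAMES = {"wpad.contoso.com": "isa2004.contoso.com"}

# ISA servers allowed to publish autodiscovery information (assumed).
TRUSTED_WPAD_HOSTS = {"isa2004.contoso.com"}


def discover_wpad_url(dhcp_options, dns_cnames, client_domain, port=80):
    """Return (source, url) in the order a client tries: DHCP, then DNS."""
    if 252 in dhcp_options:
        return "dhcp", dhcp_options[252].strip()
    alias = f"wpad.{client_domain}"
    if alias in dns_cnames:
        return "dns", f"http://{alias}:{port}/wpad.dat"
    return None, None


def wpad_target_host(source, url, dns_cnames):
    """The host that actually receives the wpad.dat request.
    For the DNS method that is whatever the WPAD alias points to."""
    host = urlparse(url).hostname
    if source == "dns":
        return dns_cnames.get(host, host)
    return host


def check_wpad(dhcp_options, dns_cnames, client_domain, trusted_hosts):
    """Discover the WPAD URL and verify it leads to a trusted ISA server.
    Returns (ok, reason)."""
    source, url = discover_wpad_url(dhcp_options, dns_cnames, client_domain)
    if url is None:
        return False, "no WPAD entry found in DHCP or DNS"
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.path.endswith("/wpad.dat"):
        return False, f"{source}: unexpected WPAD URL {url}"
    target = wpad_target_host(source, url, dns_cnames)
    if target not in trusted_hosts:
        return False, f"{source}: WPAD served by untrusted host {target}"
    return True, f"{source}: {url} -> {target}"


if __name__ == "__main__":
    # Expected configuration, as set up in the DHCP and DNS steps above.
    print(check_wpad(DHCP_OPTIONS, DNS_CNAMES, "contoso.com", TRUSTED_WPAD_HOSTS))
    # DHCP absent (e.g. option 252 not defined): the DNS alias is used.
    print(check_wpad({}, DNS_CNAMES, "contoso.com", TRUSTED_WPAD_HOSTS))
    # A rogue DHCP server answering first wins over the DNS entry.
    rogue = {252: "http://rogue.example:80/wpad.dat"}
    print(check_wpad(rogue, DNS_CNAMES, "contoso.com", TRUSTED_WPAD_HOSTS))
```

The third call shows why the DHCP entry deserves the most scrutiny: because clients consult DHCP before DNS, a correct WPAD alias in DNS does nothing to protect a client that received option 252 from an unauthorized DHCP server.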

Troubleshooting

Cannot Connect to the Firewall Client Installation Share

Be certain that you are installing the software with an account that has permissions to the share, and also be sure that you have enabled the Allow Access To Firewall Client Share To Trusted Computers system policy, if the Firewall Client Installation Share is installed on an ISA server.

Client Dependencies on Infrastructure

Most issues that have to do with the firewall client relate to name resolution. If your firewall client can't find or connect to the ISA server, there's no way the ISA server can provide services.

Be certain that you are using a DNS server that can resolve both internal and external names. Preferably, you should use a split DNS structure, where an internal DNS server resolves internal names and forwards queries for external names to an external DNS server.

For additional references about ISA Server clients, refer to the "Additional Resources" appendix at the end of the book.




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
ISBN: 0735621888
Year: 2006
Pages: 173
