I'm having a little trouble grasping the utility of this thing. OK sure, if you want to allow your users to access the web with a whole variety of applications, it might be worthwhile. But what about when your interest is in keeping things as tight as possible - which is the way it should be anyway.
The first thing I've noticed is that regardless of the proxy settings you put in Internet Explorer, Internet Explorer can nevertheless access the internet. Fortunately, the Firewall client is short-sighted enough to not consider the fact that anyone would ever want to use anything other than Internet Explorer, so this can be killed either by creating a program entry for iexplore in the FWC settings and setting disable=1 (to not use the FWC settings), or alternatively by just removing all Proxy config settings from the ISA FWC configuration; though I haven't tried that and am not sure what else it might break.
This would be a workaround; however looking at what the FWC is actually bringing to the table makes me wonder whether it's worth going through that bother. On my LAN Firefox is the ONLY application that should have access to the external interface from client machines. Now, I'm told I can use the FWC configured for Direct Access for my internal [OWA] web server that the users need to access; this is supposed to use the Firewall client to pass authentication to the ISA server, so that I can then authenticate using Integrated Authentication to the Website itself.
That all sounds lovely... except that it doesn't work. If I set user access rules on the HTTP/S access rule from the internal network to the DMZ where the webserver is, I get an authentication box. Doesn't sound like transparent passing of credentials to me! If I turn off the authentication on the access rule it works fine, but then I've lost both user control AND the ability to redirect / to /exchange - which is worse than before! I've configured the app with disable=0 in the firewall client configuration.
On the other hand, why would you even want to do this? The very purpose of putting the ISA there was to PROTECT the internal network by allowing the ISA to inspect the traffic; if it's just going to need bypasses for everything I want to access, how is that helping at all??
So where's the advantage? Or what is it that I haven't set up properly?
Here any non-IE app always gets prompted; IE is fine, however, which leads me to think that the FWC only hands the credentials off to IE.
One thing that did surprise me about the FWC: it's there to enable complex web apps to work without much configuration; as Jim said some time ago, it's an enabler, not a disabler. However, maybe I'm missing a point here, but ISA 2004 has a default deny on everything unless explicitly allowed, except in the FWC, where it's the other way round.
So in policing the FWC connections it's always a reactive, after-the-fact app filter that has to be created to explicitly block an app, rather than default deny and then explicit allow.
You can add config options for Firefox and Netscape to allow the FWC to transparently auth those apps. However, since both those apps CAN auth to the Web Proxy filter, and I don't want any other apps to access the web, my conclusion is that I actually don't want the FWC installed at all, since as you say, it's an enabler, not a disabler. If I install it I have to go through and disable every app that Microsoft has stuck in by default that I don't want accessing the Internet. Not to mention the fact that it lets IE out to the net without having the Proxy settings set correctly - and you have to perform another fix-it step to correct that as well! And that step is also flaky - if you set the HTTP redirector to drop all HTTP requests, you then can't get the transparent auth from Netscape and Firefox. Typical...