Discussion about article on the 2004 ISA firewall's Firewall client

Discussion about article on the 2004 ISA firewall's Fir... - 29.Nov.2004 6:39:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on the 2004 ISA firewall's Firewall client application at http://isaserver.org/articles/2004firewallclient.html.

Thanks!
Tom

[ November 29, 2004, 08:56 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on the 2004 ISA firewall's... - 29.Nov.2004 8:02:00 PM   
dball@mapsnet.org

 

Posts: 10
Joined: 29.Nov.2004
From: Marquette, MI
Status: offline
I have one question that I haven't been able to find a good answer for, and this seems like the perfect place to ask it...

Is it possible to restrict Internet access to ONLY internal computers that have the Firewall Client installed? And if it is possible, is it a wise thing to do?

As a little background, we have a problem here where people occasionally bring in their home computers, and plug them into our network. There are varying reasons why they choose to do this, but in any case we don't want unknown computers on our network.

Sadly, we can't stop these unknown computers from plugging into the network (too many active ports and wireless access points), but we would like to make it as difficult as possible to use them once they do. I'm working on restricting the DHCP server to giving out leases only to our computers, and then setting up the ISA server to only allow the IP ranges we have reserved. The next step would be to restrict it to only certain computers being allowed to pass through the ISA server, which, I'm thinking, the Firewall Client might be the way to go.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on the 2004 ISA firewall's... - 29.Nov.2004 8:58:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

You bet! Just make sure that there are no Access Rules that allow anonymous connections. Any rule that allows outbound access for "All Users" is anonymous.

The only machines that should not have the Firewall client installed are servers. You should use Computer Objects or Computer Sets Objects to control outbound access for servers.

When users come into the network and don't have the Firewall client installed, they won't be able to authenticate and their connections are blocked.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on the 2004 ISA firewall's... - 30.Nov.2004 10:45:00 AM   
turbomcp

 

Posts: 36
Joined: 13.Nov.2002
Status: offline
hello
me again
so what you're saying is that the firewall client can only use NTLM authentication (have to log on to the domain or use local users on ISA)
so there's no way to use basic authentication (make the user be prompted for username and password regardless of his domain authentication)
in a firewall client scenario

(in reply to tshinder)
Post #: 4
RE: Discussion about article on the 2004 ISA firewall's... - 30.Nov.2004 1:28:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turbo,

That's right. So the clients and ISA firewall are members of the same domain. I've heard many "security experts" and "security officers" say that the ISA firewall shouldn't be a member of the domain, but then when I put them against the wall, they have nothing to say except "that's policy".

I.e., they're trying to look useful and not be outsourced to Bangalore.

Lesson: Join your ISA firewall to the domain and keep your job [Wink]

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on the 2004 ISA firewall's... - 30.Nov.2004 6:25:00 PM   
dball@mapsnet.org

 

Posts: 10
Joined: 29.Nov.2004
From: Marquette, MI
Status: offline
quote:
Originally posted by tshinder:
When users come into the network and don't have the Firewall client installed, they won't be able to authenticate and their connections are blocked.

How does this compare to ISA 2000? (That is what I currently have running, planning to upgrade in a couple of weeks.) I currently have 2000 with "Ask unauthenticated users for identification" enabled, and no access rules containing "All Users". When a computer that is not part of the domain tries to get through the ISA server, it simply prompts them for a username/password/domain. In general, other than a couple of programs working a tiny bit better, in 2000 I found almost no benefits of using the Firewall Client.

(in reply to tshinder)
Post #: 6
RE: Discussion about article on the 2004 ISA firewall's... - 30.Nov.2004 8:32:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

Not true! You're just using the Web Proxy if you're getting prompted for auth. The Web Proxy is just a very very small piece of the ISA firewall. You want to authenticate *all* TCP and UDP protocols, not just HTTP/HTTPS/tunneled FTP.

The Web Proxy can't do that. The Firewall client significantly increases not only the performance, but also the level of security and accessibility (because the SecureNAT client can't support secondary connections).

Put the Firewall client to full use, and you'll never go back to the basic Web Proxy/SecureNAT config again.

Also, please REMOVE the checkmark from the "ask unauthenticated users to auth" setting, and then remove your anonymous access rules.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about article on the 2004 ISA firewall's... - 1.Dec.2004 3:23:00 PM   
tinto

 

Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
hi Tom,

I have read your article and I was asking myself "why did the external expert who did the first installation of our ISA suggest that we not use the Firewall client on our PCs?"
Note that most of our internal PCs run Windows XP and we will soon reinstall all of them using a "master image", so it would not be hard work.
Sure, we have some of my beloved Mac, Linux, Sun and so on machines that we will continue using without installing FWclient on them [Wink]
but I was thinking it would be useful to use it for the "mass" of Windows users.
I really cannot imagine why not.

However, I've installed FWclient on my PC (XP Pro), which runs IIS with a simple website where a PHP script polls some web servers on the Internet to check their availability. This application (that's simply php-cgi.exe) has stopped working after the FWClient was installed.
What's the problem with that?

Thanks for commenting

(in reply to tshinder)
Post #: 8
RE: Discussion about article on the 2004 ISA firewall's... - 1.Dec.2004 8:47:00 PM   
dball@mapsnet.org

 

Posts: 10
Joined: 29.Nov.2004
From: Marquette, MI
Status: offline
quote:
Originally posted by tshinder:
Hi Dan,

Not true! You're just using the Web Proxy if you're getting prompted for auth. The Web Proxy is just a very very small piece of the ISA firewall. You want to authenticate *all* TCP and UDP protocols, not just HTTP/HTTPS/tunneled FTP.

The Web Proxy can't do that. The Firewall client significantly increases not only the performance, but also the level of security and accessibility (because the SecureNAT client can't support secondary connections).

Put the Firewall client to full use, and you'll never go back to the basic Web Proxy/SecureNAT config again.

Also, please REMOVE the checkmark from the "ask unauthenticated users to auth" setting, and then remove your anonymous access rules.

HTH,
Tom

There must be something wrong with our ISA 2000 setup then. It isn't acting at all like it's supposed to according to the articles I've read.

Anyways, I'm not going to touch it for now. I'm going to be rebuilding the server with ISA 2004 in a couple of weeks, and will start over from scratch.

So, based off of your Web Proxy comments, do we really need proxy settings pointing to that server at all? If the firewall client is installed, it should re-direct every web call through the ISA server anyways, is this correct?

Sorry for so many questions, the ISA 2004 class I was scheduled to take this week was cancelled, and now I'm scrambling to figure all this out by myself over the next couple of weeks...

(in reply to tshinder)
Post #: 9
RE: Discussion about article on the 2004 ISA firewall's... - 1.Dec.2004 8:58:00 PM   
dball@mapsnet.org

 

Posts: 10
Joined: 29.Nov.2004
From: Marquette, MI
Status: offline
quote:
Originally posted by Tinto:
Note that most of our internal PCs run Windows XP and we will soon reinstall all of them using a "master image", so it would not be hard work.

Not sure if this will help you, but if you're using Active Directory you can force install of the Firewall Client quite easily by using the Managed Software capability of Group Policies.

It works quite nicely in that you don't have to even touch a computer, and if anyone uninstalls the program it will re-install itself automatically.

(in reply to tshinder)
Post #: 10
RE: Discussion about article on the 2004 ISA firewall's... - 2.Dec.2004 4:11:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Tinto:
hi Tom,

I have read your article and I was asking myself "why did the external expert who did the first installation of our ISA suggest that we not use the Firewall client on our PCs?"
Note that most of our internal PCs run Windows XP and we will soon reinstall all of them using a "master image", so it would not be hard work.
Sure, we have some of my beloved Mac, Linux, Sun and so on machines that we will continue using without installing FWclient on them [Wink]
but I was thinking it would be useful to use it for the "mass" of Windows users.
I really cannot imagine why not.

However, I've installed FWclient on my PC (XP Pro), which runs IIS with a simple website where a PHP script polls some web servers on the Internet to check their availability. This application (that's simply php-cgi.exe) has stopped working after the FWClient was installed.
What's the problem with that?

Thanks for commenting

Hi Tinto,

Yes, your 'expert' was completely wrong when recommending that you not install the Firewall client. I suspect that the recommendation came from his lack of understanding of how the Firewall client worked, and the immense security benefits you get from using the firewall client.

HOWEVER, I always tell people to *not* install the firewall client on servers. There are a number of reasons for this, but it's a good general policy. So, if you're going to host an IIS site on a workstation, don't use the firewall client on that workstation. But for all standard Windows clients that don't host Web or other services (file sharing is fine, it works with the Firewall client installed), then you should always install the firewall client.

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion about article on the 2004 ISA firewall's... - 2.Dec.2004 4:14:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Dan Ball:
quote:
Originally posted by tshinder:
Hi Dan,

Not true! You're just using the Web Proxy if you're getting prompted for auth. The Web Proxy is just a very very small piece of the ISA firewall. You want to authenticate *all* TCP and UDP protocols, not just HTTP/HTTPS/tunneled FTP.

The Web Proxy can't do that. The Firewall client significantly increases not only the performance, but also the level of security and accessibility (because the SecureNAT client can't support secondary connections).

Put the Firewall client to full use, and you'll never go back to the basic Web Proxy/SecureNAT config again.

Also, please REMOVE the checkmark from the "ask unauthenticated users to auth" setting, and then remove your anonymous access rules.

HTH,
Tom

There must be something wrong with our ISA 2000 setup then. It isn't acting at all like it's supposed to according to the articles I've read.

Anyways, I'm not going to touch it for now. I'm going to be rebuilding the server with ISA 2004 in a couple of weeks, and will start over from scratch.

So, based off of your Web Proxy comments, do we really need proxy settings pointing to that server at all? If the firewall client is installed, it should re-direct every web call through the ISA server anyways, is this correct?

Sorry for so many questions, the ISA 2004 class I was scheduled to take this week was cancelled, and now I'm scrambling to figure all this out by myself over the next couple of weeks...

Hi Dan,

No problem with the questions! I wonder how they would offer an ISA 2004 class yet, since there is no MOC available for 2004 at this time. [Big Grin]

There is still value in configuring the clients as Web Proxy clients. While the Firewall client connections will be forwarded to the Web Proxy component when the Web Proxy filter is bound to the HTTP protocol (which it is by default), you benefit from using the autoconfiguration script to set sites that you should use Direct Access for. Direct Access is very useful and I've covered it in the book, and since it's such a vitally important topic, I'll end up doing a series on the subject on this site.

HTH,
Tom

(in reply to tshinder)
Post #: 12
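The Direct Access idea in Tom's reply is carried by the proxy autoconfiguration (PAC) script that Web Proxy clients download: a JavaScript `FindProxyForURL` function that answers `DIRECT` for destinations the browser should reach without the proxy and `PROXY host:port` for everything else. The block below is an added, hand-written script of that kind; it is not the script the ISA firewall generates and not code from the article or the thread. The proxy name `isa.corp.example`, the internal domain `.corp.example`, the address ranges and the `*.update.example` pattern are all assumptions. Browsers provide the PAC helper functions (`isPlainHostName`, `dnsDomainIs`, `isInNet`, `shExpMatch`); small stand-ins are defined here so the script can be exercised outside a browser, for example with node, and this `isInNet` only handles IP literals because it cannot resolve names.

```javascript
// Constructed example of a PAC script implementing Direct Access for
// internal destinations. Names, domains and addresses are assumptions.

// Stand-ins for the helper functions a browser supplies to PAC scripts.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

function shExpMatch(str, pattern) {
  // Translate a shell glob (* and ?) into an anchored, case-insensitive regex.
  var re = '^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                        .replace(/\*/g, '.*')
                        .replace(/\?/g, '.') + '$';
  return new RegExp(re, 'i').test(str);
}

function ipToInt(ip) {
  // Dotted-quad string -> unsigned integer, or null if it is not an IPv4 literal.
  var parts = ip.split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// The browser's isInNet() resolves names first; this stand-in accepts
// only IP literals, so a DNS name never matches a network here.
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Assumed Web Proxy listener on the ISA firewall.
var ISA_PROXY = 'PROXY isa.corp.example:8080';

function FindProxyForURL(url, host) {
  // Direct Access: single-label names, the internal DNS suffix and the
  // internal address ranges are reached without the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, '.corp.example') ||
      isInNet(host, '10.0.0.0', '255.0.0.0') ||
      isInNet(host, '192.168.0.0', '255.255.0.0') ||
      host === 'localhost' || host === '127.0.0.1') {
    return 'DIRECT';
  }
  // Direct Access for an external site that should bypass the proxy.
  if (shExpMatch(host, '*.update.example')) {
    return 'DIRECT';
  }
  // Everything else goes through the authenticating Web Proxy. No
  // "; DIRECT" fallback is appended: if the proxy is down, browsers
  // should fail rather than silently route around the firewall.
  return ISA_PROXY;
}
```

The decisions in this script only affect Web Proxy client (browser) traffic. Applications handled by the Firewall client decide local versus remote from the address tables the client receives from the ISA firewall, not from this script, so a site added to Direct Access here does not change how non-browser Winsock applications are handled.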
RE: Discussion about article on the 2004 ISA firewall's... - 2.Dec.2004 12:11:00 PM   
preeves

 

Posts: 22
Joined: 2.Dec.2004
Status: offline
Hi Tom,
I was looking at using GFI download security, but the manual states that if the firewall client is installed and the users have an ftp client then uploads and downloads will not be checked.
This is obviously a problem, as you quite clearly recommend that the firewall client IS installed.
Your thoughts are welcome !

Regards
Paul

(in reply to tshinder)
Post #: 13
RE: Discussion about article on the 2004 ISA firewall's... - 2.Dec.2004 2:56:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

That's a good question. The issue isn't so much with using the Firewall client, but how FTP is used in the organization. If you use DownloadSecurity, it only works for HTTP-tunneled FTP downloads that go through the ISA firewall's Web Proxy component. However, if you limit FTP access through the Web Proxy component, you are limited to download only. No uploads are possible via the Web Proxy.

So, what to do? You can still install the Firewall client, but then you'll need control over the desktops to prevent them from using FTP client applications that don't go through the Web Proxy. I know that's easier said than done, but that's the only solution I can think of.

It is possible to create a filter to block FTP downloads for SecureNAT/Firewall clients. Not sure why developers haven't hooked into this yet. The Web Proxy piece is going to become less important as the ISA firewall makes further impact on the firewall market as a whole and packet filter firewalls take their place in Internet history and are no longer used for real protection.

HTH,
Tom

(in reply to tshinder)
Post #: 14
RE: Discussion about article on the 2004 ISA firewall's... - 2.Dec.2004 3:36:00 PM   
tinto

 

Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
quote:

Yes, your 'expert' was completely wrong when recommending that you not install the Firewall client. I suspect that the recommendation came from his lack of understanding of how the Firewall client worked, and the immense security benefits you get from using the firewall client.

agree... probably many very experienced people have had not-so-good experiences with the old Winsock Proxy client (is this the correct name?) and prefer not to deal with FWclient if not necessary.

But I'm new to all this and reading the article has convinced me that for "normal users" installing the fwc would have advantages. For example I abstract clients from routing problems, I keep them from querying my internal DNS server and I can see names when I try to kill streaming radio connections [Wink]
quote:

HOWEVER, I always tell people to *not* install the firewall client on servers. There are a number of reasons for this, but its a good general policy. So, if you're going to host an IIS site on a workstation, don't use the firewall client on that workstation. But for all standard Windows clients that don't host Web or other services (file sharing is fine, it works with the Firewall client installed), then you should always install the firewall client.

it was just an example... my pc is designed for all of my destructive testings [Smile]

thanks

(in reply to tshinder)
Post #: 15
RE: Discussion about article on the 2004 ISA firewall's... - 6.Jan.2005 5:00:00 PM   
dball@mapsnet.org

 

Posts: 10
Joined: 29.Nov.2004
From: Marquette, MI
Status: offline
I haven't gotten everything setup quite right yet, and there is a lot more to be done before I force the Firewall Client onto all computers.

However, I was noticing yesterday that there seems to be a strange problem with the client that makes me wary about putting it on all computers: One of our Wireless Access Points on our internal network got reset to factory defaults. This is normally not a big problem, as all I do is connect to its built-in web server and configure it for the right settings again.

However, I was unable to connect to it because SurfControl (installed on the ISA 2004 server) was denying me access. I tried a couple of rule changes, but was still unable to get to the WAP. So, instead of messing with SurfControl more to get that working right, I decided to connect directly to the WAP without passing through the ISA server (It was on the LAN, so there was no reason "why" I should have to pass through the ISA server to get to it.).

I tried disabling the Proxy settings, didn't help. Tried entering the IP for the WAN in the Internet Properties to bypass the proxy, didn't help. Disabled the Firewall Client, didn't help. Finally had to uninstall the Firewall Client completely to get it to work.

So, this makes me wonder, if we install the Firewall Client on 1200+ computers, will that force every single network packet to pass through our ISA server? I don't know if it is up to handling the entire network's traffic load, especially when it should be unnecessary.

(in reply to tshinder)
Post #: 16
