Welcome to ISAserver.org
Firewall Client problems and questions
Firewall Client problems and questions - 6.Jul.2006 8:41:26 PM
thecoffeeguy
Posts: 165
Joined: 28.Aug.2005
Status: offline
Ok, so I was able to get the auto-detect issue corrected with the firewall client. However, I am having some issues as well as more questions.

1.) I am currently testing the FWC on four computers before I roll it out to the company. 3 of the 4 FWC will appear in the sessions filter when I start one up. One, for some reason, is not. The only thing I can see is that the 3 that are working are running XP. The one that is not is running 2000 Pro. Also, when I look at the client icon by the clock, I don't see an 'up arrow' showing connection, BUT it is showing it is detecting the ISA Box.

2.) Since I am not using the FWC, on the 'Web Proxy -> Authentication ->', I currently have 'Require all users to authenticate' due to some web filtering software that we were testing. However, we are no longer testing the software (that is another thread entirely...bad bad experience). I just have 'Integrated' checked on the list, since we run AD and the ISA is in AD.

3.) Firewall rules. What would be the best solution to use when specifying users? Should I just use groups that I have created within AD? Should I use 'all authenticated users'? What is ideal? What works best with the FWC, since that is the way we are going to be going?

4.) Any known issues with the FWC and Windows 2000?

5.) Do I need to run SP2 against the machines that have the FWC installed?

That should do it for now.

Thank you,
thecoffeeguy
RE: Firewall Client problems and questions - 10.Jul.2006 8:32:15 PM
thecoffeeguy
Any ideas on this one? Any idea why some FWClients don't show up when I run a filter session, looking for FWC connections?
RE: Firewall Client problems and questions - 10.Jul.2006 9:10:21 PM
thecoffeeguy
Ok. Hopefully have some additional information that will help. On the machines that are not showing up in the Firewall Client Session filter, I have noticed that when I 'hover' over the FWC icon by the clock, it says "Detected ISA Server." On the machines that do show up, it says connected. So what would cause some computers to detect, but not connect?

Thx
RE: Firewall Client problems and questions - 10.Jul.2006 9:19:53 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi thecoffeeguy, check out: HTH, Stefaan
RE: Firewall Client problems and questions - 10.Jul.2006 9:35:44 PM
spouseele
Hi thecoffeeguy, which autodetect method have you implemented: DHCP and/or DNS? What does the Firewall Client Tool report?

HTH, Stefaan
RE: Firewall Client problems and questions - 10.Jul.2006 11:06:01 PM
spouseele
Hi thecoffeeguy, are you saying that on *all* workstations the commands 'FwcTool TestAutoDetect /type:DHCP' and 'FwcTool TestAutoDetect /type:DNS' are working perfectly? So, may I assume you have used TCP port 80 for publishing the auto discovery information? Assuming all the systems detect the ISA server well, how did you check they are not all connecting? Also, is there something common on all the systems that are not connecting? HTH, Stefaan
< Message edited by spouseele -- 10.Jul.2006 11:08:55 PM >
RE: Firewall Client problems and questions - 10.Jul.2006 11:20:18 PM
thecoffeeguy
quote:
ORIGINAL: spouseele

Hi thecoffeeguy, are you saying that on *all* workstations the commands 'FwcTool TestAutoDetect /type:DHCP' and 'FwcTool TestAutoDetect /type:DNS' are working perfectly? So, may I assume you have used TCP port 80 for publishing the auto discovery information? Assuming all the systems detect the ISA server well, how did you check they are not all connecting? Also, is there something common on all the systems that are not connecting? HTH, Stefaan

I only have the FWC on about 6 computers, mostly for testing. Two computers were working great. Always showing up. The others were not. I could tell because I would start a filter for the FWC and then test the machine. They would not show up in the monitor.

On the few machines that I've run the FWC Tool on, yes, they all reported success.

Yes. Using port 80 for publishing auto discovery.

To check, I would use the ISA monitor to watch for sessions. I would then walk over to the computer and look at the FWC in the tray. Just hovering over it with the mouse would say 'detected'. After browsing the internet, I would never see the green area pointing up and it would still say detected, but not connected (like on my PC for example, where it says 'connected').

Update: I was working on one of the computers and have some more information. What I did was clear the IE settings of their LAN Connection settings (unchecking automatically detect settings mostly). Then, I would configure the FWC and detect ISA. Then, I would go to the web browser tab and hit 'configure'. I would then open up IE and it would appear to work. Might take me a time or two to get it right, but that "seems" to have fixed it. I'll post more after more testing.
RE: Firewall Client problems and questions - 10.Jul.2006 11:26:19 PM
spouseele
Hi thecoffeeguy,

quote:
To check, I would use the ISA monitor to watch for sessions. I would then walk over to the computer and look at the FWC in the tray. Just hovering over it with the mouse would say 'detected'. After browsing the internet, I would never see the green area pointing up and it would still say detected, but not connected (like on my PC for example, where it says 'connected')

Aha... if IE or whatever browser is configured as Web Proxy client, that traffic will *not* be handled by the Firewall client. To understand why, check out http://blogs.isaserver.org/pouseele/2006/05/21/a-different-look-at-the-isa-clients/.

HTH, Stefaan
RE: Firewall Client problems and questions - 10.Jul.2006 11:47:29 PM
thecoffeeguy
quote:
ORIGINAL: spouseele

Hi thecoffeeguy, my favorite config for all the Windows based workstations is to configure them as Web Proxy *and* Firewall *and* SecureNAT client. To automate that process:
- SecureNAT client: through DHCP.
- Firewall Client: autodetect through the DNS method (optional DHCP).
- Web Proxy client: let the Firewall client do that for you (see my article).

HTH, Stefaan

That is almost what I am doing, right?

1.) SecureNAT: I do have DHCP set up with WPAD and my clients get IP via DHCP.
2.) Firewall client: Have DNS and DHCP set up for WPAD. Soon to install FWC on all systems.
3.) On the FWC, just click web browser tab, configure. All done, right?

Lastly, when using the FWC, you want to make sure that in IE, there is nothing in the 'proxy server' section at the bottom, correct?

Thanks.
RE: Firewall Client problems and questions - 11.Jul.2006 12:30:57 AM
thecoffeeguy
quote:
ORIGINAL: spouseele

Hi thecoffeeguy, almost there...

1. SecureNAT has nothing to do with WPAD!
2. I use DNS only, especially if I have to support systems older than WinXP-SP2 and Win2003-SP1.
3. That's not needed because you can define on ISA that the FWC should configure IE with a configuration script. That means that if the FWC detects the ISA server then FWC will automatically reconfigure IE for the configuration script.

From my article...

quote:
When you enable in Internet Explorer the options Automatically detect settings, Use automatic configuration script and Proxy server, then the processing order is as follows:
- DHCP Option 252 (Automatically detect settings)
- DNS WPAD Alias (Automatically detect settings)
- Configuration script (Use automatic configuration script)
- Manual configuration (Proxy server)

Note: the DHCP Option 252 is only supported for all users in Windows XP SP2 and Windows 2003 SP1 or later. The DNS WPAD Alias is supported for all users in Windows 2000 or later.

HTH, Stefaan

Good stuff. Since I run both XP SP2 and Windows 2000 here, it makes things more challenging.

Also, is it a good idea to put the FWC on servers as well? Is it needed?

Lastly, I'm assuming it is recommended to set in ISA under Firewall client:
- Automatically detect settings (well, ya. :) )
- Use automatic configuration script
  - use default URL

I have those two checked right now, and NOT the 'Use a web proxy server' area.

Really appreciate the help Stefaan.
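The processing order quoted in the post above, together with Stefaan's earlier point that a browser configured as a Web Proxy client is not handled by the Firewall client, modelled as an added example (not part of the thread and not ISA Server code). It assumes the first step that yields a configuration wins; the class and function names are hypothetical and the host names and URLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IESettings:  # the three IE LAN-settings options named in the quoted article
    auto_detect: bool = False            # "Automatically detect settings"
    script_url: Optional[str] = None     # "Use automatic configuration script"
    manual_proxy: Optional[str] = None   # "Proxy server"

@dataclass
class Published:  # what the network answers during auto-detection (None = no answer)
    dhcp_option_252: Optional[str] = None
    dns_wpad_alias: Optional[str] = None

def resolve_proxy_source(ie, net, dhcp252_for_all_users):
    """Walk the quoted processing order; return (source, value) of the first hit.

    Assumption: the first step that yields a configuration wins.
    dhcp252_for_all_users: True on Windows XP SP2 / Windows 2003 SP1 or later.
    """
    steps = []
    if ie.auto_detect:
        if dhcp252_for_all_users:
            steps.append(("DHCP Option 252", net.dhcp_option_252))
        steps.append(("DNS WPAD Alias", net.dns_wpad_alias))
    steps.append(("Configuration script", ie.script_url))
    steps.append(("Manual configuration", ie.manual_proxy))
    for source, value in steps:
        if value:
            return source, value
    return "none", None

def browser_is_web_proxy_client(ie, net, dhcp252_for_all_users):
    """True when IE ends up with a proxy configuration; per the thread, that
    browser traffic is then not handled by the Firewall client."""
    return resolve_proxy_source(ie, net, dhcp252_for_all_users)[0] != "none"

# Constructed sample data: host names and URLs are placeholders.
NET = Published(dhcp_option_252="http://isa.example.local:80/wpad.dat",
                dns_wpad_alias="http://wpad.example.local:80/wpad.dat")
IE_ALL = IESettings(auto_detect=True,
                    script_url="http://isa.example.local:8080/array.dll?Get.Routing.Script",
                    manual_proxy="isa.example.local:8080")

if __name__ == "__main__":
    print("XP SP2 :", resolve_proxy_source(IE_ALL, NET, True))
    print("Win2000:", resolve_proxy_source(IE_ALL, NET, False))
    print("cleared:", browser_is_web_proxy_client(IESettings(), NET, True))
```

With all three options enabled, the Windows 2000 case falls through to the DNS WPAD alias, which matches Stefaan's reason for using DNS only on a mixed estate.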
RE: Firewall Client problems and questions - 11.Jul.2006 12:24:36 PM
spouseele
Hi thecoffeeguy,

quote:
Also, is it a good idea to put the FWC on servers as well? Is it needed?

No! The FWC is not designed for servers. So, servers should only be SecureNAT and Web Proxy clients.

quote:
Lastly, I'm assuming it is recommended to set in ISA under Firewall client: -Automatically detect settings (well, ya. :) ) -Use automatic configuration script ----use default URL I have those two checked right now, and NOT the 'Use a web proxy server' area.

In the Internal network properties, tab Firewall client I have:
- Enable Firewall client support for this network checked.
- Firewall client configuration: the FQDN of the ISA internal interface.
- Web browser configuration on the Firewall client computer: only Use automatic configuration script checked. I populate the Use custom URL box with http://FQDN:8080/array.dll?Get.Routing.Script but I believe you can check Use default URL instead as well.

For the servers, leave IE at its default setting, and that should be Automatically detect settings.

HTH, Stefaan