• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

From where to start the FWC?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> From where to start the FWC? Page: [1]
Login
Message << Older Topic   Newer Topic >>
From where to start the FWC? - 25.Jan.2006 3:29:55 PM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi,

I have small ISA network that consists from WP clients for Internet access and VPN. I didnt use the FWC before but today i installed it on my computer and i didnt see something to configure at the FWC icon so how can i beneft from it? and where should i implement it?

Thanks,
Post #: 1
RE: From where to start the FWC? - 25.Jan.2006 3:34:25 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
When you install FWC, it creates two shortcuts; one in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" and another in "C:\Documents and Settings\All Users\Start Menu\Programs".  Either of those links should bring up the GUI, or you can right-click the icon in the systray.


_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to iraq it)
Post #: 2
RE: From where to start the FWC? - 25.Jan.2006 3:52:05 PM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
quote:

ORIGINAL: LLigetfa

When you install FWC, it creates two shortcuts; one in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" and another in "C:\Documents and Settings\All Users\Start Menu\Programs".  Either of those links should bring up the GUI, or you can right-click the icon in the systray.



I have it on the system try and i can access the Internet using it or using WP (disable FWC). But i remember that a list of protocols avialable in the properties but from where? Also, when do you think i need the FWC?

Thanks,

(in reply to LLigetfa)
Post #: 3
RE: From where to start the FWC? - 25.Jan.2006 4:34:05 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
The FWC is what's known as a WinSock replacement.  What it does is intercept WinSock calls and subverts them based on the config.

The FWC is generally configured at the ISA server, under Configuration -> General -> Define Firewall Client Settings.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to iraq it)
Post #: 4
RE: From where to start the FWC? - 25.Jan.2006 4:37:51 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Understanding the ISA 2004 Firewall Client
The Firewall client software is an optional client component that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall client software provides the following enhancements to Windows clients:
  • Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols
  • Allows user and application information to be recorded in the ISA firewall's log files
  • Provides enhanced support for network applications, including complex protocols requiring secondary connections
  • Provides "proxy" DNS support for Firewall client machines
  • Allows you to publish servers requiring complex protocols without the aid of an application filter (although not 'officially' supported in the new ISA firewall)
  • Makes the network routing infrastructure transparent to the Firewall client machine

Read More on :
http://www.internetaccessmonitor.com/eng/products/articles/Why_the_ISA_Firewall_Client_Rocks/Why_the_ISA_Firewall_Client_Rocks.php


generally i recommend using the combination of the 3  clients type ,here is why:

Multiple ISA Server clients can be used on a single computer. This allows the ISA Server client to obtain the best benefits of all the clients.
Configuring the client computer as a SecureNAT client enables basic Web access and caching, as well as allows the client to utilize application filters to access other objects on the Internet. Although the SecureNAT client cannot provide authentication, access rules can restrict client access by IP address, schedule, protocol, and destination requested.
Adding the Web proxy client information to the Web browser provides more direct, efficient access to the Web proxy service. (SecureNAT clients use the firewall service and Web protocols are then passed to the Web proxy service.) Web proxy clients can also provide authentication information if required to do so by the ISA Server.
By installing the Firewall client, authentication will always be passed to the ISA Server, and the client can directly inform the firewall service of the needs of the application it is using.

< Message edited by elmajdal -- 25.Jan.2006 4:39:52 PM >

(in reply to iraq it)
Post #: 5
RE: From where to start the FWC? - 25.Jan.2006 6:03:40 PM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
quote:

ORIGINAL: elmajdal


Understanding the ISA 2004 Firewall Client
The Firewall client software is an optional client component that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall client software provides the following enhancements to Windows clients:
  • Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols
  • Allows user and application information to be recorded in the ISA firewall's log files
  • Provides enhanced support for network applications, including complex protocols requiring secondary connections
  • Provides "proxy" DNS support for Firewall client machines
  • Allows you to publish servers requiring complex protocols without the aid of an application filter (although not 'officially' supported in the new ISA firewall)
  • Makes the network routing infrastructure transparent to the Firewall client machine


Read More on :
http://www.internetaccessmonitor.com/eng/products/articles/Why_the_ISA_Firewall_Client_Rocks/Why_the_ISA_Firewall_Client_Rocks.php


generally i recommend using the combination of the 3  clients type ,here is why:

Multiple ISA Server clients can be used on a single computer. This allows the ISA Server client to obtain the best benefits of all the clients.
Configuring the client computer as a SecureNAT client enables basic Web access and caching, as well as allows the client to utilize application filters to access other objects on the Internet. Although the SecureNAT client cannot provide authentication, access rules can restrict client access by IP address, schedule, protocol, and destination requested.
Adding the Web proxy client information to the Web browser provides more direct, efficient access to the Web proxy service. (SecureNAT clients use the firewall service and Web protocols are then passed to the Web proxy service.) Web proxy clients can also provide authentication information if required to do so by the ISA Server.
By installing the Firewall client, authentication will always be passed to the ISA Server, and the client can directly inform the firewall service of the needs of the application it is using.


Thanks for the link.

When i use the Internet as WP then i enable the FW, is that mean the user will switch to FW client mode? and is that mean the user will switch to FW client setting or use the WP rules?

When i enable the FW, is that mean i will have more access to protocols or i will have the same privillages as WP and the change just the features that mentions in the link above?

Thanks,

(in reply to elmajdal)
Post #: 6
RE: From where to start the FWC? - 25.Jan.2006 7:09:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Having all three client types is recommended.  WHat you will find is that different applications will use the different client types depending on how and what protocols.  To know which will be used in a particular instance requires some knowledge of the application, protocols and the network OSI model.

Stefaan has a good tutorial on this site that explains it very well.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to iraq it)
Post #: 7
RE: From where to start the FWC? - 25.Jan.2006 7:28:33 PM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
OK, i have WP clients and i dont have any problem but sometimes i need to use the Internet messenger so can FWC be a solution for that. Also, what other application do you think it recommeded to use it?

Thanks,

(in reply to LLigetfa)
Post #: 8
RE: From where to start the FWC? - 25.Jan.2006 8:07:29 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I put FWC on all my clients.  It fills the gap where WP falls short.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to iraq it)
Post #: 9
RE: From where to start the FWC? - 3.Feb.2006 5:35:47 PM   
kdiekemper

 

Posts: 54
Joined: 26.Sep.2005
Status: offline
I am interested in the following statement made above "The Firewall client software is an optional client component that can be installed on any supported Windows operating system to provide enhanced security and accessibility."
 
We presently use only the FWC for the exact reason as stated above.
I want to start using the WPC along with the FWC to speed up our internet access, particularly our new WXP users  
 
Will using the WPC along with the FWC cause us to lose the enhanced security provided by the FWC?

Is there a reason why WXP is taking up to 4 min to connect to a web site that  W98 and WXP take only 2 min?
If I enable WPC along with the FWC on WXP users they get the same 2 min response as the W98 and WXP users that use only the FWC.

Thanks,
Ken  
 

(in reply to iraq it)
Post #: 10
RE: From where to start the FWC? - 3.Feb.2006 5:54:42 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
IMHO "enhanced security" is in comparison to S-NAT, while "accessibility" is in comparison to WP.

As for XP, besides the known issue of DHCP WPAD, there shold not be a performance penalty.  I would look closely at how your DNS is setup and also make sure there is a PTR for ISA.  Take a network trace to see why it is taking twice as long.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to kdiekemper)
Post #: 11
RE: From where to start the FWC? - 3.Feb.2006 9:05:59 PM   
kdiekemper

 

Posts: 54
Joined: 26.Sep.2005
Status: offline
Thanks for the reply to my question.

I read on www.syngress.com that when a FWC is also a WPC and the WPC configuration cannot handle a paticular request, the FWC configuration can step in. From this I get that the WPC client handles all request 1st without any  FWC use. I was hoping that I would get the same FWC security and accessibility but with the WPC add speed.

What is IMHO as you stated in your response?
Could you explain in more detail what you ment in your response in reguards to using FWC with WPC?

Thanks,
Ken

(in reply to iraq it)
Post #: 12
RE: From where to start the FWC? - 3.Feb.2006 9:31:55 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
IMHO = In My Humble Opinion (some say I'm not very humble :p)

I setup all my clients with FWC set to autodetect using WPAD DHCP option 252.  The FWC then sets WP to "Use automatic configuration script" so browser requests will use WP wherever it is supported and revert to FWC for protocols/sites that are not supported or set to *Direct*.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to kdiekemper)
Post #: 13
RE: From where to start the FWC? - 6.Feb.2006 5:43:56 PM   
kdiekemper

 

Posts: 54
Joined: 26.Sep.2005
Status: offline
Thanks for the info LLigetfa,

Could you explain in more detail what you ment by  "browser request will use WP whenever it is supported and revert to FWC for protocols/sites that are not supported or set to *Direct*."

Does FWC always use caching on a Intergrated ISA server or must WPC be enabled?

Ken

(in reply to LLigetfa)
Post #: 14

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> From where to start the FWC? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts