Welcome to ISAserver.org
Integration of the 3 client type into one
Integration of the 3 client type into one - 7.Mar.2006 4:59:24 AM
hornebag
Posts: 18
Joined: 2.Feb.2005
Status: offline

It would be really nice to see the Web Proxy, SecureNAT and Firewall client rolled into one solution that also does not require software to be installed on the client PC. It's probably a bit much to ask for in the next version, but it would be very nice.

RE: Integration of the 3 client type into one - 12.Mar.2006 9:49:39 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Horne,

It's actually impossible to do, since the TCP/IP protocol suite doesn't provide these components without an application layer component. However, the Firewall and Web proxy client provision is something you can do at the same time now.

HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Integration of the 3 client type into one - 16.Mar.2006 7:46:22 PM
RAJP
Posts: 49
Joined: 11.Mar.2006
Status: offline

Hi Tom,

This firewall client stuff has always confused me since I don't know of any other application proxy firewall that requires it. What's the big difference with ISA other than the ability to pass credentials?

Ray

RE: Integration of the 3 client type into one - 18.Mar.2006 5:43:06 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ray,

With other application proxies, you have to configure the client applications to explicitly use the proxy server. In the case of the Firewall client, there is no per application provisioning. Just install the Firewall client and all Winsock applications can authenticate transparently with the ISA firewall.

HTH, Tom
RE: Integration of the 3 client type into one - 25.Mar.2006 11:15:58 PM
RAJP
Posts: 49
Joined: 11.Mar.2006
Status: offline

OK, so for the majority of employees using just browsing and Outlook to an internal Exchange server, they don't need the firewall client? It is only necessary for employees using software that traverses the firewall, like some of the FedEx client applications?

The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.

Thanks, Ray

RE: Integration of the 3 client type into one - 26.Mar.2006 7:11:32 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ray,

That's just about it. However, the Firewall client completes the security circle for those sites and applications that don't work with authenticating Web proxies or any kind of Web proxy. In that case, you still want to be able to authenticate the outbound connection (for security compliance reasons). The Firewall client enables you to meet industry compliance requirements (you didn't allow an outbound anonymous connection) while still providing access to a site uncompliant with modern Web proxy devices.

HTH, Tom
RE: Integration of the 3 client type into one - 27.Mar.2006 12:09:33 AM
elmajdal
Posts: 4964
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

quote:
ORIGINAL: RAJP
The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.

With all your clients configured as WP only, it brings to my mind 2 questions:

1- Are your clients able to establish a VPN connection from Internal to External?
2- Are your clients able to upload using FTP?
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: Integration of the 3 client type into one - 2.Apr.2006 12:40:19 AM
RAJP
Posts: 49
Joined: 11.Mar.2006
Status: offline

quote:
ORIGINAL: elmajdal
    quote:
    ORIGINAL: RAJP
    The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.
With all your clients configured as WP only, it brings to my mind 2 questions:
1- Are your clients able to establish a VPN connection from Internal to External?
2- Are your clients able to upload using FTP?

I have ISA off a Check Point FW-1 DMZ and FW-1 is the primary perimeter firewall. The ISA server internal interface is not in the default route to the Internet. ISA is used primarily to inspect HTTP traffic and control which user groups can go where.

No, they cannot establish outbound VPN connections because the ISA external interface traffic is controlled by a FW-1 rule. In addition, I have a "default deny" configuration in FW-1.

Likewise with FTP. They could upload by FTP, but I restrict just who can do so using FW-1's FTP Security Server. The security server inspects the verbs being used and if they're related to uploading, it checks who the user is. If they're not in a special group of a half-dozen employees that have a business need to use FTP Upload, it's blocked and I get an email.

My configuration is probably sufficiently different from yours so the answer is not relevant.

Ray

RE: Integration of the 3 client type into one - 2.Apr.2006 5:12:43 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ray,

The ISA firewall does the same thing with FTP as does the Check Point server. When you use the Firewall client, it makes the routing infrastructure transparent, so you don't need to change the default gateway.

HTH, Tom
RE: Integration of the 3 client type into one - 23.May.2006 4:58:16 PM
netgoalie
Posts: 2
Joined: 6.Jul.2005
Status: offline

quote:
However, the Firewall and Web proxy client provision is something you can do at the same time now.

Hi Tom:

By this do you mean that credentials are automatically passed from the firewall service to the web proxy service? In ISA2K, credentials are lost when using the HTTP redirector to redirect from FW to Web Proxy. I'm told that the same is true in ISA2004 (no redirector filter any more, but traffic is automatically redirected & credentials are lost). Do you know if ISA2006 has changed this behavior such that the FW svc. passes credentials to Web proxy svc?

If not, I think this suggestion still has merit. We mainly use Web Proxy and only use FW client for applications that aren't proxy friendly. Also, we require authentication; but, for any site accessed via FW client, we have to allow it unauthenticated due to the above. It would be desirable to require authentication for all web access.

Thanks.