As the subject suggests, I would like the Firewall Client to ignore Telnet altogether. Not BLOCK it, but ignore it and just let it fall through the IP stack where my network's routing will handle it.
I was thinking of adding a telnet application entry with Disable=1, but it doesn't seem to do the trick.
Many of our users use a mainframe TN3270 connection to an external host. Our TN3270 sessions are absolutely mission critical. I don't want them passing through the ISA...in case I had to reboot it or something.
I want these connections to "fall-out" of the FWC and pass through our PIX firewall.
I know I can accomplish this by adding the external TN3270 host to our Internal network set. (This used to be called the "LAT" in previous versions). However, then I am getting in the business of adding external systems to our LAT, and thus losing the ability to have the ISA control, say, an FTP session to this host.
So in a nutshell, TN3270 is mission critical. I don't want it relying on the ISA.
Also....we have about 700 TN3270 sessions. I don't need to control or monitor these, so there really isn't any reason to run them through the ISA. They will just present an unnecessary load on the ISA that we don't need. That way the ISA can be more or less dedicated to doing web proxying, and controlling access to the more "premium" services, such as IM, ftp, etc.
If I have 700 telnet sessions on the ISA and I need to reboot or restart the firewall service, that's a lot of unhappy people.
I don't agree that a PIX would run more stable than an ISA server, but if you want to exclude an application from being handled by the Firewall client you need to create an entry with the application name without the extension (.exe) and specify Disable=1. Keep in mind that you won't be able to authenticate the traffic from that application anymore.
Thank you. I don't want to get into an argument about whether ISA or PIX is more stable. We all have different needs and configurations that might render one solution a better fit than another. But for whatever the reason, there are times when I want to tell the FWC to ignore an application...even if for sheer troubleshooting needs.
So how do I verify on my client that these settings are taking effect? I see there is the common.ini and application.ini however they don't seem to reflect any changes....even after a reboot and using the Test button in the FWC. Does the firewall service need to be restarted to make central FWC settings take effect?
First of all you need to determine the application name on the client. Use Task Manager for that. Next, create the entry on the ISA server. Once that is done, open IE and get http://wpad/wspad.dat . That's the configuration file the client will get from the ISA server; check if you see the entry you created. At last, refresh the Firewall client config (detect now).
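The two answers above describe the exclusion entry (application name without the .exe extension, Disable=1) and how to verify it on a client. The following script is an added example, not code from the thread or from Microsoft: it assumes the client-side settings (application.ini / the fragment served as wspad.dat) use the INI-style layout of one section per application, parses a constructed sample, reports whether a given executable is excluded, and flags the common mistake of keeping the extension in the section name. Whether an entry with the extension is silently ignored is inferred from the advice above, not confirmed by the thread.

```python
"""Audit a Firewall Client application-settings fragment for an exclusion.

Added example; assumes an INI-style layout (one section per application,
named after the executable without ".exe") where Disable=1 means the
Firewall Client ignores that program and its traffic falls through the
IP stack to whatever the network's routing does with it.
"""
import configparser
import os

# Constructed sample. "[extra.exe]" is a deliberately misnamed entry (the
# extension was kept); "[extra]" is the correctly named one.
SAMPLE_SETTINGS = """
[Common]
Enabled=1

[extra.exe]
Disable=1

[extra]
Disable=1

[ftp]
Disable=0
"""


def app_name_from_exe(exe_path: str) -> str:
    """'C:\\Extra\\extra.exe' -> 'extra': file name only, extension stripped."""
    base = os.path.basename(exe_path.replace("\\", "/"))
    return os.path.splitext(base)[0]


def parse_settings(text: str) -> configparser.ConfigParser:
    """Parse the INI-style fragment; interpolation is off so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def find_section(cp: configparser.ConfigParser, name: str):
    """Case-insensitive section lookup, since Windows file names are case-insensitive."""
    for sect in cp.sections():
        if sect.lower() == name.lower():
            return sect
    return None


def is_excluded(text: str, exe_path: str) -> bool:
    """True when the app has Disable=1 under its extension-less name."""
    cp = parse_settings(text)
    sect = find_section(cp, app_name_from_exe(exe_path))
    if sect is None:
        return False
    return cp.get(sect, "Disable", fallback="0").strip() == "1"


def audit(text: str, exe_path: str) -> list:
    """Findings a reviewer wants: misnamed entries, and what an exclusion implies."""
    cp = parse_settings(text)
    name = app_name_from_exe(exe_path)
    findings = []
    wrong = find_section(cp, name + ".exe")
    if wrong is not None:
        findings.append(f"section [{wrong}] keeps the .exe extension; the expected name is [{name}]")
    if is_excluded(text, exe_path):
        # Excluded traffic bypasses ISA policy, authentication and logging,
        # so the list of such entries should stay short and be reviewed.
        findings.append(f"[{name}] is excluded: traffic bypasses the Firewall Client and cannot be authenticated by ISA")
    else:
        findings.append(f"[{name}] is handled by the Firewall Client")
    return findings


if __name__ == "__main__":
    for exe in ("extra.exe", "ftp.exe", "telnet.exe"):
        for line in audit(SAMPLE_SETTINGS, exe):
            print(line)
```

Run it against the fragment fetched as described above (or against the client's application.ini) to confirm the entry took effect; the audit also reminds you that every excluded application is traffic ISA no longer authenticates or logs.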
Thanks for the detailed instructions! One question, though. Where do I do the http://wpad/wspad.dat ? I do this on the ISA server and I get page cannot be displayed. I am not running automatic discovery.
< Message edited by sixdoubleo -- 16.Dec.2005 10:32:40 PM >
Where do I do the http://wpad/wspad.dat ? I do this on the ISA server and I get page cannot be displayed. I am not running automatic discovery.
You do that on a client. If you don't have a DNS wpad entry then use the FQDN of the ISA internal interface instead of wpad. That should work equally well.
HTH, Stefaan
Hmm...that doesn't work either. http://ISA01/wspad.dat gives the same "page cannot be displayed" error. I wonder if something within the ISA's Firewall Client setup is misconfigured. Is there a service or something which publishes the FWC settings?
I now have an exception for Attachmate Extra and the firewall client is ignoring Attachmate Extra. I prefer this MUCH better to the way I was doing this before....which was to include the TN3270 server in our LAT.
You've been a great help. I appreciate you taking the time to help me. Hope you have a good weekend.