Welcome to ISAserver.org

SecureNAT Client Requirements

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> SecureNAT Client >> SecureNAT Client Requirements

Page: [1]

Message

<< Older Topic Newer Topic >>

SecureNAT Client Requirements - 23.Nov.2005 3:06:21 PM

dfcrj

Posts: 46
Joined: 5.Sep.2003
From: AL
Status: offline

Basically no one here is running the firewall client, the ones we tested couldn't load certain web sites from our finanical partners so we abandoned it. With that said, we are all web proxy clients, because we have a GP that forces IE to use the ISA bypassing it for local address. I've read some on the SecureNAT, I was under the impression that if I went to a command line and done a ipconfig/all and the default gateway is the ISA, then we are SecureNAT.
My questions, do you have to manually configure the internal adapters? Inside our DNS we have the ISA set as the router for all clients. If you remove the IE settings, you can still surfing the internet, should you be able?
All users show up as anonymous under the logs about 25% of the time.
I'm skittish of installing the FW client, we are very, very shorthanded and can't possible troubleshoot every issue if they were to arise after the install.

Post #: 1

Featured Links*

RE: SecureNAT Client Requirements - 23.Nov.2005 9:14:18 PM

steavg

Posts: 174
Joined: 29.Jan.2004
From: Belgium
Status: offline

Hi,

Let's start by saying that the fwl client IS your best and most secure option. That being said, her are some answers to your questions:

"if I went to a command line and done a ipconfig/all and the default gateway is the ISA, then we are SecureNAT": Yes, even more, if your traffic (while moving from one network to another network) passes the ISA server, the originator is a SecureNAT client.

"do you have to manually configure the internal adapters?": No, DHCP will do just fine.

"Inside our DNS we have the ISA set as the router for all clients. If you remove the IE settings, you can still surfing the internet, should you be able?": I presume you mean DHCP instead of DNS ? If this is the case, all you clients will act as SecureNAT clients. If your DNS can resolve public names (e.g. www.isaserver.org) you should be able to surf whitout IE proxy. Do you realy want that --> NO.

Why not:

a) SecureNAT clients can not be authenticated
b) You should realy be using a split DNS infrastructure and let the ISA do the DNS-proxying (by configering you clients as web proxy clients or even better fwl clients)

Hope you can use some of the feedback,
Greetings,

Stefan

(in reply to dfcrj)

Post #: 2

RE: SecureNAT Client Requirements - 24.Nov.2005 5:38:06 AM

dfcrj

Posts: 46
Joined: 5.Sep.2003
From: AL
Status: offline

Yea I meant DHCP settings inside my DNS server, my mistake. My DNS can resolve public names because we have it setup in the forwards tab, if that's what you mean.
So i can setup the ISA to resolve public names and take that away from my DNS servers?
We had issues with the firewall client not allowing some web sites to load properly, not just for viewing, but actually reporting from our clients. Without the reporting we couldnt receive payments, reconcilation statements, etc. I tested it on 3 users without their knowledge to see how if affected them After that I placed it on the "want to do" list.

(in reply to steavg)

Post #: 3

RE: SecureNAT Client Requirements - 24.Nov.2005 9:07:54 AM

smelethil

Posts: 8
Joined: 21.Nov.2005
Status: offline

hi

I instaleed isa 2004 on my win 2000 adv server which is also a member of domain .i installed firewall client on client machines .some machines temporarly fails to authenticate with my isa server .after refreshing firewall client it will authenticate and again it will fail .so i configured it as securenat and web proxy ,but i cannot send and receive emails in securenat and web proxy .but in firewall client its o.k
my win2000 professional clients used to fail authentication.help me for this .my 5 pc's are outside firewall due to this reasons.how i can work well if i configure securenat in those clients to send and receive emails .i can browse frm these machines (securenat)

(in reply to dfcrj)

Post #: 4

RE: SecureNAT Client Requirements - 24.Nov.2005 7:41:04 PM

steavg

Posts: 174
Joined: 29.Jan.2004
From: Belgium
Status: offline

Hi dfcrj,

A) ISA will do the DNS resolution (DNS-proxy) if you configure your clients as web proxy or fwl client.
B) I would advice you to test the applications you are having issues with and have a look in the ISA log to see what is going wrong. Contact your apps. vendor to get the necessary info on what ports to open to get your apps. to talk with the Internet based apps. servers.

Once you get your apps. working with the fwl client you will be most happy that you use the fwl client :-), trust me.

Greetings,

Stefan

(in reply to smelethil)

Post #: 5

RE: SecureNAT Client Requirements - 25.Nov.2005 1:50:48 AM

dfcrj

Posts: 46
Joined: 5.Sep.2003
From: AL
Status: offline

Thanks S,
I'll look into the firewall client on a few other pc's that have standard needs to learn more about it. The more I read the more I found everyone recommending it. I'll also look into the DNS-proxy solution.
Thanks for your help!!
DFCRJ

(in reply to steavg)

Post #: 6

RE: SecureNAT Client Requirements - 29.Jan.2006 5:43:54 PM

denizyalcin

Posts: 122
Joined: 19.Jan.2005
From: Turkey
Status: offline

How can we force our internal LAN clients to be "firewall clients" and not to be "SecureNAT clients" (I totally skip "Web Proxy clients") even when we have our DHCP service on the ISA box and configure it as Mr. Shinder's book describes ?

(in reply to dfcrj)

Post #: 7

RE: SecureNAT Client Requirements - 29.Jan.2006 5:49:15 PM

LLigetfa

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline

Since S-NAT clients cannot authenticate, by forcing authentication, you force clients to be either WP or FWC.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to denizyalcin)

Post #: 8