From where to start the FWC? (Full Version)






iraq it -> From where to start the FWC? (25.Jan.2006 3:29:55 PM)

Hi,

I have a small ISA network that consists of WP clients for Internet access and VPN. I didn't use the FWC before, but today I installed it on my computer and I didn't see anything to configure at the FWC icon, so how can I benefit from it? And where should I implement it?

Thanks,




LLigetfa -> RE: From where to start the FWC? (25.Jan.2006 3:34:25 PM)

When you install FWC, it creates two shortcuts; one in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" and another in "C:\Documents and Settings\All Users\Start Menu\Programs".  Either of those links should bring up the GUI, or you can right-click the icon in the systray.




iraq it -> RE: From where to start the FWC? (25.Jan.2006 3:52:05 PM)

quote:

ORIGINAL: LLigetfa

When you install FWC, it creates two shortcuts; one in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" and another in "C:\Documents and Settings\All Users\Start Menu\Programs".  Either of those links should bring up the GUI, or you can right-click the icon in the systray.



I have it in the system tray and I can access the Internet using it or using WP (disable FWC). But I remember that a list of protocols is available in the properties, but from where? Also, when do you think I need the FWC?

Thanks,




LLigetfa -> RE: From where to start the FWC? (25.Jan.2006 4:34:05 PM)

The FWC is what's known as a WinSock replacement.  What it does is intercept WinSock calls and subvert them based on the config.

The FWC is generally configured at the ISA server, under Configuration -> General -> Define Firewall Client Settings.




elmajdal -> RE: From where to start the FWC? (25.Jan.2006 4:37:51 PM)


Understanding the ISA 2004 Firewall Client
The Firewall client software is an optional client component that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall client software provides the following enhancements to Windows clients:
  • Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols
  • Allows user and application information to be recorded in the ISA firewall's log files
  • Provides enhanced support for network applications, including complex protocols requiring secondary connections
  • Provides "proxy" DNS support for Firewall client machines
  • Allows you to publish servers requiring complex protocols without the aid of an application filter (although not 'officially' supported in the new ISA firewall)
  • Makes the network routing infrastructure transparent to the Firewall client machine

Read more at:
http://www.internetaccessmonitor.com/eng/products/articles/Why_the_ISA_Firewall_Client_Rocks/Why_the_ISA_Firewall_Client_Rocks.php


Generally I recommend using the combination of the 3 client types; here is why:

Multiple ISA Server clients can be used on a single computer. This allows the ISA Server client to obtain the best benefits of all the clients.
Configuring the client computer as a SecureNAT client enables basic Web access and caching, as well as allows the client to utilize application filters to access other objects on the Internet. Although the SecureNAT client cannot provide authentication, access rules can restrict client access by IP address, schedule, protocol, and destination requested.
Adding the Web proxy client information to the Web browser provides more direct, efficient access to the Web proxy service. (SecureNAT clients use the firewall service and Web protocols are then passed to the Web proxy service.) Web proxy clients can also provide authentication information if required to do so by the ISA Server.
By installing the Firewall client, authentication will always be passed to the ISA Server, and the client can directly inform the firewall service of the needs of the application it is using.




iraq it -> RE: From where to start the FWC? (25.Jan.2006 6:03:40 PM)

quote:

ORIGINAL: elmajdal


Understanding the ISA 2004 Firewall Client
The Firewall client software is an optional client component that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall client software provides the following enhancements to Windows clients:
  • Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols
  • Allows user and application information to be recorded in the ISA firewall's log files
  • Provides enhanced support for network applications, including complex protocols requiring secondary connections
  • Provides "proxy" DNS support for Firewall client machines
  • Allows you to publish servers requiring complex protocols without the aid of an application filter (although not 'officially' supported in the new ISA firewall)
  • Makes the network routing infrastructure transparent to the Firewall client machine


Read more at:
http://www.internetaccessmonitor.com/eng/products/articles/Why_the_ISA_Firewall_Client_Rocks/Why_the_ISA_Firewall_Client_Rocks.php


Generally I recommend using the combination of the 3 client types; here is why:

Multiple ISA Server clients can be used on a single computer. This allows the ISA Server client to obtain the best benefits of all the clients.
Configuring the client computer as a SecureNAT client enables basic Web access and caching, as well as allows the client to utilize application filters to access other objects on the Internet. Although the SecureNAT client cannot provide authentication, access rules can restrict client access by IP address, schedule, protocol, and destination requested.
Adding the Web proxy client information to the Web browser provides more direct, efficient access to the Web proxy service. (SecureNAT clients use the firewall service and Web protocols are then passed to the Web proxy service.) Web proxy clients can also provide authentication information if required to do so by the ISA Server.
By installing the Firewall client, authentication will always be passed to the ISA Server, and the client can directly inform the firewall service of the needs of the application it is using.


Thanks for the link.

When I use the Internet as WP and then I enable the FW, does that mean the user will switch to FW client mode? And does that mean the user will switch to the FW client settings or use the WP rules?

When I enable the FW, does that mean I will have more access to protocols, or will I have the same privileges as WP and the change is just the features mentioned in the link above?

Thanks,




LLigetfa -> RE: From where to start the FWC? (25.Jan.2006 7:09:00 PM)

Having all three client types is recommended.  What you will find is that different applications will use the different client types depending on how and what protocols.  To know which will be used in a particular instance requires some knowledge of the application, protocols and the network OSI model.

Stefaan has a good tutorial on this site that explains it very well.




iraq it -> RE: From where to start the FWC? (25.Jan.2006 7:28:33 PM)

OK, I have WP clients and I don't have any problem, but sometimes I need to use the Internet messenger, so can FWC be a solution for that? Also, what other applications do you think it is recommended to use it for?

Thanks,




LLigetfa -> RE: From where to start the FWC? (25.Jan.2006 8:07:29 PM)

I put FWC on all my clients.  It fills the gap where WP falls short.




kdiekemper -> RE: From where to start the FWC? (3.Feb.2006 5:35:47 PM)

I am interested in the following statement made above "The Firewall client software is an optional client component that can be installed on any supported Windows operating system to provide enhanced security and accessibility."

We presently use only the FWC for the exact reason as stated above.
I want to start using the WPC along with the FWC to speed up our internet access, particularly our new WXP users.

Will using the WPC along with the FWC cause us to lose the enhanced security provided by the FWC?

Is there a reason why WXP is taking up to 4 min to connect to a web site that  W98 and WXP take only 2 min?
If I enable WPC along with the FWC on WXP users they get the same 2 min response as the W98 and WXP users that use only the FWC.

Thanks,
Ken  
 




LLigetfa -> RE: From where to start the FWC? (3.Feb.2006 5:54:42 PM)

IMHO "enhanced security" is in comparison to S-NAT, while "accessibility" is in comparison to WP.

As for XP, besides the known issue of DHCP WPAD, there should not be a performance penalty.  I would look closely at how your DNS is set up and also make sure there is a PTR for ISA.  Take a network trace to see why it is taking twice as long.




kdiekemper -> RE: From where to start the FWC? (3.Feb.2006 9:05:59 PM)

Thanks for the reply to my question.

I read on www.syngress.com that when a FWC is also a WPC and the WPC configuration cannot handle a particular request, the FWC configuration can step in. From this I get that the WPC client handles all requests first without any FWC use. I was hoping that I would get the same FWC security and accessibility but with the WPC added speed.

What is IMHO as you stated in your response?
Could you explain in more detail what you meant in your response in regard to using FWC with WPC?

Thanks,
Ken




LLigetfa -> RE: From where to start the FWC? (3.Feb.2006 9:31:55 PM)

IMHO = In My Humble Opinion (some say I'm not very humble :p)

I set up all my clients with FWC set to autodetect using WPAD DHCP option 252.  The FWC then sets WP to "Use automatic configuration script" so browser requests will use WP wherever it is supported and revert to FWC for protocols/sites that are not supported or set to *Direct*.
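
The routing LLigetfa describes above, sketched as an added example (not part of the thread and not the script ISA Server generates): a PAC-style `FindProxyForURL` that sends browser traffic to the Web proxy and returns `DIRECT` otherwise, leaving those connections as ordinary Winsock calls that the post says the Firewall client picks up. The proxy host and port, the domain suffix and the direct-site list are assumptions, and the three helpers stand in for the ones a browser's PAC runtime provides.

```javascript
// Constructed values: none of these names come from the thread.
const WEB_PROXY = "PROXY isa.example.internal:8080"; // hypothetical ISA Web proxy listener
const LOCAL_DOMAIN = ".example.internal";            // hypothetical internal DNS suffix
const DIRECT_SITES = ["*.partner.example"];          // hypothetical "set to Direct" list

// Minimal stand-ins for helpers a browser's PAC runtime normally supplies.
function isPlainHostName(host) {
  return !host.includes(".");
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function shExpMatch(str, pattern) {
  // Escape regex metacharacters, then translate shell wildcards * and ?.
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// Entry point a browser calls when "Use automatic configuration script" is set.
function FindProxyForURL(url, host) {
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  // Internal names bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // Sites explicitly configured as direct.
  if (DIRECT_SITES.some((p) => shExpMatch(host, p))) return "DIRECT";
  // Protocols the Web proxy handles go to the Web proxy listener.
  if (["http", "https", "ftp"].includes(scheme)) return WEB_PROXY;
  // Anything else is not proxied by the browser.
  return "DIRECT";
}

// Which client type carries the request, following the post's description.
function clientPath(url, host) {
  return FindProxyForURL(url, host) === "DIRECT"
    ? "direct Winsock connection (Firewall client if installed)"
    : "Web proxy";
}
```

A `DIRECT` answer only tells the browser not to use the Web proxy; whether that connection is then authenticated and logged depends on the Firewall client being installed and enabled on the machine.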




kdiekemper -> RE: From where to start the FWC? (6.Feb.2006 5:43:56 PM)

Thanks for the info LLigetfa,

Could you explain in more detail what you meant by "browser request will use WP whenever it is supported and revert to FWC for protocols/sites that are not supported or set to *Direct*"?

Does FWC always use caching on an integrated ISA server or must WPC be enabled?

Ken



