How to force clients to use FWC only while keeping WP enabled

How to force clients to use FWC only while keeping WP e... - 31.Jan.2006 11:12:14 AM   
DavideB

 

Posts: 13
Joined: 8.Oct.2001
From: Italy
Status: offline
In a domain I would like to force the use of Firewall Client on the clients where it has been installed, not letting these clients use the Web Proxy service. At the same time, I would like to leave the Web Proxy service enabled on the ISA server as there is no need for FWC on some clients.

We are an ISV and we are trying to find the best ISA configuration for the deployment of ClickOnce (.Net 2.0) installation packages from the web.
If the client (so the browser) is configured to use (and detect) a Web Proxy that requires authentication, the installation of a ClickOnce package fails with a 407 error as the ClickOnce package doesn't pass the current security credentials to the proxy. If the client is forced to use the FWC the ClickOnce package installation succeeds.

DHCP and DNS are configured to point to the ISA server, the default gateway of the clients is the ISA server.
The firewall policy rule for the internal network allows access to a specific domain user group.
Another firewall policy is defined for SecureNat clients (a group of servers).

How can I configure the ISA and FWC in order to be sure that once FWC is installed on the client, it becomes the only way for any application (browser and ClickOnce apps) to pass through the ISA server?

I made a few attempts but haven't found the right configuration.
Best regards,
Davide Bedin
Post #: 1
RE: How to force clients to use FWC only while keeping ... - 3.Feb.2006 2:35:43 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Davide,

You need to configure the destination sites for Direct Access to bypass the Web proxy client configuration, or remove the Web proxy client configuration from the Firewall clients, and then unbind the HTTP security filter from the HTTP protocol.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to DavideB)
Post #: 2
RE: How to force clients to use FWC only while keeping ... - 3.Feb.2006 3:12:51 PM   
DavideB

 

Posts: 13
Joined: 8.Oct.2001
From: Italy
Status: offline
Hi Tom,
thank you for your help.

The first option does not match my scenario as I would like to enable the use of ClickOnce apps and not only the ones coming from a specific site.

In my ISA server, on the Internal network configuration, Firewall and Web Proxy client support are enabled. On the Firewall client configuration tab, clients are configured to automatically detect settings, to use automatic configuration script and web proxy server is disabled.
I thought this would force clients with FWC to always use it for any request to a web resource but I was wrong.

I'm not sure I correctly understood the second option. How can I remove the Web proxy client configuration from the Firewall clients, and then unbind the HTTP security filter from the HTTP protocol?

Thanks,
Davide

(in reply to tshinder)
Post #: 3
RE: How to force clients to use FWC only while keeping ... - 3.Feb.2006 3:20:09 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Davide,

Check my two articles on Direct Access on this site, and then ask me questions based on the information in those articles, if things are still not working after implementing the principles discussed there.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to DavideB)
Post #: 4
RE: How to force clients to use FWC only while keeping ... - 3.Feb.2006 4:37:46 PM   
DavideB

 

Posts: 13
Joined: 8.Oct.2001
From: Italy
Status: offline
Thanks for the info.
I read the 2 articles on Direct Access and applied the proposed solution. I enabled direct access to the web site where the ClickOnce app is hosted and it works as expected.
Unfortunately, my problem is slightly different, as I would like to find a way to enable the deployment of any ClickOnce application through ISA, not a specific app coming from a known web site.
Is there any other possible way to approach my problem?

Thank you again for your help,
Davide

(in reply to tshinder)
Post #: 5
RE: How to force clients to use FWC only while keeping ... - 5.Feb.2006 8:14:02 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Davide,

If the ClickOnce doesn't work through Web proxies, then the proxy admin must bypass the Web proxy.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to DavideB)
Post #: 6
