Welcome to ISAserver.org

Integration of the 3 client type into one

Integration of the 3 client type into one - 7.Mar.2006 4:59:24 AM   
hornebag

 

It would be really nice to see the Web Proxy, SecureNAT and Firewall client rolled into one solution that also does not require software to be installed on the client PC.

It's probably a bit much to ask for in the next version, but it would be very nice.
Post #: 1
RE: Integration of the 3 client type into one - 12.Mar.2006 9:49:39 PM   
tshinder

 

Hi Horne,

It's actually impossible to do, since the TCP/IP protocol suite doesn't provide these components without an application layer component.

However, the Firewall and Web proxy client provision is something you can do at the same time now.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hornebag)
Post #: 2
RE: Integration of the 3 client type into one - 16.Mar.2006 7:46:22 PM   
RAJP

 

Hi Tom,

This firewall client stuff has always confused me since I don't know of any other application proxy firewall that requires it. What's the big difference with ISA other than the ability to pass credentials?

Ray

(in reply to tshinder)
Post #: 3
RE: Integration of the 3 client type into one - 18.Mar.2006 5:43:06 PM   
tshinder

 

Hi Ray,

With other application proxies, you have to configure the client applications to explicitly use the proxy server. In the case of the Firewall client, there is no per application provisioning. Just install the Firewall client and all Winsock applications can authenticate transparently with the ISA firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RAJP)
Post #: 4
RE: Integration of the 3 client type into one - 25.Mar.2006 11:15:58 PM   
RAJP

 

OK, so for the majority of employees using just browsing and Outlook to an internal Exchange server, they don't need the firewall client? It is only necessary for employees using software that traverses the firewall, like some of the FedEx client applications?

The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.

Thanks,

Ray

(in reply to tshinder)
Post #: 5
RE: Integration of the 3 client type into one - 26.Mar.2006 7:11:32 PM   
tshinder

 

Hi Ray,

That's just about it.

However, the Firewall client completes the security circle for those sites and applications that don't work with authenticating Web proxies or any kind of Web proxy. In that case, you still want to be able to authenticate the outbound connection (for security compliance reasons). The Firewall client enables you to meet industry compliance requirements (you didn't allow an outbound anonymous connection) while still providing access to a site uncompliant with modern Web proxy devices.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RAJP)
Post #: 6
RE: Integration of the 3 client type into one - 27.Mar.2006 12:09:33 AM   
elmajdal

 

quote:

ORIGINAL: RAJP
The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.


With all your clients configured as WP only, it brings to my mind 2 questions:

1- Are your clients able to establish a VPN connection from Internal to External?

2- Are your clients able to upload using FTP?

_____________________________

Tarek Majdalani

Forefront MVP
Website : http://www.elmajdal.net
Covering ISA Server/TMG, Windows Server 2008 & Windows 7,Windows 8, Exchange Server 2010,2013

Twitter : @elmajdal

(in reply to RAJP)
Post #: 7
RE: Integration of the 3 client type into one - 2.Apr.2006 12:40:19 AM   
RAJP

 

quote:

ORIGINAL: elmajdal

quote:

ORIGINAL: RAJP
The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.


With all your clients configured as WP only, it brings to my mind 2 questions:

1- Are your clients able to establish a VPN connection from Internal to External?

2- Are your clients able to upload using FTP?


I have ISA off a Check Point FW-1 DMZ and FW-1 is the primary perimeter firewall. The ISA server internal interface is not in the default route to the Internet. ISA is used primarily to inspect HTTP traffic and control which user groups can go where.

No, they cannot establish outbound VPN connections because the ISA external interface traffic is controlled by a FW-1 rule. In addition, I have a "default deny" configuration in FW-1.

Likewise with FTP. They could upload by FTP, but I restrict just who can do so using FW-1's FTP Security Server. The security server inspects the verbs being used and if they're related to uploading, it checks who the user is. If they're not in a special group of a half-dozen employees that have a business need to use FTP Upload, it's blocked and I get an email.

My configuration is probably sufficiently different from yours so the answer is not relevant.

Ray

(in reply to elmajdal)
Post #: 8
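
The FTP verb inspection described in the post above, sketched as an added example; it is not part of the original thread and is not Check Point or ISA code. The group membership, user names and session lines are constructed, and the user identity is assumed to come from the firewall's own authentication; STOR, STOU and APPE are the RFC 959 commands that write data to the server.

```python
"""Added example: FTP control-channel verb inspection with a per-user upload policy."""
from dataclasses import dataclass, field

# RFC 959 commands that write data to the server (uploads).
UPLOAD_VERBS = {"STOR", "STOU", "APPE"}

# Constructed sample: the small group with a business need to upload (hypothetical names).
FTP_UPLOAD_GROUP = {"alice", "bob"}


@dataclass
class Decision:
    user: str
    verb: str
    argument: str
    allowed: bool


@dataclass
class FtpInspector:
    upload_group: set
    alerts: list = field(default_factory=list)

    def inspect(self, user: str, line: str) -> Decision:
        """Decide on one control-channel line sent by an already authenticated user."""
        # FTP verbs are case-insensitive and end at the first space.
        verb, _, argument = line.strip().partition(" ")
        verb = verb.upper()
        argument = argument.strip()
        # Non-upload verbs pass; upload verbs pass only for group members.
        allowed = verb not in UPLOAD_VERBS or user.lower() in self.upload_group
        if not allowed:
            # Stand-in for the e-mail notification mentioned in the post.
            self.alerts.append(f"blocked {verb} {argument!r} by {user}")
        return Decision(user, verb, argument, allowed)


def run_session(inspector: FtpInspector, user: str, lines: list) -> list:
    """Return the decision for every command in a captured control-channel session."""
    return [inspector.inspect(user, line) for line in lines]


# Constructed control-channel capture for illustration.
SAMPLE_SESSION = ["CWD /pub", "RETR report.pdf", "stor payroll.xls", "APPE log.txt", "QUIT"]

if __name__ == "__main__":
    insp = FtpInspector(FTP_UPLOAD_GROUP)
    for decision in run_session(insp, "carol", SAMPLE_SESSION):
        print(decision)
    print(insp.alerts)
```

Matching on the normalized verb rather than the raw line is what keeps a lower-case `stor` from slipping past the policy.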
RE: Integration of the 3 client type into one - 2.Apr.2006 5:12:43 PM   
tshinder

 

Hi Ray,

The ISA firewall does the same thing with FTP as does the Check Point server.

When you use the Firewall client, it makes the routing infrastructure transparent, so you don't need to change the default gateway.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RAJP)
Post #: 9
RE: Integration of the 3 client type into one - 23.May.2006 4:58:16 PM   
netgoalie

 

quote:

However, the Firewall and Web proxy client provision is something you can do at the same time now.


Hi Tom:

By this do you mean that credentials are automatically passed from the firewall service to the web proxy service?
In ISA2K, credentials are lost when using the HTTP redirector to redirect from FW to Web Proxy.  I'm told that
the same is true in ISA2004 (no redirector filter any more, but traffic is automatically redirected & credentials are
lost).  Do you know if ISA2006 has changed this behavior such that the FW svc. passes credentials to Web proxy svc?
If not, I think this suggestion still has merit.  We mainly use Web Proxy and only use FW client for applications that
aren't proxy friendly.  Also, we require authentication; but, for any site accessed via FW client, we have to allow
it unauthenticated due to the above.  It would be desirable to require authentication for all web access.

Thanks.

(in reply to tshinder)
Post #: 10
