Integration of the 3 client type into one (Full Version)

hornebag -> Integration of the 3 client type into one (7.Mar.2006 4:59:24 AM)

It would be really nice to see the Web Proxy, SecureNAT and Firewall client rolled into one solution that also does not require software to be installed on the client PC.

It's probably a bit much to ask for in the next version, but it would be very nice.




tshinder -> RE: Integration of the 3 client type into one (12.Mar.2006 9:49:39 PM)

Hi Horne,

It's actually impossible to do, since the TCP/IP protocol suite doesn't provide these components without an application layer component.

However, the Firewall and Web proxy client provision is something you can do at the same time now.

HTH,
Tom




RAJP -> RE: Integration of the 3 client type into one (16.Mar.2006 7:46:22 PM)

Hi Tom,

This firewall client stuff has always confused me since I don't know of any other application proxy firewall that requires it. What's the big difference with ISA other than the ability to pass credentials?

Ray




tshinder -> RE: Integration of the 3 client type into one (18.Mar.2006 5:43:06 PM)

Hi Ray,

With other application proxies, you have to configure the client applications to explicitly use the proxy server. In the case of the Firewall client, there is no per application provisioning. Just install the Firewall client and all Winsock applications can authenticate transparently with the ISA firewall.

HTH,
Tom




RAJP -> RE: Integration of the 3 client type into one (25.Mar.2006 11:15:58 PM)

OK, so for the majority of employees using just browsing and Outlook to an internal Exchange server, they don't need the firewall client? It is only necessary for employees using software that traverses the firewall, like some of the FedEx client applications?

The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.

Thanks,

Ray




tshinder -> RE: Integration of the 3 client type into one (26.Mar.2006 7:11:32 PM)

Hi Ray,

That's just about it.

However, the Firewall client completes the security circle for those sites and applications that don't work with authenticating Web proxies or any kind of Web proxy. In that case, you still want to be able to authenticate the outbound connection (for security compliance reasons). The Firewall client enables you to meet industry compliance requirements (you didn't allow an outbound anonymous connection) while still providing access to a site uncompliant with modern Web proxy devices.

HTH,
Tom




elmajdal -> RE: Integration of the 3 client type into one (27.Mar.2006 12:09:33 AM)

quote:

ORIGINAL: RAJP
The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.


With all your clients configured as WP only, that brings to my mind 2 questions:

1- Are your clients able to establish a VPN connection from Internal to External?

2- Are your clients able to upload using FTP?




RAJP -> RE: Integration of the 3 client type into one (2.Apr.2006 12:40:19 AM)

quote:

ORIGINAL: elmajdal

quote:

ORIGINAL: RAJP
The reason I'm asking is we don't use the firewall client at all, yet have about 1,500 employees configured as web proxy clients only and all seems to be well. So I could never figure out exactly why it was needed.


With all your clients configured as WP only, that brings to my mind 2 questions:

1- Are your clients able to establish a VPN connection from Internal to External?

2- Are your clients able to upload using FTP?


I have ISA off a Check Point FW-1 DMZ and FW-1 is the primary perimeter firewall. The ISA server internal interface is not in the default route to the Internet. ISA is used primarily to inspect HTTP traffic and control which user groups can go where.

No, they cannot establish outbound VPN connections because the ISA external interface traffic is controlled by a FW-1 rule. In addition, I have a "default deny" configuration in FW-1.

Likewise with FTP. They could upload by FTP, but I restrict just who can do so using FW-1's FTP Security Server. The security server inspects the verbs being used and if they're related to uploading, it checks who the user is. If they're not in a special group of a half-dozen employees that have a business need to use FTP Upload, it's blocked and I get an email.

My configuration is probably sufficiently different from yours so the answer is not relevant.

Ray
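
The upload check described in the post above (inspect the FTP verb, check the user's group when the verb is an upload, block and alert otherwise), sketched as an added example that is not part of the original thread and is not Check Point or ISA code. The verb set, group members, function names and the control-channel lines are all assumptions constructed for illustration.

```python
# Added illustration: models the policy decision only, not a real FTP proxy.
UPLOAD_VERBS = {"STOR", "STOU", "APPE"}  # RFC 959 commands that write data to the server

# Hypothetical group of users with a business need for FTP upload.
FTP_UPLOAD_GROUP = {"alice", "bob"}


def parse_command(line):
    """Split one FTP control-channel line into (VERB, argument)."""
    text = line.rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg


def evaluate_session(lines, upload_group=FTP_UPLOAD_GROUP):
    """Return (decisions, alerts) for a control-channel transcript.

    The user is taken from the USER command; a real security server would
    bind the session to an authenticated identity instead.
    """
    user = None
    decisions, alerts = [], []
    for line in lines:
        verb, arg = parse_command(line)
        if verb == "USER":
            user = arg.strip().lower()
        # Default deny: an upload verb from an unknown or ungrouped user is blocked.
        if verb in UPLOAD_VERBS and user not in upload_group:
            decisions.append((verb, "block"))
            alerts.append(f"blocked FTP upload: user={user!r} verb={verb} target={arg!r}")
        else:
            decisions.append((verb, "allow"))
    return decisions, alerts


# Constructed sample sessions (not captured traffic).
SESSION_DENIED = ["USER carol\r\n", "PASS x\r\n", "RETR report.pdf\r\n", "stor payroll.xls\r\n"]
SESSION_ALLOWED = ["USER alice\r\n", "PASS x\r\n", "STOR manifest.csv\r\n"]

if __name__ == "__main__":
    for name, session in (("denied", SESSION_DENIED), ("allowed", SESSION_ALLOWED)):
        decisions, alerts = evaluate_session(session)
        print(name, decisions, alerts)
```

Downloads (RETR) pass for every user; only the write verbs trigger the group check, and each block produces one alert line that could feed the e-mail notification.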




tshinder -> RE: Integration of the 3 client type into one (2.Apr.2006 5:12:43 PM)

Hi Ray,

The ISA firewall does the same thing with FTP as does the Check Point server.

When you use the Firewall client, it makes the routing infrastructure transparent, so you don't need to change the default gateway.

HTH,
Tom




netgoalie -> RE: Integration of the 3 client type into one (23.May.2006 4:58:16 PM)

quote:

However, the Firewall and Web proxy client provision is something you can do at the same time now.


Hi Tom:

By this do you mean that credentials are automatically passed from the firewall service to the web proxy service?
In ISA2K, credentials are lost when using the HTTP redirector to redirect from FW to Web Proxy.  I'm told that
the same is true in ISA2004 (no redirector filter any more, but traffic is automatically redirected & credentials are
lost).  Do you know if ISA2006 has changed this behavior such that the FW svc. passes credentials to Web proxy svc?
If not, I think this suggestion still has merit.  We mainly use Web Proxy and only use FW client for applications that
aren't proxy friendly.  Also, we require authentication; but, for any site accessed via FW client, we have to allow
it unauthenticated due to the above.  It would be desirable to require authentication for all web access.

Thanks.



