In our company we are trying to deploy the Microsoft Firewall Client for ISA Server to all our clients; however, I have 2 problems in my mind that need to be answered, and I couldn't find the solution anywhere.
In our company there are 2 gateways: one of them is the ISA server and the other one is an ADSL modem. Both have local IP addresses, such as 10.0.0.6 and 10.0.0.8, but some users need to access both of them at several times; I mean sometimes they need to use the ISA server and sometimes they need to use the ADSL modem. But as I figured out, the ISA Firewall Client doesn't look at the routing table and redirects all traffic to the ISA server, so people who use ADSL are not able to use it. Is there any way to prevent this? My other question is: does the Firewall Client encrypt the HTTP packets? Because we have a web filter (Barracuda Web Filter 310) in our company and it blocks the restricted categorized web sites; however, if the Firewall Client is installed on a computer, it bypasses our web filter. If the Firewall Client has the capability to encrypt the packets, can we disable it? Thanks
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I don't know what you believe the Firewall Client even does. There is nothing mystical about it... it is just a Winsock Layer Service Provider. All it does is monitor calls to Winsock... examine the destination of the traffic... if the destination is not on the LAN it passes it to the ISA... if the destination is on the LAN it ignores it and lets it go on its way "unmolested".
Anyway, the real concern is the second Internet connection (the DSL). Just saying the users "sometimes need it" is not enough. I need to know exactly why they need it, when they need it, what they are actually doing with it... and where they are going when they do it.
I didn't actually understand why you need the information of what our users do on the second line (ADSL). It's not an ISA server related issue, it's just our company policy, and that's something we cannot change. The reason they are using the second line is: we let them use the ADSL gateway when they need to do large downloads from the Internet, so they are not making the corporate gateway busy. My problem is, when the ISA Firewall Client is open, whatever gateway the user chooses, it always passes that traffic to the ISA server. Do you know how I can fix that?
< Message edited by tolgatanriverdi -- 10.Sep.2008 9:44:21 AM >
quote:
I didn't actually understand why you need the information of what our users do on the second line (ADSL). It's not an ISA server related issue, it's just our company policy, and that's something we cannot change. The reason they are using the second line is: we let them use the ADSL gateway when they need to do large downloads from the Internet, so they are not making the corporate gateway busy. My problem is, when the ISA Firewall Client is open, whatever gateway the user chooses, it always passes that traffic to the ISA server.
That is why I need the details of what the second connection is there for and how/why it is used. This stuff does matter.
quote:
Do you know how I can fix that?
You don't, actually, because there isn't anything broken... it is behaving exactly like it is supposed to. You cannot run two Internet connections with ISA. You can only use a second connection when the destination is specific (not general). In such cases the second connection must be either part of the External side of the ISA or a secondary "external" NIC. You then use static routes on the ISA to tell it to use a different "gateway" for particular destinations (hence why the destinations have to be specific).
If the secondary connection exists on the Internal side of the ISA, then the destinations must still be specific, but must also be added to the Internal Network Definition so that the ISA interprets them as "internal". No static route is required in this case because:
1. ISA will not "back-route" it anyway
2. No one on the other end of the connection needs to use your ISA
You will not be able to have SecureNAT clients in this situation, because all the NAT clients will be using this secondary connection as their default gateway and not the ISA.
If none of these measures apply, then the only way the secondary connection can be used is if the user changes their default gateway to the secondary connection, and then disables the Firewall Client and disables all proxy settings from the browser (including the autodetect settings).
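To make the decision order described in this reply explicit, here is an added Python model (not code from the forum, from ISA Server or from the Firewall Client itself) of how a Firewall Client host picks a path compared with a SecureNAT host that only has a routing table. The gateway addresses come from the thread; the download-mirror address 198.51.100.10 and the /24 LAN are constructed.

```python
import ipaddress

# Constructed from the thread: both gateways sit on the LAN.
ISA_GATEWAY = "10.0.0.6"    # ISA server
ADSL_GATEWAY = "10.0.0.8"   # ADSL modem


def in_any(dest: str, networks) -> bool:
    """True if dest falls inside any of the given CIDR ranges."""
    ip = ipaddress.ip_address(dest)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def os_route(dest: str, onlink_subnet: str, default_gateway: str) -> str:
    """The Windows routing table: on-link destinations are delivered directly,
    everything else goes to the host's default gateway."""
    return "direct" if in_any(dest, [onlink_subnet]) else default_gateway


def firewall_client_path(dest, internal_networks, onlink_subnet, default_gateway):
    """Model of the Firewall Client decision described in the thread.

    The client consults only the ISA 'Internal' network definition. A destination
    that is internal is left alone, so the routing table decides; anything else is
    handed to the ISA, whatever default gateway the user has configured.
    """
    if in_any(dest, internal_networks):
        return os_route(dest, onlink_subnet, default_gateway)
    return ISA_GATEWAY


def securenat_path(dest, onlink_subnet, default_gateway):
    """A SecureNAT client has no Firewall Client; only the routing table decides,
    which is why such hosts follow whichever default gateway they are given."""
    return os_route(dest, onlink_subnet, default_gateway)


if __name__ == "__main__":
    lan = "10.0.0.0/24"
    mirror = "198.51.100.10"               # constructed download-mirror address
    # 1. Pointing the default gateway at the ADSL modem does not matter: the
    #    destination is not 'Internal', so the Firewall Client still picks the ISA.
    print(firewall_client_path(mirror, [lan], lan, ADSL_GATEWAY))            # 10.0.0.6
    # 2. Adding the specific destination to the Internal definition, as the reply
    #    suggests, lets the routing table (and so the ADSL gateway) take over.
    print(firewall_client_path(mirror, [lan, mirror + "/32"], lan, ADSL_GATEWAY))  # 10.0.0.8
    # 3. A SecureNAT host defaulting to the ADSL modem never reaches the ISA at all.
    print(securenat_path(mirror, lan, ADSL_GATEWAY))                         # 10.0.0.8
```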
Even if I disable the Firewall Client and change the default gateway to our second line (ADSL), the traffic still goes through the ISA server. Is there any other service that I should disable?
quote:
Even if I disable the Firewall Client and change the default gateway to our second line (ADSL), the traffic still goes through the ISA server. Is there any other service that I should disable?
That is not all I said:
..., then the only way the secondary connection can be used is if the user changes their default gateway to the secondary connection, and then disables the Firewall Client and disables all proxy settings from the browser (including the autodetect settings).