After reading so many different articles I've got my head in a bit of a spin with the methodology I should "try" to implement. So I'm praying that someone can either confirm my thoughts or help with direction.
Background first:
ISA 2006 Enterprise Edge Firewall (2 nics - all updates installed) - currently all users are securenat.
This ISA install is actually a sort of lab environment but I have been asked to make it more accessible to more of our engineers for access to the internet, email (pop, smtp) etc.
All the rules I currently have in place which allow access to pass through the ISA server work fine with securenat and I have no deny rules, except the default "deny everything" which is in place from installation.
Problem:
Ergo... as more people are going to be using this system to get to the outside world I want to start restricting access as to who can get through the firewall and to what (internal to external), so later on I can implement reporting/monitoring if need be. I know securenat cannot do this.
eg: Only the group "Sales" can access smtp and pop3, anybody not a member of that group will be denied. Only the group "Tech" can access http and https, anybody not a member of that group will be denied.
ISA links up to my 2003 AD fine. So I can create a security group in AD, create a group in ISA and place the AD group in the ISA group. Then attach the ISA group to a rule (replacing "All Users").
You know what is coming now I bet :)
How can I enforce that only the groups specified in the rule will allow access to/through that rule?
I know that the webproxy only allows http, https and ftp (via the browser) and it is not recommended to tick the "require all users to authenticate" box on the internal isa nic.
So is my only option to install the firewall client?
To be very honest I would rather not, as it's just another piece of software to install and manage.
If I do have to install the firewall client would this have an impact on laptop users, as all the laptops have McAfee enterprise firewall installed on them (not managed by me) and users do take them home to work from and naturally they will connect them to the internet? Also, where do I find the client on my system to install?
Another thought springing to mind is that some of the users will need to use an FTP client, namely ipswitch ws_ftp. I know you can program up a firewall rule within the app to make it authenticate to the proxy but unsure if ISA would accept such a type of authentication first.
Apologies if I have rattled on somewhat; I have tried to keep this as brief as I can and sensible. I was actually lying in bed last night at 3am thinking of how to put my queries across. Of course it has come out nothing like I imagined :)
Thanks in advance.
Cheers
PS: Sorry, I meant to say at the start I was unsure which group to post in as my problems seem to spread across different areas.
< Message edited by FlashPan -- 11.Feb.2009 12:29:40 PM >
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yes, you will need to use the firewall client if you want to control access to non-web protocols based upon user/group.
Just add the relevant user/group condition to the rule and if the firewall client is installed, it will work, as the connection will provide authentication details which will keep ISA happy. AD users and groups will both work just fine.
Although it's called the Firewall Client, it is not a host based firewall like Windows Firewall or BlackICE etc, but a Winsock proxy client (a kinda redirector for TCP/UDP protocols if you like).
The FW client is also clever enough to disable itself when off the network (e.g. when it can't connect to ISA) so laptop users should be fine when remote....
I will give it a shot :) and let you know how I get on.
Just to be clear though. If I implement the firewall client, I don't need to use the webproxy configuration (was trying wpad) and should I take away the default gateway IP in all the clients' NIC settings?
It is recommended to use both the web proxy and firewall client together... you shouldn't need the clients to be SecureNAT clients anymore once you do this...
At the moment I'm still running some of my clients as securenat and have made 1 laptop a firewall client. There are some issues I'm going to have to work through with some of the rules I have in place, as in who should have access to that rule, but I'm thinking I can make an actual computer instead of a user a member of the AD and ISA groups.
Something to keep in mind is that for Vista and above, you'll need to configure your Firewall clients as SecureNAT clients too, because of some new stuff in the DNS client service.
quote:
ORIGINAL: tshinder
Something to keep in mind is that for Vista and above, you'll need to configure your Firewall clients as SecureNAT clients too, because of some new stuff in the DNS client service.
HTH, Tom
Ah yes, good point...so the new recommendation (to cater for Vista potential) is to configure as all three client types (WP, FW and SNAT)?
This could give me a kink in my planning as I am exclusively using vista.
But so far all works well. I've set up the Vista machines as web proxy and firewall clients (no gateway IP given) and no negative issues to report except 1.
To recap I have been able to:
Assign user group permissions to various elements:
HTTP, HTTPS, SMTP, POP3, IMAP, FTP Client, WSUS to name a few.
The only issue I have is that outlook 2007 cannot resolve the smtp and pop3 address of the external mail server.
Working in securenat it was fine. Using the firewall client I made changes to the config (disable and 0) and it would still not work. So I am now using the ip address of the smtp and pop3 in outlook and it works???
I can only think that this is an issue with my 2003 internal dns servers? But they worked fine under securenat mode?
So that I am prepared for the future, is there any more info about the problems using the firewall client on Vista?
When I downloaded the client from the MS website it did state that it was compatible with Vista.
My only other major task for right now is to get sophos enterprise to download its updates.
I created an access rule to allow http from the internal server holding sophos enterprise to a url set of the update website addresses provided by sophos.
Then within Sophos Enterprise you can add the proxy address of the ISA server and port 8080. Et voila :)
I might be moving over to mcafee at some point so I hope it is as easy as that? :)
A thought though for the recommendation of making vista clients securenat as well as proxy and firewall client.
If I was to enable all 3, which topology would take precedence?
A Vista user starts an internet connection - will the firewall client take that request over 1st by default?
I'm just thinking of how this could affect the access rules in place as to who can and cannot get an internet connection as well as other services.
I'm also thinking that if a Vista user tries to access something which is then blocked by an access rule, will securenat then try the same after the firewall client? If so, will that not mean a lot of "anonymous" access requests appearing in logging etc?
The ISA client type that's used depends on the application and protocol.
If the application supports the Web proxy client configuration - then that will be used first.
If the application doesn't support Web proxy client configuration, but is a Winsock application and uses the TCP or UDP protocols, then the Firewall client will be used.
If the application isn't a Winsock application and doesn't support the Web proxy client configuration, then the SecureNAT client configuration will be used.
So, in reality, it's not the machine that is a Web proxy, firewall or SecureNAT client, it's the specific application on the machine.
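A small model, added here as an illustration (not part of the thread and not ISA's own code), of how the client-type precedence above interacts with group-restricted rules like the Sales/Tech ones asked about earlier. The users, AD groups, protocol names and rule order are constructed, and the engine is a simplification of ISA's real evaluation.

```python
"""Constructed model: which client type handles an application, what identity
ISA sees as a result, and which ordered access rule therefore matches."""

# Constructed AD group memberships (assumed to be resolved by ISA via AD).
GROUPS = {"alice": {"Sales"}, "bob": {"Tech"}, "carol": set()}

# Ordered access rules, evaluated top to bottom; None means "All Users" /
# "All protocols". The last entry models ISA's default deny rule.
RULES = [
    {"name": "Sales mail", "protocols": {"SMTP", "POP3"}, "group": "Sales", "action": "allow"},
    {"name": "Tech web", "protocols": {"HTTP", "HTTPS"}, "group": "Tech", "action": "allow"},
    {"name": "Default rule", "protocols": None, "group": None, "action": "deny"},
]

def client_type(protocol, app_supports_web_proxy, app_is_winsock):
    """Precedence from the thread: Web proxy client first (browser-style
    HTTP/HTTPS/FTP), then Firewall client for Winsock TCP/UDP apps, then
    SecureNAT for everything else."""
    if app_supports_web_proxy and protocol in {"HTTP", "HTTPS", "FTP"}:
        return "webproxy"
    if app_is_winsock:
        return "firewall"
    return "securenat"

def identity_seen_by_isa(ctype, logged_on_user):
    """Web proxy and Firewall client connections carry credentials; a
    SecureNAT connection arrives anonymous no matter who is logged on."""
    return logged_on_user if ctype in ("webproxy", "firewall") else None

def evaluate(protocol, user):
    """Return (rule name, action, identity) for the first matching rule.
    A rule with a group condition is skipped when no identity is present
    or when the identity is not a member of that group."""
    for rule in RULES:
        if rule["protocols"] is not None and protocol not in rule["protocols"]:
            continue
        if rule["group"] is not None:
            if user is None or rule["group"] not in GROUPS.get(user, set()):
                continue
        return rule["name"], rule["action"], user or "anonymous"
    raise RuntimeError("no rule matched; ISA always ends with a default deny")

def request(protocol, logged_on_user, app_supports_web_proxy, app_is_winsock):
    """Full path for one application request: client type, then rule outcome."""
    ctype = client_type(protocol, app_supports_web_proxy, app_is_winsock)
    ident = identity_seen_by_isa(ctype, logged_on_user)
    return (ctype,) + evaluate(protocol, ident)
```

The interesting case is a Sales member sending SMTP from an application that is not a Winsock client: it goes out as SecureNAT, arrives anonymous, skips the "Sales mail" rule and lands on the default deny, which is why the SecureNAT connection cannot satisfy a user/group rule.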
I'm assuming this is the same scenario for Windows 7? This reminds me of when you don't have a default gateway assigned to your NIC and you try to set up Outlook 2007 manually for your Exchange server: it will not resolve the Exchange server name. There's a registry fix for it but it just does not make sense.
At work (they used to use ISA, I don't know if they still do), when we go to surf the Net in Explorer/Firefox, the standard Windows pop-up authentication screen appears and we have to type in our network name and password in order to surf sites that are not on the company intranet. This was implemented in conjunction with some filtering system which logs who visited what site.
I have no idea how they do it (am interested myself), but this might be a useful solution. We don't have any firewall client installed.