Welcome to ISAserver.org

Convince me that there's actually a point to the Firewall Client...

Convince me that there's actually a point to the Firewa... - 11.Oct.2005 9:36:00 PM   
a13antichrist

 

Posts: 46
Joined: 5.Jul.2005
Status: offline
I'm having a little trouble grasping the utility of this thing. OK sure, if you want to allow your users to access the web with a whole variety of applications, it might be worthwhile. But what about when your interest is in keeping things as tight as possible - which is the way it should be anyway.

The first thing I've noticed is that regardless of the proxy settings you put in Internet Explorer, Internet Explorer can nevertheless access the internet. Fortunately, the Firewall client is short-sighted enough to not consider the fact that anyone would ever want to use anything other than Internet Explorer, so this can be killed either by creating a program entry for iexplore in the FWC settings & setting to disable=1 (to not use the FWC settings). Or alternatively just remove all Proxy config settings from the ISA FWC configuration; though I haven't tried that and am not sure what else it might break.

This would be a workaround; however looking at what the FWC is actually bringing to the table makes me wonder whether it's worth going through that bother. On my LAN Firefox is the ONLY application that should have access to the external interface from client machines. Now, I'm told I can use the FWC configured for Direct Access for my internal [OWA] web server that the users need to access; this is supposed to use the Firewall client to pass authentication to the ISA server, so that I can then authenticate using Integrated Authentication to the Website itself.

That all sounds lovely.. except that it doesn't work. If I set user access rules on the HTTP/S access rule from the internal network to the DMZ where the webserver is, I get an authentication box. Doesn't sound like transparent passing of credentials to me! If I turn off the authentication on the access rule it works fine, but then I've lost both user control AND the ability to redirect / to /exchange - which is worse than before! I've configured the app with disable=0 in the firewall client configuration.

On the other hand, why would you even want to do this? The very purpose of putting the ISA there was to PROTECT the internal network by allowing the ISA to inspect the traffic; if it's just going to need bypasses for everything I want to access, how is that helping at all??

So where's the advantage? Or what is it that I haven't set up properly?

[ October 11, 2005, 09:41 PM: Message edited by: a13antichrist ]
Post #: 1
RE: Convince me that there's actually a point to the Fi... - 12.Oct.2005 1:43:00 PM   
jay24k

 

Posts: 22
Joined: 18.May.2005
Status: offline
Do you need it? No
But we do. Why? Without it, you can't go to any secure websites. That's the way it should be set up. If you allow anonymous connections, then I can see why.

(in reply to a13antichrist)
Post #: 2
RE: Convince me that there's actually a point to the Fi... - 12.Oct.2005 5:49:00 PM   
a13antichrist

 

Posts: 46
Joined: 5.Jul.2005
Status: offline
Hi Jay,

The point is I don't want to use anonymous access but at the moment I'm forced to because the FWC isn't passing auth info like it's supposed to.

(in reply to a13antichrist)
Post #: 3
RE: Convince me that there's actually a point to the Fi... - 13.Oct.2005 8:22:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:
"If I set user access rules on the HTTP/S access rule from the internal network to the DMZ where the webserver is, I get an authentication box"

Have you taken a sniff to see if this is an HTTP 401 or is it a 407 response?

(in reply to a13antichrist)
Post #: 4
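
The 401-versus-407 question above decides which tier issued the challenge: a 401 with WWW-Authenticate comes from the web server, a 407 with Proxy-Authenticate from the proxy. The sketch below is an added example, not part of any post in this thread; the sample responses are constructed, the function names are illustrative, and it assumes one challenge per header line.

```python
import re

# Constructed sample response heads (not captured from the poster's network).
SAMPLE_PROXY = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Via: 1.1 ISA-EXAMPLE\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Basic realm=\"isa.example.test\"\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_ORIGIN = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Which header carries the challenge for each status code.
CHALLENGE_HEADER = {401: "www-authenticate", 407: "proxy-authenticate"}

def classify_challenge(raw):
    """Return (status, challenger, schemes) for one raw HTTP response head."""
    text = raw.replace("\r\n", "\n")          # tolerate either line ending
    lines = text.split("\n\n", 1)[0].split("\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    status = int(m.group(1))
    wanted = CHALLENGE_HEADER.get(status)
    if wanted is None:
        return status, "none", []
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == wanted and value.strip():
            schemes.append(value.split()[0])  # scheme token precedes any params
    challenger = "proxy" if status == 407 else "origin server"
    return status, challenger, schemes

def prompt_likely(schemes):
    """Heuristic: with no integrated scheme offered, the client has to ask."""
    return not any(s.lower() in ("negotiate", "ntlm") for s in schemes)

if __name__ == "__main__":
    for sample in (SAMPLE_PROXY, SAMPLE_ORIGIN):
        print(classify_challenge(sample))
```

Feed it the response head from a capture taken on the client: a 407 points at the access rule's user requirement on the firewall, a 401 at the web site's own authentication settings.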
RE: Convince me that there's actually a point to the Fi... - 21.Oct.2005 4:06:00 AM   
pnoble

 

Posts: 4
Joined: 21.Oct.2005
Status: offline
Here any non-IE always gets prompted; IE is fine, however, which leads me to think that the FWC only hands the credentials off to IE.

One thing that did surprise me about the FWC... it's there to enable complex web apps to work without much configuration; as Jim said some time ago, it's an enabler not a disabler. However, maybe I'm missing a point here, but ISA2004 has a default deny on everything unless explicitly allowed, except in the FWC where it's the other way round.

So in policing the FWC connections it's always a reactive-after-the-fact app filter that has to be created to explicitly block an app, rather than default deny and then explicitly allowing.

(in reply to a13antichrist)
Post #: 5
RE: Convince me that there's actually a point to the Fi... - 25.Oct.2005 12:11:00 AM   
a13antichrist

 

Posts: 46
Joined: 5.Jul.2005
Status: offline
You can add config options for Firefox and Netscape to allow the FWC to transparently auth those apps. However since both those apps CAN auth to the Web Proxy filter, and I don't want any other apps to access the web, my conclusion is that I actually don't want the FWC installed at all, since as you say, it's an enabler, not a disabler. If I install it I have to go through and disable every app that Microsoft has stuck in by default that I don't want accessing the Internet.
Not to mention the fact that it lets IE out to the net without having the Proxy settings set correctly - and you have to perform another fix-it step to correct that as well! And that step is also flaky - if you set the HTTP redirector to drop all HTTP requests, you then can't get the transparent auth from Netscape and Firefox. Typical...

(in reply to a13antichrist)
Post #: 6
