SecureNAT clients have to resolve names themselve, Web Proxy clients allow the ISA firewall to do it. So, always configure clients as Web Proxy clients since all OS's support this config and its better performance and more secure.
Thanks Tom, I'm sorry if I'm a little confused, I'll try to articulate why...
Wouldn't it be easier and just as secure to simply set the gateway to be the ISA server and not have to set the proxy on every computer in the organization? If I set the gateway on a client's computer to be the address of the ISA server, and a client clicks on an external address in the web browser, the client's computer hits the gateway (my ISA server) to route externally and ISA filters accordingly. The problem comes in the fact that ISA listens on port 8080 instead of 80 for web traffic (presumably so that it doesn't step on IIS's toes--which also listens on port 80). If I'm not using port 80 on IIS, and if I could switch the HTTP filter to use port 80 instead of 8080, then all I need to do is change DHCP to pass the ISA server's address as the gateway and everything should work.
The Web Proxy client configuration is *orders of magnitude* more secure than the SecureNAT client configuration. In fact, the SecureNAT configuration is for non-Windows clients and servers. For all MS client operating systems, you should always configure the clients as both Firewall and Web Proxy clients. Failing to do so dumbs the ISA firewall configuration down to a common PIX!
Thanks Tom. Could you explain (or point me to an article that explains) why the ProxyClient configuration is so much better than a SecureNAT client?
My company develops software which offers our customers with a wide range of database engines to choose from--one of them being Pervasive SQL. I have discovered that Pervasive 2000i and the MS Firewall client do not play nice together. We unfortunately have a lot of clients who are still using Pervasive 2000i, so I'm stuck. I can't load the MS Firewall Client on most of the computers in the organization.
Before the meeting to discuss whether we roll-out ISA as SecureNAT instead of ProxyClient, I'd like to know what we would be missing with SecureNAT so I can make a strong argument.
The Web Proxy client and Firewall client configs are completely different.
But, if you wanted to work with the Firewall client, what is the *exact* reason for the possible (maybe more apparent than real) conflict with the Firewall client software and the DB product? Does the DB product actually change the Windows TCP/IP stack? That is VERY strange if so.