FIrewall Client installation on ISA Server (Full Version)

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client



Message


faisy -> FIrewall Client installation on ISA Server (20.Sep.2002 10:27:00 PM)

Im using a dialup & ISDN each with standaloone ISA sever. On both PCs two of our manager do their day to day work. They also needed outlook. To configure it properly I installed ISA Firewall Client on ISA server. During installation it says, it is not recommended to install it on ISA. But without it outlook wasn't working. Even I''ve configured POP3 & SMTP including the access rules.

But some times it create problems of outlook unable to connect POP3/SMTP server on ISA. While ISA clients use outlook on the same POP3/SMTP server withoooout any error.

What are the problems which arises after using client on ISA itself?

Also are there any problems in using MS Terminal service on ISA. We are using it for some tasks which we need to do on remote or on ISA server.




tshinder -> RE: FIrewall Client installation on ISA Server (20.Sep.2002 10:46:00 PM)

Hi FNF,

Never, EVER install the Firewall client on the ISA Server. It is a *forbidden* configuration.

HTH,
Tom




faisy -> RE: FIrewall Client installation on ISA Server (20.Sep.2002 11:02:00 PM)

quote:
Originally posted by tshinder:
Hi FNF,

Never, EVER install the Firewall client on the ISA Server. It is a *forbidden* configuration.

HTH,
Tom

Ok fine. But tell me how to enable outlook to access remote POP3/SMTP account, if I use to work on ISA server instead of being on client machine?

Secondly what are the effects on ISA if I do so?




spouseele -> RE: FIrewall Client installation on ISA Server (20.Sep.2002 11:06:00 PM)

Hi FNF,

for applications on ISA itself, you'll have to define packet filters to get outbound access. POP3 uses TCP port 110 outbound and SMTP uses TCP port 25 outbound.

HTH,
Stefaan




faisy -> RE: FIrewall Client installation on ISA Server (21.Sep.2002 1:32:00 PM)

quote:
Originally posted by spouseele:
Hi FNF,

for applications on ISA itself, you'll have to define packet filters to get outbound access. POP3 uses TCP port 110 outbound and SMTP uses TCP port 25 outbound.

HTH,
Stefaan

I've defined the POP3 & SMTP packet filters to allow traffic of these protocols. But when I use outlook on ISA server, it doesn't work witout firewall client. Some times it does if I disable firewall client. Web browsing works fine. Any reason for that strange behaviour of outlook on ISA server?




spouseele -> RE: FIrewall Client installation on ISA Server (21.Sep.2002 1:45:00 PM)

Hi FNF,

I assumed you have first followed Tom's advice "Never, EVER install the Firewall client on the ISA Server. It is a *forbidden* configuration." and de-installed the Firewall client on ISA. Once that done, use packet filters to get outbound POP3/SMTP access with Outlook on ISA.

HTH,
Stefaan




faisy -> RE: FIrewall Client installation on ISA Server (23.Sep.2002 10:35:00 AM)

quote:
Originally posted by spouseele:
Hi FNF,

I assumed you have first followed Tom's advice "Never, EVER install the Firewall client on the ISA Server. It is a *forbidden* configuration." and de-installed the Firewall client on ISA. Once that done, use packet filters to get outbound POP3/SMTP access with Outlook on ISA.

HTH,
Stefaan

I've already defined POP3 & SMTP packet filters. Now I've even uninstalled the Firewall Client.

Now guess what? Every client is able to connect to remote POP3 server. But on ISA I'm unable to connect to that POP server using MS Outlook.

Any idea how to make it work on ISA server? Its not working after uninstalling Firewall Client.




spouseele -> RE: FIrewall Client installation on ISA Server (23.Sep.2002 9:01:00 PM)

Hi FNF,

hmm... I've reread the complete topic and now I see you are using a dialup connection for the external interface. I have never used dialup connections on ISA, but If I remember well that will *not* work. Only the web proxy and firewall service seems to trigger the dialup connection, not traffic originating on the ISA server itself and allowed by packet filters. So, ...

BTW --- ISA is supposed to be a firewall, not a general purpose workstation or application server! [Razz]

HTH,
Stefaan




faisy -> RE: FIrewall Client installation on ISA Server (23.Sep.2002 9:56:00 PM)

quote:
Originally posted by spouseele:
Hi FNF,

I've reread the topic and now I see you are using a dialup connection for the external interface. I have never used dialup connections on ISA, but If I remember well that will *not* work. Only the web proxy and firewall service seems to trigger the dialup connection, not traffic originating on the ISA server itself and allowed by packet filters. So, ...

BTW --- ISA is supposed to be a firewall, not a general purpose workstation or application server! [Razz]

HTH,
Stefaan

Hi Spouseele,

I'm using one ISA on Dialup connection for almost 8 months & it was & is working perfectly. (except that POP / SMTP issue) Same is the case with our 2nd ISA, which is having ISDN connection.

Any way now I've uninstalled Firewall client on my ISA server. For POP & SMTP I temporarily enable All Incoming / Outgoing Traffic & then disable that filter.That is how now Im using Outlook on ISA. (I know its even worst that earlier case. [Frown] )

I think you are right by saying " ISA is supposed to be a firewall, not a general purpose workstation or application server "

Now can any one tell me why Firewall Client is not recommended on ISA. (I know even during its installation, it says its not recommended..)




spouseele -> RE: FIrewall Client installation on ISA Server (23.Sep.2002 11:15:00 PM)

Hi FNF,

you will have to ask that question to Microsoft! [Razz]

The Firewall client is a Winsock Redirector and is implemented as a Winsock LSP (Layered Service Provider) service. Basically, it intercepts all winsock requests (TCP/UDP), checks if the requested destination is in the LAT and if that's not the case forward the request to the Firewall service on ISA. If you want more information on how it works, check out my article http://www.isaserver.org/pages/article.asp?id=347 .

So, it seems rather obvious to me that intercepting requests on the firewall itself and forwarding them to the firewall service on the same server is asking for trouble. The Firewall client is just not designed to be implemented on ISA itself! [Big Grin]

HTH,
Stefaan




tshinder -> RE: FIrewall Client installation on ISA Server (23.Sep.2002 11:18:00 PM)

Hi FNF,

If you're running applications on the ISA Server itself (POP, SMTP, NNTP, etc), you need to create packet filters to support them. Since you're sitting at the ISA Server, you can manually dial up the connection.

HTH,
Tom




spouseele -> RE: FIrewall Client installation on ISA Server (23.Sep.2002 11:30:00 PM)

Hi Tom,

thanks for dropping in because I have no experience with dialup connections! [Big Grin]

Thanks,
Stefaan




faisy -> RE: FIrewall Client installation on ISA Server (24.Sep.2002 11:44:00 AM)

quote:
Originally posted by tshinder:
Hi FNF,

If you're running applications on the ISA Server itself (POP, SMTP, NNTP, etc), you need to create packet filters to support them. Since you're sitting at the ISA Server, you can manually dial up the connection.

HTH,
Tom

I've defined POP3 & SMTP packet filters to allow traffic of these protocols. On clients its working perfectly, but on ISA server it isn't working.

Im really thankful to you & spouseele for giving me your ideas on this topic.




faisy -> RE: FIrewall Client installation on ISA Server (24.Sep.2002 2:35:00 PM)

I forgot to mention that my dialup & ISDN accounts have Static IPs on external interfaces. [Smile]




T_Lawson -> RE: FIrewall Client installation on ISA Server (27.Sep.2002 3:36:00 PM)

Here is what Microsoft has to say...

The Internet Security and Acceleration Server 2000 Firewall Client Is Not Supported on Internet Security and Acceleration Server 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q304919

You Do Not Receive a Warning Not to Install ISA Firewall Client on ISA Server 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313430




tshinder -> RE: FIrewall Client installation on ISA Server (30.Sep.2002 8:19:00 PM)

quote:
Originally posted by spouseele:
Hi Tom,

thanks for dropping in because I have no experience with dialup connections! [Big Grin]

Thanks,
Stefaan

Hi Stefaan,

Thanks! I support a good number of ISDN connections, so I have experience with that. All those ISDN links have dedicated IP addresses though.

Thanks!

Tom




tshinder -> RE: FIrewall Client installation on ISA Server (30.Sep.2002 8:21:00 PM)

quote:
Originally posted by FastNFurious:
I forgot to mention that my dialup & ISDN accounts have Static IPs on external interfaces. [Smile]

Hi FNF,

If you have packet filters for POP3 and the other protocols, you will be able to use the client apps on the ISA Server.

How do you have the packet filters configured?

Thanks!

Tom




faisy -> RE: FIrewall Client installation on ISA Server (1.Oct.2002 11:21:00 AM)

quote:
If you have packet filters for POP3 and the other protocols, you will be able to use the client apps on the ISA Server.

How do you have the packet filters configured?

Under Access Policy > IP Packet Filters I've created two filters for SMTP & POP3 using predefined filters for POP3 & SMTP. Under Local Computer tab its Default IP on the external interface. Under Remote Computer its for All REmote Computers.




tshinder -> RE: FIrewall Client installation on ISA Server (1.Oct.2002 5:49:00 PM)

Hi FNF,

You better check the directions on those packet filters [Big Grin]

(you need to create your own).

HTH,
Tom




Page: [1]