• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

FW client and other browser apps

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> FW client and other browser apps Page: [1]
Login
Message << Older Topic   Newer Topic >>
FW client and other browser apps - 21.May2003 2:04:00 PM   
Guest
Hello All,

I have a pc that has the fw client that connects over the internet to a remote citrix server. The problem is they have to connect to the WAN (which is a totally different connection)with IE to run another browser app, which doesn't need to go through the ISA server. Is there a way to circumvent the fw client for that app?
  Post #: 1
RE: FW client and other browser apps - 21.May2003 10:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kevinl,

can you give us some more info about the exact network setup? A little simple ASCII diagram can explain a lot. Just place it between the Instant UBB Code tag 'CODE'.

HTH,
Stefaan

(in reply to Guest)
Post #: 2
RE: FW client and other browser apps - 22.May2003 4:19:00 PM   
Guest
I don't know how to do the ubb code thing so I'll give my best stick figure!

/--internet gw
ISA x.x.152.102
ie 152.102 /-------/
Client w/FW-------|
gw 152.1 \-------\
\--WAN gw x.x.152.1

The client is setup as a webproxy client with a firewall client. The internet works fine, but we have a browser based app that needs to go out through the WAN gw. The client gw is set to the WAN router. I have a static route on the client that is supposed to route the app through the WAN, but it seems the firewall client will not let this happen. I'm guessing because the app is using the browser and the browser is locked into the firewall client. I set the advanced under proxy to bypass the address the app needs, but it doesn't work.

Thanks

(in reply to Guest)
  Post #: 3
RE: FW client and other browser apps - 22.May2003 4:39:00 PM   
kevinl

 

Posts: 8
Joined: 22.May2003
Status: offline
oops, that didn't work.

code:
            /-------isa----internet
client----------|
\--------------WAN GW

The description from the previous post explains it.

[ May 22, 2003, 04:39 PM: Message edited by: kevinl ]

(in reply to Guest)
Post #: 4
RE: FW client and other browser apps - 23.May2003 12:01:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kevinl,

to understand how the client host should be configured, you must first understand on which layer in the TCP/IP protocol stack the different ISA client types works. Check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html , section 4 'Configuring ISA Clients' for further info.

Assuming you *completely* trust the destinations reachable through the WAN, you should include those destinations in the LAT on ISA server. This will tell the Firewall client *not* to redirect those requests to the ISA server. Following the same logic, those destinations should also be configured for direct access in the Web Proxy configuration. How the default gateway should be set on the client is depending on your internal network structure. If you point the default gateway to the WAN router you don't need a static route.

Now, what if you don't trust the destinations reachable through the WAN? You can configure a tri-homed ISA server and use the DMZ interface to connect to the WAN router. The important point here is that you can't use a default gateway on this interface. So, you should explicitely define on ISA static persistent routes for the destinations reachable through the WAN router. To learn more about this configuration, check out:
- http://www.isaserver.org/tutorials/ISA_Server_DMZ_Scenarios.html
- http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fwc110801%2Fwcblurb110801%2Easp

HTH,
Stefaan

(in reply to Guest)
Post #: 5
RE: FW client and other browser apps - 23.May2003 6:21:00 PM   
kevinl

 

Posts: 8
Joined: 22.May2003
Status: offline
Hello Spouseele,

Very informative article. Thanks. My default gateway on my client is set to the WAN ip. The browser is set to bypass isa for the WAN address considered local. The WAN ip is in the LAT. None of these has worked. I guess I'll try something else. Thanks!

[ May 23, 2003, 07:13 PM: Message edited by: kevinl ]

(in reply to Guest)
Post #: 6
RE: FW client and other browser apps - 23.May2003 9:23:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kevinl,

you said "The browser is set to bypass isa for the WAN address considered local. The WAN ip is in the LAT." What do you mean with the WAN IP? It sounds like this is the IP address of the WAN router. If that's the case, it will not work. [Razz]

Reread carefully my previous post. I told you to include the destinations reachable through the WAN in the LAT on ISA server and configure them for direct access in the Web Proxy configuration too. It should work this way! [Big Grin]

HTH,
Stefaan

(in reply to Guest)
Post #: 7
RE: FW client and other browser apps - 27.May2003 5:52:00 PM   
kevinl

 

Posts: 8
Joined: 22.May2003
Status: offline
When I say "WAN IP", I mean the address I need to connect to over the WAN, not the WAN router. It is in the LAT and the web proxy configuration. So I guess it's back to the drawing board.

Thanks!

(in reply to Guest)
Post #: 8
RE: FW client and other browser apps - 27.May2003 10:09:00 PM   
kevinl

 

Posts: 8
Joined: 22.May2003
Status: offline
I spoke too soon. I have been informed that the setup worked. Always check out your own work I guess. Thanks

(in reply to Guest)
Post #: 9
RE: FW client and other browser apps - 28.May2003 10:03:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Kevinl,

good to hear you have it working and thanks for the follow up! [Smile]

Stefaan

(in reply to Guest)
Post #: 10

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> FW client and other browser apps Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts