I'm stuck and stumped and really looking for help and suggestions on what I can do to allow the ISA Firewall Client to coexist with ZoneAlarm and still be able to access the Windows Update site, specifically to allow auto-update to work on the client!
Here is the background to my problem:
I have a client that was originally configured with an ISA Firewall client. The client was working as expected.
Recent events (spyware) have forced me to look for ways to secure the client. My choice is ZoneAlarm Pro.
I installed ZoneAlarm Pro and everything has worked as expected except the Microsoft Windows Update website function fails with the error message: 0x80072F76.
I am expected to roll out ZoneAlarm to several dozen more PCs configured with ISA Firewall Client. This would disable the auto-update feature and I will be forced to update the dozens of computers manually. This is unacceptable to me! Here is a bit more background:
1) If I turn off Ad blocking and Cookie control in ZoneAlarm with the Firewall client installed and "use proxy" enabled in IE6 the update site works.
2) If I turn off ZoneAlarm the update site works.
3) I tried adding my LAT to the trusted sites (range) in ZoneAlarm but that did not help.
I've talked to ZoneAlarm support but they appear clueless. Their best suggestion was the holy grail of dumb support: uninstall / reinstall ZoneAlarm. I did as they asked but of course it made no difference.
I did my own research and found that:
If I uncheck "Use proxy server for your LAN connection" in IE6 with the default ZoneAlarm installation settings, the Windows Update site works just fine. This proves that there is a conflict between the use of the proxy server (which was auto-configured when I installed the firewall client) and ZoneAlarm! Now if I can just figure out how to correct it...
Here is the latest update from ZoneAlarm support. They basically gave up and said that ZoneAlarm and ISA Firewall Client are incompatible. Can someone please concur or refute these statements? I require a Firewall client that will control what leaves the PC (as shown by leaktest.exe).
STRAIGHT FROM ZONEALARM TECH SUPPORT "Due to the potential for conflicts and problems that can arise from using multiple firewalls, Zone Labs recommends the use of only ZoneAlarm and a virus scanner."
"When multiple software firewalls are installed, there is no way of ordering which product will get a packet and which will report it; the determination as to which product gets operating system preference to monitor the traffic will be made at random. When running more than one firewall, ZoneAlarm might not be able to report on incoming port scans or hack attempts."
"In some cases, running two software firewalls at the same time can cause more problems than running only one."
Sorry for the late response but I never got time to come back to this.
If you read the last paragraph of your first post carefully you see that:
- Case 1 - Windows update works just fine if you UNCHECK the "Use a proxy server" checkbox.
(Let's take a look at what's happening behind the scenes. You remove IE proxy settings and try to open windowsupdate.com or whatever site. An Internet bound request for windowsupdate.com is generated. The firewall client traps the request and sends it to the configured ISA server. ZoneAlarm never gets its hands on the packets. Everything works fine.)
- Case 2 - Windows update doesn't work if you put back the proxy settings in IE.
(Let's see what's happening behind the scenes here. By putting in proxy settings, you've told IE to send all Internet bound requests to a proxy server on your LAN. This traffic is NOT intercepted by the firewall client and IE will work even if you removed the firewall client. ZoneAlarm sees this outgoing traffic and, due to whatever reason it has, blocks the traffic and windowsupdate doesn't work.)
Zonelabs support said that it cannot be determined which firewall product will get the traffic and it will be selected at random which product gets OS preference to monitor the traffic. Well, "at random" is the default explanation when you don't have a clue. In your scenario it is clear that it works fine from firewall client PCs and doesn't from webproxy clients, which clearly shows that the firewall client is intercepting the traffic before ZoneAlarm can, which is why everything works fine from firewall clients. Problems show up only when requests are sent to the webproxy service. This traffic can be intercepted by ZoneAlarm.
Since it doesn't work from web proxy clients (those with IE proxy settings configured) and Firewall client is NOT playing any role here, I suggest you remove firewall client completely from a pc and see if it works. Technically it shouldn't. But this will give you the option to tell Zonelabs support that it didn't work even after you removed the other firewall component. Then they'll have to sit down and figure out why Zonealarm is blocking windowsupdate traffic.
Just try this, and let me know whatever your findings are and if my hypothesis is correct or not.
I've done as you asked, and it worked and failed exactly as you described. I've sent a note detailing those facts to Zone Labs with the following information: After removing the ISA Firewall Client software:
WINDOWS UPDATE WORKS WHEN:
1) ZoneAlarm is shut down AND proxy server is enabled
2) ZoneAlarm is running AND proxy server is disabled
3) ZoneAlarm is shut down AND proxy server is disabled
WINDOWS UPDATE FAILS WHEN:
4) ZoneAlarm is running AND proxy server is enabled
I'll post the reply as soon as I receive it.
I appreciate the help, it's very kind of you, thank you.
Good to see your reply. But there are a few more things I wanna ask. You said that after removing the Firewall Client software, windowsupdate works even when the proxy server is disabled (by proxy server disabled I believe you mean proxy settings removed in IE), no matter whether ZoneAlarm is running or shut down. Good! It's good when things work. Even better if you understand how they do. That's what I wanna do.
You removed firewall client which is one of the three possible ways to connect to ISA's services. The other two are webproxy client (same thing as proxy settings in IE or other proxy aware apps) and the SNAT clients (that you configure by putting the internal ip of the isa box in the default gateway of your clients' tcp/ip configuration). You also removed the proxy settings in IE. STILL windowsupdate worked.
Have you by knowledge or by chance configured your client machines as NAT clients too? Do they have the internal ip of ISA server in their tcp/ip config as the default gateway? I believe that's the case since there is no fourth way to connect to ISA's services and the first two methods have been disabled as you told me.
Well, this also tells us something more. After removing the firewall client, if the Internet bound traffic is reaching the ISA server through the standard TCP/IP interface (checking netmask and sending to default gateway and all), ZoneAlarm SHOULD be able to monitor this traffic as well, being the only and lonely firewall on the system. STILL windowsupdate works. This means this is an issue with how ZoneAlarm handles traffic through a proxy server. Check and see if what I've said about your clients' TCP/IP configuration is correct. If it is, forward this information as well to Zonelabs. It might help 'em figure out why ZoneAlarm is behaving like it is and also cook up a better answer than "at random". I'll be waiting for your reply. This is a pretty interesting scenario we got here.
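The post above turns on three client-side facts: whether the Firewall Client is installed, whether IE has proxy settings ("web proxy client"), and whether the ISA box is the default gateway ("SNAT client"). The PowerShell below is an added diagnostic, not from this thread and not an ISA or Zone Labs tool; it reads those three facts and reports which path a browser request takes, following the thread's reasoning. The ISA internal address and the service display-name pattern used to detect the Firewall Client are assumptions.

```powershell
# Added example (not from the thread): report which ISA client mode(s) this
# Windows machine is configured for, so "who sees the traffic first" can be
# answered from the client's own settings rather than guessed.
# Assumptions: the ISA internal IP is passed in; the Firewall Client is
# detected by a service whose display name matches a pattern (assumed);
# run as the interactive user whose IE settings are in question.
function Get-IsaClientMode {
    param(
        [Parameter(Mandatory)][string]$IsaInternalIp,
        [string]$FirewallClientServicePattern = '*Firewall Client*'   # assumed pattern
    )

    # Web proxy client: the IE "Use a proxy server" checkbox is stored in the
    # per-user Internet Settings key as ProxyEnable (1 = on) and ProxyServer.
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $webProxy    = ($ie.ProxyEnable -eq 1)
    $proxyServer = if ($webProxy) { $ie.ProxyServer } else { $null }

    # SNAT client: the ISA box is the default gateway in the TCP/IP configuration.
    $gateways = @(Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } |
        ForEach-Object { $_.DefaultIPGateway })
    $snat = $gateways -contains $IsaInternalIp

    # Firewall client: look for its Windows service (display-name pattern is an assumption).
    $fwc = [bool](Get-Service | Where-Object { $_.DisplayName -like $FirewallClientServicePattern })

    # Path a browser request takes, per the thread: IE proxy settings win (IE
    # talks to the proxy port itself, so a host firewall sees that traffic),
    # otherwise the firewall client intercepts the Winsock call, otherwise the
    # request is routed to the default gateway.
    $path = if ($webProxy) { 'IE -> web proxy service (visible to host firewall)' }
            elseif ($fwc)  { 'firewall client -> ISA firewall service' }
            elseif ($snat) { 'default gateway -> ISA firewall service (SNAT)' }
            else           { 'no ISA path configured' }

    [pscustomobject]@{
        FirewallClient  = $fwc
        WebProxyClient  = $webProxy
        ProxyServer     = $proxyServer
        SnatClient      = $snat
        DefaultGateways = ($gateways -join ',')
        BrowserPath     = $path
    }
}

# Usage (the ISA address below is a placeholder, not a value from the thread):
Get-IsaClientMode -IsaInternalIp '192.168.0.1' | Format-List
```

Run it on a machine in each of the four states from the test matrix earlier in the thread; the BrowserPath field is the one that changes when the IE proxy checkbox is toggled, which is exactly the variable the failing case depends on.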
Yes, I have the ISA Server as the client's IP gateway. Good call, I'm pretty new at this, but I still should have realized the significance within this scenario. Thanks for pointing it out. I also forwarded that piece of information on to Zone Labs. I'm guessing they won't get back to me until Monday morning (I don't think they staff on the weekends). I'll let you know when I get a response.
Hope you are having a good weekend, and as always thank you!
Yes, I am having a great weekend. Trying to meet deadlines! So finally we identified your problem. Let's get to finding a solution now.
So far our finding is that ZoneAlarm is causing Windowsupdate to fail when IE proxy settings are configured. One simple way to fix this would be to remove the IE proxy settings while having the firewall client installed. IE would still work 'cause the firewall client will pick up all the requests and redirect them to ISA's firewall service.
Step 2. When web requests arrive at the ISA box, they are treated as directed by the HTTP redirector filter. The default setting is to redirect requests to the web proxy service. Back to where we started! Again we've got web requests being processed by the webproxy service. But this time ZoneAlarm doesn't know this. The question now is, "Will Windowsupdate work or not?" I can't say for sure but probably it will. If it does, you can chill and have a great weekend. Problem solved.
However there are some downsides to this. If you are using user level authentication, this configuration will cause your web requests to fail 'cause user credentials are torn off by the HTTP redirector when redirecting requests from the firewall to the web proxy service.
You can get around this problem by configuring the HTTP redirector not to redirect requests to the webproxy service and to send them directly to the requested server. But this has a downside too. Web requests will never be processed by the web proxy and won't be able to take advantage of the web cache maintained by the web proxy. (This could be verrrry important when downloading dozens of megabytes of updates on a couple hundred computers.)
So weigh out your options and decide what configuration suits you best. I don't know if you are using user level authentication or not, else I could tell you. Try this and let me know whatever your findings are. Also keep me posted on what Zonelabs say this time. Hope you are having a good weekend too. HTH.
I just realized something. You said Windowsupdate worked without the firewall client and without the IE proxy settings.
-1- You are NOT using user level access control. (NAT clients cannot pass user credentials).
-2- Windowsupdate WILL work without the proxy settings and firewall client installed. (NAT requests are also processed by the firewall service so Windowsupdate should have no problem with firewall client.)
Great. I think your problem is already solved now. You can just install the firewall client, remove the IE proxy settings and rest in peace. Think about a nice weekend. But do write and tell me about Zonelabs' response. I'd be interested in what answer they cook up this time.
Well, what's obvious to you is new knowledge for me! To paraphrase what I think you said:
"Removing the IE Proxy settings while leaving the ISA firewall client installed will still default to having requests redirected to (make use of) the proxy server."
With the end result being
ISA Firewall client and ZoneAlarm can coexist and the client(s) will still be serviced through a proxy server and Windows update will work as designed.
If I interpreted you correctly, this provides a complete solution for all my current concerns.
Did I interpret what you wrote correctly?
No word yet from ZoneLabs. I'm still guessing nothing until Monday.
Do you happen to know of any good books or tutorials that discuss the overall architecture of ISA? I thought I had a rudimentary understanding of ISA, but after listening to you I realized that I need a much better understanding in order to continue using ISA successfully.
You interpreted me 100% correctly. All your current concerns have been addressed for now, I believe.
I didn't expect a reply from Zonelabs so soon either. The compatibility issue (if it is one) that you identified between the use of a proxy server and ZoneAlarm must be keeping 'em awake at night. Do post their reply in its entirety on the board please.
Yes, there are a number of good books available on ISA. The first book I read about it was "Configuring ISA Server - Building Firewalls for Windows 2000" by Dr. Tom. Pretty nice book! You may want to visit http://www.isaserver.org/pages/books.asp for a list of many other books that are available. Microsoft is also releasing ISA 2004 soon. I suggest you get a book on that when it's available.
Here is ZoneLabs' meager response (in its entirety as requested). Please note the typo/omission that is indicative of the care they are giving this problem (they meant to say "as we *do not* recommend...").
I find it disheartening that I waited a weekend to get a response from ZoneLabs that did not recognize the environment change (removal of the ISA Firewall client from the equation) and simply restated their ignorance of the situation.
I apologize for any inconvenience, however, I cannot recommend any setting in order to get the two to work together, as we recommend or guarantee 2 firewalls to work together. You may however find other users that have gotten it configured to work together within our forum. I have included a link below if you wish to look there.
This IS quite disheartening, to get such a reply from a company like Zonelabs that is indicative of the little care and attention they are giving to analyzing user problems and responding to them.
Did you pay for the ZoneAlarm software? If you did, I believe you should make them fix the problem or admit this is an issue with their product that will be fixed. A lot of others must have paid for this too.
Thanks for the compliments. I'm only learning yet and questions like yours are very helpful in understanding such real-world situations before I encounter them myself. HTH.