The Three Types of Clients in ISA 2006 (2)

Posted: 2009-01-05 14:52
A Firewall client is a computer with Firewall Client software installed and enabled, residing in a network protected by ISA Server. Firewall Client can be installed on each individual client computer, or you use the Windows Software Installation snap-in to centrally manage distribution of Firewall Client software.

Firewall Client uses a common Winsock provider. Setting up Firewall Client does not configure individual Winsock applications. Instead, a dynamic-link library (FwcWsp.dll) in the Firewall Client software becomes a Winsock layered service provider that all Winsock applications use transparently. The Firewall Client layered service provider intercepts Winsock function calls from client applications and routes requests to the original underlying base service provider for local destinations, or transparently to the Firewall service on the ISA Server computer for remote destinations.

Support for Older Versions of Firewall Client

The Firewall Client version included with ISA Server 2006 (version 4.0) and Firewall Client for ISA Server 2004 both support a more secure means of communication between the Firewall client and ISA Server. The Firewall Client software includes a user name (that represents either the user logged on to the Firewall client computer or the credentials specified using the FwcCreds.exe application) in most control channel messages. When ISA Server firewall policy requires user authentication, each Winsock session is authenticated separately. After successful authentication, encryption is applied to the Firewall Client control channel. Encryption is never applied to the application data channel. This setting prevents earlier versions of Firewall Client software from connecting. It also prevents any Firewall client running Windows NT® Server 4.0, Windows Millennium Edition, or Windows 98 from connecting. You can configure ISA Server to accept connections only from clients communicating in this secure way, or choose to support connections from older clients.

Configuring Firewall Client Settings

Firewall Client settings can be configured as follows:

  • In ISA Server Management, you can specify application settings that apply to all Firewall clients, and configuration settings to be applied to Firewall clients on a specific network. During Firewall client installation, settings specified in ISA Server Management are stored in configuration files that are created on client computers, and applied to all users on the client computer. Following installation, Firewall client settings modified in ISA Server Management are propagated to a client computer each time a client computer is restarted, when a manual refresh is activated on the Firewall client computer, or every six hours after an initial refresh is made.
  • Following Firewall client installation, you can modify application settings and configuration settings on a specific client computer.

The following configuration files are created on the client computer during Firewall Client installation:

  • Common.ini. This file holds common configuration settings for all Winsock applications.
  • Management.ini. This file contains Firewall Client configuration settings.

The location of the configuration files on the client computer is dependent on the operating system. For example, on Windows XP computers, the files are copied to two locations:

  • \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004
  • \Documents and Settings\username\Local Settings\Application Data\Microsoft\Firewall Client 2004

When modifications are made to Firewall client settings, the following order of preference is applied:

  1. The .ini files in the user's folder take precedence.
  2. Firewall Client looks next in the All Users folder. If a configuration setting is specified that contradicts the user-specific settings, it is ignored.
  3. Firewall Client then detects the ISA Server computer to which it should connect, in accordance with the settings specified in the Firewall Client Management dialog box.
  4. Firewall Client examines the server-level settings. Any configuration settings specified in ISA Server are applied. If a configuration setting is specified that contradicts the user-specific or computer-specific settings, it is ignored.
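The following Python snippet is an added illustration of the precedence order just listed; it is not code from the original documentation or from the Firewall Client software. It parses constructed user-level and All Users-level .ini text with configparser, merges them with a constructed stand-in for the server-level settings, and records every lower-precedence value that was ignored because a higher layer had already set the key. The section name, keys and values in the sample layers are constructed for the example.

```python
import configparser
from typing import Dict, List, Tuple

Settings = Dict[str, Dict[str, str]]

# Constructed sample layers (not real files from the documentation).
USER_INI = """
[Common]
NameResolution=R
LocalBindTcpPorts=7777
"""

ALL_USERS_INI = """
[Common]
NameResolution=L
Persistent=1
"""

# Constructed stand-in for the settings ISA Server pushes to the client.
SERVER_SETTINGS: Settings = {
    "Common": {"NameResolution": "L", "Persistent": "0", "EnableRouteMode": "1"},
}


def parse_ini(text: str) -> Settings:
    """Parse .ini text into {section: {key: value}}, keeping key case as written."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # Firewall Client keys are CamelCase; do not lowercase them
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def effective_settings(user: Settings, all_users: Settings,
                       server: Settings) -> Tuple[Settings, List[Tuple[str, str, str, str]]]:
    """Merge the three layers in the order the text gives: user .ini first,
    then All Users, then server-level. A value from a lower layer is ignored
    when a higher layer already set the same key; ignored entries are returned
    so an administrator can see which settings did not take effect."""
    merged: Settings = {}
    ignored: List[Tuple[str, str, str, str]] = []
    for layer_name, layer in (("user", user), ("all_users", all_users), ("server", server)):
        for section, keys in layer.items():
            dst = merged.setdefault(section, {})
            for key, value in keys.items():
                if key in dst:
                    ignored.append((layer_name, section, key, value))
                else:
                    dst[key] = value
    return merged, ignored


def resolve_example() -> Tuple[Settings, List[Tuple[str, str, str, str]]]:
    """Run the merge over the constructed sample layers."""
    return effective_settings(parse_ini(USER_INI), parse_ini(ALL_USERS_INI), SERVER_SETTINGS)


if __name__ == "__main__":
    merged, ignored = resolve_example()
    for key, value in merged["Common"].items():
        print(f"{key}={value}")
    for entry in ignored:
        print("ignored:", entry)
```

The ignored list is the useful output when troubleshooting: a setting pushed from ISA Server Management that never shows up on a client is usually being shadowed by a per-user or All Users entry, and this is exactly what the list exposes.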

Modifying Configuration Settings in ISA Server Management

In ISA Server Management, you can modify settings for all Firewall clients in all networks, or modify Firewall client properties for the default Internal network, or user-defined internal or perimeter networks. The following table summarizes Firewall client settings in ISA Server Management.

The table has three columns: Setting, Location in ISA Server Management, and Details. Each entry below is given in that order.

Setting: Allow non-encrypted Firewall client connections
Location: Define Firewall Client Settings, in the General node of the ISA Server Management console tree
Details: This is a global setting that applies to all Firewall clients in all networks. It allows non-encrypted connections to support Firewall Client versions earlier than Firewall Client for ISA Server 2004, or to enable Firewall clients running on Windows NT 4.0, Windows Me, or Windows 98 to connect. When you select this option, non-encrypted traffic from authenticated users will be blocked. Note that users are only authenticated if firewall policy rules specifically require authentication.

Setting: Application Settings
Location: Define Firewall Client Settings, in the General node of ISA Server Management
Details: Firewall client application settings are global and apply to all Firewall clients in all networks. In ISA Server 2006 Enterprise Edition, they apply to all networks in an array. Application settings consist of {key, value} pairs that specify how the Firewall Client software behaves with a specific application.

Setting: Enable Firewall client support for this network
Location: Firewall Client tab of the network properties page
Details: Enables a specific network to listen for requests from Firewall clients on port 1745.

Setting: Name
Location: General tab of the network properties page
Details: For a specific network, specifies the fully qualified domain name (FQDN) of the ISA Server computer for Firewall clients. Ensure that there is a DNS entry available for clients to resolve this name. If there is no DNS server available, specify the IP address instead.

Setting: Use a Web proxy server
Location: Firewall Client tab of the network properties page
Details: Manually specifies the ISA Server computer that Firewall clients in the network should use as a Web proxy.

Setting: Automatically detect settings
Location: Firewall Client tab of the network properties page
Details: Indicates that the Web browser on Firewall client computers in the network should use a WPAD entry obtained from a DHCP or DNS server to automatically discover a WPAD server on which the file Wspad.dat is available. Wspad.dat contains information about the proxy server that should be used to service URL requests, and other Firewall client settings.

Setting: Use automatic configuration script
Location: Firewall Client tab of the network properties page
Details: Specifies that the Web browser on Firewall client computers in the network should obtain settings from a configuration file. The ISA Server default configuration file holds information about the proxy server that should be used for the URL request, and for the settings specified on the Web Browser tab and the Domains tab. In ISA Server 2006 Enterprise Edition, this script also contains a list of array members that can be used for a specific URL request, and the Cache Array Routing Protocol (CARP) algorithm used for distributed cache functionality. You can also create a custom proxy automatic configuration file.

Setting: Bypass proxy for Web servers in this network
Location: Web Browser tab of the network properties page
Details: Specifies that the Web browser should directly access resources located in its own network.

Setting: Directly access computers specified in the Domains tab
Location: Web Browser tab of the network properties page
Details: Indicates that the Web browser will bypass the proxy for destinations specified on the Domains tab of the network properties page.

Setting: Directly access these servers or domains
Location: Web Browser tab of the network properties page
Details: Provides a list of addresses or domains to be accessed directly.

Setting: If ISA Server is unavailable, use this backup route to connect to the Internet
Location: Web Browser tab of the network properties page
Details: Specifies that the Web browser should use a backup route to service Web proxy requests when ISA Server is unavailable.

Setting: Domain names
Location: Domains tab of the network properties page
Details: Specifies domains that are accessed directly. This ensures that clients connect directly to servers in the local network without looping back through ISA Server. Web browsers can use this list to bypass the Web proxy when connecting to specific external sites, connecting instead as Firewall clients or SecureNAT clients. This list is used when Directly access computers specified in the Domains tab is enabled on the Web Browser tab. To bypass the proxy, a request must match both the IP address range and the server or domain name specified in the list.

Modifying Settings on the Firewall Client Computer

You can configure settings on a Firewall client computer using the Microsoft Firewall Client Management dialog box or by modifying the configuration files. Note the following:

  • Settings specified in the Microsoft Firewall Client dialog box on the client computer are applied to the current user only.
  • You can modify settings for a specific user in the .ini files located in the \Documents and Settings\username\Local Settings\Application Data\Microsoft\Firewall Client 2004 folder.
  • You modify settings for all users in the .ini files located in the Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder.
  • After manually modifying .ini files you must restart the Firewall Client Agent service to apply the changes.
  • When you click Apply Default Settings Now in the Settings tab of the Firewall Client Management console, settings are applied to users and services running on the client computer. The default settings are not applied to users who have previously modified their settings. You must have administrator rights on the local computer to apply default settings.

Modifying Application Settings

Application settings can be modified in ISA Server Management to apply to all Firewall clients, or to a specific Firewall client computer. The following table lists the entries that you can include when configuring the Firewall Client application settings. The first column lists the keys that can be included in the configuration files. The second column describes the values to which the keys can be set. Note that some settings can be configured only on the Firewall client computer.

Key / Value

ServerName

Specifies the name of the ISA Server computer to which the Firewall client should connect. (Can only be set on a Firewall client computer.)

Disable

Possible values: 0 or 1. When the value is set to 1, the Firewall Client application is disabled for the specific client application, except when the Firewall Client configuration explicitly exempts the process initiating traffic.

DisableEx

Possible values: 0 or 1. When the value is set to 1, the Firewall Client application is disabled for the specific client application. Applies to Firewall Client for ISA Server 2006. When set, overrides the Disable setting. For example, for svchost, DisableEx is enabled by default.

Autodetection

Possible values: 0 or 1. When the value is set to 1, the Firewall Client application automatically finds the ISA Server computer to which it should connect. (Can only be set on a Firewall client computer.)

NameResolution

Possible values: L or R. By default, dotted domain names are redirected to the ISA Server computer for name resolution and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the ISA Server computer for resolution. When the value is set to L, all names are resolved on the local computer.

LocalBindTcpPorts

Specifies a TCP port, list, or range that is bound locally.

LocalBindUdpPorts

Specifies a UDP port, list, or range that is bound locally.

DontRemoteOutboundTcpPorts

Specifies an outbound TCP port, list, or range that will not be connected through ISA Server (connect requests that will not be sent to ISA Server). Use this entry to specify the ports on which clients should not communicate with ISA Server. This is useful when protecting the ISA Server firewall from attacks on the Internal network, which are spread by accessing a fixed port at random locations.

DontRemoteOutboundUdpPorts

Specifies an outbound UDP port, list, or range that is bound locally.

RemoteBindTcpPorts

Specifies a TCP port, list, or range that is bound remotely.

RemoteBindUdpPorts

Specifies a UDP port, list, or range that is bound remotely.

ProxyBindIP

Specifies an IP address or list that is used when binding with a corresponding port. Use this entry when multiple servers that use the same port need to bind to the same port on different IP addresses on the ISA Server computer. The syntax of the entry is:

ProxyBindIp=[port]:[IP address], [port]:[IP address] 

The port numbers apply to both TCP and UDP ports.

ServerBindTcpPorts

Specifies a TCP port, list, or range for all ports that should accept more than one connection.

Persistent

Possible values: 0 or 1. When the value is set to 1, a specific server state can be maintained on the ISA Server computer if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets upon server restart.

ForceCredentials

Used when running a Windows service or server application such as a Firewall Client application. When the value is set to 1, it forces the use of alternate user authentication credentials that are stored locally on the computer that is running the service. The user credentials are stored on the client computer using the FwcCreds.exe application that is provided with the Firewall Client software. User credentials must reference a user account that can be authenticated by ISA Server, either local to ISA Server or in a domain trusted by ISA Server. The user account is normally set not to expire. Otherwise, user credentials need to be renewed each time the account expires. (Can only be set on a Firewall client computer.)

NameResolutionForLocalHost

Possible values: L (default), P, or E. Used to specify how the local (client) computer name is resolved, when the gethostbyname API is called.

The LocalHost computer name is resolved by calling the Winsock API function gethostbyname() using the LocalHost string, an empty string, or a NULL string pointer. Winsock applications call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server.

When this option is set to L, gethostbyname() returns the IP addresses of the local host computer. When this option is set to P, gethostbyname() returns the IP addresses of the ISA Server computer. When this option is set to E, gethostbyname() returns only the external IP addresses of the ISA Server computer—those IP addresses that are not in the local address table.

ControlChannel

Possible values: Wsp.udp or Wsp.tcp (default). Specifies the type of control channel used.

EnableRouteMode

Possible values: 0 or 1 (default). When EnableRouteMode is set to 1 and a route relationship is configured between the Firewall client computer and the requested destination, the IP address of the Firewall client is used as the source address. When the value is set to 0, the IP address of the ISA Server computer is used.

This flag does not apply to older versions of Firewall Client.

On Firewall client computers, in addition to modifying the Common.ini and Management.ini files, you can create another file called Application.ini for all users or a specific user, to specify configuration information for specific applications. For example, to specify entries for a specific application (FW_Client_App.exe), the following sample might appear in the Application.ini file:

[fw_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:100.52.144.103, 82:110.51.0.0
Persistent=1
ForceCredentials=1
NameResolutionForLocalHost=L
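The following Python snippet is an added example, not code from the original documentation or from the Firewall Client software. It reads the Application.ini sample above with configparser and turns the raw strings into typed values: port lists and ranges such as "7000-7022, 7100-7170" are expanded and checked to lie within 1-65535 with the low end not above the high end, the ProxyBindIp "port:IP, port:IP" syntax is parsed into a port-to-address map, 0/1 keys become booleans, and the L/R and L/P/E enumerations are validated against the values listed in the table. Lowercasing the section name to match the executable name case-insensitively is an assumption of this example, as is treating ProxyBindIp and ProxyBindIP as the same key.

```python
import configparser
import ipaddress
from typing import Any, Dict, Set

# The Application.ini sample from the text above, embedded as the input.
APPLICATION_INI = """
[fw_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:100.52.144.103, 82:110.51.0.0
Persistent=1
ForceCredentials=1
NameResolutionForLocalHost=L
"""

PORT_KEYS = {"LocalBindTcpPorts", "LocalBindUdpPorts", "RemoteBindTcpPorts",
             "RemoteBindUdpPorts", "ServerBindTcpPorts",
             "DontRemoteOutboundTcpPorts", "DontRemoteOutboundUdpPorts"}
FLAG_KEYS = {"Disable", "DisableEx", "Autodetection", "Persistent",
             "ForceCredentials", "EnableRouteMode"}
ENUM_KEYS = {"NameResolution": {"L", "R"},
             "NameResolutionForLocalHost": {"L", "P", "E"},
             "ControlChannel": {"Wsp.udp", "Wsp.tcp"}}


def parse_port_spec(spec: str) -> Set[int]:
    """Expand 'port, lo-hi, ...' into the set of port numbers it covers.
    Rejects ports outside 1-65535 and ranges whose low end is above the high end."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port specification: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_proxy_bind_ip(spec: str) -> Dict[int, ipaddress.IPv4Address]:
    """Parse 'port:IP, port:IP' (the ProxyBindIp syntax) into {port: address}."""
    bindings: Dict[int, ipaddress.IPv4Address] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        port_s, ip_s = item.split(":", 1)
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port in ProxyBindIp: {port_s!r}")
        if port in bindings:
            raise ValueError(f"port {port} bound twice in ProxyBindIp")
        bindings[port] = ipaddress.IPv4Address(ip_s.strip())
    return bindings


def load_application_ini(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse Application.ini into {application: {key: typed value}}.
    Section names are lowercased on the assumption (made by this example)
    that the executable name they refer to is matched case-insensitively."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the CamelCase key names as written
    cp.read_string(text)
    apps: Dict[str, Dict[str, Any]] = {}
    for app in cp.sections():
        entry: Dict[str, Any] = {}
        for key, value in cp.items(app):
            value = value.strip()
            if key in PORT_KEYS:
                entry[key] = parse_port_spec(value)
            elif key.lower() == "proxybindip":
                entry["ProxyBindIp"] = parse_proxy_bind_ip(value)
            elif key in FLAG_KEYS:
                if value not in ("0", "1"):
                    raise ValueError(f"{key} must be 0 or 1, got {value!r}")
                entry[key] = value == "1"
            elif key in ENUM_KEYS:
                if value not in ENUM_KEYS[key]:
                    raise ValueError(f"{key} must be one of {sorted(ENUM_KEYS[key])}, got {value!r}")
                entry[key] = value
            else:
                entry[key] = value  # ServerName and any key this example does not type
        apps[app.lower()] = entry
    return apps


if __name__ == "__main__":
    for app, entry in load_application_ini(APPLICATION_INI).items():
        print(app, {k: (sorted(v) if isinstance(v, set) else v) for k, v in entry.items()})
```

Running the parser over a client's Application.ini before deploying it catches the typos that otherwise only surface as an application silently binding on the wrong side of the firewall, such as a reversed range or a value other than 0/1 in a flag key.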

Firewall Client Local Addresses

Whenever a Winsock application running on a Firewall client attempts to send a request to a computer, the Firewall Client layered service provider determines whether the destination IP address is local. If it is, the Firewall client sends the request directly to the destination. If the destination is remote, the request is sent to the Firewall service on an ISA Server computer, which handles the request in accordance with ISA Server access rules. By default, Firewall Client considers the following addresses as local:

  • All addresses on the network on which it is located. ISA Server supplies the set of IP address ranges included in the network to all Firewall clients residing in the network. These IP address ranges are stored in memory by the Firewall Client Agent.
  • All addresses specified in the local routing table on the Firewall client computer.
  • All domain suffixes specified on the Domains tab of the network properties page for the network in which the Firewall client is located. When Firewall clients connect to a domain specified in this local domain table, the request bypasses the Firewall client configuration. This enables such clients to connect directly to servers in the local network without looping back through ISA Server.
  • All IP addresses contained in a local address table (Locallat.txt), configured on the Firewall client computer. The Locallat.txt file may be created locally in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder. When you create the Locallat.txt file, enter IP address pairs in the file. Each address pair defines either a range of IP addresses or a single IP address. The following example shows a Locallat.txt file that has two entries. The first entry is an IP address range and the second entry is a single IP address. Note that the second entry is an IP address and not a subnet mask:
    • 10.51.255.255 10.51.255.255
    • 10.52.144.103 10.52.144.103

Request Handling

The Firewall client deals with IP address requests as follows:

  • When a Winsock application on the client computer tries to connect to an IP address, the Firewall client examines the local domain table to determine whether the IP address is on the Internal network or is external to the network. If the domain name is found in the local domain table, name resolution is completed by the client. Otherwise, the client requests that ISA Server resolve the name on its behalf by passing the request to an external DNS server.
  • When client requests are resolved by ISA Server on behalf of the Firewall client, name resolution is completed in line with the DNS settings configured on the network adapter associated with the network on which the Firewall client request is received. The resolved IP address is returned to the Firewall client computer, which then sends a request to the destination. ISA Server caches the result of DNS queries it makes for Firewall clients, in accordance with the DNS Time to Live (TTL) settings configured for the network adapter.
  • After name resolution returns the IP address of the destination server, the Firewall client checks the local address table and Locallat.txt to determine whether the address is local. For internal addresses, the client connects directly. Otherwise, the request goes through the Firewall service on the ISA Server computer.

Name Resolution

Computers with Firewall Client installed have settings for each application that specify whether ISA Server does name resolution on behalf of the client. By default, name resolution for Winsock application requests running on a Firewall client computer is handled as follows:

  • Dotted decimal notation or Internet domain names are redirected to the ISA Server computer for name resolution.
  • Unqualified names are resolved on the local computer.

You can change this default behavior by modifying the NameResolution configuration setting with the following values:

  • NameResolution=L. Use this setting to specify that an application request should be resolved on the local computer.
  • NameResolution=R. Use this setting to specify that an application request should be resolved by the ISA Server computer.

It may be useful to modify this setting if you want to be sure where name resolution for an application is taking place. You can specify that settings should apply to all applications by modifying the setting in the Common.ini file. To specify the setting for a specific application, set the application name and the value in the Application.ini file.

When domains and computers are specified for direct access, Firewall client computers will attempt to resolve the name without going through ISA Server. Client computers will need a DNS server specified in the TCP/IP parameters so that they can resolve names correctly. In particular, they must be able to resolve the name of published resources to an internal IP address.

If applications have the NameResolution setting specified to L or R, this setting overrides any direct access settings. For example, if you specify that the NameResolution setting for FWC_Application.exe = R, FQDN resolution requests are always handled by ISA Server for that application, regardless of any entries in the ISA Server Firewall Client configuration files that specify the request destination as local.
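The following Python snippet is an added example covering three passages at once: the Locallat.txt format from the Firewall Client Local Addresses section, the local-or-remote decision from Request Handling, and the NameResolution rules above. It is not code from the original documentation or from the Firewall Client software. parse_locallat reads "start end" pairs, treats a repeated address as a single host, and rejects a second column that is below the first or that parses as a subnet mask (the caveat the text makes). FirewallClientPolicy then decides whether a resolved address is local (network ranges supplied by ISA Server or a Locallat.txt entry) and where a name is resolved: an explicit NameResolution of L or R for the application wins, otherwise a name in the local domain table is resolved on the client, dotted names go to ISA Server and unqualified names stay local. The CIDR network range, the local domain and the application settings passed in the usage call are constructed; the routing table is omitted; matching the Application.ini section to the executable's base name case-insensitively is an assumption of this example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Locallat.txt content from the text above (start and end address on each line).
LOCALLAT_TXT = """
10.51.255.255 10.51.255.255
10.52.144.103 10.52.144.103
"""


def _looks_like_mask(addr: ipaddress.IPv4Address) -> bool:
    # Heuristic: a value that parses as a netmask or hostmask (e.g. 255.255.255.0)
    # was probably meant as a mask, which Locallat.txt does not accept.
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{addr}")
        return True
    except ValueError:
        return False


def parse_locallat(text: str) -> List[IPRange]:
    """Parse Locallat.txt lines of the form 'start end' into address ranges.
    A single address is written as the same address twice."""
    ranges: List[IPRange] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"Locallat.txt line {lineno}: expected two addresses")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"Locallat.txt line {lineno}: end address precedes start")
        if end != start and _looks_like_mask(end):
            raise ValueError(f"Locallat.txt line {lineno}: second value looks like a subnet mask")
        ranges.append((start, end))
    return ranges


class FirewallClientPolicy:
    """Models the client-side decisions the text describes: which destinations
    are local, and where a name is resolved."""

    def __init__(self, network_ranges: Iterable[str], locallat: List[IPRange],
                 local_domains: Iterable[str], app_settings: Dict[str, Dict[str, str]]):
        # network_ranges: CIDR strings standing in for the ranges ISA Server
        # supplies for the client's network (constructed for the example)
        self.networks = [ipaddress.IPv4Network(n) for n in network_ranges]
        self.locallat = locallat
        self.local_domains = [d.lower().lstrip(".") for d in local_domains]
        self.app_settings = {k.lower(): v for k, v in app_settings.items()}

    def is_local_address(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in self.networks):
            return True
        return any(start <= addr <= end for start, end in self.locallat)

    def in_local_domain_table(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.local_domains)

    def _app_setting(self, app: str, key: str) -> Optional[str]:
        # Assumption of this example: the Application.ini section name is the
        # executable's base name, matched case-insensitively.
        base = app.lower()
        if base.endswith(".exe"):
            base = base[:-4]
        return self.app_settings.get(base, {}).get(key)

    def resolution_locus(self, app: str, name: str) -> str:
        """Return 'client' or 'isa' for where the name is resolved."""
        setting = self._app_setting(app, "NameResolution")
        if setting == "L":
            return "client"
        if setting == "R":
            return "isa"  # overrides direct-access entries, as the text states
        if self.in_local_domain_table(name):
            return "client"
        return "isa" if "." in name else "client"  # dotted names go to ISA Server

    def route(self, resolved_ip: str) -> str:
        """After resolution: connect directly to local addresses, otherwise via the Firewall service."""
        return "direct" if self.is_local_address(resolved_ip) else "isa"


if __name__ == "__main__":
    policy = FirewallClientPolicy(["10.51.0.0/16"], parse_locallat(LOCALLAT_TXT),
                                  ["corp.example"], {"fw_Client_App": {"NameResolution": "R"}})
    print(policy.resolution_locus("other.exe", "intranet.corp.example"), policy.route("10.52.144.103"))
```

The mask check is only a heuristic: any dotted value that the ipaddress module accepts as a netmask or hostmask is rejected when it differs from the start address, which catches 255.255.255.0 written by mistake but would also reject a genuine range ending at an address of that shape.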

Authentication

The Firewall client sends user information to the ISA Server computer with each request. This allows you to create access rules that apply to specific groups and users. Users must be logged on with an Active Directory® directory service user account, or in a workgroup scenario, with a user account that is mirrored on the ISA Server computer. When the user name is sent to the ISA Server computer, it is logged in the ISA Server Firewall logs. This makes tracking easy for Firewall client traffic.

(Editor: admin)