What client type should you use with ISA Server? This article explains the differences among the ISA Server client types.
So you’ve decided to dump that aging PIX firewall and upgrade to a true layer 7 aware firewall. Good for you!
But which one should you use? If you’re working in a Microsoft shop, your best choice, hands down, is ISA Server
2000. One of the first planning decisions you need to make before rolling out your ISA Server firewall and VPN
server is which ISA Server client types you want to support. The type of ISA Server client you decide on will be
based on what level of authentication and protocol support you require.
Let’s go over some of the features of the different ISA Server client types. There are three types of ISA Server clients:
Firewall clients: these are computers with the Firewall Client software installed and enabled.
SecureNAT clients: these are computers that are ISA Server clients but do not have Firewall Client software installed.
Web Proxy clients: this term refers to client web applications that are configured to use ISA Server.
By definition, the Firewall client cannot act as a SecureNAT client for TCP and UDP
requests because the Firewall client software intercepts all TCP and UDP Winsock requests.
On the other hand, both Firewall clients and SecureNAT clients can act as Web Proxy clients.
If the Web Proxy client configuration cannot handle a request for a resource on the Web, the
Firewall and/or SecureNAT client configuration can step in. The Firewall client is the only
client type that requires you to install client software. You must configure the client machine’s
web browser to make it a Web Proxy client.
Firewall Client
ISA Server’s firewall client is equivalent to the Winsock Proxy client in Proxy Server 2.0; it
is used for applications such as RealAudio, Windows Media, IRC, Telnet, and any other Internet
service that is written to the Winsock Application Programming Interface (API).
The firewall client software can be installed on any 32-bit Windows operating system. This includes the following:
Windows 95 OSR2
Windows 98
Windows Millennium Edition (ME)
Windows NT 4.0
Windows 2000/XP/2003
These are the only operating systems that will run the ISA firewall client software. The firewall
client is automatically enabled after you install the software, so you don’t need to restart the computer.
Installing the firewall client writes a log file on the computer the client was installed on. This
file contains setup information, including which services were running during
installation and which client applications were installed. The log file is helpful in troubleshooting
problems you encounter during installation. Note that if you reinstall the firewall client software,
the log file will be overwritten.
The firewall client uses a Local Address Table (LAT) that is installed to the hard disk of the client
computer (in the Program Files\Microsoft Firewall Client folder). The LAT file is named Msplat.txt.
The LAT is used to determine whether a request made by a Winsock application should be sent to the ISA
Server or directly to another computer whose IP address is on the LAT. The LAT defines addresses that
are “trusted” by the ISA Server. Communications between trusted hosts (LAT hosts) are not screened by
the ISA Server. When the Firewall client computer calls another computer on the LAT, the firewall client
software is bypassed and the communications are not mediated by the ISA Server.
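Because every address on the LAT bypasses ISA Server, an over-broad LAT entry silently removes hosts from firewall screening. The following audit sketch is an added example, not part of the original article or of ISA Server: it assumes Msplat.txt holds one whitespace-separated "start end" IPv4 range per line, and the sample content and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed Msplat.txt layout: one "start end" range per line.
# The third entry mimics a typo: all of 172.0.0.0/8 instead of 172.16.0.0/12.
SAMPLE_LAT = """\
10.0.0.0     10.255.255.255
192.168.1.0  192.168.1.255
172.0.0.0    172.255.255.255
127.0.0.0    127.255.255.255
"""

def parse_lat(text):
    """Return a list of (start, end) IPv4Address pairs, skipping blank lines."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {line!r}")
        start, end = (ipaddress.IPv4Address(f) for f in fields)
        if start > end:
            raise ValueError(f"line {lineno}: start address is above end address")
        ranges.append((start, end))
    return ranges

def is_direct(dest, ranges):
    """True if dest is on the LAT, so the client connects directly and unscreened."""
    addr = ipaddress.IPv4Address(dest)
    return any(start <= addr <= end for start, end in ranges)

def untrusted_ranges(ranges):
    """LAT ranges that reach beyond private, loopback or link-local address space."""
    flagged = []
    for start, end in ranges:
        for net in ipaddress.summarize_address_range(start, end):
            if not (net.is_private or net.is_loopback or net.is_link_local):
                flagged.append((str(start), str(end)))
                break
    return flagged

if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for rng in untrusted_ranges(lat):
        print("LAT range covers public addresses, traffic bypasses ISA Server:", rng)
```

Any range this reports should be narrowed in the LAT so that requests to those destinations go back through ISA Server policy.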
The primary advantage of the firewall client is that it allows you to apply access policies to authenticated
users. Without the Firewall client, you would only be able to apply access policies based on the IP address
of the requesting computer (except for those machines configured as Web Proxy clients). Users are authenticated
in the background and can have specific rules, such as bandwidth limitations, applied to their user accounts.
This is the best reason for using the firewall client instead of the SecureNAT client. Another compelling
reason to use the Firewall client is that you can use a much wider range of protocols. The SecureNAT client
is limited to simple, single-connection protocols. Also, those protocols must be listed in the Protocol
Definitions node of the ISA Server Management console. The only time the SecureNAT client can use complex
protocols is when there is an application filter in place to support that protocol. The FTP Access Application
Filter is an example of such a filter.
SecureNAT Client
Any computer configured with a default gateway capable of routing Internet bound requests through
the internal interface of the...