  1. #1
    mrbios

    ISA 2006 + Firewall client + Exceptions!

    This is being a pain in the rear.

    We're using ISA Server 2006, every PC on the network has the Forefront TMG Client (it works with ISA 2006 and I saw fit to update it when I remade our base image, but we had the same problem with ISA client 2006 too). When someone logs on, the group policy settings take effect, then the firewall client overwrites the policies' settings with its own configuration, which blanks the exceptions box.

    I've tried setting up exceptions within the ISA server under the Internal network > Web browser > Directly access these servers for domains section, that didn't work. I've tried unticking the box for "Use a web proxy server" under "Web browser configuration on the firewall client computer" which is in the "firewall client" tab of the internal network configuration. When I did that, some PCs started getting issues connecting to the internet. I couldn't find out exactly but it sounded like unticking this box meant the firewall client was also unticking that box on client PCs (thus no proxy connection). The only thing I haven't tried is unticking "Enable firewall client support for this network" but I don't really know what effect that will have either...

    I think what I need to know is the exact effect these settings within the ISA server have on the client. Do they clear the setting or do they just stop the client from forcing the setting? And does anyone have any suggestions for getting my exceptions working properly?

    Also lastly, this might sound pretty stupid but what does the firewall client actually bring to the table? I get the impression I need it in order to get a more in-depth look on the monitoring but does it benefit us in any other way? (Half tempted just to globally disable the firewall client service!)

  2. #2

    TMG Client is good if you want to do HTTPS inspection, otherwise you probably won't miss it. In any case I don't think ISA 2006 does HTTPS inspection and, even if it did, there are data privacy issues with it. I removed the client from our network about 6 months ago (as it interfered with anything else using an LSP, e.g. Sophos, NetOp, etc.) and I've not really noticed any difference.

    For more info try this page: Microsoft Forefront TMG - installing and configuring the Forefront TMG client.

  3. #3
    mrbios
    Quote: Originally Posted by timzim
    Ah in there, one of the standard features: User or group based Firewall policies for Web- and non-Web proxy based TCP and UDP traffic (and only for these protocols)

    I have two website blocking rules, one for teachers, one for students. Does that mean these group-specific rules wouldn't work if the client wasn't there to determine which the user belongs to? Everything else is on an all user basis it seems.

  4. #4

    But you can do the same with your firewall policy rules - you can apply them to specific user groups without using the firewall client. RTFM...

  5. #5
    mrbios
    Quote: Originally Posted by timzim
    But you can do the same with your firewall policy rules - you can apply them to specific user groups without using the firewall client. RTFM...

    Yeah, that's what I've got, but what I mean is, does the ISA rule need the client PC to be running the firewall client in order to interpret which group the user who is accessing that web page belongs to? In other words, does the client send any user information to the server? (Does that make sense? lol)

    As you might be able to tell, I didn't set this up so experience with it is minimal.

  6. #6

    It does but that same information is still used if you remove the client - the user uses SecureNAT to access the internet. The client gives you more control over certain apps than SecureNAT but, for most intents & purposes, you can use SecureNAT, which will still use AD group-based rules to control your users' access.

    Here's another article to give you a bit more info: Forefront Threat Management Gateway (TMG) 2010 Firewall Client Features and Benefits

  7. Thanks to timzim from:

    mrbios (8th November 2012)


