8th November 2012, 12:07 PM #1
ISA 2006 + Firewall client + Exceptions!
This is being a pain in the rear.
We're using ISA Server 2006, every PC on the network has the Forefront TMG Client (it works with ISA 2006 and I saw fit to update it when I remade our base image, but we had the same problem with ISA client 2006 too). When someone logs on, the group policy settings take effect, then the firewall client overwrites the policy's settings with its own configuration, which blanks the exceptions box.
I've tried setting up exceptions within the ISA server under the Internal network > Web browser > Directly access these servers for domains section, that didn't work. I've tried unticking the box for "Use a web proxy server" under "Web browser configuration on the firewall client computer" which is in the "firewall client" tab of the internal network configuration. When I did that some PCs started getting issues connecting to the internet, I couldn't find out exactly but it sounded like unticking this box meant the firewall client was also unticking that box on client PCs (thus no proxy connection). The only thing I haven't tried is unticking "Enable firewall client support for this network" but I don't really know what effect that will have either....
I think what I need to know is the exact effect these settings within the ISA server have on the client. Do they clear the setting or do they just stop the client from forcing the setting? And does anyone have any suggestions for getting my exceptions working properly?
Also lastly, this might sound pretty stupid but what does the firewall client actually bring to the table? I get the impression I need it in order to get a more in-depth look on the monitoring but does it benefit us in any other way? (Half tempted just to globally disable the firewall client service!)
8th November 2012, 12:37 PM #2
TMG Client is good if you want to do HTTPS inspection otherwise you probably won't miss it. In any case I don't think ISA 2006 does HTTPS inspection and, even if it did, there are data privacy issues with it. I removed the client from our network about 6 months ago (as it interfered with anything else using an LSP, e.g. Sophos, NetOp, etc) and I've not really noticed any difference.
For more info try this page: Microsoft Forefront TMG - installing and configuring the Forefront TMG client.
8th November 2012, 12:41 PM #3
Ah in there, one of the standard features: User or group based Firewall policies for Web- and non-Web proxy based TCP and UDP traffic (and only for these protocols)
Originally Posted by timzim
I have two website blocking rules, one for teachers, one for students. Does that mean these group-specific rules wouldn't work if the client wasn't there to determine which the user belongs to? Everything else is on an all-user basis, it seems.
8th November 2012, 12:52 PM #4
But you can do the same with your firewall policy rules - you can apply them to specific user groups without using the firewall client. RTFM...
8th November 2012, 01:02 PM #5
Yea that's what I've got, but what I mean is does the ISA rule need the client PC to be running the firewall client in order to interpret which group the user who is accessing that web page belongs to? In other words does the client send any user information to the server? (does that make sense? lol)
Originally Posted by timzim
As you might be able to tell, I didn't set this up so experience with it is minimal
8th November 2012, 01:12 PM #6
It does but that same information is still used if you remove the client - the user uses SecureNAT to access the internet. The client gives you more control over certain apps than SecureNAT but, for most intents & purposes, you can use SecureNAT, which will still use AD group-based rules to control your users' access.
Here's another article to give you a bit more info: Forefront Threat Management Gateway (TMG) 2010 Firewall Client Features and Benefits