We're using ISA Server 2006, and every PC on the network has the Forefront TMG Client (it works with ISA 2006 and I saw fit to update it when I remade our base image, but we had the same problem with ISA Client 2006 too). When someone logs on, the group policy settings take effect, then the firewall client overwrites the policy settings with its own configuration, which blanks the exceptions box.
I've tried setting up exceptions within the ISA server under the Internal network > Web browser > "Directly access these servers or domains" section; that didn't work. I've tried unticking the box for "Use a web proxy server" under "Web browser configuration on the firewall client computer", which is in the "Firewall client" tab of the internal network configuration. When I did that, some PCs started getting issues connecting to the internet. I couldn't find out exactly why, but it sounded like unticking this box meant the firewall client was also unticking that box on client PCs (thus no proxy connection). The only thing I haven't tried is unticking "Enable firewall client support for this network", but I don't really know what effect that will have either...
I think what I need to know is the exact effect these settings within the ISA server have on the client. Do they clear the setting, or do they just stop the client from forcing the setting? And does anyone have any suggestions for getting my exceptions working properly?
Also, lastly, this might sound pretty stupid, but what does the firewall client actually bring to the table? I get the impression I need it in order to get a more in-depth look at the monitoring, but does it benefit us in any other way? (Half tempted just to globally disable the firewall client service!)
TMG Client is good if you want to do HTTPS inspection; otherwise you probably won't miss it. In any case, I don't think ISA 2006 does HTTPS inspection and, even if it did, there are data privacy issues with it. I removed the client from our network about 6 months ago (as it interfered with anything else using an LSP, e.g. Sophos, NetOp, etc.) and I've not really noticed any difference.
Ah, in there, one of the standard features: user- or group-based firewall policies for Web and non-Web proxy based TCP and UDP traffic (and only for these protocols).
I have two website blocking rules, one for teachers and one for students. Does that mean these group-specific rules wouldn't work if the client wasn't there to determine which group the user belongs to? Everything else is on an all-user basis, it seems.
But you can do the same with your firewall policy rules: you can apply them to specific user groups without using the firewall client. RTFM...
Yeah, that's what I've got, but what I mean is: does the ISA rule need the client PC to be running the firewall client in order to interpret which group the user accessing that web page belongs to? In other words, does the client send any user information to the server? (Does that make sense? lol)
As you might be able to tell, I didn't set this up, so my experience with it is minimal.
It does, but that same information is still used if you remove the client; the user uses SecureNAT to access the internet. The client gives you more control over certain apps than SecureNAT but, for most intents and purposes, you can use SecureNAT, which will still use AD group-based rules to control your users' access.