This article describes how to install the Microsoft Internet Security and Acceleration (ISA) Server 2004 Microsoft Firewall Client program on client computers by using a command-line or by using Group Policy.

 

Modify the Microsoft Firewall Client installation share

By default, when you install ISA Server 2004 the Firewall Client program installation files are stored in the following folder location: In some scenarios, you may want the Firewall Client program installation files to be located on another computer. To do so, you must perform a custom ISA Server installation. To perform a custom ISA Server installation, follow these steps:

1.	On the computer where you want to store the Firewall Client program installation files, start ISA Server 2004 Setup.
2.	In the Microsoft ISA Server 2004 Installation Wizard, click Next.
3.	Click I accept the terms in the license agreement, and then click Next.
4.	Type your user name and organization in the corresponding boxes, type your product serial number in the Product Serial Number box if applicable, and then click Next.
5.	Click Custom, and then click Next.
6.	Click Firewall Services, click This feature will not be available, click ISA Server Management, click This feature will not be available, click Firewall Client Installation Share, click This feature will be installed on local hard drive, and then click Next.
7.	Click Install, and then click Finish when the installation is completed successfully.

Perform an unattended Firewall Client installation

To install the Firewall Client program from a command line, type the following command: Where:

•	Path is the path of the Firewall Client program installation files, such as: \\Servername\mspclnt
•	NameOfTheIsaServerComputer is the name of the ISA Server computer where you want the Firewall client to connect.
•	ENABLE_AUTO_DETECT=1 specifies that the Firewall client automatically detects the ISA Server computer to connect to.
•	REFRESH_WEB_PROXY=1 specifies that the Firewall Client program configuration is updated by the Web Proxy configuration from the ISA Server computer.

For example, you have a scenario where all the following conditions are true:

•	The Firewall Client installation files are located on a server named Computer1 and are shared by using the default share name.
•	You want to specify an ISA Server computer that is named Firewall01.
•	You do not want to use the Web Proxy configuration from the ISA Server computer.

In this scenario, to install the Firewall Client program, type the following command from the client computer, and then press ENTER: Note There is no space between /v and the initial double quotation marks ("). Additionally, you must include a space before /qn at the end of the command line.

If you want to configure the Firewall Client program to automatically detect the ISA Server computer, you must configure Firewall client and Web Proxy client auto discovery in Windows. For additional information about how to do this, see the "Configure auto discovery" section.

 

Install Firewall Client by using Group Policy

To deploy the Firewall Client program by using Group Policy, follow these steps:

1.	Configure the network share for the Firewall Client program installation files. To do this, see the "To modify the Microsoft Firewall Client installation share" section.
2.	Start the Active Directory Users and Computers tool.
3.	Right-click the organizational unit that contains the computers where you want to install the Firewall Client program, and then click Properties.
4.	Click the Group Policy tab, and then click New.
5.	Type a descriptive name for the Group Policy object, and then press ENTER.
6.	If you do not want this policy applied to certain computers, follow these steps: a. Click Properties, and then click the Security tab. b. Click Add, type the name of the group that contains the computers where you do not want the Firewall Client program installed, and then click Check Names. c. When the name is resolved, click OK. d. Click the group name that you added, and then click to clear the following two check boxes in the Allow column, and then click OK: Read Apply Group Policy
7.	Click Edit, expand Computer Configuration, expand Software Settings, right-click Software installation, point to New, and then click Package.
8.	In the File name box, type the Universal Naming Convention (UNC) path of the MS_FWC.msi file, and then click Open. For example, type \\Servername\mspclnt\ms_fwc.msi, and then click Open. Note Specify the location of the MS_FWC.msi file by using a UNC path even if this file is stored on the local computer.
9.	Click Assigned, and then click OK.
10.	Quit the Group Policy Object Editor tool, and then click Close.

To configure the Firewall Client program to automatically detect the ISA Server computer, you must configure Firewall client and Web Proxy client auto discovery in Windows. For additional information about how to do this, see the "Configure auto discovery" section.

 

Configure auto discovery

To configure the Firewall Client program to automatically detect the ISA Server computer, you must configure Firewall client and Web Proxy client auto discovery in Windows. For additional information about how to configure Firewall Client and Web Proxy client auto discovery in Windows, click the following article numbers to view the articles in the Microsoft Knowledge Base: Additionally, you must configure ISA Server 2004 to provide automatic discovery information to Firewall clients and to Web Proxy clients. To do this, follow these steps:

1.	Start the ISA Server Management tool.
2.	Expand ServerName, where ServerName is the name of your ISA Server computer.
3.	Expand Configuration, and then click Networks.
4.	Right-click the network that you want ISA Server to publish auto discovery information about, and then click Properties. For example, right-click Internal, and then click Properties.
5.	Click the Auto Discovery tab, click to select the Publish automatic discovery information check box, and then click OK.
6.	Click Apply to update the firewall policy, and then click OK.

 

Troubleshooting

•

You cannot assign a different ISA server to each organizational unit. You cannot assign a different ISA server to each organizational unit by using the Mspclnt.ini file. This was possible in Microsoft Internet Security and Acceleration Server 2000. If you want to assign a different ISA server to each organization unit, you must create a Group Policy object for that organizational unit that runs the Setup.exe command from the Mspclnt share. Configure the Setup.exe command to specify the ISA server where you want the Firewall Client program to connect. For additional information about the command-line structure to use, see the "To perform an unattended Firewall Client installation" section.

•

The Firewall Client program does not automatically detect the ISA Server computer. After you deploy the Firewall Client program, the Firewall Client program may not automatically detect the ISA Server computer if another service listens on the port that ISA Server uses to publish auto discovery information. By default, ISA Server publishes auto discovery information on port 80. If another service such as Microsoft Internet Information Services (IIS) is running on the ISA Server computer, Firewall clients may not be able to obtain auto discovery information. To troubleshoot this issue, temporarily stop other services that listen on port 80.

 

For additional information about Group Policy in Microsoft Windows 2000, visit the following Microsoft Web site: For additional information, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about the Firewall Client program, search on "Advanced Firewall Client settings" in ISA Server 2004 Help.