ISA Server 2004 Configuration Guide: Configuring ISA Server 2004 SecureNAT, Firewall and Web Proxy Clients

Chapter 10


For the latest information, please see http://www.microsoft.com/isaserver/.


Introduction

An ISA Server 2004 client is a machine that connects to a resource by going through the ISA Server 2004 firewall. In general, the ISA Server 2004 client is located on an Internal or perimeter network segment and connects to the Internet through the ISA Server 2004 firewall.

There are three ISA Server 2004 client types:

·         The SecureNAT client

·         The Web Proxy client

·         The Firewall client

A SecureNAT client is a machine configured with a default gateway that can route Internet-bound requests through the ISA Server 2004 firewall. If the SecureNAT client is on a network directly connected to the ISA Server 2004 firewall, the default gateway of the SecureNAT client is the IP address of the network interface on the ISA Server 2004 firewall connected to that segment. If the SecureNAT client is located on a network segment that is remote from the ISA Server 2004 firewall, the SecureNAT client is configured with the IP address of a router that routes Internet-bound requests through the ISA Server 2004 firewall machine.

A Web Proxy client is a machine whose browser is configured to use the ISA Server 2004 firewall as its Web Proxy server. The browser can be configured to use the IP address of the ISA Server 2004 firewall as its Web Proxy server, or it can be set to use the ISA Server 2004 firewall’s Web Proxy autoconfiguration script. The autoconfiguration script confers a higher level of flexibility in controlling how Web Proxy clients connect to the Internet. User names are recorded in the Web Proxy logs when the machine is configured as a Web Proxy client.

A Firewall client is a machine that has the Firewall client software installed. The Firewall client software intercepts all Winsock application requests (typically, all TCP and UDP requests) and forwards them directly to the Firewall service on the ISA Server 2004 firewall. User names are automatically entered into the Firewall service log when the Firewall client machine connects to the Internet through the ISA Server 2004 firewall.

The following table summarizes the features provided by each client type.

Table 1: ISA Server 2004 Client Types and Features

Feature                           | SecureNAT client                                  | Firewall client          | Web Proxy client
----------------------------------|---------------------------------------------------|--------------------------|-----------------------------------------------
Installation                      | Yes, requires some network configuration changes  | Yes                      | No, requires Web browser configuration
Operating system support          | Any operating system that supports TCP/IP         | Only Windows platforms   | All platforms, but by way of a Web application
Protocol support                  | Application filters for multiconnection protocols | All Winsock applications | HTTP, Secure HTTP (HTTPS), and FTP
User-level authentication support | Yes, for VPN clients only                         | Yes                      | Yes


We will discuss the following procedures in this ISA Server 2004 Configuration Guide document:

·         Configuring the ISA Server 2004 SecureNAT client

·         Configuring the ISA Server 2004 Web Proxy client

·         Configuring the ISA Server 2004 Firewall client

Configuring the SecureNAT Client

The SecureNAT client configuration is simple. The only requirement is that the machine be configured with a default gateway that routes Internet-bound requests through the ISA Server 2004 firewall machine. There are two primary methods you can use to configure a machine as a SecureNAT client:

·         Manually configure the TCP/IP settings on the machine

·         Create a DHCP scope option that assigns the default gateway address

In the scenarios discussed in this ISA Server 2004 Configuration Guide, the domain controller is configured as a SecureNAT client. Network servers such as domain controllers, DNS servers, WINS servers and Web servers are typically configured as SecureNAT clients. The domain controller has been manually configured as a SecureNAT client.

In Chapter 4 of this ISA Server 2004 Configuration Guide, you installed a DHCP server and created a DHCP scope. The DHCP scope was configured with a scope option assigning DHCP clients a default gateway address that is the Internal interface of the ISA Server 2004 firewall. The default configuration of Windows systems is to use DHCP to obtain IP addressing information.

If you are using the network configuration described in Chapter 1 of this ISA Server 2004 Configuration Guide, the Internal network client is configured with a static IP address. In the following walkthrough, we will configure the Internal network client to use DHCP to demonstrate how DHCP works, and then return the client to its static IP address.

Perform the following steps to configure the Windows 2000 machine as a DHCP client and return the machine to a static IP address:

1.       At the CLIENT machine, right-click the My Network Places icon on the desktop and click Properties.

2.       In the Network and Dial-up Connections window, right-click the Local Area Connection entry and click Properties.

3.       In the Local Area Connection Properties dialog box, click the Internet Protocol (TCP/IP) entry and click Properties.

4.       In the Internet Protocol (TCP/IP) Properties dialog box, select Obtain an IP address automatically and Obtain DNS server address automatically. Click OK.

5.       Click OK in the Local Area Connection Properties dialog box.

6.       Confirm the new IP address assignment by using the ipconfig command. Click Start and Run. In the Open text box, enter cmd.

7.       In the Command Prompt window, enter ipconfig /all and press ENTER. Here you can see the IP address assigned to the client, as well as the DNS, WINS and default gateway addresses.

8.       Close the Command Prompt window. Return to the TCP/IP Properties dialog box and change the CLIENT machine to use a static IP address again. The IP address is 10.0.0.4; the subnet mask is 255.255.255.0; the default gateway is 10.0.0.1, and the DNS server address is 10.0.0.2.

Configuring the Web Proxy Client

The Web Proxy client configuration requires that the Web browser be set to use the ISA Server 2004 firewall as its Web Proxy server. There are several ways to configure the Web browser as a Web Proxy client. It can be:

·         manually configured to use the IP address of the ISA Server 2004 firewall as its Web Proxy server

·         manually configured to use the autoconfiguration script

·         automatically configured during Firewall client installation

·         automatically configured using wpad entries in DNS and DHCP

In Chapter 5 of the ISA Server 2004 Configuration Guide, you created wpad entries in DNS and DHCP to support autoconfiguration of Web Proxy and Firewall client machines. Wpad autodiscovery is the preferred method of configuring the Web Proxy client, as it allows users to automatically receive Web Proxy settings without requiring them to configure their browsers.

Another way you can automatically configure Web browsers as Web Proxy clients is to have the browser configured automatically when the Firewall client is installed. This is the preferred method of configuring browsers on Firewall client machines that will also act as Web Proxy clients.

The last option is to manually configure the browser. This option should be used when the automatic configuration options are not available.

If you are using the example network configuration described in this ISA Server 2004 Configuration Guide, your DNS and DHCP servers are configured to provide wpad information to the Web browsers so that they are autoconfigured. However, if you choose to not use autoconfiguration, you can manually configure the browser. We will examine browser configuration during Firewall client installation in the next section.

Perform the following steps to manually configure the Internet Explorer 6.0 Web browser:

1.       On the CLIENT machine, right-click the Internet Explorer icon on the desktop and click Properties.

2.       In the Internet Properties dialog box, click the Connections tab. On the Connections tab, click the LAN Settings button.

3.       There are several Web proxy configuration options in the Local Area Network (LAN) Settings dialog box. Put a check mark in the Automatically detect settings check box to enable the browser to use the wpad settings in DNS and DHCP. This is the default setting for Internet Explorer Web browsers. Place a check mark in the Use automatic configuration script check box, and enter the location of the autoconfiguration script. The autoconfiguration script is stored on the ISA Server 2004 firewall at the following location:

http://ISALOCAL.msfirewall.org:8080/array.dll?Get.Routing.Script

The client machine must be able to resolve the name of the ISA Server 2004 firewall included in the autoconfiguration script to the IP address on the Internal interface of the firewall. Note that if the machine is able to use wpad to Automatically detect settings, the information contained in the autoconfiguration script will be downloaded to the Web Proxy client machine. Put a check mark in the Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections) check box, and enter the IP address on the Internal interface of the ISA Server 2004 firewall in the Address text box. In the Port text box, enter the TCP port number that the Web Proxy filter listens on, which is 8080 by default. Click OK in the Local Area Network (LAN) Settings dialog box.

4.       Click OK in the Internet Properties dialog box.

The Web browser is now configured as a Web Proxy client.
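The following JavaScript is an added example and is not part of the ISA Server 2004 Configuration Guide or of the ISA Server product. It models the two mechanisms described above from the client side: how a browser with Automatically detect settings enabled builds the list of wpad locations it tries (the URL supplied by DHCP first, then wpad.<domain> names in DNS, walking up through each parent domain and stopping before the top-level domain), and how the browser evaluates an autoconfiguration script to decide between a DIRECT connection and the Web Proxy listener on TCP 8080. The script body, the DNS table and the host names are constructed for the guide's example network (ISALOCAL.msfirewall.org, 10.0.0.0/24). The helper functions isPlainHostName, dnsDomainIs and isInNet are the ones a browser normally supplies to an autoconfiguration script, reimplemented here so the example runs offline; the real script returned by array.dll?Get.Routing.Script is generated by the firewall and is not reproduced.

```javascript
// Added example (not from the ISA Server 2004 Configuration Guide): client-side view of
// wpad autodiscovery and autoconfiguration-script evaluation. All names, addresses and
// the script text below are constructed for the guide's example network.

// Candidate wpad locations in the order a client tries them: the DHCP-supplied URL
// (option 252) if the scope provides one, then http://wpad.<domain>/wpad.dat for the
// client's own domain and each parent domain, never querying wpad.<tld>.
function wpadCandidates(clientFqdn, dhcpOption252) {
  const urls = [];
  if (dhcpOption252) urls.push(dhcpOption252);
  const labels = clientFqdn.toLowerCase().split('.').slice(1); // drop the host label
  while (labels.length >= 2) {                                 // stop before the TLD
    urls.push(`http://wpad.${labels.join('.')}/wpad.dat`);
    labels.shift();
  }
  return urls;
}

// Constructed DNS table standing in for the Internal network's DNS server.
const CONSTRUCTED_DNS = {
  'isalocal.msfirewall.org': '10.0.0.1',
  'exchange2003be.msfirewall.org': '10.0.0.2',
  'client.msfirewall.org': '10.0.0.4',
};

// Dotted-quad IPv4 address to an unsigned 32-bit integer (no bitwise ops, so no sign issues).
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Helpers a browser exposes to FindProxyForURL. isInNet resolves names through the
// constructed table instead of real DNS.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  isInNet: (host, pattern, mask) => {
    const addr = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : CONSTRUCTED_DNS[host.toLowerCase()];
    if (!addr) return false;
    const m = ipToInt(mask);
    return ((ipToInt(addr) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
  },
};

// Constructed autoconfiguration script in the FindProxyForURL form: plain host names,
// Internal-domain names and Internal-network addresses go DIRECT; everything else goes
// to the Web Proxy listener on the firewall at TCP 8080.
const CONSTRUCTED_PAC = `
  function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".msfirewall.org") ||
        isInNet(host, "10.0.0.0", "255.255.255.0")) {
      return "DIRECT";
    }
    return "PROXY ISALOCAL.msfirewall.org:8080";
  }`;

// Evaluate a script the way a browser does: bind the helpers, then call FindProxyForURL.
function evaluatePac(pacSource, url, host) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const findProxyForURL = factory(...names.map((n) => pacHelpers[n]));
  return findProxyForURL(url, host);
}

// Stand-alone demonstration.
console.log('wpad candidates:', wpadCandidates('client.msfirewall.org', null));
for (const [url, host] of [
  ['http://www.microsoft.com/isaserver/', 'www.microsoft.com'],
  ['http://exchange2003be/', 'exchange2003be'],
  ['http://10.0.0.2/', '10.0.0.2'],
]) {
  console.log(host, '->', evaluatePac(CONSTRUCTED_PAC, url, host));
}
```

The wpadCandidates list is a useful check when browsers on a segment fail to autodetect: each name it produces for the client's domain must resolve to the ISA Server 2004 firewall's Internal interface, and the firewall must publish autodiscovery information on the port the client uses (80 by default). The evaluatePac function builds the script with new Function so the script text itself remains ordinary JavaScript; a browser additionally falls back to a direct connection when no wpad location answers, which this example does not model.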

Configuring the Firewall Client

The Firewall client software enables you to control Internet access on a per-user or per-group basis for all Winsock (TCP or UDP) connections to the Internet. The Firewall client software automatically sends user credentials in the background to the ISA Server 2004 firewall machine. The user accounts can belong to the local SAM on the ISA Server 2004 firewall, or, if the ISA Server 2004 firewall and the clients belong to the same Windows domain, the user accounts can be stored in the Windows NT 4.0 SAM or in Windows 2000/Windows Server 2003 Active Directory.

The Firewall client software can be installed from the ISA Server 2004 machine or from another machine on the network. If you want to install the Firewall client software from the ISA Server 2004 firewall computer, you must enable a System Policy Rule to allow access to the share. A more secure configuration is to install the Firewall client share on a file server on the Internal network.

In the following walkthrough, we will install the Firewall client share on the domain controller computer and then install the Firewall client software on the Windows 2000 client computer.

Perform the following steps to install the Firewall client share on the domain controller computer:

1.       Insert the ISA Server 2004 CD-ROM into the CD drive on the domain controller. In the autorun menu, click the Install ISA Server 2004 icon.

2.       On the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page, click Next.

3.       On the License Agreement page, select I accept the terms in the license agreement, and click Next.

4.       On the Customer Information page, enter your User name, Organization and Product Serial Number. Click Next.

5.       On the Setup Type page, select the Custom option.

6.       On the Custom Setup page, click the Firewall Services entry and click the This feature will not be available option. Click the ISA Server Management entry and click the This feature will not be available option. Click the Firewall Client Installation Share entry and click the This feature, and all subfeatures, will be installed on the local hard drive. Click Next.

7.       Click Install on the Ready to Install the Program page.

8.       Click Finish on the Installation Wizard Completed page.

You can now install the Firewall client software from the Firewall client share on the domain controller. Perform the following steps to install the Firewall client software:

1.       At the CLIENT computer on the Internal network, click Start and then click the Run command. In the Open text box, enter \\EXCHANGE2003BE\mspclnt\setup and click OK.

2.       Click Next on the Welcome to the Install Wizard for Microsoft Firewall Client page.

3.       Click Next on the Destination Folder page.

4.       On the ISA Server Computer Selection page, select the Automatically detect the appropriate ISA Server computer option. This option will work because we have created a wpad entry in DNS. If you had not created a wpad entry, you could have selected the Connect to this ISA Server computer option and entered the name or IP address of the ISA Server 2004 firewall in the text box. Click Next.

5.       Click Install on the Ready to Install the Program page.

6.       Click Finish on the Install Wizard Completed page.

The next step is to configure Firewall client support for the Internal network. Perform the following steps on the ISA Server 2004 firewall computer:

1.       Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Expand the Configuration node and click the Networks node. Right-click the Internal Network and click Properties.

2.       In the Internal Properties dialog box, click the Firewall Client tab. Confirm that a check mark appears in the Enable Firewall client support for this network check box. Confirm that there are check marks in the Automatically detect settings and Use automatic configuration script check boxes in the Web browser configuration on the Firewall client computer frame. Put a check mark in the Use a Web proxy server check box. Use the fully-qualified domain name of the ISA Server 2004 firewall computer in the ISA Server name or IP address text box. In this example, the fully-qualified domain name of the ISA Server 2004 computer is ISALOCAL.msfirewall.org. Click Apply.

3.       Click the Auto Discovery tab. Place a check mark in the Publish automatic discovery information check box. Leave the default port as 80. Click Apply and OK.

4.       Click Apply to save the changes and update the firewall policy.

5.       Click OK in the Apply New Configuration dialog box.

We can now configure the Firewall client. Perform the following steps on the client computer on the Internal network:

1.       At the CLIENT computer, double-click the Firewall client icon in the system tray.

2.       In the Microsoft Firewall Client for ISA Server 2004 dialog box, confirm that a check mark appears in the Enable Microsoft Firewall Client for ISA Server 2004 check box. Confirm that the Automatically detect ISA Server option is selected.

3.       Click the Detect Now button. The name of the ISA Server 2004 firewall computer will appear in the Detecting ISA Server dialog box when the client finds the ISA Server 2004 firewall. Click Close.

4.       Confirm that a check mark appears in the Enable Web browser automatic configuration check box and click the Configure Now button. Note that based on the settings we created on the ISA Server 2004 firewall, the browser has been automatically configured. Click OK in the Web Browser Settings Update dialog box.

5.       Click Apply and then click OK in the Microsoft Firewall Client for ISA Server 2004 dialog box.

The machine is now configured as a Firewall client and can access the Internet in its role as a Firewall client based on the Access Rules configured on the ISA Server 2004 firewall.

Conclusion

In this ISA Server 2004 Configuration Guide section we discussed the various ISA Server 2004 client types and the features provided by each client. After discussing the types of ISA Server 2004 clients, we went over the procedures required to install and configure each client type. In the next chapter of this ISA Server 2004 Configuration Guide, we will outline the procedures for creating and modifying the outbound access policy rules created by the Network Template.