Thanks to Chad Gross for this!
Assigning the Firewall Client
to client PCs via Group Policies is pretty simple & straight-forward
with SBS2k3:
1) Open Start | Administrative Tools | Group Policy
Management
2) Expand Forest | Domains | <yourdomain> | My Business |
Computers
3) Highlight SBSComputers
4) Click on Action | Create and Link a GPO here
5) Name your new GPO (e.g. 'Microsoft Firewall Client
Installation Policy')
6) Your new GPO should now appear in the right-hand pane of
the management console. Right-click on the GPO and select 'Edit'
7) Expand Computer Configuration | Software Settings |
Software Installation
8) Action | New | Package
9) Enter the UNC path to the firewall client installer file
(\\<servername>\mspclnt\ms_fwc.msi
by default)
10) Select 'Assigned' as the deployment method & click OK.
11) Close the Group Policy Editor console
12) Back in the Group Policy Management Console, right-click on
your GPO and select 'Enforced'
That's it - your GPO for deploying the Firewall Client is now in
place. As for when this change takes place, this depends . . .
If you create & enforce this GPO before joining workstations to
the domain, this GPO will be part of the overall group policies
that the workstation receives upon joining the domain.
If you create & enforce this GPO after clients have been
joined to the domain, you have two options:
1) touch each PC to manually update the Group Policies by
running gpupdate /force at the
command prompt.
2) By default, group policies are updated every 90 minutes - so
you could wait for the backgroup update to refresh the policy.
3) Reboot the machine which will update the Group Policies.
The interesting thing to remember is that when you assign an
application to a Computer, the software installation actually
occurs at startup before you get a logon banner. Therefore, if
you create & enforce this GPO after PCs have been joined to the
domain, the PCs will still have to be rebooted for the firewall
client to actually be installed. As a result, to make this
installation as truly efficient as possible, I create & enforce
this GPO before joining PCs to the domain. This minimizes the
number of reboots that have to occur when configuring client
PCs.
Another little trick re: minimizing Administrator requirements
at each PC - with SBS2k3, when the firewall client is installed,
it configures IE to use ISA as it's proxy. Only problem is that
it only does this for the user profile that installs the
firewall client. (And with a GPO install assigned to the
Computer, no user gets this configured). Naturally, this means
that IE needs to be configured for each user that logs into the
PC. Ugh, right?
Not quite :^)
1. On your SBS, navigate to C:\Program Files\Microsoft
Windows Small Business Server\ClientSetup\Clients\Setup.
2. Open the install.ins file with notepad.
3. Find the [Proxy] section and edit it so that it looks like:
[Proxy]
HTTP_Proxy_Server=http://YourServerName:8080
FTP_Proxy_Server=http://YourServerName:8080
Gopher_Proxy_Server=http://YourServerName:8080
Secure_Proxy_Server=http://YourServerName:8080
Socks_Proxy_Server=http://YourServerName:8080
Use_Same_Proxy=1
Proxy_Enable=1
Proxy_Override="<local>"
AutoDetect=0
4. Save the file. The next time any user logs in to any PC,
their IE will be properly configured to use ISA as a proxy.
This is something else that is very beneficial if you do it
early during your server configuration (and before you have
users asking why they can't get out to the internet :^)
--
Chad A. Gross - SBS MVP
SBS ROCKS!
www.msmvps.com/cgross
www.gosbs.org
Original Document:
http://msmvps.com/blogs/kwsupport/archive/2004/06/06/7670.aspx