Outlining Client Access with ISA Server 2004
It is somewhat of a misnomer to describe ISA clients as "clients" in the traditional software sense. In reality, a single ISA Client can appear to be all three types of ISA clients to the server itself. In a sense, each client is really defined more by how it uses the ISA Server rather than what is on the client machine itself. To understand this concept, it is important to understand what constitutes each one of the types of clients and how ISA views client traffic.
Defining the ISA Firewall Client
ISA Server 2004 comes with a full-blown ISA Client software component that can be installed on all workstations. The full ISA Software Client provides for the following capabilities:
Per-User Rules Configuration and Logging: One of the biggest advantages to the Firewall client is its capability to authenticate the client traffic and have the ISA Server determine not only from what IP address the client is coming, but also from what Active Directory user account it originated. This allows for the creation of per-user or per-group Firewall policy rules, enabling administrators to restrict access to specific applications, networks, and other resources on a per-user basis. This information is also logged in ISA, so that per-user reports on such things as website usage and security audits can be performed.
Winsock Application Support: The Firewall client works directly with the Windows Sockets (Winsock) drivers to provide rich support for applications written to take advantage of Winsock functionality.
Complex Protocol Support: The Firewall client is capable of handling complex protocol definitions in ISA Server, including those that make use of secondary protocols as part of their definition.
TIP: As with any piece of software, the Firewall client requires occasional updates on all the systems. For example, ISA Server 2004 Standard version Service Pack 1 introduced a new version of the Firewall client. For security and functionality reasons, it is therefore important to keep the software up to date, using Systems Management Server (SMS) 2003 or other software management tools.
Defining the SecureNAT Client
The second defined client type in ISA Server 2004 is the SecureNAT client, which is essentially any IP client that can be physically routed to the ISA Server in one manner or another. This includes any type of client with a TCP/IP stack that is forced to send its traffic through the ISA Server.
For example, a simple network with a single internal subnet that has the ISA Server's internal IP address listed as the default gateway for that subnet would see all client requests from that network as SecureNAT client traffic, as shown in Figure 11.1.
Figure 11.1. Understanding SecureNAT clients in a simple network configuration.
Figure 11.2. Understanding SecureNAT clients in a complex network configuration.
Defining the Web Proxy Client
A Web Proxy client is a client connection that comes from a CERN-compatible browser client such as Internet Explorer or Firefox. Web Proxy clients interact directly with the proxy server capabilities of ISA Server 2004, and relay their requests off the ISA Server, which operates as a content caching solution to the clients. This enables commonly downloaded content to be stored on the ISA Proxy server and served up to clients more quickly. For more information on this concept, see Chapter 8, "Deploying ISA Server 2004 as a Content Caching Server."
NOTE: It is very common to have Web Proxy clients also displayed as SecureNAT or Firewall clients in the ISA Server monitoring tools. This is because, fundamentally, the description of a Web Proxy client simply refers to the web browser-based application traffic that comes from a SecureNAT or Firewall client.
Outlining the VPN Client
Technically speaking, ISA Server recognizes a fourth type of client: Virtual Private Network (VPN) clients. A VPN client is a client system that remotely establishes an encrypted tunnel to an ISA Server. For more information on VPN clients and for deployment scenarios involving them, see Chapter 9, "Enabling Client Remote Access with ISA Server 2004 Virtual Private Networks (VPNs)."