Lesson 1 Configuring Local Clients for Secure Internet Access
After you install ISA Server, you can begin to configure Internet access for the client computers. For all client requests, ISA Server processes the request by analyzing access policy rules to determine whether access is allowed. If the client request is allowed, ISA Server dynamically opens and closes the ports required for the communication.
Establishing secure Internet access for local clients requires that you first decide whether to configure your internal clients as secure network address translation (SecureNAT) clients or firewall clients. You can then configure the Web browsers on your client computers to use the ISA Server Web Proxy service. Finally, once your clients are configured, you must create protocol rules in ISA Server that allow Internet protocols to pass through the firewall.
After this lesson, you will be able to
Describe the differences in features and configuration requirements among SecureNAT, Firewall, and Web Proxy clients
Configure client computers for secure Internet access through ISA Server
Configure Microsoft Internet Explorer to use the ISA Server Web Proxy service
Install Firewall Client software on the client computer
Estimated lesson time: 60 minutes
About ISA Server Clients
ISA Server supports the following three types of clients.
Firewall clients are client computers that have the Firewall Client software installed and enabled.
SecureNAT clients are client computers that do not have the Firewall Client software installed.
Web Proxy clients are client Web applications configured to use ISA Server.
Table 3.1 compares these ISA Server client types.
Table 3.1 Comparison of ISA Server Clients
Feature | SecureNAT client | Firewall client | Web Proxy client |
---|---|---|---|
Installation required? | No, but some network configuration changes required | Yes | No, requires Web browser configuration |
Operating system support | Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) | Only Windows platforms | All platforms, but by way of Web application |
Protocol support | Requires application filters for multi-connection protocols | All Winsock applications | Hypertext Transfer Protocol (HTTP), Secure HTTP (S-HTTP), File Transfer Protocol (FTP), and Gopher |
User-level authentication | No | Yes | Yes |
Server applications | No configuration or installation required | Requires configuration file | N/A |
Firewall Client computers and SecureNAT client computers may also be Web Proxy clients. This is because all Web Proxy client sessions (in other words, Web requests initiated from any browser configured to use the ISA Server as a proxy) are sent directly to the Web Proxy service. All other network requests, whether Firewall Client sessions or SecureNAT client sessions, are sent directly to the Firewall service on ISA Server.
Assessing Client Requirements
Before you deploy or configure client software, assess the needs of your organization. Determine which applications and services your internal clients require. Decide how you will be publishing servers. Then see how the different client types supported by ISA Server can meet these needs.
Essentially, your choice for each client computer is whether to install Firewall Client software on the computer, or whether simply to configure the client as a SecureNAT client. Table 3.2 displays some of the conditions under which you may favor one or the other client type.
Configuring Internet access will not establish Internet access for the ISA Server computer itself. To achieve this, you need to create IP packet filters, which are discussed in Chapter 4.
Table 3.2 Choosing ISA Server Client Type
Network need | Recommended client type | Reason |
---|---|---|
You want to avoid deploying client software or configuring client computers. | SecureNAT | SecureNAT clients do not require any software or specific configuration. Firewall clients require that you deploy Firewall Client software. |
You are using ISA Server only for the forward caching of Web objects. | SecureNAT | If you use SecureNAT clients in this scenario, you will not have to deploy any special software or configure your client computers. Instead, client requests are transparently passed to the ISA Server Firewall service and then on to the Web Proxy service for caching. |
You want to create user-based access rules to control non-Web Internet access. | Firewall Client | If you use firewall clients, you can configure user-based access policy rules for non-Web Internet sessions. You can always configure user-based rules for Web Proxy clients on both SecureNAT and Firewall Client computers. However, these rules will be effective only if you configure ISA Server to require Web applications to include authentication information with each session. |
You are publishing servers that are located on your internal network. | SecureNAT | Internal servers can be published as SecureNAT clients. This eliminates the need for creating special configuration files on the publishing server. Instead, you simply create a server publishing rule on the ISA Server. |
Your network supports roaming computers and users. | Firewall Client | SecureNAT clients do not support automatic discovery of ISA Server. When you configure automatic discovery, all Web Proxy and firewall clients automatically discover an appropriate ISA Server computer. In this way, roaming clients can connect to the ISA Server computer as appropriate and when necessary. |
Your clients need access (outside of Web browsers) to protocols with secondary connections such as FTP. | Firewall Client | SecureNAT clients do not support protocols with secondary connections. |
You want to support dial-on-demand for non-Web sessions from your clients. | Firewall Client | Though Web Proxy sessions support automatic dial-out on both SecureNAT and Firewall client computers, only Firewall Client supports dial-on-demand for non-Web sessions. |
Configuring SecureNAT Clients
SecureNAT clients do not require specific software to be deployed on the client computers. However, you must consider your network topology and ensure that the ISA Server computer can service requests from the client computers.
Specifically, the default gateway for the SecureNAT clients must be properly configured. When setting the default gateway property, identify which of the following two types of network topology you are configuring:
Simple network. A simple network topology does not have any routers configured between the SecureNAT client and the ISA Server computer.
Complex network. A complex network topology has one or more routers connecting multiple subnets that are configured between a SecureNAT client and the ISA Server computer.
Configuring SecureNAT Clients on a Simple Network
To configure SecureNAT clients on a simple network, you should set the SecureNAT client's default gateway settings to the IP address of the ISA Server computer's internal network address card. You can set this manually, using the Transmission Control Protocol/Internet Protocol (TCP/IP) settings on the client. (These settings can be configured by clicking the Network icon in Control Panel.) Alternatively, you can configure these settings automatically for the client using the Dynamic Host Configuration Protocol (DHCP) service.
Configuring SecureNAT Clients on a Complex Network
To configure SecureNAT clients on a complex network, you should set the default gateway settings to the last router in the chain between the SecureNAT client and the ISA Server computer. In this case, you do not have to change the default gateway settings for the SecureNAT clients.
Optimally, the router should use a default gateway that routes traffic along the shortest path to the ISA Server computer. Also, the router should not be configured to discard packets destined for addresses outside the corporate network; ISA Server determines how to route the packets.
Additional SecureNAT Configuration for Dial-up Networks
For both simple and complex networks relying upon a dial-up connection to the Internet, SecureNAT clients require additional configuration. To establish Internet access outside of a Web browser from a client computer that does not have Firewall Client installed, you must first create a dial-up entry policy element in ISA Management, and then you need to configure the Network Configuration node properties to use that dial-up entry when routing to upstream servers. This is discussed in more detail in Lesson 2 of this chapter.
Resolving Names for SecureNAT Clients
SecureNAT clients will probably request objects both from computers in the local network and from the Internet. Thus, SecureNAT clients require Domain Name System (DNS) servers that can resolve names both for external and internal computers.
Internet Access Only
If your SecureNAT clients require Internet access only and do not need to resolve DNS names internal to your network, you should configure the TCP/IP settings for these clients to use external (Internet-based) DNS servers. You then need to create a protocol rule allowing the clients to use a DNS Query operation.
Internal Network and Internet Access
If SecureNAT clients will request data both from the Internet and from internal network servers, the clients should use a DNS server located on the internal network. You should configure the DNS server to resolve both internal addresses and Internet addresses. Alternatively, you can configure the clients' TCP/IP properties to recognize an external DNS server as the preferred server and your internal DNS server as an alternate DNS server.
Firewall Clients
A firewall client is a computer with Firewall Client software installed and enabled. The firewall client runs Winsock applications that use ISA Server's Firewall service. When a firewall client uses a Winsock application to request an object from a computer, the client checks its copy of the local address table (LAT) to see whether the specified computer is in the LAT. If the computer is not in the LAT, the request is sent to the ISA Server Firewall service. The firewall service handles the request and forwards it to the appropriate destination as permissions allow. Firewall Client software can send Windows user information, which is required for authentication purposes, to the ISA Server.
After installing the client software, you can modify the server name to which the client connects by specifying a different name either on the ISA Server computer to which the client currently connects or by changing the name in the Firewall Client software. The configuration changes take effect after the firewall configuration is refreshed. To centrally manage the Firewall Client software configuration, modify Firewall Client properties from the Client Configuration node in ISA Management. This node includes centralized configuration control for both the Firewall Client software and the firewall client's Web browser settings.
As shown in Figure 3.1, the ISA Server computer contains a network share named mspclnt to which a client computer can connect over the local network. This share contains the installation program, which you can use to install the Firewall Client software onto your client computer. You can install Firewall Client software on client computers that run Microsoft Windows ME, Windows 95, Windows 98, Windows NT 4.0, or Windows 2000. 16-bit Winsock applications are supported, but only on Windows 2000 and Windows NT 4.0. After you install and enable the Firewall Client software, the computer functions as a firewall client.

Figure 3.1 The network share mspclnt contains the Firewall Client setup files.
Follow these steps to install Firewall Client software:
At a command prompt on the client computer, type:
Path\Setup
where path is the path to the shared ISA Server client installation files.
The ISA Server client installation files are located in a folder on the ISA Server computer with the share name \\ISA_Server_name\MSPClnt.
Follow the on-screen instructions. Do not install Firewall Client software on the ISA Server computer.
Firewall Client Application Settings
Installing the Firewall Client software does not automatically configure individual Winsock applications. Instead, the client software uses the same Winsock dynamic link library (.dll) that the other applications use. The firewall client then intercepts the application calls and decides whether to route the request to the ISA Server computer.
In processing Winsock requests, the Firewall Client application looks for a Wspcfg.ini file in the directory where the client Winsock application is installed. If this file is found, it looks for a [WSP_Client_App] section, where WSP_Client_App is the name of the Winsock application without the .exe extension. If this section does not exist, the Firewall Client application next looks for the [Common Configuration] section. If this section also does not exist, it looks for the same sections in the Mspclnt.ini file. The first section, and only that section, found by using this search method is used to apply the application-specific configuration settings.
Advanced Client Configuration
For most Winsock applications, the default Firewall Client configuration works with no need for further modification. However, in some cases, you will need to add client configuration information. You can store the client configuration information in one of the following two locations:
Mspclnt.ini. This is the global client configuration file, which is located in the Firewall Client installation folder. The Mspclnt.ini file is periodically downloaded by the client from the ISA Server computer and overwrites previous versions. Consequently, you can make configuration changes at the ISA Server computer and the settings will automatically be downloaded to the client computers. Make configuration changes in ISA Management from the Client Configuration node. In the details pane, access the properties of the firewall client. In the Firewall Client Properties dialog box, click the Application Settings tab, then create, edit or delete application settings. Firewall clients periodically download these settings.
Wspcfg.ini. This file is located in a specific client application folder. The ISA Server computer does not overwrite this file. Consequently, if you can make configuration changes in this file, they will apply only to the specific client.
Sample Wspcfg.ini File
The following is a sample [WSP_Client_App] section in a client configuration file for the application WSP_Client_App.exe:
```ini
[WSP_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:110.52.144.103, 82:110.51.0.0
KillOldSession=1
Persistent=1
ForceProxy=i:172.23.23.23
ForceCredentials=1
NameResolutionForLocalHost=L
```
Table 3.3 describes the entries that can be placed in a configuration file for a Winsock application.
Table 3.3 Firewall Client Configuration Entries for Winsock Applications
Entry | Description |
---|---|
Disable | Possible values: 0 or 1. When the value is set to 1, the Firewall service is disabled for the specific client application. |
NameResolution | Possible values: L or R. By default, dotted decimal notation or Internet domain names are redirected to the ISA Server computer for name resolution and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the ISA Server computer for resolution. When the value is set to L, all names are resolved on the local computer. |
LocalBindTcpPorts | Specifies a TCP port, list, or range that is bound locally. |
LocalBindUdpPorts | Specifies a UDP port, list, or range that is bound locally. |
RemoteBindTcpPorts | Specifies a TCP port, list, or range that is bound remotely. |
RemoteBindUdpPorts | Specifies a UDP port, list, or range that is bound remotely. |
ServerBindTcpPorts | Specifies a TCP port, list, or range for all ports that should accept more than one connection. |
ProxyBindIp | Specifies an IP address or list that is used when binding with a corresponding port. Use this entry when multiple servers that use the same port need to bind to the same port on different IP addresses on the ISA Server computer. The syntax of the entry is: ProxyBindIp=[port]:[IP address], [port]:[IP address]. The port numbers apply to both TCP and UDP ports. |
KillOldSession | Possible values: 0 or 1. When the value is set to 1, it specifies that, if the ISA Server computer holds a session from an old instance of an application, that session is terminated before the application is granted a new session. This option is useful, for example, if an application crashed or did not close the socket on which it was listening. By closing the old session, ISA Server immediately discovers that the application was terminated and can immediately release the port used by the old session. |
Persistent | Possible values: 0 or 1. When the value is set to 1, a specific server state can be maintained on the ISA Server computer if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets upon server restart. |
ForceProxy | Used to force a specific ISA Server computer for a specific Winsock application. The syntax of the entry is: ForceProxy=[Tag]:[Entry] where Tag equals i for an IP address or n for a name. Entry equals the address or the name. If the n tag is used, the Firewall service only works over IP. |
ForceCredentials | Used when running a Windows NT or Windows 2000 service or server application as a Firewall client application. When the value is set to 1, it forces the use of alternate user authentication credentials that are stored locally on the computer that is running the service. The user credentials are stored on the client computer using the Credtool.exe application that is provided with the Firewall Client software. User credentials must reference a user account that can be authenticated by ISA Server, either local to ISA Server or in a domain trusted by ISA Server. The user account is normally set not to expire; otherwise, user credentials need to be renewed each time the account expires. |
NameResolutionForLocalHost | Possible values are L (default), P, or E. Used to specify how the local (client) computer name is resolved, when the gethostbyname API is called. The LocalHost computer name is resolved by calling the Winsock API function gethostbyname() using the LocalHost string, an empty string, or a NULL string pointer. Winsock applications call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server. When this option is set to L, gethostbyname() returns the IP addresses of the local host computer. When this option is set to P, gethostbyname() returns the IP addresses of the ISA Server computer. When this option is set to E, gethostbyname() returns only the external IP addresses of the ISA Server computer—those IP addresses that are not in the LAT. |
ControlChannel | Possible Values: Wsp.udp (default) or Wsp.tcp. Specifies the type of control-channel used. |
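As an added worked example (not code from the ISA Server product or from this training kit), the following Python script applies the Wspcfg.ini/Mspclnt.ini search order described under Firewall Client Application Settings to two constructed sample files, and parses the port-list, ProxyBindIp and NameResolution entry syntax from Table 3.3. Treating an "Internet domain name" as any name containing a dot is an assumption made for the example.

```python
"""Resolve the effective Firewall Client settings for a Winsock application
(search order from this lesson) and parse Table 3.3 entry syntax.
Both .ini samples below are constructed for this example."""
import configparser
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed per-application Wspcfg.ini (sits in the application's own folder).
WSPCFG_INI = """[Common Configuration]
NameResolution=L
[WSP_Client_App]
Disable=0
NameResolution=R
LocalBindUdpPorts=7000-7022, 7100-7170
ProxyBindIp=80:110.52.144.103, 82:110.51.0.0
KillOldSession=1
"""
# Constructed global Mspclnt.ini (periodically downloaded from the ISA Server).
MSPCLNT_INI = """[Common Configuration]
NameResolution=R
KillOldSession=0
[ftp]
Disable=1
"""

def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep entry names as written, e.g. NameResolution
    cp.read_string(text)
    return cp

def effective_settings(app_exe: str, wspcfg: Optional[str],
                       mspclnt: str) -> Tuple[str, Dict[str, str]]:
    """Return (where_found, settings) for e.g. 'WSP_Client_App.exe'.
    Search order: Wspcfg.ini [app], Wspcfg.ini [Common Configuration],
    Mspclnt.ini [app], Mspclnt.ini [Common Configuration]. Only the first
    section found is applied; later ones are NOT merged in. wspcfg is None
    when no Wspcfg.ini exists beside the application."""
    app = re.sub(r"\.exe$", "", app_exe, flags=re.IGNORECASE)
    candidates: List[Tuple[str, str, configparser.ConfigParser]] = []
    if wspcfg is not None:
        cp = _load(wspcfg)
        candidates += [("Wspcfg.ini", app, cp),
                       ("Wspcfg.ini", "Common Configuration", cp)]
    cp = _load(mspclnt)
    candidates += [("Mspclnt.ini", app, cp),
                   ("Mspclnt.ini", "Common Configuration", cp)]
    for fname, section, parser in candidates:
        if parser.has_section(section):
            return f"{fname}:[{section}]", dict(parser.items(section))
    return "defaults", {}

def parse_ports(value: str) -> List[Tuple[int, int]]:
    """Parse a 'port, list, or range' value such as '7000-7022, 7100-7170'
    into inclusive (low, high) pairs; a single port becomes (p, p)."""
    ranges = []
    for item in (s.strip() for s in value.split(",") if s.strip()):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges

def parse_proxy_bind_ip(value: str) -> Dict[int, str]:
    """Parse 'ProxyBindIp=[port]:[IP address], [port]:[IP address]' (the port
    applies to both TCP and UDP); a malformed address raises ValueError."""
    out = {}
    for item in value.split(","):
        port, _, ip = item.strip().partition(":")
        out[int(port)] = str(ipaddress.IPv4Address(ip))
    return out

def resolve_where(name: str, name_resolution: Optional[str]) -> str:
    """'R': every name goes to the ISA Server computer; 'L': every name is
    resolved locally; default: dotted-decimal addresses and Internet domain
    names (assumed here: any name with a dot) go to ISA Server, others local."""
    if name_resolution in ("R", "L"):
        return "ISA Server" if name_resolution == "R" else "local"
    return "ISA Server" if "." in name else "local"

if __name__ == "__main__":
    where, cfg = effective_settings("WSP_Client_App.exe", WSPCFG_INI, MSPCLNT_INI)
    print(where, cfg, parse_ports(cfg["LocalBindUdpPorts"]))
```

Note that an application with no section of its own in Wspcfg.ini stops at that file's [Common Configuration] and never sees the Mspclnt.ini settings, which is why a global change on the ISA Server may appear not to reach such a client.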
Web Proxy Service
The Web Proxy service (w3proxy) is a Windows 2000 service that supports requests from any Web browser. This provides nearly every desktop operating system, including Windows NT, Microsoft Windows 95, Windows 98, Windows 2000, Macintosh, and UNIX with Web access. The Web Proxy service works at the application level on behalf of a client requesting an Internet object that can be retrieved by using one of the protocols supported by the Web Proxy: File Transfer Protocol, Hypertext Transfer Protocol, and Gopher protocol. The Web Proxy service also supports the Secure HTTP (S-HTTP) protocol for secure sessions that use Secure Sockets Layer (SSL) connections.
Web Proxy clients—typically, browsers—must be specifically configured to use the ISA Server computer. When a user requests a Web site, the browser parses the Uniform Resource Locator (URL). If a dot address is used, as in a fully qualified domain name or IP address, the browser considers the destination to be remote and sends the HTTP request to the ISA Server computer for processing.
You can use ISA Management to monitor Web Proxy service status. Similarly, you can use ISA Management to stop or start the Web Proxy service. Monitoring and Service Control is available from the Monitoring node.
When you stop the Web Proxy service, the information in the cache is not deleted. However, when you restart the Web Proxy service, several seconds may pass before the cache is fully enabled and functional. If the Web Proxy service has crashed, ISA Server restores the information in the cache. This takes some time, and performance may not be optimal until the cache is eventually restored.
Configuring Web Proxy Clients
You do not have to install any software to configure Web Proxy clients. However, you must configure the proxy capable applications on the client computers to use the ISA Server computer as the proxy server.

Figure 3.2 Configure LAN settings in Internet Explorer to use the browser with ISA Server.
You can also set an option by which the Web browser automatically downloads a client configuration script from the ISA Server computer every time the browser is opened. The output of this script provides an ordered series of ISA Server computers that the browser uses to retrieve the object that is specified by the URL.
The script is stored at a specific URL on any ISA Server computer in an array. This makes it easy to update all Web browser settings without having to reconfigure each individual Web browser. Internet Explorer version 3.02 and later and Netscape 2.0 and later support this feature.
The default configuration URL is
http://Computer_name/array.dll?Get.Routing.Script
where Computer_name is the name of the ISA Server computer. This is the URL where the configuration script is located. ISA Server automatically generates this configuration script based on the Direct Access and Backup Route options.
Follow these steps to manually configure Internet Explorer 5.0 to use the Web Proxy service:
Open Internet Explorer.
On the Tools menu, click Internet Options.
On the Connections tab, click LAN Settings.
Select the Use A Proxy Server check box.
In the Address text box, type the name of an ISA Server computer or array, then in the Port text box, type a valid port number (usually 8080).
Direct Access
You can configure computers on the local network to be accessed directly from the client by creating a Web browser exception list. You can also specify that all computers included in the Local Domain Table (LDT) can be accessed directly from the client. Clients use the LDT to determine if a name resolution request should be performed directly or via ISA Server.
Practice: Establishing Secure Internet Access for Web Proxy Clients
Exercise 1: Creating a Protocol Rule
In this exercise, you create a protocol rule that allows secure Internet access.
To open the New Protocol Rule wizard
Log on to Server1 as Administrator.
Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
Click the View menu and verify that Taskpad is selected.
In the console tree, expand the Servers and Arrays node, and then expand the MyArray node. Configuration nodes for Server1 appear.
Expand the Access Policy node and select the Protocol Rules folder.
In the details pane, click the Create A Protocol Rule icon.
To create a new protocol rule with the New Protocol Rule wizard
In the Protocol Rule Name text box, type AllowIP. This exercise is intended to provide a simplified means of allowing all internal clients access to all IP traffic. In a real-world deployment scenario, you may want to limit access to specific protocols for specific users, groups, or client sets.
Click Next.
On the Rule Action screen, verify that the Allow radio button is selected, and then click Next.
On the Protocols screen, verify that All IP Traffic appears in the Apply This Rule To drop-down list box, and then click Next.
On the Schedule screen, verify that Always appears in the Use This Schedule drop-down list box, and then click Next.
On the Client Type screen, verify that the Any Request radio button is selected, and then click Next.
On the Completing the New Protocol Rule Wizard screen, click Finish. The AllowIP rule appears in the details pane.
After you create a new protocol rule, you might need to wait a few minutes before it begins to function. Before proceeding to Exercise 2, you may either wait a few minutes or restart the ISA Server services as described in Chapter 3, Lesson 4.
Exercise 2: Configuring Internet Explorer to Use the Web Proxy Service
This exercise enables Internet Explorer to work with the ISA Server Web Proxy service. Use the dial-up connection on Server1 to establish a connection to your ISP.
Log on to Domain01 from Server2 as Administrator.
Open Internet Explorer.
If the Internet Connection Wizard appears, advance through the wizard by configuring a manual (LAN) connection.
On the Tools menu, click Internet Options.
On the Connections tab, click LAN Settings.
Select the Use A Proxy Server check box.
In the Address text box, type 192.168.0.1, then in the Port text box, type 8080.
Click OK to close the Local Area Network (LAN) Settings dialog box.
Click OK to close the Internet Options dialog box.
You should now be able to browse Web sites freely with Internet Explorer on Server2.
Practice: Installing Firewall Client
Perform this exercise on the Server2 computer.
Open My Network Places, and browse the network to find \\server1\mspclnt\.
Double-click the SETUP icon in \\server1\mspclnt\. The Microsoft Firewall Client – Install wizard appears.
Click Next.
On the Destination Folder screen, accept the default location, and then click Next.
On the Ready To Install The Program screen, click Install. The firewall client is installed and then the Install Wizard Completed screen appears.
Click Finish.
Lesson Summary
Establishing secure Internet access for local clients requires that you first configure protocol rules in ISA Server that allow Internet protocols to pass through the ISA Server firewall to the client computers. You can then decide whether to configure your internal clients as SecureNAT clients, which requires little configuration, or as firewall clients, which requires you to install the Firewall Client software on the client computers.
Before you deploy or configure client software, assess your organization's needs. If you need to support roaming clients, to apply access policy to authenticated users, to support protocols with secondary connections, or to allow dial-on-demand for non-Web Internet sessions, you should deploy Firewall Client software. If you are using the ISA Server to protect publishing servers, if ISA Server is installed in Cache mode, or if you want to avoid installing software on the client computers, you can configure your client computers as SecureNAT clients.
Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. The Web Proxy service (w3proxy) is a Windows 2000 service that supports requests from any proxy capable application. You do not have to install any software to configure Web Proxy clients. However, you must configure the Web browser applications on the client computers to use the ISA Server computer as the proxy server.