Introduction to the three ISA & TMG client modes (II): Firewall Client

Source: Internet
Author: User
Tags: firewall

In enterprise environments, firewall clients are computers on a network protected by ISA server that have the Firewall Client software installed and enabled. You can install the Firewall Client software on each client computer individually, or use the Windows Software Installation snap-in to centrally manage its distribution.

The Firewall client uses a common Winsock provider. When you set up a firewall client, you do not configure individual Winsock applications. Instead, the dynamic link library (FwcWsp.dll) in the Firewall Client software becomes a Winsock layered service provider that all Winsock applications use transparently. The Firewall Client layered service provider intercepts Winsock function calls from client applications and routes each request to the original underlying service provider when the target is local, or to the Firewall service on the TMG/ISA server computer when the target is remote.

This version of the Firewall Client supports a more secure way of communicating between the Firewall client and the ISA server. The firewall client credentials are sent transparently with each request through the TCP control channel, and the credentials are encrypted so that they cannot be intercepted.

How do Firewall clients handle IP address requests?

1. When a Winsock application on a client computer attempts to connect to an IP address, the Firewall client checks the local domain table to determine whether the IP address is in the internal network or in the external network. If the domain name is found in the local domain table, the client completes the name resolution itself. Otherwise, the client passes the request to the external DNS server, requesting the ISA server to resolve the domain name on its behalf.

2. When ISA server resolves client requests on behalf of a firewall client, it completes name resolution based on the DNS settings configured on the network adapter associated with the network that receives the Firewall client request. The resolved IP address is returned to the Firewall client computer, and then the computer sends the request to the target. ISA server can cache the results of DNS queries made for firewall clients based on the DNS time to live (TTL) configured for the network adapter.

3. After name resolution returns the IP address of the target server, the Firewall client checks the local address table and Locallat.txt to determine whether the address is a local address. For internal addresses, the client connects directly. Otherwise, the request is sent to the Firewall service on the ISA server computer.

Let's take a look at the Firewall Client name resolution method:

A computer that has the Firewall client installed can have settings for each application, and these settings specify whether the ISA server performs name resolution on the client's behalf. By default, name resolution for a Winsock application that runs on a firewall client computer is handled as follows:

Names in dotted decimal notation and Internet domain names are redirected to the ISA server computer for name resolution.

Unqualified names are resolved on the local computer.

You can change this default behavior by setting the NameResolution configuration setting to one of the following values, which control whether name resolution is handled locally or by the remote TMG/ISA server:

NameResolution=L. Use this setting to specify that application requests should be resolved on the local computer.

NameResolution=R. Use this setting to specify that application requests should be resolved by the ISA server computer.

Modifying this setting is useful if you want to determine where the application's name resolution occurs.

When you specify a domain and a computer for direct access, the Firewall client computer attempts to resolve the name without passing through the ISA server. The client computer must have a DNS server specified in its TCP/IP parameters so that the name can be resolved correctly. In particular, these client computers must be able to resolve the name of a published resource to an internal IP address.

If the application's NameResolution setting is specified as L or R, this setting overrides any direct access settings. For example, if the NameResolution setting for Fwc_application.exe is specified as R, the application's FQDN resolution requests are always handled by the ISA Server, regardless of whether an entry in the ISA Server Firewall Client configuration file specifies the request target as local.
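The resolution and routing rules above (the three steps plus the NameResolution override) can be modelled as a small decision function, which is useful when auditing which lookups stay on the client and which reach the ISA server. This is an added example, not Firewall Client code: the function names, the suffix matching of local domain entries, the CIDR form of the local address table and the sample tables are all assumptions made for illustration.

```python
import ipaddress

def resolver_for(name, name_resolution=None, local_domains=()):
    """Return 'local' or 'isa': who resolves `name` under the rules described above."""
    setting = (name_resolution or "").strip().upper()
    if setting == "L":            # per-application override: always resolve locally
        return "local"
    if setting == "R":            # per-application override: always ask the ISA server
        return "isa"
    host = name.rstrip(".").lower()
    if "." not in host:           # unqualified name: resolved on the local computer
        return "local"
    for entry in local_domains:   # direct-access domains are resolved by the client
        domain = entry.lower().lstrip("*").lstrip(".")   # assumed entry form: *.domain
        if host == domain or host.endswith("." + domain):
            return "local"
    return "isa"                  # default for dotted names

def route_for(ip, local_ranges):
    """Return 'direct' for addresses in the local address table, else 'firewall-service'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(r) for r in local_ranges):
        return "direct"
    return "firewall-service"

def plan(name, resolved_ip, name_resolution=None, local_domains=(), local_ranges=()):
    """Combine both decisions for one connection attempt."""
    return (resolver_for(name, name_resolution, local_domains),
            route_for(resolved_ip, local_ranges))

# Constructed sample tables (hypothetical, not taken from any real deployment).
LOCAL_DOMAINS = ["*.corp.example"]
LOCAL_RANGES = ["10.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    cases = [
        ("fileserver", "10.1.2.3", None),
        ("intranet.corp.example", "10.1.2.3", None),
        ("intranet.corp.example", "10.1.2.3", "R"),   # override beats direct access
        ("www.example.com", "203.0.113.10", None),
    ]
    for name, ip, setting in cases:
        print(name, setting, plan(name, ip, setting, LOCAL_DOMAINS, LOCAL_RANGES))
```

The third case shows the override described above: with NameResolution set to R, a name inside a direct-access domain is still resolved by the ISA server, even though the resulting connection stays direct.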

How does a Firewall client authenticate?

The Firewall client sends the user information along with each request to the ISA server computer. This allows you to create access rules that apply to specific groups and users. Users must log on with an Active Directory directory service user account or, in a workgroup scenario, with a user account that is mirrored on the ISA server computer. When a user name is sent to the ISA Server computer, the user name is logged in the ISA Server firewall log. This makes it easy to track Firewall client traffic.

That concludes this brief introduction to the Firewall Client.
