Introduction to the three ISA & TMG client types (I)

Source: Internet
Author: User

I have been busy studying Microsoft's TMG product. After applying CDN technology to a site's pages, I found that the content did not display very stably. I talked through a lot of solutions with some colleagues at Microsoft, but did not find a suitable one, so the only option left was to study whether the problem could be resolved from the angle of Microsoft's three client models.

This was also a chance to review the three client models of ISA and TMG, and I want to go through them here and share them with other bloggers who need them.

When it comes to firewall products, many people think of the hardware firewalls offered by Cisco, Huawei, H3C, Juniper and other network vendors. Microsoft, however, also provides an application-layer firewall, and its domain name sets, URL sets and other flexible features for enterprise policy management and Internet behavior management have been recognized and used by many enterprises. Both ISA and TMG protect the company network at multiple communication layers. At the packet level, the ISA/TMG server enforces firewall policy to control the data on each network interface and to evaluate traffic before it reaches any resource. Data is allowed to pass only after the Microsoft Firewall service has processed the relevant rules and determined whether the request should be served.

The concept of internal clients will be familiar to many users of ISA. Moving on to the newer TMG product, we find that TMG still inherits the three client types of the ISA era: the Firewall Client, the SecureNAT client and the Web Proxy client, as shown in the following illustration:


In an enterprise-level deployment, it is very important to choose the client mode that best suits the production environment. The table below gives a brief overview of the three client models.

| Function | SecureNAT Client | Firewall Client | Web Proxy Client |
| --- | --- | --- | --- |
| Deployment details | No software deployment is required. To configure the computer as a SecureNAT client, set the default gateway address for this computer to route Internet requests to the ISA server computer. | Firewall Client software must be installed on the client computer. | No software deployment is required. To configure your computer as a Web Proxy client, configure the Web browser settings on your computer to use the ISA server computer as a Web proxy. For automatic detection of Web browser settings, you must configure Web Proxy Autodiscovery (WPAD) in Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP). |
| Operating system support | You can use any operating system that supports TCP/IP. | Microsoft Windows Server 2003 or Windows Server operating system and Windows XP, Windows 7. | Supports all platforms, but takes the form of Web applications. A Web browser that can be configured to use a proxy server can act as a Web Proxy client. |
| Protocol support | Supports all simple protocols. Complex protocols that require multiple primary or secondary connections require application filters on the ISA server computer. | Support for all Winsock applications. | Web Proxy clients support Hypertext Transfer Protocol (HTTP), HTTP over SSL (HTTPS), and File Transfer Protocol (FTP) for download requests. |
| User-level authentication | ISA server cannot authenticate the SecureNAT client. | Firewall clients can automatically send client credentials and requests to the ISA server computer. | If the ISA server requests credentials, you can authenticate the Web Proxy client. If anonymous access is enabled, no credentials are provided. |
| Other considerations | For clients other than Windows clients. Used when you need to support protocols other than TCP or UDP (such as ICMP or GRE). If you want to transfer the client's original source IP address to a published server, configure the published server as the SecureNAT client. | Used when it is necessary to support a secondary protocol. For strong access control. Record the user name in the log. | For user-based Web access, Web Proxy chaining, and automatic detection of configuration settings. Because a Web request is forwarded directly to the Web Proxy filter, it has good performance. |

How are requests from intranet clients handled for each of these three client types? How a request is handled depends on which client mode we choose. Here is a brief summary:

If the computer is in Firewall Client mode (the Firewall Client software is installed and enabled), requests generated by applications that use the Winsock application programming interface (API) are intercepted by the Firewall Client software. If the requested address is a local address, the connection is established directly. Otherwise, the request is sent to the Firewall service on the ISA server computer.

For a SecureNAT client, or a Firewall client, that is not configured as a Web Proxy client, Web requests from the client (HTTP, HTTPS, or FTP for download) are transparently passed to the Web Proxy listener of the network that receives the request. This is known as transparent network address translation (NAT) and is somewhat similar to NAT at the network level.

If the Web Proxy client mode is used, the Web request initiated by the client is sent directly to the Web Proxy listener.
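
The three handling paths above, sketched as a small Python model (an added example, not code from the original article or from Microsoft). The `Client` flags, the `10.0.0.0/8` local range, the component labels and the precedence between modes are assumptions made for illustration; the second return value records whether the server can tie the request to a user, which the table says is not possible for SecureNAT clients.

```python
import ipaddress
from dataclasses import dataclass

# All names and addresses below are constructed for illustration.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address range
WEB = {"http", "https", "ftp"}                     # protocols the Web Proxy listener accepts


@dataclass
class Client:
    name: str
    firewall_client: bool = False  # Firewall Client software installed and enabled
    browser_proxy: bool = False    # browser points at the ISA/TMG server as Web proxy
    # Neither flag set: SecureNAT client (default gateway routes to ISA/TMG).


def is_local(dest):
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in LOCAL_NETS)


def route(c, protocol, dest):
    """Return (component that receives the request, user can be identified)."""
    web = protocol in WEB
    if web and c.browser_proxy:
        # Web Proxy client: sent directly to the listener, which may ask for credentials.
        return "web-proxy-listener", True
    if c.firewall_client:
        # Winsock call intercepted by the Firewall Client software.
        if is_local(dest):
            return "direct", False         # never reaches the ISA/TMG server
        return "firewall-service", True    # credentials are sent automatically
    if web:
        # SecureNAT path: transparently handed to the Web Proxy listener, no identity.
        return "web-proxy-listener (transparent)", False
    return "firewall-service (SecureNAT)", False


def unattributable(clients, protocol, dest):
    """Names of clients whose request reaches the server without a user identity."""
    hits = []
    for c in clients:
        component, identified = route(c, protocol, dest)
        if component != "direct" and not identified:
            hits.append(c.name)
    return hits
```

Running `unattributable` over a client inventory shows which hosts would fail a rule that requires user authentication, or appear in the log without a user name.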

Each client model has its own advantages. In enterprise operations and maintenance, we can use these three kinds of clients, or combinations of them, flexibly to meet the needs of enterprise network access management.

This article is from the "Clumsy birds have" blog, please be sure to keep this source http://tingdongwang.blog.51cto.com/1056852/685794
