ISA client setup

We use ISA 2004, and are experiencing a few problems.

How should I set up the clients in my domain for ISA access? Currently ISA is their default gateway, we have the ISA client installed, and the IE script is set to point to ISA.

I have read that this can cause some confusion with which type of connection to use?

Should I remove the default gateways and the scripts for SecureNAT and just use the Firewall Client?

Secondly, the ISA Firewall Client seems to block a piece of software we use called Xarios PhoneManager. This uses port 2001, and works if the Firewall Client isn't installed. If it is installed it can't make a connection (it connects to another PC in our office). We have entered a rule allowing all internal from internal. What can I do to fix this? I have read it is something to do with the application settings on the Firewall Client, but I'm not sure exactly what I should change.

Thanks a lot in advance for any help!
Asked by CaptainGiblets

1 Solution

rafter81 Commented:
For IE, we use WPAD rather than the script as it has caused us issues in the past. Basically a DNS record "wpad" pointing to your ISA(s) (round-robin multiple entries). We then put this in "use proxy" and nothing in the scripts or auto.
We have the Firewall Client installed also. This is for apps that don't recognise the IE settings and that may not work through your default gateway.

You can use FwcTool.exe to set manual server configs for particular apps going through different servers if you need.

e.g. (VBScript logon script; the WScript.Shell object must be created before it is used):

Set WshShell = CreateObject("WScript.Shell")
' Run FwcTool.exe from the netlogon share hidden (window style 0) and wait for it to finish (True)
WshShell.Run """%LOGONSERVER%\netlogon\Firewall Client 2004\FwcTool.exe"" SETMANUALSERVER /APP:APPNAME /SERVER:ISANAME", 0, True

That said I don't think it works on 2006 or TMG...
Hope it helps you...
CaptainGiblets (Author) Commented:
We do have the WPAD set up in DNS, which is how it gets the settings in IE (we use "automatically discover", and then it fills in the script etc. itself).

It's nothing to do with things going through different servers; we only have the one ISA server, and the programme only works when the Firewall Client Agent is uninstalled or the Firewall Client service is disabled.
rafter81 Commented:
In the networks configuration for Internal (or the relevant network), are all the Firewall Client settings in there correct? Does the configuration script match?
CaptainGiblets (Author) Commented:
Here is a picture of the setup.

(attachment: Untitled.png)
rafter81 Commented:
All looks fairly standard, although we never got WPAD through DHCP working correctly enough to be consistent.

Using auto config in your browser as well as a proxy server is interesting; I'd usually use one or the other (proxy for us). In the advanced settings in the browser, are there exceptions to not use the proxy? Is the destination in there, either by name, IP or IP wildcard? We don't use the proxy for anything local, i.e. 192.168.*

It would also be interesting to see what happens if, within the Firewall Client, on the web browser tab, you untick "enable web browser".

It's worth testing with all the variations.
pwindell Commented:
Just start over from the beginning and do it correctly.  The whole autodetection process is a continuous flow of things that must all be set correctly.  You can't have this piece over here working and that piece over there not working and another piece over there "kinda-sorta" working.  It all has to work correctly and smoothly together.

So start from the beginning and configure it correctly. Here are the steps below. Do not try to "outsmart" the article,...I made the config choices I made when writing it for specific reasons, right down to the choice of upper-case or lower-case characters, so don't try to "outsmart" it.
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
pwindell Commented:
"Secondly, the ISA Firewall Client seems to block a piece of software we use called Xarios PhoneManager. This uses port 2001, and works if the Firewall Client isn't installed. If it is installed it can't make a connection (it connects to another PC in our office). We have entered a rule allowing all internal from internal. What can I do to fix this? I have read it is something to do with the application settings on the Firewall Client, but I'm not sure exactly what I should change."

Can't do much with that without knowing exactly what that thing does and exactly how it does it,...so all I can do is guess.

If the App has connection settings it must use the NetBIOS name of the target,...it should not use an FQDN or an IP#. If that is not possible to adjust then you need to config the Firewall Client to ignore that App's executable. So if the App's executable is called PHONEDUDE.EXE then the config would look like this (you just drop the ".EXE" from the file name):

[phonedude]
Disabled=1

This is added to the config on the ISA/TMG in the MMC on the Configuration node ---> General, then select "Define Firewall Client Settings" in the right-side window pane. Then choose the Application Settings tab and pick New. You can easily see how other Apps are already configured within it this way. For example Microsoft Outlook (outlook.exe) is exempted from using the Firewall Client in this manner:

[outlook]
disabled=1

Just make sure you use the correct executable name. If you use the wrong one, or misspell it, then it will not work. You can see the executable name as ISA interprets it by looking in the ISA logs before you begin doing this, if you enable the Client Agent column in the logs.
pwindell Commented:
Note:  It may take 30 minutes or more for the settings to take effect.  The ISA/TMG Server must send the new config out to all the Firewall Client installations and that only happens on a timed cycle.
CaptainGiblets (Author) Commented:
I have set that up.

The process is called PhoneManager in Task Manager, so I created that as disabled, but it is still being blocked by the Firewall Client service.
pwindell Commented:
Nothing is being blocked by the firewall service. It may be being sent to the firewall service when it should not be and then failing,....but it is not being blocked. That is an important distinction. The Firewall Service would see that the source network and the destination network are the same thing and just ignore the traffic,..which is what it is supposed to do. The phone manager then fails because the packets were sent to the ISA IP# instead of the IP# of the PC they were supposed to go to.

You need to watch the ISA logs with the Client Agent column displayed.  Watch for this particular traffic.  The log will show you the name of the executable initiating the connection.  There is no room for guess work here,..we have to investigate the hard facts.  If the logs are not showing these things then what you think is happening is not what is really happening and it would require further investigation.

The Firewall Client software is a simple concept. It is just a Winsock Layered Service Provider (a Winsock LSP). Anything that is passed to the Winsock stack gets passed to the ISA/TMG over a secure channel, but if the executable responsible for the traffic is exempted then the LSP ignores it and the traffic goes directly to the local Winsock stack and is processed normally. The LSP will also ignore the traffic if the traffic is correctly determined to be internal LAN traffic that should not cross the ISA/TMG.

Personally,...I think there is a lot more to this story than what we know so far,...but I am not there,...I cannot see your stuff with my own eyes.
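A small model of the two LSP rules described in this comment (exempted executable, same-network destination), together with the exempt-application settings format ([executable without .EXE] / Disabled=1) quoted in the earlier comment. This is an added example written for this page, not ISA code and not anything posted in the thread; the 192.168.0.0/16 Internal range, the case-insensitive name matching and the file-name normalisation are assumptions, and it runs offline on the constructed settings text embedded in it.

```python
"""Model of how the ISA Firewall Client (a Winsock LSP) decides where a
connection goes, and a check that an Application Settings exemption is
actually named after the executable.  Constructed example, not ISA code."""
import configparser
import ipaddress

# Constructed Firewall Client Application Settings, in the
# "[executable-without-.exe]" / "Disabled=1" form quoted in the thread.
APP_SETTINGS = """
[outlook]
disabled=1

[phonemanager]
Disabled=1
"""

# Assumed address range of the ISA "Internal" network; not from the thread.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]


def parse_app_settings(text):
    """Return the set of exempted executables (section names, lower-cased).

    Only sections whose Disabled key is 1 count as exemptions.  The key is
    matched case-insensitively, which is an assumption about ISA here.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)  # ConfigParser lower-cases option names by default
    return {name.lower() for name in cp.sections()
            if cp[name].get("disabled") == "1"}


def normalize_exe(name):
    """Reduce a path or file name to the form the settings section must use.

    'C:\\Program Files\\Xarios\\PhoneManager.exe' -> 'phonemanager'
    (the thread says to drop ".EXE"; lower-casing is an assumption).
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower().endswith(".exe"):
        base = base[:-4]
    return base.lower()


def route(exe, dest_ip, exempt, internal=INTERNAL_NETWORKS):
    """Decide where the LSP sends a connection: 'local' or 'isa'.

    Rule 1: an exempted executable never reaches the Firewall Client.
    Rule 2: a destination inside the Internal network is left to the local
            Winsock stack, because same-network traffic must not cross ISA.
    Anything else is forwarded to the ISA server over its control channel.
    """
    if normalize_exe(exe) in exempt:
        return "local"
    if any(ipaddress.ip_address(dest_ip) in net for net in internal):
        return "local"
    return "isa"


def check_exemption(exe, text):
    """Return (section name that is needed, whether it is present).

    A misspelled section such as [phonemanger] silently fails, which is
    the pitfall the thread warns about.
    """
    wanted = normalize_exe(exe)
    return wanted, wanted in parse_app_settings(text)


if __name__ == "__main__":
    exempt = parse_app_settings(APP_SETTINGS)
    print(check_exemption("PhoneManager.exe", APP_SETTINGS))   # ('phonemanager', True)
    print(route("PhoneManager.exe", "192.168.1.20", exempt))    # local (rule 1)
    print(route(r"C:\Program Files\Internet Explorer\iexplore.exe",
                "192.168.1.20", exempt))                        # local (rule 2)
    print(route("iexplore.exe", "203.0.113.5", exempt))         # isa
```

Under this model a correctly named exemption, or a destination on the same Internal network, both keep the connection on the local stack, which is the point made in the comment: if PhoneManager still fails with the Firewall Client enabled, the place to look is the executable name the ISA log's Client Agent column actually reports and how the application addresses its peer, not a blocking rule.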
CaptainGiblets (Author) Commented:
I have sat and watched the logs from my IP address every time I try to run the software etc., and nothing is logged on the ISA server. It only can't connect to the server when the service is enabled.
pwindell Commented:
If it isn't logged then it is not being sent to the ISA/TMG,...which is correct because it is not supposed to be sent to the ISA/TMG in the first place. I don't know what to tell you then. I guess there isn't anything else I can do with this. Maybe that phone application has a flawed way in which it tries to communicate over Winsock.

You may just have to uninstall the Firewall Client from that particular machine and run it as only a Web Proxy Client and a SecureNAT Client. But you will lose some functionality doing that.
CaptainGiblets (Author) Commented:
Yes, we have tried doing that on other machines, but it randomly prompts the machine when they try to stream music / videos and access FTP sites.
pwindell Commented:
Yep,..exactly.

You're going to have to decide what is more important to have. It may also require a more planned and detailed Access Rule scheme. SecureNAT Clients can use almost any protocol but can only use anonymous Rules.