Solved

ISA client setup

Posted on 2011-09-19
634 Views
Last Modified: 2012-05-12
We use ISA 2004 and are experiencing a few problems.

How should I set up my clients in my domain for ISA access? Currently, ISA is their default gateway, we have the ISA client installed, and the IE script is set to point to ISA.

I have read that this can cause some confusion with which type of connection to use?

Should I remove the default gateways and the scripts for SecureNAT and just use the Firewall Client?

Secondly, the ISA Firewall Client seems to block a piece of software we use called Xarios/PhoneManager. This uses port 2001, and works if the Firewall Client isn't installed. If it is installed it can't make a connection (it connects to another PC in our office). We have entered a rule allowing all internal from internal. What can I do to fix this? I have read it is something to do with the application settings on the Firewall Client, but I am not sure exactly what I should change.

Thanks a lot in advance for any help!
Question by:CaptainGiblets
14 Comments
 
LVL 3

Expert Comment

by:rafter81
ID: 36565928
For IE, we use WPAD rather than the script as it has caused us issues in the past. Basically a DNS record "wpad" pointing to your ISA(s) (round-robin multiple entries). We then put this in the "use proxy" setting and nothing in the scripts or auto.
We have the Firewall Client installed also. This is for apps that don't recognise the IE settings and that may not work through your default gateway.

You can use FwcTool.exe to set manual server configs for particular apps going through different servers if you need.

e.g. (VBScript logon script snippet; the WScript.Shell object has to be created before it can be used)

Set WshShell = CreateObject("WScript.Shell")
' Run with a hidden window (0) and wait for FwcTool.exe to finish (True)
WshShell.Run """%LOGONSERVER%\netlogon\Firewall Client 2004\FwcTool.exe"" SETMANUALSERVER /APP:APPNAME /SERVER:ISANAME", 0, True

That said, I don't think it works on 2006 or TMG...
Hope it helps you...
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36565970
We do have the WPAD set up in DNS, which is how it gets the settings in IE (we use "automatically discover", and then it fills in the script etc. itself).

It's nothing to do with things going through different servers; we only have the one ISA server, and the programme only works when the Firewall Client Agent is uninstalled or the Firewall Client service is disabled.
 
LVL 3

Expert Comment

by:rafter81
ID: 36566124
In the networks configuration, internal (or the relevant network), are all the Firewall Client settings in there correct? Does the configuration script match?
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36566226
Here is a picture of the setup:

[attachment: Untitled.png]
 
LVL 3

Expert Comment

by:rafter81
ID: 36566275
All looks fairly standard, although we never got WPAD through DHCP working correctly enough to be consistent.

Using auto config in your browser as well as a proxy server is interesting; I'd usually use one or the other (proxy for us). In the advanced settings in the browser, are there exceptions to not use the proxy? Is the destination in there, either by name, IP or IP wildcard? We don't use the proxy for anything local, i.e. 192.168.*

It would also be interesting to see if, within the Firewall Client, unticking "enable web browser" on the web browser tab makes a difference.

It's worth testing with all the variations.
 
LVL 29

Expert Comment

by:pwindell
ID: 36566919
Just start over from the beginning and do it correctly. The whole autodetection process is a continuous flow of things that must all be set correctly. You can't have this piece over here working and that piece over there not working and another piece over there "kinda-sorta" working. It all has to work correctly and smoothly together.

So start from the beginning and configure it correctly. Here are the steps below. Do not try to "outsmart" the article; I made the config choices I made when writing it for specific reasons, right down to the choice of upper-case or lower-case characters, so don't try to "outsmart" it.
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
 
LVL 29

Expert Comment

by:pwindell
ID: 36567008
Secondly, the ISA Firewall Client seems to block a piece of software we use called Xarios/PhoneManager. This uses port 2001, and works if the Firewall Client isn't installed. If it is installed it can't make a connection (it connects to another PC in our office). We have entered a rule allowing all internal from internal. What can I do to fix this? I have read it is something to do with the application settings on the Firewall Client, but I am not sure exactly what I should change.

Can't do much with that without knowing exactly what that thing does and exactly how it does it, so all I can do is guess.

If the app has connection settings, it must use the NetBIOS name of the target; it should not use an FQDN or an IP#. If that is not possible to adjust, then you need to configure the Firewall Client to ignore that app's executable. So if the app's executable is called PHONEDUDE.EXE then the config would look like this (you just drop the ".EXE" from the file name):

[phonedude]
Disabled=1

This is added to the config on the ISA/TMG in the MMC: on the Configuration node ---> General, select Define Firewall Client Settings in the right-side window pane, then choose the Application Settings tab and pick New. You can easily see how other apps are already configured within it this way. For example, Microsoft Outlook (outlook.exe) is exempted from using the Firewall Client in this manner:

[outlook]
disabled=1

Just make sure you use the correct executable name. If you use the wrong one, or misspell it, then it will not work. You can see the executable name as ISA interprets it by looking in the ISA logs before you begin doing this, if you enable the Client Agent column in the logs.
 
LVL 29

Expert Comment

by:pwindell
ID: 36567031
Note:  It may take 30 minutes or more for the settings to take effect.  The ISA/TMG Server must send the new config out to all the Firewall Client installations and that only happens on a timed cycle.
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36572891
I have set that up

The process is called PhoneManager in Task Manager, so I created that as disabled, but it is still being blocked by the Firewall Client service.
 
LVL 29

Expert Comment

by:pwindell
ID: 36573743
Nothing is being blocked by the firewall service. It may be being sent to the firewall service when it should not be and then failing, but it is not being blocked. That is an important distinction. The Firewall Service would see that the source network and the destination network are the same thing and just ignore the traffic, which is what it is supposed to do. The phone manager then fails because the packets were sent to the ISA IP# instead of the IP# of the PC it was supposed to go to.

You need to watch the ISA logs with the Client Agent column displayed. Watch for this particular traffic. The log will show you the name of the executable initiating the connection. There is no room for guesswork here; we have to investigate the hard facts. If the logs are not showing these things, then what you think is happening is not what is really happening, and it would require further investigation.

The Firewall Client software is a simple concept. It is just a Winsock Layered Service Provider (a Winsock LSP). Anything that is passed to the Winsock stack gets passed to the ISA/TMG over a secure channel, but if the executable responsible for the traffic is exempted then the LSP ignores it and the traffic goes directly to the local Winsock stack and is processed normally. The LSP will also ignore the traffic if the traffic is correctly determined to be internal LAN traffic that should not cross the ISA/TMG.

Personally, I think there is a lot more to this story than what we know so far, but I am not there; I cannot see your stuff with my own eyes.
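Added example (an editor's illustration, not code from this thread and not Microsoft's Firewall Client, whose LSP is closed source): a small model of the two bypass decisions pwindell describes in the comment above, combined with the per-executable "[name]" / "Disabled=1" application setting from his earlier comment. It shows why a section whose name does not match the executable (the placeholder "[phonedude]" versus the real process "PhoneManager.exe") leaves that executable's traffic routed to ISA, while a connection to a destination on the internal LAN is bypassed regardless. The INI text, the 192.168.1.0/24 internal range and the destination addresses are constructed for the example; the name-matching rule it applies is the one stated in the thread (file name only, case-insensitive, ".exe" dropped).

```python
"""Simplified model of the ISA Firewall Client (Winsock LSP) routing decision.

This is an illustration for the thread above, not Microsoft's implementation.
It applies the two bypass rules described there, in order:
  1. the executable is exempted in the Firewall Client application settings
     ([name] section with Disabled=1, name = file name without ".exe");
  2. the destination address is on the internal network.
Anything else is handed to the ISA firewall service.
"""
import configparser
import ipaddress
import ntpath

# Constructed sample of the application-settings text ISA pushes to clients.
# "[outlook]" mirrors the built-in Outlook exemption mentioned in the thread;
# "[phonedude]" is the placeholder name used there, deliberately NOT matching
# the real process name "PhoneManager".
FWC_SETTINGS = """\
[Common]
ServerName=ISA1

[outlook]
disabled=1

[phonedude]
Disabled=1
"""

# Assumed internal LAN range for the example (not stated in the thread).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

DIRECT_EXEMPTED = "direct (executable exempted by Disabled=1)"
DIRECT_LOCAL = "direct (destination is on the internal network)"
VIA_ISA = "forwarded to the ISA firewall service"


def app_key(executable):
    """Normalise a process name or path the way the thread says the setting
    is matched: file name only, lower-case, trailing '.exe' removed."""
    name = ntpath.basename(executable).lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_exemptions(ini_text):
    """Return the set of application keys whose section sets Disabled=1.
    Section names are normalised like executables so '[Outlook]' still
    matches 'OUTLOOK.EXE'; configparser lower-cases option names, so
    'Disabled' and 'disabled' are equivalent."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {
        app_key(section)
        for section in cp.sections()
        if cp.get(section, "disabled", fallback="0").strip() == "1"
    }


def route(executable, dest_ip, exemptions, internal_nets=INTERNAL_NETS):
    """Decide where the LSP sends a connection from executable to dest_ip."""
    if app_key(executable) in exemptions:
        return DIRECT_EXEMPTED
    dest = ipaddress.ip_address(dest_ip)
    if any(dest in net for net in internal_nets):
        return DIRECT_LOCAL
    return VIA_ISA


def required_section(executable):
    """The section header an admin must add to exempt this executable."""
    return "[%s]" % app_key(executable)


if __name__ == "__main__":
    exempt = parse_exemptions(FWC_SETTINGS)
    phone = r"C:\Program Files\Xarios\PhoneManager.exe"
    for exe, ip in [(phone, "192.168.1.50"), (phone, "203.0.113.10"),
                    ("OUTLOOK.EXE", "203.0.113.10")]:
        print("%-18s -> %-14s : %s" % (ntpath.basename(exe), ip,
                                       route(exe, ip, exempt)))
    print("section needed to exempt PhoneManager:", required_section(phone))
```

The first case (PhoneManager to 192.168.1.50) is the thread's scenario as the model expects it: the LSP treats the destination as local and never involves ISA, which is consistent with nothing appearing in the ISA log. The model shows the intended decision, not the failure the asker observed, so it is a way to check the configured section name against what the log's Client Agent column shows, not a substitute for that log.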
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36574198
I have sat and watched the logs from my IP address every time I try to run the software etc., and nothing is logged on the ISA server. It only can't connect to the server when the service is enabled.
 
LVL 29

Expert Comment

by:pwindell
ID: 36574293
If it isn't logged then it is not being sent to the ISA/TMG, which is correct because it is not supposed to be sent to the ISA/TMG in the first place. I don't know what to tell you then. I guess there isn't anything else I can do with this. Maybe that phone application has a flawed way in which it tries to communicate over Winsock.

You may just have to uninstall the Firewall Client from that particular machine and run it as only a Web Proxy Client and a SecureNAT Client. But you will lose some functionality doing that.
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36574320
Yes, we have tried doing that on other machines, but it randomly prompts the machine when they try to stream music/videos and access FTP sites.
 
LVL 29

Accepted Solution

by: pwindell (earned 500 total points)
ID: 36574362
Yep,..exactly.

You're going to have to decide what is more important to have. It may also require a more planned and detailed Access Rule scheme. SecureNAT clients can use almost any protocol but can only use anonymous rules.