Solved

ISA client setup

Posted on 2011-09-19
14
Medium Priority
704 Views
Last Modified: 2012-05-12
We use ISA 2004, and are experiencing a few problems.

How should I set up my clients in my domain for ISA access? Currently ISA is their default gateway, we have the ISA client installed, and the IE script is set to point to ISA.

I have read that this can cause some confusion with which type of connection to use?

Should I remove the default gateways and the scripts for SecureNAT and just use the Firewall Client?

Secondly, the ISA Firewall Client seems to block a piece of software we use called xarios/phonemanager. This uses port 2001, and works if the Firewall Client isn't installed. If it is installed it can't make a connection (it connects to another PC in our office). We have entered a rule allowing all internal from internal. What can I do to fix this? I have read it is something to do with the application settings on the Firewall Client, but I'm not sure exactly what I should change.

Thanks a lot in advance for any help!
Question by:CaptainGiblets
14 Comments
 
LVL 3

Expert Comment

by:rafter81
ID: 36565928
For IE, we use WPAD rather than the script as it has caused us issues in the past. Basically a DNS record "wpad" pointing to your ISA(s) (round-robin multiple entries). We then put this in "use proxy" and nothing in the scripts or auto-config.
We have the firewall client installed also.  This is for apps that don't recognise the IE settings and that may not work through your default gateway.

You can use FwcTool.exe to set manual server configs for particular apps going through different servers if you need to.

e.g. (VBScript, run from a logon script; the WScript.Shell object has to be created before it can be used):

' Create the shell object, then run FwcTool.exe from the netlogon share, hidden (0), and wait for it to finish (True)
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run """%LOGONSERVER%\netlogon\Firewall Client 2004\FwcTool.exe"" SETMANUALSERVER /APP:APPNAME /SERVER:ISANAME", 0, True

That said I don't think it works on 2006 or TMG...
Hope it helps you...
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36565970
We do have the WPAD set up in DNS which is how it gets the settings in IE (we use automatically discover, and then it fills in the script etc itself).

It's nothing to do with things going through different servers, we only have the 1 ISA server, and the programme only works when the Firewall Client Agent is uninstalled or the Firewall Client service is disabled.
0
 
LVL 3

Expert Comment

by:rafter81
ID: 36566124
In the networks configuration, internal (or the relevant network), are all the Firewall Client settings in there correct? Does the configuration script match?
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36566226
Here is a picture of the setup:

[attached image: Untitled.png]
0
 
LVL 3

Expert Comment

by:rafter81
ID: 36566275
All looks fairly standard, although we never got WPAD through DHCP working correctly enough to be consistent.

Using auto-config in your browser as well as a proxy server is interesting; I'd usually use one or the other (proxy for us). In the advanced settings in the browser, are there exceptions to not use the proxy? Is the destination in there, either by name, IP or IP wildcard? We don't use the proxy for anything local, i.e. 192.168.*

It would also be interesting to see what happens if, within the Firewall Client, on the Web Browser tab, you untick "Enable web browser".

It's worth testing with all the variations.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36566919
Just start over from the beginning and do it correctly.  The whole autodetection process is a continuous flow of things that must all be set correctly.  You can't have this piece over here working and that piece over there not working and another piece over there "kinda-sorta" working.  It all has to work correctly and smoothly together.

So start from the beginning and configure it correctly. Here are the steps below. Do not try to "outsmart" the article,...I made the config choices I made when writing it for specific reasons, right down to the choice of upper-case or lower-case characters, so don't try to "outsmart" it.
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36567008
> Secondly, the ISA Firewall Client seems to block a piece of software we use called xarios/phonemanager. This uses port 2001, and works if the Firewall Client isn't installed. If it is installed it can't make a connection (it connects to another PC in our office). We have entered a rule allowing all internal from internal. What can I do to fix this? I have read it is something to do with the application settings on the Firewall Client, but I'm not sure exactly what I should change.

Can't do much with that without knowing exactly what that thing does and exactly how it does it,...so all I can do is guess.

If the App has connection settings it must use the NetBIOS name of the target,...it should not use a FQDN or an IP#. If that is not possible to adjust then you need to config the Firewall Client to ignore that App's executable. So if the App's executable is called PHONEDUDE.EXE then the config would look like this (you just drop the ".EXE" from the file name):

[phonedude]
Disabled=1

This is added to the config on the ISA/TMG in the MMC on the Configuration node ---> General, then select Define Firewall Client Settings in the right-side window pane. Then choose the Application Settings tab and pick New. You can easily see how other Apps are already configured within it this way. For example Microsoft Outlook (outlook.exe) is exempted from using the Firewall Client in this manner:

[outlook]
disabled=1

Just make sure you use the correct executable name. If you use the wrong one, or misspell it, then it will not work. You can see the executable name as ISA interprets it by looking in the ISA logs before you begin doing this, if you enable the Client Agent column in the logs.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36567031
Note:  It may take 30 minutes or more for the settings to take effect.  The ISA/TMG Server must send the new config out to all the Firewall Client installations and that only happens on a timed cycle.
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36572891
I have set that up

The process is called PhoneManager in Task Manager, so I created that as disabled, but it is still being blocked by the Firewall Client service.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36573743
Nothing is being blocked by the firewall service.  It may be being sent to the firewall service when it should not be and then failing,....but it is not being blocked.  That is an important distinction.  The Firewall Service would see the source network and the destination network are the same thing and just ignore the traffic,..which is what it is supposed to do.  The phone manager then fails because the packets were sent to the ISA IP# instead of the IP# of the PC it was supposed to go to.

You need to watch the ISA logs with the Client Agent column displayed.  Watch for this particular traffic.  The log will show you the name of the executable initiating the connection.  There is no room for guess work here,..we have to investigate the hard facts.  If the logs are not showing these things then what you think is happening is not what is really happening and it would require further investigation.

The Firewall Client software is a simple concept. It is just a Winsock Layered Service Provider (a Winsock LSP). Anything that is passed to the Winsock stack gets passed to the ISA/TMG over a secure channel, but if the executable responsible for the traffic is exempted then the LSP ignores it and the traffic goes directly to the local Winsock stack and is processed normally. The LSP will also ignore the traffic if the traffic is correctly determined to be internal LAN traffic that should not cross the ISA/TMG.

Personally,...I think there is a lot more to this story than what we know so far,...but I am not there,...I cannot see your stuff with my own eyes.
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36574198
I have sat and watched the logs from my IP address every time I try to run the software etc., and nothing is logged on the ISA server. It only can't connect to the server when the service is enabled.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36574293
If it isn't logged then it is not being sent to the ISA/TMG,...which is correct because it is not supposed to be sent to the ISA/TMG in the first place. I don't know what to tell you then. I guess there isn't anything else I can do with this. Maybe that phone application has a flawed way in which it tries to communicate over Winsock.

You may just have to uninstall the Firewall Client from that particular machine and run it as only a Web Proxy Client and a SecureNAT Client. But you will lose some functionality doing that.
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 36574320
Yes, we have tried doing that on other machines, but it randomly prompts the machine when they try to stream music / videos and access FTP sites.
0
 
LVL 29

Accepted Solution

by:pwindell (earned 2000 total points)
ID: 36574362
Yep,..exactly.

You're going to have to decide what is more important to have. It may also require a more planned and detailed Access Rule scheme. SecureNAT Clients can use almost any protocol but can only use anonymous Rules.
0