RE: Deploying ISA 2004 firewall client - how to enforce?
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 13 May 2004 08:53:25 -0500
Hi Jason,
The answers to all your questions and future questions on Firewall and
Web Proxy provisioning are in that article. Promise.
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
<http://www.microsoft.com/isaserver/beta/default.asp>
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
-----Original Message-----
From: Jason Merrique [mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 8:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall client - how
to enforce?
http://www.ISAserver.org
Actually - I've just noticed that there are periodic requests
for http://<ISAserver>/wspad.dat:8080 ..... But as this doesn't actually
return anything - might this be the issue here?
_____
From: Jason Merrique [mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: 13 May 2004 13:53
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall
client - how to enforce?
http://www.ISAserver.org
Hi Tom,
Well thats what I thought....
I've added the WPAD entries to the DHCP scope options
(not sure what you mean by DNS though....) but the firewall clients
still aren't automatically detecting the server. They can if I
*manually* set it to do that, or to "Detect now". It just isn't Enabled
by default.
It's driving me nuts :\
Cheers,
Jason
_____
From: Thomas W Shinder
[mailto:tshinder@xxxxxxxxxxx]
Sent: 13 May 2004 13:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004
firewall client - how to enforce?
http://www.ISAserver.org
Hi Jason,
OK, I think I understand now :-)
The best practice for provisioning the Firewall
client is by using autodiscovery via DHCP and DNS WPAD entries. Also,
the Firewall client share should be placed in an alternate location, so
that you can block NetBIOS and Direct Access (TCP 445) to the ISA
firewall itself.
The WPAD entries will point the Firewall clients
to the ISA firewall's internal interface and the Firewall clients will
automatically detect their settings. The default configuration of the
Firewall client is enabled and to use autodiscovery for
autoconfiguration.
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
<http://www.microsoft.com/isaserver/beta/default.asp>
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
-----Original Message-----
From: Jason Merrique
[mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 7:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA
2004 firewall client - how to enforce?
http://www.ISAserver.org
Hi Tom,
The ISA Firewall is configured properly,
and it properly services users with properly configured Firewall
Clients. It looks like I didn't phrase that sentence properly:
"But my point is that the firewall isn't
used by default. i.e. It's not active and needs to be configured before
use."
should be
"But my point is that the firewall isn't
used by default. i.e. On client machines the Firewall Client not active
and needs to be configured before use."
:)
Jason
_____
From: Thomas W Shinder
[mailto:tshinder@xxxxxxxxxxx]
Sent: 13 May 2004 12:47
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA
2004 firewall client - how to enforce?
http://www.ISAserver.org
Hi Jason,
If the ISA firewall isn't configured,
the Firewall client isn't going to be much help. Right?
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
<http://www.microsoft.com/isaserver/beta/default.asp>
ISA Server and Beyond:
http://tinyurl.com/1jq1
Configuring ISA Server:
http://tinyurl.com/1llp
-----Original Message-----
From: Jason Merrique
[mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 6:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA
2004 firewall client - how to enforce?
http://www.ISAserver.org
Hi Tom,
I can set the access rules to only allow
access through the firewall client. But my point is that the firewall
isn't used by default. i.e. It's not active and needs to be configured
before use.
Cheers,
Jason
_____
From: Thomas W Shinder
[mailto:tshinder@xxxxxxxxxxx]
Sent: 13 May 2004 12:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA
2004 firewall client - how to enforce?
http://www.ISAserver.org
Hi Jason,
If you configure your access rules
correctly, it'll enforce the use of the Firewall client :-)
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
<http://www.microsoft.com/isaserver/beta/default.asp>
ISA Server and Beyond:
http://tinyurl.com/1jq1
Configuring ISA Server:
http://tinyurl.com/1llp
-----Original Message-----
From: Jason Merrique
[mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 5:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Deploying ISA 2004
firewall client - how to enforce?
http://www.ISAserver.org
Hi Chaps,
Is there a best practice for deploying
the ISA 2004 firewall client? I haven't found much on the net about
this...
Environment: Windows 2003 Servers,
Native mode, Domain, Windows XP clients. MSFWC.msi assigned to the
relevant machines through GPO (it installs fine but the use of the FWC
isn't enforced!)
From what I've gathered so far, it
appears that you just can't configure and enforce the use of of the
Firewall Client using group policy. This can't be the case, surely? I
can't see how the users can be prevented from just disabling or
reconfiguring the firewall client themselves. Am I missing something
here?
Please help!
Cheers,
Jason
------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory:
http://www.serverfiles.com
No.1 Exchange Server Resource Site:
http://www.msexchange.org
Windows Security Resource Site:
http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this
ISAserver.org Discussion List as: j.merrique@xxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory:
http://www.serverfiles.com
No.1 Exchange Server Resource Site:
http://www.msexchange.org
Windows Security Resource Site:
http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org
Discussion List as: j.merrique@xxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion
List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
Other related posts:
