Hi Jason,

Here's a chapter from the ISA EDU kit. There are golden nuggets dispersed through this kit.

http://www.tacteam.net/isaserverorg/isaedukit/5automate/5automate.htm

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jason Merrique [mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 7:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall client - how to enforce?

http://www.ISAserver.org

Hi Tom,

Well, that's what I thought.... I've added the WPAD entries to the DHCP scope options (not sure what you mean by DNS though....) but the firewall clients still aren't automatically detecting the server. They can if I *manually* set it to do that, or to "Detect now". It just isn't Enabled by default.

It's driving me nuts :\

Cheers,
Jason

_____
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 13 May 2004 13:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall client - how to enforce?

Hi Jason,

OK, I think I understand now :-)

The best practice for provisioning the Firewall client is by using autodiscovery via DHCP and DNS WPAD entries. Also, the Firewall client share should be placed in an alternate location, so that you can block NetBIOS and Direct Access (TCP 445) to the ISA firewall itself.

The WPAD entries will point the Firewall clients to the ISA firewall's internal interface and the Firewall clients will automatically detect their settings. The default configuration of the Firewall client is enabled and to use autodiscovery for autoconfiguration.

HTH,
Tom

-----Original Message-----
From: Jason Merrique [mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 7:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall client - how to enforce?

Hi Tom,

The ISA Firewall is configured properly, and it properly services users with properly configured Firewall Clients. It looks like I didn't phrase that sentence properly:

"But my point is that the firewall isn't used by default. i.e. It's not active and needs to be configured before use."

should be

"But my point is that the firewall isn't used by default. i.e. On client machines the Firewall Client is not active and needs to be configured before use."

:)

Jason

_____
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 13 May 2004 12:47
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall client - how to enforce?

Hi Jason,

If the ISA firewall isn't configured, the Firewall client isn't going to be much help. Right?

Tom

-----Original Message-----
From: Jason Merrique [mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 6:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall client - how to enforce?

Hi Tom,

I can set the access rules to only allow access through the firewall client. But my point is that the firewall isn't used by default. i.e. It's not active and needs to be configured before use.

Cheers,
Jason

_____
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 13 May 2004 12:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deploying ISA 2004 firewall client - how to enforce?

Hi Jason,

If you configure your access rules correctly, it'll enforce the use of the Firewall client :-)

HTH,
Tom

-----Original Message-----
From: Jason Merrique [mailto:j.merrique@xxxxxxxxxxxxxxx]
Sent: Thursday, May 13, 2004 5:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Deploying ISA 2004 firewall client - how to enforce?

Hi Chaps,

Is there a best practice for deploying the ISA 2004 firewall client? I haven't found much on the net about this...

Environment: Windows 2003 Servers, Native mode, Domain, Windows XP clients. MSFWC.msi assigned to the relevant machines through GPO (it installs fine but the use of the FWC isn't enforced!)

From what I've gathered so far, it appears that you just can't configure and enforce the use of the Firewall Client using group policy. This can't be the case, surely? I can't see how the users can be prevented from just disabling or reconfiguring the firewall client themselves.

Am I missing something here? Please help!

Cheers,
Jason

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------