ISA Clients - Part 3: The Firewall Client.
The question of “what kind of client is it?” is a relatively simple one if you ignore the associated questions of “what is it doing?” and “what does ISA provide for that request?”, but we’re not going to do that.
ISA Operating Modes:
Here is where you can make or break ISA FWC functionality. Everything you enter here determines the default settings for the FWC when it’s installed on the LAT host, as well as the data passed when the FWC asks for a refresh from ISA.
What we’re not going to do here is duplicate the efforts of the ISA documentation team. There are some really good explanations in the section labeled Configuring Firewall client settings. What I do intend to do is expand on some of the less-than-clear areas of those explanations and give you some idea how they affect real-world issues. Dig out your help files, boys and girls; we’re gonna use ‘em today.
Open your ISA help and seek out the section titled Firewall client application settings. You’ll notice the reference to the wspcfg.ini file; it and mspclnt.ini are essentially the same thing, since they hold the same kind of data in the same [Section] / Key=Value layout. The difference is where they live and who reads them: mspclnt.ini is the global configuration the FWC pulls down from the ISA server and applies to every application on the LAT host, while wspcfg.ini is a copy you place in the folder that holds a particular executable, and its settings apply to that application only.
- mspclnt.ini; the help covers the purpose and uses of this quite well, except that a very useful section is missing; [Common Configuration] (we’ll get to that later when we go over the individual application settings).
Each application defined in the FWC app settings gets its own section as [Application_Name]. The name is the one the application reports to the OS while it runs, which is the executable’s file name without the .exe extension: Outlook Express runs as msimn.exe, so its section is [msimn]; Windows / MSN Messenger runs as msmsgs.exe, so it gets [msmsgs]. Get this name wrong and none of the settings below will change FWC behavior for your app, because the FWC will never match the section to the running process. If you have any doubt as to how the app identifies itself, open Task Manager, switch to the Processes tab (the Applications tab shows window titles, not image names) and watch the Image Name column as you start your program. Generally, it’ll be the name of the executable as it appears in Windows Explorer.
You may have noticed, while reading carefully in this section of the ISA help, that [Common Configuration] is stated as one of the places the FWC looks for information. If you’re even more observant, you’ll also notice that it doesn’t exist in mspclnt.ini by default. When you enter an application name that is unknown to ISA, a new [AppName] section is created in the ISA server’s copy of mspclnt.ini. This is also how you create the [Common Configuration] section: enter “Common Configuration” as the Application Name, and the settings you give it apply to every application that doesn’t carry its own section.
You may have noticed that I’ve used the NameResolution=L entry here. Why would he do that, you may ask? It’s OK; you can, I don’t mind. The L stands for local: it makes the FWC hand every FQDN lookup to the LAT host’s own DNS client service instead of shipping the lookup off to the ISA server (the R, or remote, setting), except where a particular app or service section in mspclnt.ini says otherwise. If you have a solid DNS-based name resolution structure (NetBIOS broadcasts don’t count), this setting will help you avoid the FWC DNS cache of death mentioned in part one of these articles. I highly recommend using it (hint-hint). It can also mean the difference between an ISA event log full of 14120 errors and a peaceful ISA server (another article, RSN).
Now open your ISA help and seek the section titled Configuring Firewall client settings. This is the section that defines the basic functionality for the FWC and is presented as the first part of mspclnt.ini.
CredTool.exe is a totally useful little app that lets you run a service or app in the context of a particular user, but only for the purpose of talking to ISA through the Firewall Client: the service itself keeps running under its own account, while every call the FWC makes to ISA on behalf of that application carries the credentials you store with the tool. It’s a nice piece of functionality to have around when you need to lock everything that passes through ISA down to user / group permissions. Here’s how you use it…
Open a command window and “cd” to \program files\microsoft firewall client. From here, you can run “credtool /?” and be rewarded with a listing of the options and what they do for you.
D:\Program Files\Microsoft Firewall Client>credtool /?
For example, if we want the DNS service to be a Firewall Client published app because our network doesn’t allow us to use SecureNAT, we would install the Firewall Client on the server, copy mspclnt.ini to the folder where dns.exe lives (%SystemRoot%\system32 by default) as wspcfg.ini, and add (or edit) a [dns] section in it containing ForceCredentials=1, which is the setting that tells the FWC to use the credentials stored by credtool for that executable. Then we store them:
D:\Program Files\Microsoft Firewall Client>credtool -w -n dns -c UserName DomainName PassWord
From then on the credentials are applied to every request the FWC makes to ISA on behalf of this service, and only this service, so all of its protocols can be controlled by user-based rules.
To remove or read the credentials assigned to a given app or service, you need only specify the operation (-w or -r) and the app name (-n) without the credentials. For instance:
D:\Program Files\Microsoft Firewall Client>credtool -r -n dns
…reveals the UserName and Domain used by the dns service. Notice that the password is hidden to prevent improper use. It is still stored on the LAT host, though, so protect that box accordingly, and give the account nothing beyond the ISA permissions the service actually needs.
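Here is the whole procedure in one place, as an added example that is not from the article: a batch file (the steps above are typed into cmd.exe, so that is the language used) that writes a per-application wspcfg.ini beside dns.exe and then stores the service credentials with credtool. It also shows the per-application form of the NameResolution=L setting discussed under [Common Configuration] earlier. The file name of the script, the account, and the [dns] values other than ForceCredentials are assumptions for illustration; instead of copying the whole mspclnt.ini, it writes only the [dns] section, which is all a per-application file needs.

```batch
@echo off
rem Added example, not from the article: publish the Windows DNS service through the
rem ISA 2000 Firewall Client under a dedicated account, following the credtool procedure.
rem Paths, the [dns] port/session values and the account are assumptions for illustration.
rem Usage (run on the DNS server, Firewall Client already installed):
rem     fwc-publish-dns.cmd UserName DomainName Password
setlocal

if "%~3"=="" (
    echo usage: %~nx0 UserName DomainName Password
    exit /b 1
)
set "FWCDIR=%ProgramFiles%\Microsoft Firewall Client"
set "CFG=%SystemRoot%\system32\wspcfg.ini"

if not exist "%FWCDIR%\credtool.exe" (
    echo Firewall Client not found in "%FWCDIR%"
    exit /b 1
)

rem 1. Per-application settings live in wspcfg.ini in the folder that holds dns.exe.
rem    The section name is the executable name without its extension, hence [dns].
rem    Disable=0 is there in case the server's mspclnt.ini ships a [dns] Disable=1.
rem    NameResolution=L keeps name lookups on this host's own DNS client.
rem    ForceCredentials=1 is what makes the FWC use the credentials credtool stores;
rem    without it the credtool call below changes nothing.
rem    ServerBindTcpPorts=53 asks ISA to listen on TCP 53 for this service (assumed
rem    value; Persistent and KillOldSession are the usual companions for a service).
(
    echo [dns]
    echo Disable=0
    echo NameResolution=L
    echo ForceCredentials=1
    echo ServerBindTcpPorts=53
    echo Persistent=1
    echo KillOldSession=1
) > "%CFG%"
if errorlevel 1 exit /b 1

rem 2. Store the credentials the FWC will present to ISA on behalf of dns.exe.
rem    Argument order follows the article: -c UserName DomainName Password.
"%FWCDIR%\credtool.exe" -w -n dns -c %1 %2 %3
if errorlevel 1 exit /b 1

rem 3. Read them back: credtool prints the user and domain, never the password.
"%FWCDIR%\credtool.exe" -r -n dns

echo wspcfg.ini written to "%CFG%". Restart the DNS service so dns.exe picks it up:
echo     net stop dns ^&^& net start dns
endlocal
```

Two things to watch when you use something like this. The password travels on the command line, where it is visible in the console buffer and to anything that records command lines, so run the script interactively and don’t leave it in a scheduled task. And the account you hand to credtool exists only to be matched by ISA’s rules, so make it a dedicated one with a non-expiring password and no rights beyond what those rules grant.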
That’s all for today. As usual, feel free to contact me.