Richard Hicks notes in his blog an interesting case of strange client behavior for machines with the Firewall client installed. As you might know, many organizations try to improve their overall security posture by configuring client systems as Web proxy and Firewall clients only, when located behind an ISA or TMG firewall. The Web proxy and Firewall client configuration allows you to force authentication for all outbound connections, and when you remove the default gateway settings from the client, you completely remove the ability of the client to obtain unauthenticated access to the Internet (or anywhere else though the ISA or TMG firewall).
However, a strange thing happens when a Vista client is configured as a Firewall and Web proxy client, but without a default gateway configured on its NIC. When the Vista client tries to connect to other Networks through the ISA or TMG firewall using a FQDN for non-Web Proxy client mediated connections, the connection attempt will fail.
Obviously, this shouldn’t happen, since the Firewall client is supposed to forward the connection request to the Firewall service on the ISA or TMG firewall. Indeed, that’s one of the major advantages of the Firewall and Web proxy client configuration — to make your routing infrastructure independent of client Internet access (i.e., network routers don’t need to be configured to use the ISA or TMG firewall as their gateway of last resort).
The problem is that Vista breaks this scenario. Apparently, when the Vista DNS client detects that that the destination is unreachable to the basic TCP/IP stack, the client “filters” out the request and prevents the application from connecting to the remote resource (yes, I know that’s a hand waving explanation, but I haven’t found any documentation yet regarding the Vista DNS client behavior). This is in spite of the fact that the machine can reach the Internet via the Firewall client.
An interesting this is that Web proxy client behavior continues working fine. I suppose the reason for this is that all connections requests are forwarded to the Web proxy listener, which the Vista DNS client considers reachable. I assume that this is the case only because we’re speaking of simple networks here, where the ISA or TMG firewall is located on the same network ID as the clients. If not, then the client would need a default gateway configured to reach the firewall, or have a static route configured on it. In both cases, the DNS client would consider the Web proxy listener reachable and Web proxy client connections would continue to work.
This is sad and redolent of the horkage that took place with Windows XP SP2 and subsequent releases of XP and Vista and L2TP/IPsec and NAT Traversal. At least with the NAT-T debacle there was a registry fix. With the current problem of the Firewall client machine without a default gateway, there is no fix. For Internet access, you will need to configure a default gateway, and for access to any other remote networks reachable through the ISA or TMG firewall that are not Internet based, then you’ll need to configure static routes on each client.
Hat’s off to Richard Hicks for following up on this issue!
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer