Bypassing the Firewall Client Using the LocalLAT.txt File

ISA Server Firewall Client and Firewall Client Configuration

If you have the ISA 2004 Firewall client software installed on a machine, internal and external traffic will always go through the ISA Server unless you specify otherwise. You can let traffic bypass the ISA firewall by using a “LocalLAT.txt” file on the client machine. We are all familiar with the Local LAT on ISA Server 2000, but this “LAT” file is a client file and resides only on the client machine. In this scenario, my goal is to have all traffic to 10.10.5.X bypass the ISA Server.

  1. Log on to a machine where the Firewall client software is installed.
  2. Navigate to the C:\Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder. Create a new text file called LocalLAT.txt.


Figure 1

  3. Double click the file or open it in Notepad. Add the following IP address range: 10.10.5.1 <TAB> 10.10.5.255. Save the file and close it.


Figure 2

  4. Open the Computer Management or Services MMC and restart the Firewall Client Agent.


Figure 3

After this configuration, traffic to the 10.10.5.X subnet no longer goes through the ISA firewall. The Firewall client looks for LocalLAT.txt, reads the IP address pairs and treats them as local network connections (i.e., the source and destination are perceived by the Firewall client to be on the same ISA firewall Network). Even if you need to bypass a single IP address, it has to be specified as a pair. You can use Group Policy or any of the existing software deployment methods to push this file to the client machines.
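
Because LocalLAT.txt is a client-side file that takes destinations out of the ISA firewall's path, it is worth checking on managed machines. The following is an added example, not part of the original article: a Python parser that validates each address pair and flags ranges outside an approved list. The approved network, the sample file contents and the one-pair-per-line, whitespace-separated layout are assumptions.

```python
import ipaddress

# Assumption: the only range this organisation has approved for direct access.
APPROVED = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample LocalLAT.txt contents (not taken from a real client).
SAMPLE = (
    "10.10.5.1\t10.10.5.255\n"      # the range used in the article
    "192.168.1.10\t192.168.1.10\n"  # single host, written as a pair
    "0.0.0.0\t255.255.255.255\n"    # bypasses the firewall for everything
    "10.10.5.7\n"                   # malformed: single address, not a pair
)

def parse_locallat(text):
    """Return (entries, errors); entries are (lineno, start, end) tuples."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()  # the pair is TAB-separated in the article
        if not fields:
            continue  # skip blank lines
        if len(fields) != 2:
            errors.append((lineno, "expected an address pair, got %d field(s)" % len(fields)))
            continue
        try:
            start, end = (ipaddress.IPv4Address(f) for f in fields)
        except ipaddress.AddressValueError as exc:
            errors.append((lineno, "bad address: %s" % exc))
            continue
        if start > end:
            errors.append((lineno, "range start is above range end"))
            continue
        entries.append((lineno, start, end))
    return entries, errors

def audit(text, approved=APPROVED):
    """Return (lineno, message) findings for malformed or unapproved entries."""
    entries, findings = parse_locallat(text)
    for lineno, start, end in entries:
        # Break the start..end range into CIDR blocks and require every
        # block to sit inside one of the approved networks.
        blocks = ipaddress.summarize_address_range(start, end)
        if any(not any(b.subnet_of(n) for n in approved) for b in blocks):
            findings.append((lineno, "unapproved bypass range %s-%s" % (start, end)))
    return findings

if __name__ == "__main__":
    for lineno, message in sorted(audit(SAMPLE)):
        print("line %d: %s" % (lineno, message))
```

Run against files collected from clients, this reports any entry that widens the bypass beyond what was intended, including a catch-all range.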

There is also a server-side setting that lets machines with the Firewall client installed bypass the ISA Server when accessing a particular domain name. The following section explains how to enable it:

  1. Open ISA firewall console.
  2. On the right pane, select Toolbox and expand Networks.
  3. Right click on the Internal network and go to Properties.
  4. Select the Domain tab and click Add.
  5. Enter the name of the domain in the Enter a domain name to include: box and click OK.


Figure 4

  6. Click OK on the Internal Properties page to close the window.


Figure 5

This configuration lets a machine configured with the Firewall client bypass the ISA Server when contacting the domain names listed in the Domain Names box.

Enabling Direct Access and Bypassing the Proxy

Even if you added your intranet IP address to the LocalLAT.txt file, traffic won’t bypass the ISA firewall when you are using Internet Explorer with Automatic Configuration enabled (the Web proxy client configuration). There are a few settings on the ISA firewall that enable Direct Access and bypass the proxy when accessing intranet sites and servers. The following screen shot shows my lab configuration: the automatic configuration script is enabled and I am using the proxy for all IE communications.


Figure 6

You can enable direct access to a set of IP addresses or to a Domain using the following method:

  1. Open the ISA firewall Console.
  2. On the right pane, select Toolbox and expand Networks.
  3. Right click on the Internal network and go to Properties.
  4. Select the Web Browser tab.
  5. Select Bypass proxy for the servers in this network option. This will tell the client machine to bypass the ISA server when accessing the local server.
  6. Select Directly access computers specified in the Domain tab option.
  7. Click the Add button.


Figure 7

  8. Enter the IP address range or the Domain name. Click OK.


Figure 8

  9. Click OK on the Internal Properties page to close the window.

Summary

In this article I explained different techniques to bypass the ISA firewall when trying to access local servers. I hope this article will help you become familiar with different options available in ISA Server 2004. As always, I would like to hear your comments and suggestions after reading this article. If you have any questions regarding this article, feel free to email me or post a comment on the newsgroup.
