Understanding the ISA Firewall Client (Part 1)

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real Time Article Update newsletter.

The Firewall client software is an optional client piece that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall client software provides the following enhancements to Windows clients:

  • Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols
  • Allows user and application information to be recorded in the ISA firewall’s log files
  • Provides enhanced support for network applications, including complex protocols that require secondary connections
  • Provides “proxy” DNS support for Firewall client machines
  • Allows you to publish servers requiring complex protocols without the aid of an application filter
  • The network routing infrastructure is transparent to the Firewall client

Allows Strong User/Group-Based Authentication for All Winsock Applications Using TCP and UDP Protocols

The Firewall client software transparently sends user information to the ISA firewall. This allows you to create Access Rules that apply to users and groups and allow or deny access to any protocol, site, or content, based on a user account or group membership. This strong user/group-based outbound access control is extremely important. Not all users require the same level of access, and users should only be allowed access to protocols, sites, and content they require to do their jobs.

Note:
The concept of allowing users access to only the protocols, sites, and content they require is based on the principle of least privilege. The principle of least privilege applies to both inbound and outbound access. For inbound access scenarios, Server and Web Publishing rules allow traffic from external hosts to Internal network resources in a highly controlled and monitored fashion. The same should be true for outbound access. In traditional network environments, inbound access is highly limited while users are allowed outbound access to virtually any resource they desire. This weak approach to outbound access control can put not only the corporate network at risk, but other networks as well, as Internet worms can easily traverse firewalls that do not restrict outbound access.

The Firewall client automatically sends user credentials (user name and password) to the ISA firewall. The user must be logged on with a user account that is either in the Windows Active Directory or NT domain, or the user account must be mirrored on the ISA firewall. For example, if you have an Active Directory domain, users should log on to the domain, and the ISA firewall must be a member of the domain. The ISA firewall is able to authenticate the user and allows or denies access based on the user’s domain credentials.

If you do not have a Windows domain, you can still use the Firewall client software to control outbound access based on user/group. In this case, you must mirror the accounts that users log on to on their workstations to user accounts stored in the local Security Account Manager (SAM) on the ISA firewall computer.

For example, a small business does not use the Active Directory, but they do want strong outbound access control based on user/group membership. Users log on to their machines with local user accounts. You can enter the same user names and passwords on the ISA firewall, and the ISA firewall will be able to authenticate the users based on the same account information used when users log on to their local machines.

Windows 9x clients can be configured to forward domain credentials if they have the Active Directory client software installed.

Allows User and Application Information to be Recorded in the ISA 2004 Firewall’s Log Files

A major benefit of using the Firewall client is that when the user name is sent to the ISA firewall, that user name is included in the ISA firewall’s log files. This allows you to easily query the log files for user names and obtain precise information on that user’s Internet activity.

In this context, the Firewall client provides not only a high level of security by allowing you to control outbound access based on user/group accounts, but also provides a high level of accountability. Users will be less enthusiastic about sharing their account information with other users when they know that their Internet activity is being tracked based on their account name, and they are held responsible for that activity.

Provides Enhanced Support for Network Applications, Including Complex Protocols Requiring Secondary Connections

Unlike the SecureNAT client, which requires an application filter to support complex protocols requiring secondary connections, the Firewall client can support virtually any Winsock application using TCP or UDP protocols, regardless of the number of primary or secondary connections, without requiring an application filter.

The ISA firewall makes it easy for you to configure Protocol Definitions reflecting multiple primary or secondary connections and then create Access Rules based on these Protocol Definitions. This provides a significant advantage in terms of Total Cost of Ownership (TCO) because you do not need to purchase applications that are SOCKS proxy aware, and you do not need to incur the time and cost overhead involved with creating custom application filters to support “off-label” Internet applications.

Provides “Proxy” DNS Support for Firewall Client Machines

In contrast to the SecureNAT client, the Firewall client does not need to be configured with a DNS server that can resolve Internet host names. The ISA firewall can perform a “proxy” DNS function for Firewall clients.

For example, when a Firewall client sends a connection request for ftp://ftp.microsoft.com, the request is sent directly to the ISA firewall. The ISA firewall resolves the name for the Firewall client based on the DNS settings on the ISA firewall’s network interface cards. The ISA firewall returns the IP address to the Firewall client machine, and the Firewall client machine sends the FTP request to the IP address for the ftp.microsoft.com FTP site.

The ISA firewall also caches the results of the DNS queries it makes for Firewall clients. Unlike ISA Server 2000, which cached this information for a default period of 6 hours, the ISA firewall caches the entries for a period determined by the TTL on the DNS record. This speeds up name resolution for subsequent Firewall client connections to the same sites. Figure 1 shows the name resolution sequence for the Firewall client.


Figure 1: Firewall Name Resolution Sequence

  1. The Firewall client sends a request for ftp.microsoft.com.
  2. The ISA firewall sends a DNS query to an Internal DNS server.
  3. The DNS server resolves the name ftp.microsoft.com to its IP address and returns the result to the ISA firewall.
  4. The ISA firewall returns the IP address of ftp.microsoft.com to the Firewall client that made the request.
  5. The Firewall client sends a request to the IP address for ftp.microsoft.com and the connection is complete.
  6. The Internet server returns requested information to the Firewall client via the Firewall client connection made to the ISA firewall.
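The name resolution sequence in Figure 1 and the TTL-based caching described above, as an added Python simulation that is not part of the original article or the ISA product: the upstream records, the injectable clock and the six-hour constant are constructed assumptions used to contrast per-record TTL expiry with a fixed cache lifetime.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed upstream answers, standing in for what the Internal DNS server
# would return to the ISA firewall: name -> (address, TTL in seconds). The
# address is a documentation-range placeholder, not the real host.
UPSTREAM_RECORDS: Dict[str, Tuple[str, int]] = {
    "ftp.microsoft.com": ("203.0.113.10", 300),
}

SIX_HOURS = 6 * 60 * 60  # the ISA Server 2000 default cache period


class ProxyDnsCache:
    """Resolves names on behalf of Firewall clients and caches the answers.

    With fixed_ttl=None an entry lives for the TTL on the DNS record (the ISA 2004
    behaviour); with fixed_ttl=SIX_HOURS it lives for a fixed period regardless of
    the record's TTL (the ISA Server 2000 behaviour). The clock is injectable so
    expiry can be simulated without sleeping."""

    def __init__(self, upstream: Callable[[str], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic,
                 fixed_ttl: Optional[int] = None) -> None:
        self.upstream = upstream
        self.clock = clock
        self.fixed_ttl = fixed_ttl
        self.entries: Dict[str, Tuple[str, float]] = {}  # name -> (address, expires_at)
        self.upstream_queries = 0

    def resolve(self, name: str) -> str:
        """Return the address for name, querying upstream only when no live entry exists."""
        key = name.lower().rstrip(".")
        now = self.clock()
        cached = self.entries.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]                      # step 4 served from cache
        address, record_ttl = self.upstream(key)  # steps 2 and 3 of Figure 1
        self.upstream_queries += 1
        lifetime = record_ttl if self.fixed_ttl is None else self.fixed_ttl
        self.entries[key] = (address, now + lifetime)
        return address


def lookup_upstream(name: str) -> Tuple[str, int]:
    """Stand-in for the Internal DNS server query (step 2 of Figure 1)."""
    return UPSTREAM_RECORDS[name]


def simulate(fixed_ttl: Optional[int]) -> int:
    """Resolve the same name at t=0, t=299 and t=301 seconds (record TTL is 300)
    and return how many times the firewall had to ask the upstream DNS server."""
    now = [0.0]
    cache = ProxyDnsCache(lookup_upstream, clock=lambda: now[0], fixed_ttl=fixed_ttl)
    for t in (0.0, 299.0, 301.0):
        now[0] = t
        cache.resolve("ftp.microsoft.com")
    return cache.upstream_queries
```

With per-record TTL the third lookup goes back upstream because the entry expired at 300 seconds; with the fixed six-hour lifetime the stale entry is still served.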

The Network Routing Infrastructure Is Transparent to the Firewall Client

The final major benefit conferred by the Firewall client is that the routing infrastructure is virtually transparent to the Firewall client machine. In contrast to the SecureNAT client, which depends on its default gateway and the default gateway settings on routers throughout the corporate network, the Firewall client machine only needs to know the route to the IP address on the Internal interface of the ISA 2004 firewall.

The Firewall client machine “remotes” or sends requests directly to the IP address of the ISA firewall. Since corporate routers are typically aware of all routes on the corporate network, there is no need to make changes to the routing infrastructure to support Firewall client connections to the Internet. Figure 2 depicts the “remoting” of these connections directly to the ISA firewall. Table 1 summarizes the advantages of the Firewall client application.


Figure 2: Firewall Client Connections to the ISA 2004 Firewall are Independent of the Default Gateway Configurations on Interposed Routers

Firewall Client Advantage: Strong user/group based authentication for Winsock TCP and UDP protocols
Implication: Strong user/group based authentication for Winsock applications using TCP and UDP allows you fine-tuned granular control over outbound access and makes it possible for you to implement the principle of least privilege, which protects not only your own network, but other corporations’ networks as well.

Firewall Client Advantage: User name and application information is saved in the ISA 2004 firewall’s logs
Implication: While strong user/group-based access controls increase the security the firewall provides for your network, user name and application name information saved in the ISA 2004 firewall’s logs increases accountability and enables you to easily research what sites, protocols, and applications any user running the Firewall client software has accessed.

Firewall Client Advantage: Enhanced support for network applications and protocols
Implication: The Firewall client can access virtually any TCP or UDP-based protocol, even those used by complex protocols that require multiple primary and/or secondary connections. In contrast, the SecureNAT client requires an application filter on the ISA 2004 firewall to support complex protocols. The overall effect is that the Firewall client reduces the TCO of the ISA 2004 firewall solution.

Firewall Client Advantage: Proxy DNS support for Firewall clients
Implication: The ISA 2004 firewall can resolve names on behalf of Firewall clients. This offloads Internet host name resolution responsibility from the Firewall client computer and allows the ISA 2004 firewall to keep a DNS cache of recent name resolution requests. This DNS proxy feature also enhances the security configuration for Firewall clients because it eliminates the requirement that the Firewall client be configured to use a public DNS server to resolve Internet host names.

Firewall Client Advantage: Enables publishing servers that require a complex networking protocol
Implication: Web and Server Publishing Rules support simple protocols, with the exception of those that have an application filter installed on the ISA 2004 firewall, such as the FTP Access application filter. You can install Firewall client software on a published server to support complex protocols, such as those that might be required if you wished to run a game server on your network. It is important to note that Microsoft no longer officially supports this configuration and recommends that you have a C++ programmer code an application filter to support your application.

Firewall Client Advantage: The network routing infrastructure is virtually transparent to the Firewall client
Implication: Unlike the SecureNAT client, which relies on the organization’s routing infrastructure to use the ISA 2004 firewall as its Internet access firewall, the Firewall client only needs to know the route to the IP address on the Internal interface of the ISA 2004 firewall. This significantly reduces the administrative overhead required to support the Firewall client versus the SecureNAT client.

Table 1: Advantages of the Firewall Client Configuration

How the Firewall Client Works

The details of how the Firewall client software actually works are not fully documented in the Microsoft literature. In fact, if you do a network trace of Firewall client communications using Microsoft Network Monitor, you’ll see that Network Monitor is unable to decode the Firewall client communications; however, Ethereal does have a rudimentary Firewall client filter you can use.

What we do know is that the ISA 2004/6 Firewall client, unlike previous versions, uses only TCP 1745 for the Firewall client Control Channel. Over this control channel, the Firewall client communicates directly with the ISA firewall service to perform name resolution and network application-specific commands (such as those used by FTP and Telnet). The firewall service uses the information gained through the control channel and sets up a connection between the Firewall client and the destination server on the Internet. The ISA firewall proxies the connection between the Firewall client and the destination server.

Note:
The Firewall client only establishes a control channel connection when connecting to resources not located on the Internal network.

In ISA Server 2000, the Internal network was defined by the Local Address Table (LAT). The ISA 2004/6 firewall does not use a LAT because of its enhanced multinetworking capabilities. Nevertheless, the Firewall client must have some mechanism in place to determine which communications should be sent to the firewall service on the ISA firewall and which should be sent directly to the destination host with which the Firewall client wants to communicate.

The Firewall client solves this problem using addresses defined by the ISA Firewall Network on which the client resides. The ISA Firewall Network for any specific Firewall client consists of all the addresses reachable from the network interface that is connected to the Firewall client’s own ISA Firewall Network. This situation gets interesting on a multihomed ISA firewall that has multiple ISA Firewall Networks associated with different network adapters. In general, all hosts located behind the same network adapter (regardless of network ID) are considered part of the same ISA Firewall Network and all communications between hosts on the same ISA Firewall Network should bypass the Firewall client.

Addresses for ISA Firewall Networks are defined during installation of the ISA firewall software, but you can create other networks as required after installation is complete. Typically, after installation, only the default Internal ISA Firewall Network is created for you and you will need to manually create other ISA Firewall Networks if there are more than two NICs installed on your ISA Firewall.

ISA FIREWALL SECURITY ALERT:
You may have multiple interfaces on the same ISA firewall. However, only a single network may have the name Internal. The Internal network consists of a group of machines that have an implicit trust in each other (at least enough trust to not require a network firewall to control communications between them). You can have multiple internal networks, but additional internal networks cannot be included in the Internal address range of another internal network. Closely review ISA Firewall System Policy after installation is complete to limit communications between the ISA Firewall and the default Internal Network to only those required for your scenario.

This means you cannot use the centrally-configured network address range configured for the Internal network and additional Internal networks to bypass the Firewall client when communicating between Internal networks connected to the ISA firewall via different network interfaces.

However, the centralized configuration of the Firewall client can be done per ISA Firewall Network, so you can control the Firewall client settings on a per Network basis. This allows you a measure of control over how the Firewall client configuration settings are managed on each network. However, this solution does not help in the network within a network scenario, where there are multiple network IDs located behind the same network interface card.

In the network within a network scenario, you can use a Local LAT (locallat.txt) file to override the centralized Internal network settings if you find that is required. In general, the network within a network scenario doesn’t create any significant problems for the Firewall client.
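The direct-versus-remote decision described in the preceding paragraphs (central ISA Firewall Network ranges plus a locallat.txt override), as an added Python model that is not part of the original article or of the Firewall client itself. The address ranges are constructed samples, and the locallat.txt format (one whitespace-separated "start end" pair per line) is an assumption; the last function is an administrator's check for override entries that take traffic past the firewall service.

```python
import ipaddress
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample: the centrally configured address ranges of the ISA Firewall
# Network this client sits on (assumption: stands in for what the administrator
# defined at installation).
CENTRAL_RANGES_TXT = "10.0.0.0 10.0.255.255\n"

# Constructed sample locallat.txt. Assumption: one whitespace-separated
# "start end" IPv4 pair per line, blank lines ignored. The first entry is a
# subnet behind the same NIC (network within a network); the second is not
# covered by the central ranges at all.
LOCALLAT_TXT = """\
10.0.10.0 10.0.10.255

192.168.50.0 192.168.50.255
"""


def parse_ranges(text: str) -> List[IPRange]:
    """Parse 'start end' lines into (start, end) address pairs, rejecting malformed lines."""
    ranges: List[IPRange] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {line!r}")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if start > end:
            raise ValueError(f"line {lineno}: start address is after end address")
        ranges.append((start, end))
    return ranges


def contains(ranges: List[IPRange], addr: ipaddress.IPv4Address) -> bool:
    return any(start <= addr <= end for start, end in ranges)


def route_decision(dest_ip: str, central: List[IPRange], local_lat: List[IPRange]) -> str:
    """'direct' if the destination is on the client's own ISA Firewall Network
    (central ranges or a locallat.txt override); otherwise 'remote', meaning the
    request is sent to the ISA firewall over the control channel (TCP 1745)."""
    addr = ipaddress.IPv4Address(dest_ip)
    if contains(local_lat, addr) or contains(central, addr):
        return "direct"
    return "remote"


def uncovered_locallat_entries(local_lat: List[IPRange], central: List[IPRange]) -> List[IPRange]:
    """Defender check: locallat.txt entries not wholly inside a central range.
    Traffic to these addresses bypasses the firewall service, and with it the
    user authentication and logging the Firewall client provides."""
    return [(s, e) for s, e in local_lat
            if not any(cs <= s and e <= ce for cs, ce in central)]
```

Because locallat.txt is a per-machine file, reviewing it for entries the central configuration does not cover is the way to find destinations that silently escape user-based Access Rules.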

The most significant improvement the ISA 2004/6 Firewall client has over previous versions of the Firewall client (Winsock Proxy Client 2.0 and ISA Server 2000 Firewall Client) is that you now have the option to use an encrypted channel between the Firewall client and the ISA firewall.

Remember, the Firewall client sends user credentials transparently to the ISA firewall. The ISA Firewall client now encrypts the channel so that someone who may be “sniffing” the network with a network analyzer (such as Microsoft Network Monitor or Ethereal) will not intercept user credentials. Note that you do have the option of configuring the ISA firewall to allow both secure encrypted and non-encrypted control channel communications.

For a very thorough empirical study on how the Firewall client application works with the firewall service in ISA Server 2000, check out Stefaan Pouseele’s article Understanding the Firewall Client Control Channel.

Note:
If Internet Protocol security (IPSec) transport mode is enabled for a network so that the Firewall client machine uses IPSec transport mode to connect to the ISA firewall, you may experience unusual and unpredictable connectivity issues. If Firewall clients in the network do not behave as expected, disable IP routing at the ISA firewall console. In the ISA Firewall console, expand the server, and then expand the Configuration node; click the General node. In the details pane, click Define IP Preferences. On the IP Routing tab, verify that the Enable IP Routing check box is not selected. Note that disabling IP Routing can significantly degrade the performance of your SecureNAT clients that require access to secondary connections.

Summary

In this article we discussed the ISA firewall’s Firewall client software. The Firewall client acts as a Winsock proxy client application that remotes networked Winsock application calls to the ISA Firewall. The ISA Firewall’s firewall service then proxies these connections to the destination requested by the client. The Firewall client supports all protocols, including those with multiple primary and secondary connections, and does not require specific Protocol Definitions to be created if an “all open” Access Rule is created. Most importantly, the Firewall client is able to send user and computer name information to the ISA Firewall, and this information is available in log files and reports, so that you can get very detailed information about what users are doing with the Internet connection, for almost all applications and all protocols; this cannot be done with a machine that is configured only as a Web proxy or SecureNAT client. In addition, the Firewall client sends the application image name to the ISA Firewall, so that you can easily determine if forbidden applications are being used by corporate users.
