ISA clients

Status
Not open for further replies.
Oct 8, 2004
I currently have Microsoft Proxy 2.0 as a proxy and content filter with a hardware firewall. I am upgrading to ISA 2004 on a Windows 2000 Server (I am going to completely uninstall Proxy and then install ISA 2004) as both a proxy server and as a firewall (and get rid of my hardware firewall). While I currently have the time to do the install of ISA, I don’t want to have to make changes to my clients. If I use the same address as my Proxy I can avoid making changes to my client computers (correct? using web proxy), but will ISA only allow clients to access HTTP, HTTPS, and FTP? What about Real Player, Quicktime, and other protocols I may need? As I understand it, to allow for these other protocols I would need the ISA client. Am I correct? Do I have to have all the computers either connect via the Web Proxy or using a client? I was thinking of going with the Web Proxy to start with, if particular users need more access then installing the client for them temporarily, and then as I reimage workstations just add the ISA client to all the images. The workstations are Win 2000 Pro majority, some Win 98, a few Win XP. What is the best and most simple solution?
 
The major difference between web proxy and ISA Firewall client is that applications which use a whole lot of secondary connections/ports will mostly not work without the ISA Firewall client.

Example: To be able to use the video/audio part of MSN Messenger, a bunch of ports need to be opened. Also, and this is where the Firewall Client comes in, MSN Messenger at some point will ask for your IP, which the other party needs to know for this video/audio session to take place. In this case it will return the IP of your machine. And thereby, you will not be able to do video/audio. Using the Firewall Client, however, you are able to tell which IP is to be used: your machine's, your ISA server's internal or your ISA server's external.

Another major difference is that Proxy 2.0 listens for incoming web proxy client connections on port 80. ISA does NOT! ISA Server listens by default on 8080, but it's possible to change it so it fits your needs (i.e. 80).

So, simple communication, HTTP, HTTPS, DNS etc. will work. FTP however might be a problem without the client, because it uses more ports than just 21 tcp out (What's the difference between active and passive FTP - faq802-4977).

Another issue that might be of interest: if you are going to set up ISA rules on a per user/group basis, you will either need the firewall client or to set up as a web proxy client. A secure NAT client does not support authentication of any sort.

As you say, start with web proxy client and if need arises to be able to use more complex internet applications, install the ISA Client.

Cheers
Knutern
 
So I should set up ISA to do web proxy client and then if a particular user needs more access, I can use the ISA client.
I could therefore have some workstations using the ISA client and others still can use web proxy on the same ISA server. Do I have to change ISA to listen on port 80 for web proxy to work?
 
You don't need to set up anything special on the ISA 2004 to make it act as a proxy. It provides this out of the box.

The thing you need to change on the ISA, is that it should listen on port 80 instead of - default - 8080 for web proxy client connections.

To determine if you need the ISA client, try the application without first, and if it does not work, then try with ISA client. If the internet application needs to send user information and does not support web proxy configuration for example, you need the ISA client.

Cheers
Knutern
 