Advanced Firewall Client Configuration
In addition to the Firewall Client settings that you can configure on the ISA Server computer for distribution to all clients, there are also advanced settings that you can configure on the client computer running the Firewall Client. As much as possible, use the ISA Server settings to configure the Firewall Client settings, but in some cases, you may need a unique configuration for one or more clients.
Configuring Local Addresses
One of the advanced options that you can configure is the local address table. By default, Firewall Client considers all addresses on its local network, as well as the addresses specified in the local routing table on the Firewall client computer, as local. Each time a Winsock application on that client attempts to establish a connection to an IP address, the Firewall Client uses this information plus the Internal network information on ISA Server to determine whether the IP address is on the local network. If the server IP address is local, the Firewall Client will connect to the server directly; if the
address is not local, the Firewall Client will go through the ISA Server computer to access the server.
You can modify this client behavior by creating a client computer–specific file that defines local addresses for that client. Using a text editor, you can create a custom client local address table (LAT) file named Locallat.txt and place it in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder on the Firewall client computer. You can add additional IP address ranges to the file so that the client will recognize these addresses as part of the local network. If this file exists, the client uses its own routing table, the server-specific settings, and the Locallat.txt file to determine the IP addresses that are part of the local network.
When you create the Locallat.txt file, enter IP address pairs in the file. Each address pair defines either a range of IP addresses or a single IP address. The following example shows a Locallat.txt file that has two entries. The first entry is an IP address range and the second entry is a single IP address. Note that the second entry on each line is an IP address and not a subnet mask.
10.51.0.0 10.51.255.255
10.52.144.103 10.52.144.103
Advanced Firewall Client Settings
For most Winsock applications, the default Firewall Client configuration that is downloaded from the ISA Server computer works with no further modification needed. However, in some cases, you will need to add specific client configuration information.For example, if one Firewall client computer requires an application setting that is different from all other clients, you will need to configure the application settings on that particular computer. The configuration is done by making changes to Firewall Client .ini files.
The Firewall Client configuration information is stored in a set of files, which are installed on the Firewall client computer. The following files are used to configure the local Firewall client settings:
1-Common.ini Specifies the common configuration for all applications
2-Management.ini Specifies Firewall Client Management configuration settings
3-Application.ini Specifies application-specific configurations settings The Common.ini file and the Management.ini file are created for all users logged on to the computer and can also be created manually for each specific user on the computer. By default, the Application.ini file is not created, so you must create it manually. The per-user settings override the general configuration settings. These files are created in different locations, depending on the operating system. For example, on Windows XP computers, the files may be located in one of two places:
In addition to the Firewall Client settings that you can configure on the ISA Server computer for distribution to all clients, there are also advanced settings that you can configure on the client computer running the Firewall Client. As much as possible, use the ISA Server settings to configure the Firewall Client settings, but in some cases, you may need a unique configuration for one or more clients.
Configuring Local Addresses
One of the advanced options that you can configure is the local address table. By default, Firewall Client considers all addresses on its local network, as well as the addresses specified in the local routing table on the Firewall client computer, as local. Each time a Winsock application on that client attempts to establish a connection to an IP address, the Firewall Client uses this information plus the Internal network information on ISA Server to determine whether the IP address is on the local network. If the server IP address is local, the Firewall Client will connect to the server directly; if the
address is not local, the Firewall Client will go through the ISA Server computer to access the server.
You can modify this client behavior by creating a client computer–specific file that defines local addresses for that client. Using a text editor, you can create a custom client local address table (LAT) file named Locallat.txt and place it in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder on the Firewall client computer. You can add additional IP address ranges to the file so that the client will recognize these addresses as part of the local network. If this file exists, the client uses its own routing table, the server-specific settings, and the Locallat.txt file to determine the IP addresses that are part of the local network.
When you create the Locallat.txt file, enter IP address pairs in the file. Each address pair defines either a range of IP addresses or a single IP address. The following example shows a Locallat.txt file that has two entries. The first entry is an IP address range and the second entry is a single IP address. Note that the second entry on each line is an IP address and not a subnet mask.
10.51.0.0 10.51.255.255
10.52.144.103 10.52.144.103
Advanced Firewall Client Settings
For most Winsock applications, the default Firewall Client configuration that is downloaded from the ISA Server computer works with no further modification needed. However, in some cases, you will need to add specific client configuration information.For example, if one Firewall client computer requires an application setting that is different from all other clients, you will need to configure the application settings on that particular computer. The configuration is done by making changes to Firewall Client .ini files.
The Firewall Client configuration information is stored in a set of files, which are installed on the Firewall client computer. The following files are used to configure the local Firewall client settings:
1-Common.ini Specifies the common configuration for all applications
2-Management.ini Specifies Firewall Client Management configuration settings
3-Application.ini Specifies application-specific configurations settings The Common.ini file and the Management.ini file are created for all users logged on to the computer and can also be created manually for each specific user on the computer. By default, the Application.ini file is not created, so you must create it manually. The per-user settings override the general configuration settings. These files are created in different locations, depending on the operating system. For example, on Windows XP computers, the files may be located in one of two places:
1- \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder
2- \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\ Firewall Client 2004 folder
The ServerName value is used to configure the ISA Server computer from which the Firewall Client should download its configuration. The Disable option specifies whether the Firewall Client is disabled, with a value of 1 indicating that it is disabled. And the Autodetection value specifies whether the Firewall Client is configured to detect ISA Servers automatically.
By default, the Management.ini file contains only a setting that specifies whether the Firewall Client is enabled to modify the Web Proxy settings on the client. The Application.ini file specifies configuration settings for specific applications and also the file that is most often modified. For example, you may have several users on your network running a Winsock application, but only a subset of those users should be able to use that application to access Internet resources. One way to enable this is to configure the Application.ini files on the client computers used by the users that should use the application to gain access to Internet resources.
2- \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\ Firewall Client 2004 folder
The ServerName value is used to configure the ISA Server computer from which the Firewall Client should download its configuration. The Disable option specifies whether the Firewall Client is disabled, with a value of 1 indicating that it is disabled. And the Autodetection value specifies whether the Firewall Client is configured to detect ISA Servers automatically.
By default, the Management.ini file contains only a setting that specifies whether the Firewall Client is enabled to modify the Web Proxy settings on the client. The Application.ini file specifies configuration settings for specific applications and also the file that is most often modified. For example, you may have several users on your network running a Winsock application, but only a subset of those users should be able to use that application to access Internet resources. One way to enable this is to configure the Application.ini files on the client computers used by the users that should use the application to gain access to Internet resources.
