Using Systems Management Server 2003 :
Organizations that have deployed SMS 2003 can use the software distribution feature of SMS to distribute the ISA Firewall Client. Software distribution in SMS 2003 provides the ability to deploy Microsoft Windows Installer (.msi) or Package Definition Format (.pdf, .sms) files to any computer that is assigned to the SMS environment. To deploy the ISA Firewall Client using SMS, perform the following procedure:
1. Create a collection that includes any computer that is to receive the ISA Firewall Client software. A collection is a logical group of resources such as computers or users that are gathered together to be managed within SMS. You can set specific requirements such as IP address, hardware configuration, or add clients directly by name to group all resources that are to have the ISA Firewall Client installed.
2. Create an SMS package by importing the ISA Firewall Client Windows Installer file (MS_FWC.msi). The Windows Installer file automatically creates attended and unattended installation program options that can be deployed on a per-system or per-user basis. Programs are also created to uninstall the client if the need arises. The per-system programs are configured to install the client with administrative rights regardless of whether the user is logged on. The per-user programs install the client using the credentials of the logged-on user.
3. Create an SMS advertisement, which specifies the target collection and program to install. To control deployment, you can schedule a time for the program to be advertised to collection members.
How to Configure ISA Server for Firewall Clients :
When you first install the Firewall Client on a client computer, it will connect to the ISA Server computer configured during the installation to complete the Firewall Client configuration. After installation, each time a computer running the Firewall Client restarts, the Firewall Client checks for any new client configuration settings on the server. This means that you can modify the Firewall Client by configuring the settings using ISA Server Management. The settings are then applied to the client when the client connects, or updated every six hours on the client computer if the client computer remains connected.
Firewall Client Configuration Options
Almost all Firewall Client settings can be modified using ISA Server Management.
How to Configure Firewall Client Settings
The Firewall Client settings are configured in two different locations within ISA Server Management. To configure which versions of the Firewall Client are supported and to configure the application settings, use the following procedure:
1. Open ISA Server Management, expand the Configuration folder, and click General.
2. Click Define Firewall Client Settings.
3. On the Connection tab, configure whether or not earlier versions of the Firewall Client software are supported. Because older Firewall clients do not support encryption, you must enable the Allow Non-Encrypted Firewall Client Connections option.
4. On the Application Settings, configure the settings for applications that run on Firewall Clients. To configure a specific application, click the application name and then click Edit.
The application settings are used to configure how the Firewall Client will respond when specific Winsock applications are started on the client computer. Some applications require specific port number assignments. For example, the RealPlayer application from RealNetworks requires that the Firewall client use Port 7070 when connecting to RealServer streaming media servers. The streaming media server will respond on anyport between 6970 and 7170. the application settings for the
RealPlayer application (the application name in the interface is Realplay) configure the LocalBindTcpPorts key with a value of 7070 and the RemoteBindUdpPorts key with a value of 6970-7170. Other applications are disabled in the application settings. For example, the Exchng32 application, the Mapisp32 application, and the Outlook application are all disabled by default, which means that the Firewall Client cannot establish the RPC and MAPI connections required for Microsoft Outlook e-mail clients through the ISA Server computer.
Organizations that have deployed SMS 2003 can use the software distribution feature of SMS to distribute the ISA Firewall Client. Software distribution in SMS 2003 provides the ability to deploy Microsoft Windows Installer (.msi) or Package Definition Format (.pdf, .sms) files to any computer that is assigned to the SMS environment. To deploy the ISA Firewall Client using SMS, perform the following procedure:
1. Create a collection that includes any computer that is to receive the ISA Firewall Client software. A collection is a logical group of resources such as computers or users that are gathered together to be managed within SMS. You can set specific requirements such as IP address, hardware configuration, or add clients directly by name to group all resources that are to have the ISA Firewall Client installed.
2. Create an SMS package by importing the ISA Firewall Client Windows Installer file (MS_FWC.msi). The Windows Installer file automatically creates attended and unattended installation program options that can be deployed on a per-system or per-user basis. Programs are also created to uninstall the client if the need arises. The per-system programs are configured to install the client with administrative rights regardless of whether the user is logged on. The per-user programs install the client using the credentials of the logged-on user.
3. Create an SMS advertisement, which specifies the target collection and program to install. To control deployment, you can schedule a time for the program to be advertised to collection members.
How to Configure ISA Server for Firewall Clients :
When you first install the Firewall Client on a client computer, it will connect to the ISA Server computer configured during the installation to complete the Firewall Client configuration. After installation, each time a computer running the Firewall Client restarts, the Firewall Client checks for any new client configuration settings on the server. This means that you can modify the Firewall Client by configuring the settings using ISA Server Management. The settings are then applied to the client when the client connects, or updated every six hours on the client computer if the client computer remains connected.
Firewall Client Configuration Options
Almost all Firewall Client settings can be modified using ISA Server Management.
How to Configure Firewall Client Settings
The Firewall Client settings are configured in two different locations within ISA Server Management. To configure which versions of the Firewall Client are supported and to configure the application settings, use the following procedure:
1. Open ISA Server Management, expand the Configuration folder, and click General.
2. Click Define Firewall Client Settings.
3. On the Connection tab, configure whether or not earlier versions of the Firewall Client software are supported. Because older Firewall clients do not support encryption, you must enable the Allow Non-Encrypted Firewall Client Connections option.
4. On the Application Settings, configure the settings for applications that run on Firewall Clients. To configure a specific application, click the application name and then click Edit.
The application settings are used to configure how the Firewall Client will respond when specific Winsock applications are started on the client computer. Some applications require specific port number assignments. For example, the RealPlayer application from RealNetworks requires that the Firewall client use Port 7070 when connecting to RealServer streaming media servers. The streaming media server will respond on anyport between 6970 and 7170. the application settings for the
RealPlayer application (the application name in the interface is Realplay) configure the LocalBindTcpPorts key with a value of 7070 and the RemoteBindUdpPorts key with a value of 6970-7170. Other applications are disabled in the application settings. For example, the Exchng32 application, the Mapisp32 application, and the Outlook application are all disabled by default, which means that the Firewall Client cannot establish the RPC and MAPI connections required for Microsoft Outlook e-mail clients through the ISA Server computer.
