Firewall client application settings


When you set up Microsoft Internet Security and Acceleration (ISA) Server, you configure the array to which Firewall clients should connect when sending requests to the Internet. You can specify the array by DNS name or by Internet protocol (IP) address. For more information, see Configure the application settings of Firewall Client.

After installing the client software, you can modify the server name to which the client connects by specifying a different name either on the ISA Server computer to which the client currently connects or by changing the name in the Firewall client software. The configuration changes take effect after the firewall configuration is refreshed. For more information, see the Firewall Client help.

Advanced client configuration

For most Winsock applications, the default Firewall Client configuration works with no need for further modification. However, in some cases, you will need to add client configuration information as described below. You can store the client configuration information in one of the following locations:

  • Mspclnt.ini, which is the global client configuration file, located in the Firewall Client installation folder. The Mspclnt.ini file is periodically downloaded by the client from the ISA Server computer and overwrites previous versions. Consequently, you can make configuration changes at the ISA Server computer and the settings will automatically be downloaded to the client computers.

  • Wspcfg.ini, located in a specific client application folder. The ISA Server computer does not overwrite this file. Consequently, if you make configuration changes in this file, they will apply only to the specific client.

The Firewall Client application looks for a Wspcfg.ini file in the directory where the client Winsock application is installed. If this file is found, it looks for a [WSP_Client_App] section, where WSP_Client_App is the name of the Winsock application without the .exe extension. If this section does not exist, the Firewall Client application next looks for the [Common Configuration] section. If this section also does not exist, it looks for the same sections in the Mspclnt.ini file. The first section found by this search, and only that section, is used to apply the application-specific configuration settings.

Sample Wspcfg.ini file

A sample [WSP_Client_App] section of a client configuration file, for the application WSP_Client_App.exe, is listed below.

[WSP_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:110.52.144.103, 82:110.51.0.0
KillOldSession=1
Persistent=1
ForceProxy=i:172.23.23.23
ForceCredentials=1
NameResolutionForLocalHost=L

The following table describes the possible entries that can be placed in a configuration file for a Winsock application.

Entry

Description

Disable

Possible values: 0 or 1. When the value is set to 1, the Firewall service is disabled for the specific client application.

NameResolution

Possible values: L or R. By default, dotted decimal notation or Internet domain names are redirected to the ISA Server computer for name resolution and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the ISA Server computer for resolution. When the value is set to L, all names are resolved on the local computer.

LocalBindTcpPorts

Specifies a Transmission Control Protocol (TCP) port, list, or range that is bound locally.

LocalBindUdpPorts

Specifies a User Datagram Protocol (UDP) port, list, or range that is bound locally.

RemoteBindTcpPorts

Specifies a TCP port, list, or range that is bound remotely.

RemoteBindUdpPorts

Specifies a UDP port, list, or range that is bound remotely.

ServerBindTcpPorts

Specifies a TCP port, list, or range for all ports that should accept more than one connection.

ProxyBindIp

Specifies an IP address or list that is used when binding with a corresponding port. Use this entry when multiple servers that use the same port need to bind to the same port on different IP addresses on the ISA Server computer. The syntax of the entry is:

ProxyBindIp=[port]:[IP address], [port]:[IP address]

The port numbers apply to both TCP and UDP ports.

KillOldSession

Possible values: 0 or 1. When the value is set to 1, it specifies that, if the ISA Server computer holds a session from an old instance of an application, that session is terminated before the application is granted a new session. This option is useful, for example, if an application crashed or did not close the socket on which it was listening. By closing the old session, ISA Server immediately discovers that the application was terminated and can release the port used by the old session immediately.

Persistent

Possible values: 0 or 1. When the value is set to 1, a specific server state can be maintained on the ISA Server computer if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets upon server restart.

ForceProxy

Used to force a specific ISA Server computer for a specific Winsock application. The syntax of the entry is:

ForceProxy=[Tag]:[Entry]

where Tag equals i for an IP address or n for a name. Entry equals the address or the name. If the n tag is used, the Firewall service only works over IP.

ForceCredentials

Used when running a Windows NT or Windows 2000 service or server application as a Firewall client application. When the value is set to 1, it forces the use of alternate user authentication credentials that are stored locally on the computer that is running the service. The user credentials are stored on the client computer using the Credtool.exe application that is provided with the Firewall Client software. User credentials must reference a user account that can be authenticated by ISA Server, either local to ISA Server or in a domain trusted by ISA Server. The user account is normally set not to expire; otherwise, user credentials need to be renewed each time the account expires.

NameResolutionForLocalHost

Possible values are L (default), P, or E. Used to specify how the local (client) computer name is resolved, when the gethostbyname API is called.
The LocalHost computer name is resolved by calling the Winsock API function gethostbyname() using the LocalHost string, an empty string, or a NULL string pointer. Winsock applications call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server.

When this option is set to L, gethostbyname() returns the IP addresses of the local host computer. When this option is set to P, gethostbyname() returns the IP addresses of the ISA Server computer. When this option is set to E, gethostbyname() returns only the external IP addresses of the ISA Server computer—those IP addresses that are not in the local address table.

ControlChannel

Possible Values: Wsp.udp (default) or Wsp.tcp. Specifies the type of the control-channel used.
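
The section search order described under "Advanced client configuration" and a few of the entries from the table can be checked with a short script. This is an added example, not Microsoft code or part of the Firewall Client software; the function names, the case-insensitive section matching, and the sample file contents are assumptions made for illustration.

```python
import configparser

COMMON = "Common Configuration"
# Constructed sample inputs (not from a real deployment).
WSPCFG = "[Common Configuration]\nDisable=1\n"
MSPCLNT = "[WSP_Client_App]\nDisable=0\nForceProxy=i:172.23.23.23\n"

def _load(text):
    # '=' is the only delimiter, so "i:172.23.23.23" keeps its colon.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _find(cp, name):
    # Assumption: section names are matched case-insensitively.
    for sec in cp.sections():
        if sec.lower() == name.lower():
            return dict(cp[sec])  # configparser lower-cases entry names
    return None

def effective_settings(app_exe, wspcfg_text, mspclnt_text):
    """Return (file, section, settings) for the first section found."""
    app = app_exe[:-4] if app_exe.lower().endswith(".exe") else app_exe
    for fname, text in (("Wspcfg.ini", wspcfg_text), ("Mspclnt.ini", mspclnt_text)):
        if text is None:  # file not present
            continue
        cp = _load(text)
        for name in (app, COMMON):
            settings = _find(cp, name)
            if settings is not None:
                return fname, name, settings  # only this section applies
    return None, None, {}

def audit(app_exe, wspcfg_text, mspclnt_text):
    """List settings that change whether or where the application's traffic goes."""
    src, sec, s = effective_settings(app_exe, wspcfg_text, mspclnt_text)
    findings = []
    if src == "Wspcfg.ini":
        findings.append("settings come from local Wspcfg.ini [%s]" % sec)
    if s.get("disable") == "1":
        findings.append("Firewall service disabled for this application")
    if "forceproxy" in s:
        tag, _, entry = s["forceproxy"].partition(":")
        kind = {"i": "IP address", "n": "name"}.get(tag.lower(), "unknown tag")
        findings.append("forced to ISA Server %s (%s)" % (entry, kind))
    if s.get("forcecredentials") == "1":
        findings.append("uses locally stored alternate credentials")
    return findings
```

With the sample inputs, the [Common Configuration] section in the local Wspcfg.ini is found before the application's own section in Mspclnt.ini, so the server-distributed settings for that application are not applied at all.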