About Firewall client configuration settings

Microsoft Forefront Threat Management Gateway Firewall clients are computers with Firewall Client software installed and enabled that reside in networks protected by Forefront TMG. Firewall Client software intercepts Winsock calls from client applications and sends requests that are not considered local to the Firewall service on Forefront TMG. On the Forefront TMG server, the Firewall service handles these requests in accordance with firewall policy and authentication requirements.  

The following configuration settings can be specified on the Forefront TMG server and applied to Firewall client computers:

  • Global settings that apply to all Firewall clients. Settings include allowing non-encrypted connections to support legacy versions of Firewall Client software and application settings that specify how Firewall Client software behaves with specific applications.
  • Network-specific settings that apply to Firewall clients located in a specific network. Settings include configuring the network to listen for Firewall client requests, specifying Web proxy settings for Firewall clients on the network, and configuring a local domain table (LDT) with a list of local addresses that Firewall clients access without going through Forefront TMG.

Firewall client global configuration settings

The following table summarizes settings that are specified in the Forefront TMG Management console and applied to all Firewall clients.

Setting Details

Allow non-encrypted Firewall client connections

Allows non-encrypted connections to support Firewall Client versions earlier than Firewall Client for ISA Server 2004 or to enable Firewall clients running on Windows NT 4.0, Windows Me, or Windows 98 to connect.

When you select this option, non-encrypted traffic from authenticated users will not be blocked. Because the channel is not encrypted, whatever a legacy client sends over it, including its authentication exchange, crosses the internal network in the clear; leave this option disabled unless legacy clients are still present. Note that users are only authenticated if firewall policy rules specifically require authentication. For configuration instructions, see Allowing an unencrypted channel for legacy Firewall clients.

Application Settings

Application settings consist of {key, value} pairs that specify how the Firewall Client software behaves with a specific application. For configuration instructions, see Configuring application settings for firewall client requests.

Firewall client network settings

The following table summarizes settings that are specified for a Forefront TMG network and applied to all Firewall clients located in that network.

Setting Details

Enable Firewall client support for this network

Enables a specific network to listen for requests from Firewall clients on port 1745. For configuration instructions, see Enabling a network to receive firewall client requests.

Name

For a specific network, specifies the fully qualified domain name (FQDN) of the Forefront TMG computer for Firewall clients. Ensure that there is a DNS entry available for clients to resolve this name. If there is no DNS server available, an IP address is required.

Use a Web proxy server

Indicates that Firewall clients in the network should use the specified server as a Web proxy if Web browser automatic configuration is enabled.

Automatically detect settings

Indicates that the Web browser on Firewall client computers in the network should automatically detect Web proxy settings.

Use automatic configuration script

Specifies that the Web browser on Firewall client computers in the network should obtain settings from a configuration file. The Forefront TMG default configuration file holds information about the proxy server that should be used for the URL request and for the settings specified on the Web Browser tab and the Domains tab. For configuration instructions, see Enabling a network to receive firewall client requests.

Configuration files

Firewall Client settings are located in the following files on the Firewall client computer:

  • Management.ini.
  • Common.ini.
  • Application.ini.

Common.ini

The Common.ini file specifies configuration settings that apply to all applications. The following is an example of a typical Common.ini file:

[Common]
ServerName=ISA_1
Disable=0
Autodetection=0

Management.ini

This file contains Firewall Client configuration settings. The following is an example of a typical Management.ini file:

[WebBrowser]
EnableWebProxyAutoConfig=1

Application.ini

This file can be created on the client computer with configuration settings for a specific Winsock application. The following is an example of an Application.ini file for an application named Fw_Client_app.exe:

[fw_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:100.52.144.103, 82:110.51.0.0
Persistent=1
ForceCredentials=1
NameResolutionForLocalHost=L
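The following Python script is an added illustration, not part of the Firewall Client software or of the original page. It parses the Application.ini sample above and applies the NameResolution, LocalBind/RemoteBind/ServerBind, ProxyBindIp and DontRemoteOutbound rules described in the key table later on this page to decide where a name lookup, a bind, or an outbound connect lands. The second section, hypothetical_backup_agent, is constructed for this example to exercise the DontRemoteOutbound keys, which the page's sample file does not use. Where the table gives no default (a port that appears in none of the bind keys), the script reports "unspecified" rather than guessing.

```python
import configparser
import ipaddress

# Constructed copy of the page's Application.ini plus one hypothetical section
# (hypothetical_backup_agent) added to exercise the DontRemoteOutbound* keys.
APPLICATION_INI = """\
[fw_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:100.52.144.103, 82:110.51.0.0
Persistent=1
ForceCredentials=1
NameResolutionForLocalHost=L

[hypothetical_backup_agent]
DontRemoteOutboundTcpPorts=135, 139, 445
DontRemoteOutboundUdpPorts=137-138
"""


def parse_port_list(spec):
    """Expand a port list such as '7000-7022, 7100-7170' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"invalid port or range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_proxy_bind_ip(spec):
    """Parse 'port:ip, port:ip' into {port: ip_address}; a bad address raises ValueError."""
    mapping = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        port, _, addr = item.partition(":")
        mapping[int(port)] = ipaddress.ip_address(addr.strip())
    return mapping


class AppSettings:
    """Typed view of one [application] section of Application.ini."""

    def __init__(self, section):
        def g(key):
            return section.get(key, "")   # option lookup is case-insensitive
        self.disabled = g("Disable") == "1"
        self.name_resolution = g("NameResolution").upper()
        self.local_bind = {"tcp": parse_port_list(g("LocalBindTcpPorts")),
                           "udp": parse_port_list(g("LocalBindUdpPorts"))}
        self.remote_bind = {"tcp": parse_port_list(g("RemoteBindTcpPorts")),
                            "udp": parse_port_list(g("RemoteBindUdpPorts"))}
        self.dont_remote = {"tcp": parse_port_list(g("DontRemoteOutboundTcpPorts")),
                            "udp": parse_port_list(g("DontRemoteOutboundUdpPorts"))}
        self.server_bind_tcp = parse_port_list(g("ServerBindTcpPorts"))
        self.proxy_bind_ip = parse_proxy_bind_ip(g("ProxyBindIp"))

    def resolves_at(self, hostname):
        """Where gethostbyname(hostname) is answered: 'tmg' or 'local'.
        R: everything on TMG; L: everything local; default: only dotted names on TMG."""
        if self.name_resolution == "R":
            return "tmg"
        if self.name_resolution == "L":
            return "local"
        return "tmg" if "." in hostname else "local"

    def bind_target(self, proto, port):
        """Where a bind() on proto/port lands: 'local', 'tmg', 'tmg:<ip>' (ProxyBindIp),
        or 'unspecified' when no key mentions the port (the page gives no default)."""
        if port in self.local_bind[proto]:
            return "local"
        on_tmg = (port in self.remote_bind[proto]
                  or (proto == "tcp" and port in self.server_bind_tcp)
                  or port in self.proxy_bind_ip)
        if on_tmg:
            addr = self.proxy_bind_ip.get(port)
            return f"tmg:{addr}" if addr else "tmg"
        return "unspecified"

    def connect_remoted(self, proto, port):
        """False when Disable=1 or DontRemoteOutbound* keeps the connect off the TMG channel."""
        return not self.disabled and port not in self.dont_remote[proto]


def load_app_settings(ini_text):
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {name: AppSettings(cp[name]) for name in cp.sections()}


if __name__ == "__main__":
    apps = load_app_settings(APPLICATION_INI)
    app, agent = apps["fw_Client_App"], apps["hypothetical_backup_agent"]
    print(app.bind_target("udp", 7105), app.bind_target("tcp", 80), app.resolves_at("intranet"))
    print(agent.connect_remoted("tcp", 445), agent.connect_remoted("tcp", 443))
```

The checks in parse_port_list matter in practice: a malformed range in a hand-edited Application.ini is easier to catch with a parser that refuses it than by watching the application fail to bind.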

Configuration files location

The location of the configuration files on the client computer depends on the operating system. For example, on Windows XP computers, the files are copied to two locations:

  • \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004
  • \Documents and Settings\username\Local Settings\Application Data\Microsoft\Firewall Client 2004

On Windows Vista computers, the files are copied to the following locations:

  • \Users\All Users\Microsoft\Firewall Client 2004
  • \Users\username\AppData\Local\Microsoft\Firewall Client 2004

Configuring Firewall client settings

Configuration settings specified in the Forefront TMG Management console are delivered to the client configuration files as follows:

  • During Firewall client installation.
  • Each time a client computer is restarted.
  • When a manual refresh is triggered on the client computer.
  • Every six hours after an initial refresh is made.

In addition, you can manually modify configuration files on the client computer. When modifications are made, the following order of preference is applied:

  • The .ini files in the folder of a specific user take precedence.
  • Firewall Client looks next in the All Users folder. If a configuration setting is specified that contradicts the user-specific settings, it is ignored.
  • Firewall Client then detects the Forefront TMG to which it should connect, in accordance with the settings specified in the Firewall Client Management dialog box.
  • Firewall Client examines the server-level settings. Any configuration settings specified in Forefront TMG are applied. If a configuration setting is specified that contradicts the user-specific or computer-specific settings, it is ignored.
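To make the order of preference concrete, the following Python script is an added example (not Microsoft code and not part of the original page). It merges three constructed layers, the per-user folder, the All Users folder, and the settings delivered from Forefront TMG, so that a lower layer never overrides a key already set by a higher one, and records which layer each effective value came from. The .ini contents are constructed for this example; the server layer deliberately includes ServerName so the script can show that a key the table below marks as client-only is dropped when it arrives from the server.

```python
import configparser

# Constructed sample layers (not files read from a real client). Highest precedence first.
USER_INI = """\
[Common]
Disable=1

[fw_Client_App]
NameResolution=L
"""

ALL_USERS_INI = """\
[Common]
ServerName=ISA_1
Disable=0
Autodetection=0

[WebBrowser]
EnableWebProxyAutoConfig=1

[fw_Client_App]
NameResolution=R
LocalBindTcpPorts=7777
"""

# What Forefront TMG pushes at install, restart, manual refresh and every six hours.
# ServerName is included on purpose: it is client-only and must be ignored here.
SERVER_PUSH_INI = """\
[Common]
ServerName=tmg.corp.example
Disable=0

[fw_Client_App]
LocalBindTcpPorts=8888
RemoteBindTcpPorts=30
Persistent=1
"""

# Keys the table marks "Can only be set on a Firewall client computer" (lowercased,
# because configparser lowercases option names).
CLIENT_ONLY_KEYS = {"servername", "autodetection", "forcecredentials"}


def parse_layer(text):
    """Return {section: {key: value}} for one .ini layer."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_layers(layers):
    """layers: list of (label, {section: {key: value}}) in precedence order, highest first.
    Returns {section: {key: (value, label)}}; setdefault() makes a lower layer lose to
    any higher layer that already set the key, which is the rule described above."""
    merged = {}
    for label, layer in layers:
        for section, options in layer.items():
            target = merged.setdefault(section, {})
            for key, value in options.items():
                if label == "server" and key in CLIENT_ONLY_KEYS:
                    continue   # the server may not set client-only keys
                target.setdefault(key, (value, label))
    return merged


def build_layers():
    return [("user", parse_layer(USER_INI)),
            ("all_users", parse_layer(ALL_USERS_INI)),
            ("server", parse_layer(SERVER_PUSH_INI))]


def effective(layers, section, key):
    """(value, source_layer) for one key, or None if nothing sets it."""
    return merge_layers(layers).get(section, {}).get(key.lower())


if __name__ == "__main__":
    layers = build_layers()
    for section, options in merge_layers(layers).items():
        for key, (value, source) in options.items():
            print(f"[{section}] {key}={value}   (from {source})")
```

Reading the provenance column is the quickest way to explain a client that ignores a console change: if the key shows up as coming from the user or All Users folder, a local edit is shadowing the server-delivered value.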

Modifying application settings

Application settings can be modified in Forefront TMG Management to apply to all Firewall clients, or on a specific client computer. On client computers, you either modify the Common.ini file to apply a setting to all applications, or you create an Application.ini file to apply configuration settings for a specific application. The following table lists the entries that you can include when configuring application settings.

Keys Value

ServerName

Specifies the name of the Forefront TMG computer to which the Firewall client should connect. (Can only be set on a Firewall client computer.)

Disable

Possible values: 0 or 1. When the value is set to 1, the Firewall Client application is disabled for the specific client application, except when the Firewall Client configuration explicitly exempts the process initiating traffic.

DisableEx

Possible values: 0 or 1. When the value is set to 1, the Firewall Client application is disabled for the specific client application. Applies to Firewall Client for Forefront TMG. When set, overrides the Disable setting. For example, for svchost, DisableEx is enabled by default.

Autodetection

Possible values: 0 or 1. When the value is set to 1, the Firewall Client application automatically finds the Forefront TMG computer to which it should connect. (Can only be set on a Firewall client computer.)

NameResolution

Possible values: L or R. By default, dotted domain names are redirected to the Forefront TMG computer for name resolution, and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the Forefront TMG computer for resolution. When the value is set to L, all names are resolved on the local computer.

LocalBindTcpPorts

Specifies a TCP port, list, or range that is bound locally.

LocalBindUdpPorts

Specifies a UDP port, list, or range that is bound locally.

DontRemoteOutboundTcpPorts

Specifies an outbound TCP port, list, or range that will not be connected through Forefront TMG (connect requests to these ports are not sent to Forefront TMG). Use this entry to specify the ports on which clients should not communicate with Forefront TMG. This is useful for keeping worm-style traffic on the Internal network, which spreads by probing a fixed port at random addresses, from being relayed through the firewall.

DontRemoteOutboundUdpPorts

Specifies an outbound UDP port, list, or range that will not be sent through Forefront TMG; the UDP counterpart of DontRemoteOutboundTcpPorts.

RemoteBindTcpPorts

Specifies a TCP port, list, or range that is bound remotely.

RemoteBindUdpPorts

Specifies a UDP port, list, or range that is bound remotely.

ProxyBindIP

Specifies an IP address or list that is used when binding with a corresponding port. Use this entry when multiple servers that use the same port need to bind to the same port on different IP addresses on the Forefront TMG computer. The syntax of the entry is:

ProxyBindIp=[port]:[IP address], [port]:[IP address] 

The port numbers apply to both TCP and UDP ports.

ServerBindTcpPorts

Specifies a TCP port, list, or range for all ports that should accept more than one connection.

Persistent

Possible values: 0 or 1. When the value is set to 1, a specific server state can be maintained on the Forefront TMG computer if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets upon server restart.

ForceCredentials

Used when running a Windows service or server application, such as a Firewall Client application. When the value is set to 1, it forces the use of alternate user authentication credentials that are stored locally on the computer that is running the service. The user credentials are stored on the client computer using the FwcCreds.exe application that is provided with the Firewall Client software. User credentials must reference a user account that can be authenticated by Forefront TMG, either local to Forefront TMG or in a domain trusted by Forefront TMG. The user account is normally set not to expire. Otherwise, user credentials need to be renewed each time the account expires. (Can only be set on a Firewall client computer.)

NameResolutionForLocalHost

Possible values: L (default), P, or E. Used to specify how the local (client) computer name is resolved when the gethostbyname API is called.

The LocalHost computer name is resolved by calling the Winsock API function gethostbyname() using the LocalHost string, an empty string, or a NULL string pointer. Winsock applications call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server.

When this option is set to L, gethostbyname() returns the IP addresses of the local host computer. When this option is set to P, gethostbyname() returns the IP addresses of the Forefront TMG computer. When this option is set to E, gethostbyname() returns only the external IP addresses of the Forefront TMG computer—those IP addresses that are not in the local address table.

ControlChannel

Possible values: Wsp.udp or Wsp.tcp (default). Specifies the type of control channel used.

EnableRouteMode

Possible values: 0 or 1 (default). When EnableRouteMode is set to 1 and a route relationship is configured between the Firewall client computer and the requested destination, the IP address of the Firewall client is used as the source address. When the value is set to 0, the IP address of the Forefront TMG computer is used.

This flag does not apply to older versions of Firewall Client.