Deploying Firewall Client software

Microsoft Forefront Threat Management Gateway Firewall clients are computers located in networks protected by Forefront TMG with Firewall Client software installed and enabled. For more information about Firewall clients, see About Firewall clients.

You can install Firewall Client software as follows:

  • Install using an attended or unattended installation on individual client computers.
  • Deploy software to clients from a network share. There are a number of options for centralized deployment:
    • Logon script—A logon script can check whether a computer has Firewall Client software installed. If not, the logon script can install it from a Firewall Client share. Note that the logged-on user must be a member of the Administrators group on the computer.
    • Group Policy—Use Group Policy to install the Firewall Client software per user (when a user logs on) or per computer.
    • Microsoft Systems Management Server (SMS)—Use SMS to ensure that the appropriate computers in your organization have Firewall Client software installed. For more information, see System Center Configuration Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=69032).

Consider carefully which computers require Firewall Client software to be installed, based on your distribution method. The distribution method should check any installed version of the software against the software version on the network share, so that software updates are automatically installed.

Creating a Firewall client share

There are a number of versions of Firewall Client software:

  • A version shipped with Microsoft Internet Security and Acceleration (ISA) Server 2000
  • A version shipped with Microsoft Internet Security and Acceleration (ISA) Server 2004
  • A version shipped with Microsoft Internet Security and Acceleration (ISA) Server 2006 (v.3441.633)
  • The latest version (v. 3442.654 at the time of writing) is available as a Web download from Firewall Client for ISA Server (https://go.microsoft.com/fwlink/?LinkID=82087).

ISA Server 2000 and ISA Server 2004 included the option to install a Firewall Client share during Setup. For more information, see How to install ISA Server hotfixes and updates (https://support.microsoft.com/kb/885957). For later versions, create a share folder manually.

To create a Firewall Client software share manually

  1. On a computer in a corporate network, such as the Internal network, create a folder to host Firewall Client software. The folder should not be on a computer running Forefront TMG.

  2. In Windows Explorer, right-click the folder, and then click Sharing and Security. Select Share this folder, and then configure the share properties. Enabling read permissions is sufficient for this folder and is the most secure configuration. Click OK.

  3. If you want to allow access from other corporate networks or virtual private networks to the share, you must create access rules in Forefront TMG in order to enable the access.

  4. Copy the contents of the Client folder on Forefront TMG to the shared folder. This action requires you to be a member of the Administrators group on the computer.

To install Firewall Client software from the share

  1. On the Firewall client computer, at a command prompt, type Path\Setup, where Path is the path to the shared folder to which you copied the client installation files, in Universal Naming Convention format or as a drive letter (mapped to the shared folder).

  2. Follow the instructions. This action requires you to be a member of the Administrators group on the computer.

Running an unattended installation

Unattended installation from the Web download

Run Setup from the latest Firewall Client Web download as follows:

To run an unattended installation from the Web download

  1. Navigate to the download site, and then select to save the downloaded file (ISACLIENT-KB929556-ENU.EXE).

  2. At a command prompt, type the following:

    ISACLIENT-KB929556-ENU.EXE /C:"setup.exe /Q /P "SERVER_NAME_OR_IP=tmgserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0"""

You can run an unattended installation by using Setup.exe:

To run an unattended installation by using Setup.exe

  1. At a command prompt, type the following:

    setup.exe /w /V"SERVER_NAME_OR_IP=tmgserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qb /L*v c:\fwc_inst.log"

  2. For the latest version of Firewall Client (3442.654), extract Setup.exe from the Web download, and then at a command prompt, type the following:

    setup.exe /Q /P "SERVER_NAME_OR_IP=tmgserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0"

Unattended installation using ms_fwc.msi

If you use a distribution method that requires a Windows Installer (.msi) file, note that the Firewall Client software that shipped with ISA Server 2006 or ISA Server 2004 already includes the following .msi file: ms_fwc.msi.

To deploy the latest version of Firewall Client by using ms_fwc.msi

  1. To extract the ms_fwc.msi file from the Web download, at a command prompt, type the following:

    ISACLIENT-KB929556-ENU.EXE /c /t:c:\FirewallClientFolder

    Where FirewallClientFolder is the name of the folder to which you want to extract the file.

  2. At a command prompt, type the following:

    msiexec /i ms_fwc.msi SERVER_NAME_OR_IP=tmgserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qb /L*v c:\fwc_inst.log
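
The logon-script option and the version check against the share described earlier, combined with the msiexec command above, as an added PowerShell example (not part of the original page or Microsoft's tooling). The share path \\fileserver\FirewallClient and the helper function names are hypothetical, and the script assumes that ms_fwc.msi is Authenticode-signed and that it upgrades older releases when run with /i.

```powershell
# Added example, not Microsoft's script. Assumptions: the share path is a placeholder,
# tmgserver is the page's sample name, and ms_fwc.msi carries an Authenticode signature.
$Msi = '\\fileserver\FirewallClient\ms_fwc.msi'
$wi  = New-Object -ComObject WindowsInstaller.Installer

function Invoke-Com($Obj, [string]$Name, [Reflection.BindingFlags]$Kind, $ComArgs) {
    # Late-bound call into the Windows Installer automation interface.
    $Obj.GetType().InvokeMember($Name, $Kind, $null, $Obj, $ComArgs)
}

function Get-MsiProperty([string]$Path, [string]$Name) {
    # Read one value from the package's Property table without installing it.
    $db   = Invoke-Com $wi 'OpenDatabase' InvokeMethod @($Path, 0)    # 0 = read-only
    $view = Invoke-Com $db 'OpenView' InvokeMethod @("SELECT Value FROM Property WHERE Property = '$Name'")
    Invoke-Com $view 'Execute' InvokeMethod $null | Out-Null
    $rec   = Invoke-Com $view 'Fetch' InvokeMethod $null
    $value = if ($rec) { Invoke-Com $rec 'StringData' GetProperty @(1) }
    Invoke-Com $view 'Close' InvokeMethod $null | Out-Null
    $value
}

function Test-InstallNeeded([version]$ShareVersion, [version[]]$InstalledVersions) {
    # True when nothing is installed or every installed copy is older than the share.
    -not ($InstalledVersions | Where-Object { $_ -ge $ShareVersion })
}

# Refuse to run an installer from the share if its signature does not verify.
if ((Get-AuthenticodeSignature -FilePath $Msi).Status -ne 'Valid') {
    Write-Error "Signature check failed for $Msi; not installing."
    exit 1
}

$upgradeCode  = Get-MsiProperty $Msi 'UpgradeCode'
$shareVersion = Get-MsiProperty $Msi 'ProductVersion'

# Find installed products of the same family, whatever their ProductCode.
$installed = @()
if ($upgradeCode) {
    foreach ($code in (Invoke-Com $wi 'RelatedProducts' GetProperty @($upgradeCode))) {
        $installed += [version](Invoke-Com $wi 'ProductInfo' GetProperty @($code, 'VersionString'))
    }
}

if (Test-InstallNeeded $shareVersion $installed) {
    # Same properties and options as the msiexec command on this page.
    $msiArgs = "/i `"$Msi`" SERVER_NAME_OR_IP=tmgserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qb /L*v c:\fwc_inst.log"
    $p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    exit $p.ExitCode
}
```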

Parameters and command options

The following parameters are used in the commands:

  • Path—Location of the Firewall Client installation file. A value must be specified.
  • SERVER_NAME_OR_IP=tmgserver—Name or IP address of the Forefront TMG computer to which the client computer should connect.
  • ENABLE_AUTO_DETECT—Specify a value of 1 to indicate that the Firewall client computer should automatically detect the Forefront TMG computer to which it should connect. A value of 0 indicates that automatic detection is not enabled on the client.
  • REFRESH_WEB_PROXY—Specify a value of 1 to indicate that the Firewall client configuration should be updated with the Web proxy configuration settings specified in Forefront TMG Management. A value of 0 indicates that the client is not updated.

Command options are as follows:

  • /Q and /qb—Indicate an unattended installation. The /qb option provides a small progress dialog box. Alternatively, you can specify /qn, which provides no progress indicator.
  • /L*v c:\fwc_inst.log—Generates an installation log that may be useful for troubleshooting.

The following Windows Installer options may also be useful:

For more information, see Command-Line Options (https://go.microsoft.com/fwlink/?LinkId=92823) and Command-Line Switches for the Microsoft Windows Installer Tool (https://go.microsoft.com/fwlink/?LinkId=92824).