About Firewall clients

A Firewall client is a computer with Firewall Client software installed and enabled, residing in a network protected by Microsoft Forefront Threat Management Gateway. Firewall Client enables Windows Sockets (Winsock) applications to send requests to remote destinations transparently through the Microsoft Firewall service. Setting up Firewall Client does not configure individual Winsock applications. Instead, a dynamic-link library (FwcWsp.dll) in the Firewall Client software becomes a Winsock layered service provider (LSP) that all Winsock applications use transparently. The Firewall Client LSP intercepts Winsock function calls from client applications and routes requests either to the original underlying base service provider (for local destinations) or transparently to the Firewall service on the Forefront TMG server (for remote destinations). When you install Firewall Client, the following files are installed in the \Program Files\Microsoft Firewall Client 2004 folder:

  • FwcAgent.exe
  • FwcCreds.exe
  • FwcMgmt.exe
  • FwcRes.dll
  • FwcWsp.dll
  • ISAClient.htm

Firewall Client versions

The following versions of Firewall Client have been released:

  • Firewall Client 2000. Released with ISA Server 2000
  • Firewall Client 2004. Released with ISA Server 2004
  • Firewall Client 2006. Released with ISA Server 2006
  • Firewall Client for ISA Server. Provided as a Web download with 32-bit and 64-bit support

The following table summarizes operating system support for Firewall Client software.

Operating system                               | Firewall Client 2000 | Firewall Client 2004 | Firewall Client 2006 | Firewall Client for ISA Server
-----------------------------------------------|----------------------|----------------------|----------------------|-------------------------------
Windows Vista®                                 | Not supported        | Not supported        | Not supported        | Supported
Windows Server 2003 with Service Pack 1 (SP1)  | Supported            | Supported            | Supported            | Supported
Windows XP (all service packs)                 | Supported            | Supported            | Supported            | Supported
Windows 2000 Server                            | Supported            | Supported            | Supported            | Supported
Windows NT® Server 4.0                         | Supported            | Supported            | Supported            | Not supported
Windows Millennium Edition                     | Supported            | Supported            | Supported            | Not supported
Windows 98 (Second Edition)                    | Supported            | Supported            | Supported            | Not supported
Windows 98                                     | Supported            | Not supported        | Not supported        | Not supported
Windows 95                                     | Supported            | Not supported        | Not supported        | Not supported

Encryption control channel

The Firewall Client software provided with ISA Server 2004, ISA Server 2006, and the Web download supports an encrypted TCP control channel that encrypts the Firewall Client credentials sent transparently with each request. This default setting blocks the following client connections to Forefront TMG:

  • Any version of Firewall Client software that was released before Firewall Client for ISA Server 2004.
  • Any version of Firewall Client software installed on computers running Windows NT Server 4.0, Windows Millennium Edition, or Windows 98.

You can turn off this default encryption setting to support connections from these older clients; connections from those clients then send their credentials over an unencrypted control channel.

Handling Firewall Client requests

Requests from clients running Firewall Client software are handled as follows:

  1. When a Winsock application on the client computer tries to resolve a host name, the Firewall client examines the local domain table (LDT).
  2. If the host name suffix is found in the LDT, the client completes name resolution using the Winsock name resolution mechanism. Otherwise, the client requests that Forefront TMG resolve the name.
  3. When Forefront TMG resolves a name on behalf of the client, it uses the DNS settings configured on the adapter associated with the network that receives the client request.
  4. The resolved IP address is returned to the client. If the address is found in the local address table (LAT) or in the Locallat.txt file, the client connects directly. If the address is not found, the Firewall service handles the request on the Forefront TMG computer in accordance with access rules. If the Winsock service has the IP address and no name resolution is required, the above steps are not necessary.
  5. Web requests are handled as follows:
    • Requests from Web proxy applications on Firewall client computers are sent directly to the Web proxy listener.
    • If no Web proxy settings are configured, Web requests from Firewall clients are handled as described above in steps 1 to 4. Traffic is passed to the Web proxy listener on the Forefront TMG server for transparent handling. This is known as transparent network address translation (NAT).

Resolving names

Computers with Firewall Client software installed have per-application settings that specify whether Forefront TMG performs name resolution on behalf of the client. By default, name resolution for requests from Winsock applications running on a Firewall client computer is handled as follows:

  • Names in dotted decimal notation and Internet domain names are sent to the Forefront TMG computer for resolution.
  • Unqualified names are resolved on the local computer.

You can change this default behavior by modifying the NameResolution configuration setting with the following values:

  • NameResolution=L. Use this setting to specify that an application request should be resolved on the local computer.
  • NameResolution=R. Use this setting to specify that an application request should be resolved by the Forefront TMG server.

It may be useful to modify this setting if you want to be sure where name resolution for an application is taking place. You can specify that settings apply to all applications by modifying the setting in the Common.ini file, or for a specific application in the Application.ini file. For more information, see About Firewall client configuration settings.

When domains and computers are configured for direct access, Firewall client computers attempt to resolve the name without going through Forefront TMG. Client computers need a DNS server specified in the TCP/IP parameters so that they can resolve names correctly. In particular, they must be able to resolve the name of published resources to an internal IP address.

If an application has the NameResolution setting set to L or R, that setting overrides any direct access settings. For example, if you set NameResolution=R for FWC_Application.exe, FQDN resolution requests from that application are always handled by Forefront TMG, regardless of any entries in the Common.ini or Application.ini files.
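The request handling in steps 1 to 4 of "Handling Firewall Client requests" and the NameResolution override described in this section, combined into one decision routine. This is an added illustration, not Firewall Client code: the LDT suffixes, LAT ranges, Locallat.txt contents, application names and DNS answers are all constructed, and the LDT lookup is modeled as a plain suffix match.

```python
import ipaddress

# Constructed sample configuration (not from the page): local domain table
# suffixes, LAT ranges, Locallat.txt ranges, and per-application overrides
# as they would be set by NameResolution=L / NameResolution=R.
LDT = ("corp.example", "intranet.example")
LAT = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
LOCALLAT = [ipaddress.ip_network("172.16.5.0/24")]
APP_OVERRIDES = {"fwc_application.exe": "R", "legacy_tool.exe": "L"}

# Constructed stand-in for DNS answers from either the local resolver or TMG.
FAKE_DNS = {"mail.corp.example": "10.1.2.3", "files.corp.example": "10.1.2.4",
            "www.example.net": "203.0.113.10"}

def in_ldt(host):
    """Step 2: the host name suffix is looked up in the local domain table."""
    return any(host.lower().endswith("." + s) for s in LDT)

def resolution_site(app, host):
    """Where the name is resolved: 'local' (Winsock) or 'tmg' (Forefront TMG).
    A NameResolution override for the application wins over every other rule."""
    override = APP_OVERRIDES.get(app.lower())
    if override == "L":
        return "local"
    if override == "R":
        return "tmg"
    # Default: unqualified names and LDT suffixes resolve locally,
    # Internet domain names are sent to Forefront TMG.
    return "local" if "." not in host or in_ldt(host) else "tmg"

def connection_path(ip):
    """Step 4: connect directly when the address is in the LAT or Locallat.txt,
    otherwise hand the request to the Firewall service on the TMG computer."""
    addr = ipaddress.ip_address(ip)
    return "direct" if any(addr in net for net in LAT + LOCALLAT) else "firewall-service"

def route(app, target, resolver=lambda site, host: FAKE_DNS[host]):
    """Full decision for one Winsock request. An IP literal skips resolution
    (last sentence of step 4); otherwise resolve at the chosen site first."""
    try:
        ipaddress.ip_address(target)
        site, ip = None, target
    except ValueError:
        site = resolution_site(app, target)
        ip = resolver(site, target)
    return {"resolved_by": site, "ip": ip, "path": connection_path(ip)}

if __name__ == "__main__":
    print(route("outlook.exe", "www.example.net"))
```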

Authentication

The Firewall client sends user information to the Forefront TMG server with each request. You can use these credentials when creating access rules that apply to specific users and groups. Users must be logged on with an Active Directory® directory service user account. In a workgroup scenario, users must use an account that is mirrored on the Forefront TMG server. When the credentials are sent to the Forefront TMG computer, the user name is recorded in the Forefront TMG Firewall logs, which makes Firewall client traffic easy to track by user.