About firewall client computers
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
Firewall client computers are internal computers that communicate with the Forefront TMG server, via one of the following clients:
Forefront TMG Client or Firewall client—Client software released with Forefront TMG or previous versions of Internet Security and Acceleration (ISA) Server. Client software is installed and enabled on the client computer.
Tip
To download the Forefront TMG Client from the Microsoft Download Center, go to Forefront Threat Management Gateway (TMG) Client (https://go.microsoft.com/fwlink/?LinkId=186449).
Web proxy client—Any application that complies with the following:
Is CERN-compatible. That is, it understands the correct method for making a Web proxy request.
Provides a means for clients to specify a name (or IP address) and port to be used for Web proxy requests.
For example, a Web browser such as Microsoft Internet Explorer or Mozilla Firefox.
Secure network address translation (SecureNAT) client—No special client or application is installed on the client computer. The client computer’s default gateway is configured with the internal IP address of the Forefront TMG server, so that all Internet traffic is routed through Forefront TMG, as follows:
In a simple network scenario, with no routers between the client computer and the Forefront TMG server, the client computer's default gateway is set to the IP address of the Forefront TMG network in which the client computer is located (usually the internal network).
In a complex network, with routers bridging subnets between the client computer and the Forefront TMG server, the default gateway settings on the last router in the chain should point to Forefront TMG. Optimally, the router should use a default gateway that routes along the shortest path to Forefront TMG. The router should not be configured to discard packets destined for addresses outside the corporate network. Forefront TMG determines how to route the packets.
The following table details the client requirements that will help you choose which clients to deploy in your environment, depending on your deployment scenario and existing network infrastructure.
Feature | Forefront TMG Client/Firewall client | Web proxy client | SecureNAT client |
---|---|---|---|
Installation details |
Forefront TMG Client or other Firewall client software must be installed on the client computer. For deployment and configuration instructions, see Deploying Forefront TMG Client. |
No installation required. For configuration instructions, see Configuring Web proxy clients. |
No installation required. For configuration instructions, see Configuring SecureNAT clients. |
Operating system support |
Windows operating systems. For a detailed list of supported operating systems, see Operating system support and client/server compatibility for Forefront TMG Client and Firewall clients. |
Any platform running a CERN-compatible application. SecureNAT and Firewall clients making requests from such applications also act as Web proxy clients. |
Any operating system that supports TCP/IP can be used. |
Protocol support |
All Winsock applications are supported. |
Supports HTTP, HTTPS, and FTP for download requests. |
Supports all simple protocols. Complex protocols requiring multiple primary or secondary connections require a Forefront TMG application filter. |
User-level authentication |
Automatically sends client credentials to the Forefront TMG server and authenticates if requested. |
Can authenticate if Forefront TMG requests credentials. No credentials are supplied if anonymous access is enabled. |
Cannot present credentials and cannot be authenticated by Forefront TMG. |
Recommendations |
Use when authentication rules in Forefront TMG are required, to improve automatic discovery of Forefront TMG, for user name logging, and for support for secondary protocols. |
Use for user-based Web access through a proxy and for chaining Web requests to upstream proxies. Good performance because Web requests are forwarded directly to Web proxy filter. |
Use for non-Windows clients. Use if support for non-TPC or UDP protocols (such as ICMP or GRE) is required. Configure published non-Web servers as SecureNAT clients if you want to forward the original source IP address of the client to the published server. |
Operating system support and client/server compatibility for Forefront TMG Client and Firewall clients
The following tables summarize the operating system support and client/server compatibility for the Forefront TMG Client, and for Firewall client software that was released with previous ISA Server versions.
Operating system support
The following table summarizes the operating system support for Forefront TMG Client and Firewall client software.
Operating system | Forefront TMG Client | Firewall Client 2006 (including Vista hotfix) | Firewall Client 2004 |
---|---|---|---|
Windows® 7/Windows Server 2008 R2 |
Supported |
Supported |
Not supported |
Windows Vista Service Pack 2 |
Supported |
Supported |
Not supported |
Windows Server 2003 R2 |
Supported |
Not supported |
Not supported |
Windows Server 2003 with Service Pack 2 |
Supported |
Supported |
Supported |
Windows XP Service Pack 3 |
Supported |
Supported |
Supported |
Client/server compatibility
The following table summarizes compatibility between Forefront TMG and ISA servers, and Forefront TMG and ISA clients.
Forefront TMG server | ISA Server 2006 | ISA Server 2004 | ISA Server 2000 | |
---|---|---|---|---|
Forefront TMG Client |
Supported |
Supported |
Supported |
Not supported |
Firewall Client 2006 |
Supported |
Supported |
Supported |
Supported |
Firewall Client 2004 |
Supported |
Supported |
Supported |
Supported |
Firewall Client 2000 |
Not supported |
Supported |
Supported |
Supported |
Note
Using the Forefront TMG Client on a computer connected to ISA Server via Virtual Private Network (VPN) may lead to connectivity problems. Specifically, the client will not be able to establish IPsec connectivity with computers on the internal network. To solve this problem, do one of the following:
- Disable Firewall Client for ISA Server on client computers.
- Connect the client to an alternative ISA Server computer that is not acting as the VPN gateway for remote client connections.
Related Topics
Concepts
Configuring client computers
Installation design guide for Forefront TMG