How to deploy the ISA Server 2004 Firewall Client program (838122)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SUMMARY

You can install the Microsoft Firewall Client program on your client computers by using an unattended command-line installation, by using Group Policy, or both. The files for both procedures are available in the mspclnt share, where the Firewall Client program files are installed. If you configure the Firewall Client installation to automatically detect the ISA Server computer, you must configure auto discovery on the client computers. You must also configure Microsoft Internet Security and Acceleration Server 2004 to publish auto discovery information.

INTRODUCTION

This article describes how to install the Microsoft Internet Security and Acceleration (ISA) Server 2004 Microsoft Firewall Client program on client computers by using a command line or by using Group Policy.


Modify the Microsoft Firewall Client installation share

By default, when you install ISA Server 2004 the Firewall Client program installation files are stored in the following folder location:

C:\Program Files\Microsoft ISA Server\clients

In some scenarios, you may want the Firewall Client program installation files to be located on another computer. To do so, you must perform a custom ISA Server installation. To perform a custom ISA Server installation, follow these steps:
  1. On the computer where you want to store the Firewall Client program installation files, start ISA Server 2004 Setup.
  2. In the Microsoft ISA Server 2004 Installation Wizard, click Next.
  3. Click I accept the terms in the license agreement, and then click Next.
  4. Type your user name and organization in the corresponding boxes, type your product serial number in the Product Serial Number box if applicable, and then click Next.
  5. Click Custom, and then click Next.
  6. Click Firewall Services, click This feature will not be available, click ISA Server Management, click This feature will not be available, click Firewall Client Installation Share, click This feature will be installed on local hard drive, and then click Next.
  7. Click Install, and then click Finish when the installation is completed successfully.

Perform an unattended Firewall Client installation

To install the Firewall Client program from a command line, type the following command:

Path\Setup.exe /v" [SERVER_NAME_OR_IP=NameOfTheIsaServerComputer] [ENABLE_AUTO_DETECT={1 or 0}] [REFRESH_WEB_PROXY={1 or 0}] /qn"

Where:
  • Path is the path of the Firewall Client program installation files, such as:

    \\Servername\mspclnt

  • NameOfTheIsaServerComputer is the name of the ISA Server computer where you want the Firewall client to connect.
  • ENABLE_AUTO_DETECT=1 specifies that the Firewall client automatically detects the ISA Server computer to connect to.
  • REFRESH_WEB_PROXY=1 specifies that the Firewall Client program configuration is updated by the Web Proxy configuration from the ISA Server computer.
For example, you have a scenario where all the following conditions are true:
  • The Firewall Client installation files are located on a server named Computer1 and are shared by using the default share name.
  • You want to specify an ISA Server computer that is named Firewall01.
  • You do not want to use the Web Proxy configuration from the ISA Server computer.
In this scenario, to install the Firewall Client program, type the following command from the client computer, and then press ENTER:

\\computer1\mspclnt\setup /v" SERVER_NAME_OR_IP=Firewall01 ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qn"

Note There is no space between /v and the initial double quotation marks ("). Additionally, you must include a space before /qn at the end of the command line.

If you want to configure the Firewall Client program to automatically detect the ISA Server computer, you must configure Firewall client and Web Proxy client auto discovery in Windows. For additional information about how to do this, see the "Configure auto discovery" section.
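The following PowerShell functions are an added example, not part of the original article or Microsoft's code. They build the /v"..." argument string with the spacing the note above requires, and reject a server name that would break out of the quoted string. The function names New-FwcSetupArguments and Install-FirewallClient are hypothetical, and requiring a server name when auto-detect is off is an assumption of this example.

```powershell
# Added example; function names are hypothetical, not part of ISA Server.
function New-FwcSetupArguments {
    param(
        [string]$IsaServer,               # SERVER_NAME_OR_IP; omitted when empty
        [bool]$AutoDetect = $false,       # ENABLE_AUTO_DETECT
        [bool]$RefreshWebProxy = $false   # REFRESH_WEB_PROXY
    )
    # The value is spliced into the quoted /v"..." string that Setup.exe passes
    # on to Windows Installer, so a space or quote in it would add or break
    # properties. Accept only host-name or IPv4-style characters.
    if ($IsaServer -and $IsaServer -notmatch '\A[A-Za-z0-9][A-Za-z0-9.-]{0,253}\z') {
        throw "Rejected SERVER_NAME_OR_IP value: '$IsaServer'"
    }
    # Assumption of this example: with auto-detect off, a server must be named.
    if (-not $IsaServer -and -not $AutoDetect) {
        throw 'Specify -IsaServer or set -AutoDetect $true.'
    }
    $props = @()
    if ($IsaServer) { $props += "SERVER_NAME_OR_IP=$IsaServer" }
    $props += "ENABLE_AUTO_DETECT=$([int]$AutoDetect)"
    $props += "REFRESH_WEB_PROXY=$([int]$RefreshWebProxy)"
    # No space between /v and the opening quote; one space before /qn.
    return '/v" ' + ($props -join ' ') + ' /qn"'
}

function Install-FirewallClient {
    param(
        [Parameter(Mandatory=$true)][string]$Share,      # e.g. \\computer1\mspclnt
        [Parameter(Mandatory=$true)][string]$Arguments   # from New-FwcSetupArguments
    )
    # Only run Setup.exe from a \\server\share location, never a relative path.
    if ($Share -notmatch '\A\\\\[^\\/:*?"<>|\s]+\\[^\\/:*?"<>|\s]+\z') {
        throw "Not a \\server\share path: $Share"
    }
    $setup = Join-Path $Share 'Setup.exe'
    if (-not (Test-Path -LiteralPath $setup)) { throw "Setup.exe not found: $setup" }
    # A single -ArgumentList string reaches the process as written.
    $p = Start-Process -FilePath $setup -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode   # returned uninterpreted for the caller to log
}

# The article's scenario: share on Computer1, ISA Server computer named Firewall01.
$fwcArgs = New-FwcSetupArguments -IsaServer 'Firewall01'
Write-Output $fwcArgs
# On a client that can reach the share, run:
# Install-FirewallClient -Share '\\computer1\mspclnt' -Arguments $fwcArgs
```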


Install Firewall Client by using Group Policy

To deploy the Firewall Client program by using Group Policy, follow these steps:
  1. Configure the network share for the Firewall Client program installation files. To do this, see the "Modify the Microsoft Firewall Client installation share" section.
  2. Start the Active Directory Users and Computers tool.
  3. Right-click the organizational unit that contains the computers where you want to install the Firewall Client program, and then click Properties.
  4. Click the Group Policy tab, and then click New.
  5. Type a descriptive name for the Group Policy object, and then press ENTER.
  6. If you do not want this policy applied to certain computers, follow these steps:
    1. Click Properties, and then click the Security tab.
    2. Click Add, type the name of the group that contains the computers where you do not want the Firewall Client program installed, and then click Check Names.
    3. When the name is resolved, click OK.
    4. Click the group name that you added, and then click to clear the following two check boxes in the Allow column, and then click OK:

      Read
      Apply Group Policy

  7. Click Edit, expand Computer Configuration, expand Software Settings, right-click Software installation, point to New, and then click Package.
  8. In the File name box, type the Universal Naming Convention (UNC) path of the MS_FWC.msi file, and then click Open. For example, type \\Servername\mspclnt\ms_fwc.msi, and then click Open.

    Note Specify the location of the MS_FWC.msi file by using a UNC path even if this file is stored on the local computer.
  9. Click Assigned, and then click OK.
  10. Quit the Group Policy Object Editor tool, and then click Close.
To configure the Firewall Client program to automatically detect the ISA Server computer, you must configure Firewall client and Web Proxy client auto discovery in Windows. For additional information about how to do this, see the "Configure auto discovery" section.


Configure auto discovery

To configure the Firewall Client program to automatically detect the ISA Server computer, you must configure Firewall client and Web Proxy client auto discovery in Windows. For additional information about how to configure Firewall Client and Web Proxy client auto discovery in Windows, click the following article numbers to view the articles in the Microsoft Knowledge Base:

309814 How to configure Firewall and Web Proxy client autodiscovery in Windows 2000

252898 How to enable Proxy Autodiscovery in Windows 2000

296591 A description of the Automatic Discovery feature

Additionally, you must configure ISA Server 2004 to provide automatic discovery information to Firewall clients and to Web Proxy clients. To do this, follow these steps:
  1. Start the ISA Server Management tool.
  2. Expand ServerName, where ServerName is the name of your ISA Server computer.
  3. Expand Configuration, and then click Networks.
  4. Right-click the network that you want ISA Server to publish auto discovery information about, and then click Properties. For example, right-click Internal, and then click Properties.
  5. Click the Auto Discovery tab, click to select the Publish automatic discovery information check box, and then click OK.
  6. Click Apply to update the firewall policy, and then click OK.



Troubleshooting

  • You cannot assign a different ISA server to each organizational unit.

    You cannot assign a different ISA server to each organizational unit by using the Mspclnt.ini file. This was possible in Microsoft Internet Security and Acceleration Server 2000. If you want to assign a different ISA server to each organizational unit, you must create a Group Policy object for that organizational unit that runs the Setup.exe command from the Mspclnt share. Configure the Setup.exe command to specify the ISA server where you want the Firewall Client program to connect.

    For additional information about the command-line structure to use, see the "Perform an unattended Firewall Client installation" section.
  • The Firewall Client program does not automatically detect the ISA Server computer.

    After you deploy the Firewall Client program, the Firewall Client program may not automatically detect the ISA Server computer if another service listens on the port that ISA Server uses to publish auto discovery information. By default, ISA Server publishes auto discovery information on port 80. If another service such as Microsoft Internet Information Services (IIS) is running on the ISA Server computer, Firewall clients may not be able to obtain auto discovery information. To troubleshoot this issue, temporarily stop other services that listen on port 80.



REFERENCES

For additional information about Group Policy in Microsoft Windows 2000, visit the following Microsoft Web site: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322143 How to administer GPOs in Windows 2000

For additional information about the Firewall Client program, search on "Advanced Firewall Client settings" in ISA Server 2004 Help.


Modification Type: Major
Last Reviewed: 2/17/2006
Keywords: kbHOWTOmaster kbDeployment kbFirewall kbinfo kbhowto KB838122 kbAudITPRO