Firewall client computers are internal computers that communicate with the Forefront TMG server, via one of the following clients:
- Forefront TMG Client or Firewall client—Client software released with Forefront TMG or previous versions of Internet Security and Acceleration (ISA) Server. Client software is installed and enabled on the client computer.
- Web proxy client—Any application that complies with the following:
  - Is CERN-compatible. That is, it understands the correct method for making a Web proxy request.
  - Provides a means for clients to specify a name (or IP address) and port to be used for Web proxy requests.
- Secure network address translation (SecureNAT) client—No special client or application is installed on the client computer. The client computer’s default gateway is configured with the internal IP address of the Forefront TMG server, so that all Internet traffic is routed through Forefront TMG, as follows:
  - In a simple network scenario, with no routers between the client computer and the Forefront TMG server, the client computer's default gateway is set to the IP address of the Forefront TMG network in which the client computer is located (usually the internal network).
  - In a complex network, with routers bridging subnets between the client computer and the Forefront TMG server, the default gateway settings on the last router in the chain should point to Forefront TMG. Optimally, the router should use a default gateway that routes along the shortest path to Forefront TMG. The router should not be configured to discard packets destined for addresses outside the corporate network. Forefront TMG determines how to route the packets.
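The difference between a Web proxy request and a request that is simply routed through the default gateway is visible in the HTTP request line. The following is an added example, not part of the Forefront TMG documentation or product code: it classifies a raw request by the standard HTTP request-target forms and reports whether proxy credentials were offered. The function name, result keys and sample requests are constructed for illustration.

```python
# Added example: classify a raw HTTP request by its request-target form.
# classify_request() and SAMPLES are constructed names, not a Forefront TMG API.
from urllib.parse import urlsplit

def classify_request(raw: bytes) -> dict:
    """Return the request form and whether proxy credentials were offered."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # authority-form (host:port): asks a proxy to open a tunnel, e.g. for HTTPS
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        form, dest = "proxy-connect", (host, int(port))
    elif target.startswith("/") or target == "*":
        # origin-form: the application is not configured with a proxy name and port
        form, dest = "direct", (headers.get("host", ""), None)
    else:
        # absolute-form: the CERN-style Web proxy request (full URL in the request line)
        url = urlsplit(target)
        if url.scheme not in ("http", "https", "ftp") or not url.hostname:
            raise ValueError("unsupported absolute request target")
        form, dest = "proxy-absolute", (url.hostname, url.port)
    return {
        "form": form,
        "destination": dest,
        "is_web_proxy_request": form.startswith("proxy-"),
        "offers_credentials": "proxy-authorization" in headers,
    }

# Constructed sample requests (the credential is base64 of "demo:demo").
SAMPLES = {
    "proxy": b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n"
             b"Proxy-Authorization: Basic ZGVtbzpkZW1v\r\n\r\n",
    "tunnel": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "routed": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
}
```
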
The following table details the client requirements that will help you choose which clients to deploy in your environment, depending on your deployment scenario and existing network infrastructure.
Feature | Forefront TMG Client/Firewall client | Web proxy client | SecureNAT client |
---|---|---|---|
Installation details | Forefront TMG Client or other Firewall client software must be installed on the client computer. For deployment and configuration instructions, see Deploying Forefront TMG Client. | No installation required. For configuration instructions, see Configuring Web proxy clients. | No installation required. For configuration instructions, see Configuring SecureNAT clients. |
Operating system support | Windows operating systems. For a detailed list of supported operating systems, see Operating system support and client/server compatibility for Forefront TMG Client and Firewall clients. | Any platform running a CERN-compatible application. SecureNAT and Firewall clients making requests from such applications also act as Web proxy clients. | Any operating system that supports TCP/IP can be used. |
Protocol support | All Winsock applications are supported. | Supports HTTP, HTTPS, and FTP for download requests. | Supports all simple protocols. Complex protocols requiring multiple primary or secondary connections require a Forefront TMG application filter. |
User-level authentication | Automatically sends client credentials to the Forefront TMG server and authenticates if requested. | Can authenticate if Forefront TMG requests credentials. No credentials are supplied if anonymous access is enabled. | Cannot present credentials and cannot be authenticated by Forefront TMG. |
Recommendations | Use when authentication rules in Forefront TMG are required, to improve automatic discovery of Forefront TMG, for user name logging, and for support for secondary protocols. | Use for user-based Web access through a proxy and for chaining Web requests to upstream proxies. Good performance because Web requests are forwarded directly to Web proxy filter. | Use for non-Windows clients. Use if support for non-TCP or UDP protocols (such as ICMP or GRE) is required. Configure published non-Web servers as SecureNAT clients if you want to forward the original source IP address of the client to the published server. |
Operating system support and client/server compatibility for Forefront TMG Client and Firewall clients
The following tables summarize the operating system support and client/server compatibility for the Forefront TMG Client, and for Firewall client software that was released with previous ISA Server versions.
Operating system support
The following table summarizes the operating system support for Forefront TMG Client and Firewall client software.
Operating system | Forefront TMG Client | Firewall Client 2006 (including Vista hotfix) | Firewall Client 2004 |
---|---|---|---|
Windows® 7/Windows Server 2008 R2 | Supported | Supported | Not supported |
Windows Vista Service Pack 2 | Supported | Supported | Not supported |
Windows Server 2003 with Service Pack 2 | Supported | Supported | Supported |
Windows XP Service Pack 3 | Supported | Supported | Supported |
Client/server compatibility
The following table summarizes compatibility between Forefront TMG and ISA servers, and Forefront TMG and ISA clients.
Client | Forefront TMG server | ISA Server 2006 | ISA Server 2004 | ISA Server 2000 |
---|---|---|---|---|
Forefront TMG Client | Supported | Supported | Supported | Not supported |
Firewall Client 2006 | Supported | Supported | Supported | Supported |
Firewall Client 2004 | Supported | Supported | Supported | Supported |
Firewall Client 2000 | Not supported | Supported | Supported | Supported |