About the Firewall Client

When Microsoft® Firewall Client is installed and enabled on client computers that send requests through Forefront TMG computers, Windows Sockets (Winsock) applications running on these client computers, called Firewall clients, can send requests to remote destinations transparently through the Microsoft Firewall service.

The Firewall Client software includes a dynamic-link library (FwcWsp.dll) that works as a layered service provider (LSP) on top of the original underlying base service provider. All Winsock applications running on a Firewall client use this LSP transparently. When a client application calls a Winsock function, the Firewall Client LSP intercepts the call and determines, based on the arguments specified in the call and the configuration settings provided by the Firewall service, whether the call is local or remote. Local calls are passed to the original base service provider. Remote calls are redirected to the Firewall service.

The Firewall Client LSP communicates with the Firewall service by using a dedicated connection to TCP port 1745, called the Firewall Client control channel. The control channel connection is established the first time that it is needed.

When a Winsock function call is redirected to the proxy, the Firewall Client LSP sends a request through the control channel to the Firewall service and waits for a response. The Firewall service checks the request against the Forefront TMG policy, processes the request on behalf of the client, and returns a reply through the control channel. The reply is then processed by the Firewall Client LSP, and translated to a Winsock error code in case of failure.

The remote Firewall Client software supports basic Winsock 2.0 functionality. However, the following limitations should be noted:

• Overlapped I/O on WSARecvFrom. The Winsock API will work, but for a remote socket, the from address that the application will receive is the address of the Firewall service internal socket. However, using a blocking or non-blocking recvfrom, the application will see the actual from address of the Internet host that originally sent the packet.
• Winsock QoS. Forefront TMG installs an LSP that supports Quality of Service (QoS) requests. However, for connections made through the Firewall service, Resource Reservation Protocol (RSVP) reservations will not pass through the service.
• Winsock Name Service Functions. WSALookupService{Begin/Next/End} are implemented, but only resolve queries that would translate into queries by using the gethostbyname, gethostbyaddr, getservbyport, or getservbyname functions.

You can install Firewall Client software on on client computers that run Microsoft Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP, Windows 2000, Windows NT® 4.0, Windows Millennium Edition (Me), Windows 98, or Windows 95. For more information about installing Firewall Client software, see the Forefront TMG product documentation.

For more information about how Firewall clients send requests to remote destinations, see Firewall Clients.

Send comments about this topic to Microsoft

Build date: 11/30/2009