About the Microsoft Firewall Service

The Microsoft® Firewall service (fwsrv) is a generic, circuit-level proxy for Windows Sockets (Winsock) applications. The Firewall service makes Telnet, e-mail, news, Microsoft Media Player, RealNetworks RealAudio, Internet Relay Chat (IRC), and other Winsock-compatible client applications perform as though they were connected directly to the Internet. The client application makes Winsock application programming interface (API) calls to communicate with an application running on an Internet-based host. The Firewall service redirects the necessary functions to the Forefront TMG computer, thus establishing a communication path from the internal application to the Internet application through the Forefront TMG computer. This redirection eliminates the need for a specific gateway for each protocol, such as Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Telnet, or File Transfer Protocol (FTP). The Firewall service allows applications with no built-in support for a proxy to benefit from proxy service without using the protocols.

The Firewall service runs as a stand-alone service on the Microsoft Windows Server™ 2008 operating system. It establishes gateway connections between the Windows Sockets (Winsock) applications on the client and the Internet host. The local network remains secure, because communication is channeled through the Forefront TMG computer. The Firewall service can be enhanced by using application filters.

You can determine whether the Firewall service is running through the FirewallServiceStatus property of the FPCServer object. The Firewall service can be started by calling the StartFirewallService method, and it can be stopped by calling the StopFirewallService method.

The Firewall service can be stopped manually in Forefront TMG Management, or programmatically using a script. The Firewall service can also be shut down when an event signals an alert (an FPCAlert object) that is configured to shut it down. Whenever the Firewall service shuts down, Forefront TMG enters lockdown mode. Lockdown mode combines the need for isolation with the need to stay connected.

In lockdown mode, the following functionality applies:

• The kernel-mode packet filter driver (fweng) applies the firewall policy.
• Only the following system policy rules continue to allow incoming traffic to the Local Host network:
  • Allow remote management from selected computers using MMC.
  • Allow remote management from selected computers using Terminal Server.
  • Allow DHCP replies from DHCP servers to Forefront TMG.
  • Allow ICMP (PING) requests from selected computers to Forefront TMG.
  • Allow access from trusted servers to the local Configuration Storage server (not supported in Forefront TMG Medium Business Edition).
• Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response, on the same connection.
• VPN remote access clients cannot access Forefront TMG. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
• Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and Forefront TMG exits lockdown mode.
• Forefront TMG does not issue any alerts.

This section contains the following topics:

• The Microsoft Firewall Service and Firewall Clients
• About the Firewall Client
• Application Filters
• About the Web Proxy

Send comments about this topic to Microsoft

Build date: 11/30/2009