Firewall Clients

A Firewall client is a computer with Firewall Client software installed and enabled. Windows Sockets (Winsock) applications running on Firewall clients can send requests to remote destinations transparently through the Microsoft Firewall service of Forefront TMG. Setting up Firewall Client does not configure individual Winsock applications. Instead, a dynamic-link library (FwcWsp.dll) in the Firewall Client software becomes a Winsock layered service provider (LSP) that all Winsock applications use transparently. This way, the Firewall Client LSP can intercept Winsock function calls from client applications and then route a request to the original underlying base service provider if the destination is local or to the Firewall service on a Forefront TMG computer if the destination is remote.

When you install Firewall Client on a client computer, the following files are installed in the \Program Files\Microsoft Firewall Client folder:

You can install Firewall Client software on client computers that run Windows Server 2008, Windows Vista, Windows Server 2003, Windows 2000 Server, Windows NT Server 4.0, Windows XP, Windows Millennium Edition, Windows 98, or Windows 95 operating systems. For more information about installing Firewall Client software, see the Forefront TMG product documentation.

Firewall clients are supported only if the Firewall service is running.

Settings Defined for Firewall Clients

If a network (an FPCNetwork object) is configured to support Firewall clients (its EnableFirewallClients property is set to True), Forefront TMG will accept requests from Firewall clients in that network on TCP port 1745. In addition, Forefront TMG will supply the set of IP address ranges included in the network to all Firewall clients residing in the network. These IP address ranges are stored in memory by the Firewall Client Agent service (FwcAgent) on the Firewall clients as a table of IP address ranges called the local address table (LAT). Each Firewall client recognizes all IP addresses included in the LAT and the IP addresses specified in its own routing table as being local.

A custom version of the LAT containing additional IP address ranges can also be created in a file named Locallat.txt, which may be stored locally on each Firewall client in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client folder. In this file, each IP address range is represented by a pair of IP addresses even if the range includes a single IP address. The Firewall clients will also recognize these additional IP address ranges as part of the local network.

Whenever a Winsock application running on a Firewall client attempts to send a request to a computer, the Firewall Client LSP determines whether the destination IP address can be regarded as a local destination. If the destination is local, the Firewall client sends the request directly to the destination computer. If the destination is not local, the request is sent to the Firewall service on a Forefront TMG computer. The Firewall service handles the request, forwarding it to the appropriate destination, as permitted. The Firewall Client software can transparently send user credentials to the Forefront TMG computer for authentication purposes.
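An added example (not code from the Forefront TMG product or its documentation) of the local-versus-remote decision described above: it parses a constructed Locallat.txt, combines it with a constructed server-supplied LAT and routing-table entries, and reports whether a destination would be reached directly or through the Firewall service control channel on port 1745. The whitespace-separated "start end" layout of Locallat.txt lines and the ';' comment marker are assumptions.

```python
import ipaddress

# Constructed sample of Locallat.txt: one range per line as a pair of addresses,
# even when the range is a single address (layout is an assumption).
LOCALLAT_TXT = """\
; constructed sample
10.0.0.0 10.255.255.255
192.168.50.7 192.168.50.7
"""

# Constructed sample of the LAT a Forefront TMG array supplies to FwcAgent.
SERVER_LAT = [("192.168.0.0", "192.168.0.255")]

# Constructed sample of networks present in the client's own routing table.
ROUTING_TABLE = [ipaddress.ip_network("172.16.8.0/24")]


def parse_locallat(text):
    """Turn Locallat.txt lines into (start, end) IPv4Address pairs."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected two addresses")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"line {lineno}: end precedes start")
        ranges.append((start, end))
    return ranges


def build_lat(server_lat, locallat_text):
    """Server-supplied LAT plus the extra ranges from Locallat.txt."""
    lat = [(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)) for s, e in server_lat]
    return lat + parse_locallat(locallat_text)


def is_local(dest, lat, routing_table):
    """Local if inside any LAT range or any routing-table network."""
    ip = ipaddress.IPv4Address(dest)
    if any(start <= ip <= end for start, end in lat):
        return True
    return any(ip in net for net in routing_table)


def route_for(dest, lat=None, routing_table=ROUTING_TABLE):
    """'direct' for local destinations, otherwise via the Firewall service."""
    lat = build_lat(SERVER_LAT, LOCALLAT_TXT) if lat is None else lat
    return "direct" if is_local(dest, lat, routing_table) else "firewall-service:1745"
```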

The configuration settings supplied by a Forefront TMG computer to Firewall clients include settings that apply to specific client applications. These settings are defined in FPCClientSettingsSection objects. Firewall Client settings sections contain entries that are defined by a key and a value to which the key is set. The Name property of a settings section specifies the client application to which its entries apply. This property can be set to the name of the applicable binary file without the file extension or to a wildcard character, an asterisk (*). A settings section whose Name property is set to * applies to all applications. Settings sections that apply to all applications may contain entries only for the DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts keys. When the Firewall Client software is installed, the Firewall client application settings are provided to the Firewall Client Agent service (FwcAgent) on Firewall clients together with the name or IP address of the Forefront TMG computer or array to use, the set of IP address ranges included in the local network (the local address table or LAT), the automatic discovery settings for Web browsers, and the name or IP address of the Web proxy that Web browsers are to use. These settings are updated each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Microsoft Firewall Client for Forefront TMG dialog box, and every six hours after the previous refresh. Note that whenever these settings are updated, the settings for Web browsers are applied to Internet Explorer.

Web browsers, such as Internet Explorer, running on Firewall clients that use the Microsoft Win32® Internet application programming interface (API), WinInet, can contact the Forefront TMG computer to obtain the set of IP address ranges defined in the DirectIPDestinations property of the FPCClientAutoScript object that Web browsers configured to use the default automatic configuration script are to access directly, the set of domain names of destinations defined in the DirectAddressDestinations property of the FPCClientAutoScript object that Web browsers configured to use the default automatic configuration script are to access directly (the local domain table or LDT), and the backup route that should be used to access the Internet when the primary route is unavailable.

Additional local settings that apply to all users are stored in the Application.ini, Common.ini, and Management.ini files in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client folder. The Common.ini and Management.ini files in this folder are created automatically when Firewall Client is installed. Additional user-specific local settings are stored in the Application.ini, Common.ini, and Management.ini files in the \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client folder for the applicable user. The settings for the specific user take precedence over the settings for all users, and the local settings take precedence over the settings supplied by the Forefront TMG computer. Note that the Mspclnt.ini file created for ISA Server 2000 Firewall clients is not created for Forefront TMG Firewall clients.
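An added example (not code from the Forefront TMG product or its documentation) of the precedence rules above: server-supplied settings are overridden by the all-users local files, which are overridden by the user-specific files, and the "*" section is checked to contain only the DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts keys. Modelling every layer as INI text with one section per application name, and falling back from an application's own section to "*" on lookup, are assumptions; the sample contents are constructed.

```python
import configparser

WILDCARD_KEYS = {"DontRemoteOutboundTcpPorts", "DontRemoteOutboundUdpPorts"}

# Constructed samples of the three layers (lowest to highest precedence).
SERVER_SUPPLIED = """\
[*]
DontRemoteOutboundTcpPorts=25
[ftp]
DontRemoteOutboundTcpPorts=21
"""
ALL_USERS_INI = """\
[*]
DontRemoteOutboundTcpPorts=25,1433
"""
PER_USER_INI = """\
[ftp]
DontRemoteOutboundTcpPorts=21,2121
"""
# Constructed invalid layer: "*" carries a key that is not permitted there.
BAD_INI = "[*]\nExampleOnlyKey=1\n"


def load(ini_text):
    """Parse one settings layer into {section_name: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str          # keep key names exactly as written
    cp.read_string(ini_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def invalid_wildcard_keys(settings):
    """Keys in the '*' section that the all-applications section may not hold."""
    return sorted(set(settings.get("*", {})) - WILDCARD_KEYS)


def merge(*layers):
    """Later layers win per key: server-supplied < all users < current user."""
    merged = {}
    for layer in layers:
        bad = invalid_wildcard_keys(layer)
        if bad:
            raise ValueError(f"'*' section may not contain {bad}")
        for section, entries in layer.items():
            merged.setdefault(section, {}).update(entries)
    return merged


def lookup(settings, app, key):
    """Application-specific section first, then '*' (fallback is an assumption)."""
    for section in (app, "*"):
        if key in settings.get(section, {}):
            return settings[section][key]
    return None


def effective_settings():
    return merge(load(SERVER_SUPPLIED), load(ALL_USERS_INI), load(PER_USER_INI))
```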

Remoted Connections

When a Winsock application running on a Firewall client calls the Winsock socket and connect functions to create a socket and request a connection to a specific IP address and port on a server in the External network, the Firewall Client LSP intercepts the call and establishes a connection over the dedicated control channel to port 1745 on the Forefront TMG computer. This control channel is used for sending notifications to the Firewall service and passing information back to the Firewall client. The Firewall service calls the socket function twice, once to create a socket that will be used to establish a connection between the Forefront TMG computer and the external server for sending the connection request and once to create a socket that will listen for connection attempts in the network where the Firewall client resides (typically the Internal network). Then the Firewall service calls the Winsock bind and listen functions to instruct the latter socket to listen for connection attempts from the Firewall client. Next, the Firewall Client LSP attempts to establish a connection between the socket that was originally used by the Winsock application and the Forefront TMG computer. When this connection attempt arrives at the listening socket, the Winsock accept function is called to create a new socket that is used to establish a connection for sending and receiving data. The Firewall service then calls the connect function on the socket in the External network to establish a connection with the external server. These two connections form a transparent communication channel between the client computer and the external server.

If the Winsock application needs to send a request to the external server to return data to a specific IP address and port over an incoming secondary connection, it creates a new socket on the client computer and calls the Winsock getsockname function on this socket to query Winsock for its IP address and port. This call is intercepted by the Firewall Client LSP, which communicates with the Forefront TMG computer over the control channel and returns the IP address and port of a new socket that is created on the External network adapter of the Forefront TMG computer. The Winsock application calls the bind function to associate the local socket with the remote IP address and port returned in the call to the getsockname function or with the remote IP address returned in the call to getsockname and port 0. When port 0 is used in the call to the bind function, a random port number is assigned during the call. Ordinarily, an attempt to bind a remote IP address to a local socket would fail. However, the Firewall Client LSP intercepts the call, allows this remoted binding to succeed, and sends a notification over the control channel to the Firewall service, which calls the bind function to associate an IP address on the External network adapter of the Forefront TMG computer and a random port number with the socket on the Forefront TMG computer. The Winsock application calls the listen function to instruct the socket on the client computer to listen for incoming secondary connections, and a notification is sent over the control channel to the Firewall service, which calls the Winsock listen function to instruct the socket on the Forefront TMG computer to listen for incoming secondary connections from the external server. The Winsock application calls the getsockname function on the local socket again to obtain the randomly assigned port. This call is also intercepted by the Firewall Client LSP, which returns the IP address and the randomly assigned port of the socket on the Forefront TMG computer. The Winsock application uses this IP address and port in the request that it sends to the external server to return specific data over a secondary connection.

The external server transparently returns the specific data requested to the Firewall client by creating a socket and using it to establish a connection to the IP address and port of the remoted listening socket on the Forefront TMG computer, which forwards the data to the IP address and port of the local listening socket on the client computer.

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.