Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type
ISA, Security, Windows January 27th, 2008
Introduction
After completing Part III, you have done the basic configuration of ISA Server. In this part, you will configure a client computer as one of these types: SecureNAT client, Firewall client or Web Proxy client. More detail is given in the sections below.
The series is divided into 5 parts:
- Getting started with Microsoft ISA Server 2006, Part I: Installation
- Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
- Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
- Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type
- Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter
Client Types
The table below compares the ISA Server clients.
| Feature\ Client types | SecureNAT client | Firewall client | Web Proxy client |
|---|---|---|---|
| Installation required | Some network configuration changes may be required | Yes | No, Web browser configuration required |
| Operating system support | Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) | Only Windows platforms | All platforms, but by way of Web application |
| Protocol support | Application filters for multiple connection protocols required | All Winsock applications | Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), File Transfer Protocol (FTP), and Gopher |
| User-level authentication | Some network configuration changes required | Yes | Yes |
| Server applications | No configuration or installation required | Configuration file required | Not applicable |
Configurations
In this section, I will show how to configure each client type on a client computer. Select only one of these three client type configurations.
- SecureNAT client
To configure a SecureNAT client, only change the gateway in the network properties to the ISA Server.
- Firewall client
- Download Firewall Client for ISA Server from Microsoft or from here – Microsoft Firewall Client.
- Run the setup program and set the ISA Server DNS name or IP address on the ISA Server Computer Selection page.

- After installation, you'll see an icon like the one in the figure below in the tray. Green means the client has successfully connected to ISA Server. If it shows red, the client can't connect to ISA Server. You can double-click the icon to see more detail.

- If you double-clicked the icon in the previous step, select the Settings tab to verify that ISA Server Selection is typed correctly. Also, click Apply Default Settings Now so that other users on this computer can use this configuration, too.

- Web Proxy client
- Open a Web browser. In this example, I demonstrate with Internet Explorer.
- On menu bar, select Tools -> Internet Options.

- On Internet Options, select Connections tab and click on LAN Settings.

- On Local Area Network (LAN) Settings, set Address and Port to your ISA Server configuration.
Note: By default, Web proxy port is 8080.
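
The SecureNAT and Web Proxy settings from the steps above can be checked on a client with a short script. This is an added example, not part of the original article; the address 192.168.1.1 and the function names are assumptions, and it does not detect the Firewall client, whose state is shown by its tray icon.

```powershell
# Added example, not from the article. Written for Windows PowerShell 2.0+.
# Assumed values: the address 192.168.1.1 in the usage line and all function names.

function Get-ProxyEndpoint {
    param([string]$ProxyServer)
    # The registry value is either "host:port" or "http=host:port;https=...".
    if (-not $ProxyServer) { return $null }
    $entry = $ProxyServer
    if ($ProxyServer -match '=') {
        $entry = $ProxyServer -split ';' |
            Where-Object { $_ -match '^\s*http=' } | Select-Object -First 1
        if (-not $entry) { return $null }
        $entry = $entry -replace '^\s*http=', ''
    }
    $entry = $entry.Trim() -replace '^https?://', ''
    $parts = @($entry -split ':')
    $port = $null
    if ($parts.Count -ge 2) { $port = [int]$parts[1] }
    New-Object PSObject -Property @{ Name = $parts[0]; Port = $port }
}

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-IsaClientType {
    param(
        [Parameter(Mandatory = $true)][string]$IsaAddress,  # internal IP of ISA Server
        [string]$ProxyName = $IsaAddress,                   # name or IP typed in LAN Settings
        [int]$WebProxyPort = 8080                           # default Web proxy port
    )
    # SecureNAT client: an adapter's default gateway is the ISA Server itself.
    # A client that reaches ISA Server through another router will not match.
    $gateways = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })
    # Web Proxy client: the current user's LAN Settings point at ISA Server.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = Get-ProxyEndpoint $inet.ProxyServer
    $isWebProxy = ($inet.ProxyEnable -eq 1) -and ($proxy -ne $null) -and
        ($proxy.Name -eq $ProxyName) -and ($proxy.Port -eq $WebProxyPort)
    New-Object PSObject -Property @{
        SecureNAT          = ($gateways -contains $IsaAddress)
        WebProxy           = $isWebProxy
        ProxyPortReachable = (Test-TcpPort $ProxyName $WebProxyPort)
    }
}

Get-IsaClientType -IsaAddress '192.168.1.1'
```

A computer can report both SecureNAT and WebProxy as true, since the gateway and the browser proxy are set independently.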

Reference
http://technet2.microsoft.com
June 15th, 2008 at 9:30 am
This is a very helpful blog.
I'm sure that blog will benefit all.
Thanks
July 29th, 2008 at 3:14 pm
Dear Linglom.com Team,
Your web site is so nice and informative that I have never seen one like it before. Keep it up, it is really nice work you people have done.
Thanks
Qazzafi,
System and Network Administrator,
Govt. of Punjab, Pakistan.
August 1st, 2008 at 10:28 am
Dear Luangaroon,
After configuring ISA 2006 Enterprise Edition according to your instructions, I can't ping and access Internet from ISA server from any computer from network. So please help.
August 4th, 2008 at 9:39 pm
Hello, Qazzafi
Have you configured gateway and DNS of the external network connection on the ISA Server to point to your ISP?
I may have missed it in the article.
October 22nd, 2008 at 1:06 pm
Dear,
Let me know how to enable external POP3 in ISA 2006 Servers.
Note: When I select the All Outbound traffic From Internal To External – All Users rule, POP3 is working fine.
2) When I select the protocols HTTP, HTTPS, FTP – From Internal to External – Full Access User (I created), the internal users cannot access their external POP3 emails.
What is the difference between the protocol categories: Common Protocol, Infrastructure, Mail, Remote Terminal, All Protocols, Server Protocols? HTTP resides in all the options. Is it any different?
October 24th, 2008 at 10:59 pm
1. Why don’t you just add POP3 protocol to the rule? ISA Server has a predefined POP3 protocol.
2. There is no difference between protocols that are shown in several categories. The categories make them easy to find. You can click Edit on the selected protocol to see more detail and compare each category yourself.
December 24th, 2008 at 11:33 am
Hi Linglom,
I have set up ISA 2006 Standard according to your guideline and it works fine. My ISA is on the domain and it has been installed as a member server. I want all users of Active Directory to authenticate when they want to connect to online services. Is it possible to ask them to authenticate by web form so that I can monitor every user? I have Mac users who are not part of the AD but will use the Internet and I want them to authenticate as well.
I would really appreciate it if you can help. Cheers.
December 24th, 2008 at 5:08 pm
Hi, Naweed Qadir
It is inferred that users in Active Directory are already authenticated when they're logged in to the domain, so it is unnecessary to make them authenticate again when they want to use the Internet. And ISA Server has a logging system to log all traffic passing in and out. So you can view the users who are using the Internet and which websites they surf.
As for Mac, I'm not a Mac user so my advice may not work. I think you can configure the browser on the Mac to use the web proxy of your ISA Server. So when the user surfs the Internet, it should ask for credentials to authenticate on ISA Server. Then, let the user enter the account in Active Directory. It should work.
December 24th, 2008 at 10:04 pm
Hi guys,
I’m having the following error when I’ve installed ISA 2006 – Error Code 11001: Host not found.
Any idea?
Thanks
December 30th, 2008 at 3:47 am
Thanks Linglom. I really appreciate your feedback. I will be checking with Macs next week and will let you know whether it worked or not.
January 3rd, 2009 at 7:27 am
Hi, Marco Ziku
Many forums talk about this problem. Most say that it's a DNS-related issue. Verify that you have configured DNS to query external properly. Second, try to update to ISA Server 2006 SP1. It may solve the problem.
To Naweed Qadir,
You’re welcome.
January 17th, 2009 at 5:44 pm
Hi,
In our company we are planning to install ISA 2006 Enterprise. I have some book knowledge about ISA 2006. I need one basic thing: by default, if I am right, ISA uses port 8080 for HTTP. Where can I edit this port? If anybody can show it with graphics I will be really thankful.
January 17th, 2009 at 6:39 pm
Hi linglom,
Below link may be very useful for those who are facing problem with DNS.
http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx
January 19th, 2009 at 9:10 pm
Hi, Sana
You can change ISA Server’s Web Proxy port by
Microsoft ISA Server Management -> Expand Server Name -> Configuration -> Network -> Select Network tab -> Double-click on the network you want to configure. By default, it is Internal -> Select Web Proxy tab -> Change HTTP port as you want.
January 22nd, 2009 at 11:11 am
Hi, Linglom,
Thanks a lot for your good help. If you don't mind, I have one more question: if I want to block one particular site, e.g. http://www.rediffmail.com, how can I do this? Can you please tell me the steps?
Regards,
sana
February 1st, 2009 at 8:03 pm
Hi, Sana
You simply create a new Access Rule with rule action to Deny to that website.
February 7th, 2009 at 9:02 pm
Hi,
It is a great site, keep it up.
I have a different problem. I have a configuration like this: my ISA is authenticating with the DC and ISA has one NIC configured. ISA is configured with an internal DNS server which has a forwarder for the ISP DNS.
Now I have to configure one more card to external, meaning to the SonicWall.
Please help me out.
Sudhir
India
February 8th, 2009 at 8:57 pm
Hi, Sudhir
On external, the IP should be in the same network as the SonicWall and the gateway is the SonicWall's IP. The DNS should be the DNS of the ISP (your Internet provider).
February 9th, 2009 at 2:13 pm
Hi,
Is it required to give internal DNS server addresses for the internal card of the ISA server if I give the ISP DNS server addresses to the external card?
February 10th, 2009 at 9:04 pm
Hi, Sudhir
I recommend that you set it. You can think of ISA Server as a router which can route traffic between separate networks. It may help you to configure the server more easily.
March 3rd, 2009 at 7:35 pm
Hi,
Once again I am disturbing you. Now I want to configure two NICs in my ISA 2006, and ISA is acting as a web proxy with domain authentication, so how do I configure the internal NIC? I am waiting for your solution.
Sudhir
March 6th, 2009 at 9:47 pm
Below is one configuration of mine that is working. You don't have to follow it exactly.
On internal NIC,
- IP address and subnet mask as you want.
- Gateway, leave blank (only set gateway on external NIC).
- DNS points to internal DNS server.
On external NIC,
- IP address and subnet mask as you want.
- Gateway points to a router that is connected to the external NIC.
- DNS points to DNS server of the ISP (Internet Service Provider).
July 21st, 2009 at 1:48 pm
Hi Linglom
I have a severe problem in ISA 2006 SE firewall.
I am using the Edge-Firewall template. The following error comes up thrice a second in Event Viewer.
ISA Server detected a proxy server loop. There may be a problem in the configuration of the ISA Server Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.
What could be the reason?
July 21st, 2009 at 3:26 pm
Hi, Fahad Afzal
Have you installed any anti-virus software or other proxy software on the ISA Server? Sometimes they may conflict with each other. If yes, try to uninstall them and see if the problem is cleared or not.
As another solution, try to change these registry keys below; it might help. (Don't forget to back up the registry first.)
Reference:
ISA2006 – Problem Presents As Proxy Server Loop
July 21st, 2009 at 4:09 pm
Thanks for your prompt reply.
I am running GFI WebMonitor along with ISA 2006; is that causing the problem?
I have checked all the specific registry keys; all of them are set to 0, which is fine.
One thing I noticed is that I had defined two default gateways, one for each NIC, but now I have removed my internal default gateway and kept the default gateway on the external NIC. Now I will observe whether that works.
July 22nd, 2009 at 3:17 pm
Hey Linglom
I hope you are doing well. That error has been resolved by eliminating the internal default gateway.
I have a very important question to ask about ISA Server 2006.
Currently I have been using ISA Server with a NAT rule. Now I want to use a Route rule in ISA and want to route all my subnets through the ISA firewall, which are then to be NATed by my router. I have configured Policy Based Routing, which means the router will check the source IP and will route packets to the next hop accordingly. For this reason, I need to keep the source IP as original.
Moreover, I am using the Edge-Firewall template in ISA, with two NICs in it.
Please tell me, is it possible to keep the source IP as it is while passing through the ISA firewall?
July 27th, 2009 at 3:46 pm
I have chosen the Route rule on my ISA; now original source IPs are going through ISA 2006.
But the biggest issue is, I cannot filter traffic, meaning that now, if ISA sees HTTP traffic, it does not apply the defined policy to the packets and lets them go through the firewall without filtering.
Please help me to sort out the issue!
July 27th, 2009 at 4:29 pm
Hi, Fahad Afzal
I suggest you observe the log on ISA Server to see if the traffic passes ISA Server with the correct rule.
August 4th, 2009 at 11:49 am
Dear Sir ,
Your site is very helpful. I have questions:
1- I have ISA 2006. How can I know what the configuration is? SecureNAT, Firewall client or Web Proxy client??
2- I have a problem: when I add some IP in ISA so that it can use the Internet, I must set the proxy on that client, otherwise it does not work. How can I solve this so that my ISA works as SecureNAT??
Best Regards
Ardalan
August 5th, 2009 at 11:38 am
Hi, Ardalan
1. I have shown how to configure these client types on this post.
2. I don't quite get the question. If you want to configure a client as SecureNAT, you simply set the default gateway on your client computer to point to the ISA Server. No need to configure web proxy or install the firewall client.
August 5th, 2009 at 7:42 pm
Hi linglom,
Thanks for your reply. I mean that now we must set the proxy on our clients so that they can visit sites, but I don't want this and want the clients to go to the Internet without any setting.
How can I set this??
August 6th, 2009 at 1:12 pm
Hi Ardalan
I do not exactly know about your infrastructure but let me tell you the concept.
All your Internet traffic should pass through the firewall, meaning the default gateway must be set to the ISA firewall. If you have defined a switch or router as the default gateway in your network, then put a default route to the ISA firewall on the switch or router.
In my network, I am not using any proxy; packets from clients reach my core switch, where I have defined a default route pointing to my ISA firewall.
It's all about routing the traffic! Once you achieve this, everything must go smoothly.
Hope it helps you.
Regards
October 7th, 2009 at 7:49 pm
Hi, this post is very helpful, but I'm asking about:
- How can I block SecureNAT clients from using the Internet connection (browsing)?
Thanks
October 17th, 2009 at 12:49 pm
Dear linglom,
After I created the deny rules for some websites, I now can't get to any website from my ISA Server, but the rules work fine for the clients.
Regards,
October 19th, 2009 at 8:05 am
Hi, Najib
Check Logging on ISA Server to see if the rule has also blocked traffic from your ISA Server or not.
October 25th, 2009 at 1:26 pm
Dear linglom,
I set up ISA 2006 and have just one rule: any protocol from Internal to External, Allow. After this I have ping but I cannot visit any site; I must configure my browser and set the internal ISA IP and port no. 8080, otherwise I cannot visit any site. I removed the check mark from the check box in Web Proxy but it doesn't work properly.
Could you help me with this problem ASAP??
BR
Ardalan
October 26th, 2009 at 10:28 am
Hi, Ardalan
Did you install the firewall client on the client's computer? Does it work properly?
What client type did you decide to use?
October 26th, 2009 at 11:26 am
Hi, linglom
I want to use SecureNAT. I mean all the users just set the default gateway to the ISA server and then can use the Internet, but it does not work properly. Could you guide me on how I can run it, and tell me anything that I must check??
October 27th, 2009 at 10:07 am
Hi, Ardalan
The drawback of the SecureNAT client is that it cannot send credentials to the ISA Server. So you have to check whether the rule allows anonymous access or not. But allowing anonymous access may affect other rules which are based on user credentials.
Since SecureNAT clients are not able to send credentials, all requests that require authentication will be dropped. The only solution for a secure environment that requires outbound access controls for HTTP is to configure the SecureNAT clients as Web Proxy clients.
November 4th, 2009 at 1:43 pm
Thanks for sharing valuable data. I am an infant in ISA Server. I have installed ISA 2006; do I need to install the firewall client on each PC in the network????
November 9th, 2009 at 11:22 am
Hi, Faisu
You can deploy firewall client to multiple computers using group policy. See How to deploy the ISA Server 2004 Firewall Client program for more information.
November 25th, 2009 at 3:44 am
Hello Linglom,
Can you please advise how I can give access to only one particular site for specific users or computers?
Appreciate your advice.
November 25th, 2009 at 3:15 pm
Hi, Azeez
You need to create an access rule to allow that. See Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule for an example of how to create an access rule for a specific user.
January 24th, 2010 at 6:27 pm
Hi,
Can anyone help me regarding the configuration of the HTTP filter? When I configure the HTTP filter content to block online streaming it works fine, but I am not able to open some websites, like Hotmail email, Yahoo email, etc.
Regards
January 25th, 2010 at 11:04 am
Hi, Najam
I suggest you check Logging on ISA Server to see if the connection is blocked by the HTTP rule that you have just configured or not.
March 14th, 2010 at 11:20 am
Please help me block software
and configure VPN on ISA.
March 22nd, 2010 at 3:15 pm
See Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter for some examples of blocking applications through ISA Server.
July 27th, 2010 at 5:06 pm
I use ISA Server 2006 but I want control by IP address.
Ex. IP: 192.168.11.10 can access Internet.
July 27th, 2010 at 5:10 pm
I use ISA Server but I want control by IP address.
Ex:
IP: 192.168.11.5 can access Internet
IP: 192.168.11.10 cannot access Internet
I don't want control by user.
Could you help me?
Thanks
July 27th, 2010 at 5:10 pm
Reply soon, thanks!!!
July 27th, 2010 at 5:11 pm
Or if you have some e-book or document about this, please attach it for me.
Thanks
July 30th, 2010 at 10:52 am
Hi, Chetra
I recommend that you read the updated version of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction; see part 8 about how to create an access rule. You can create an access rule to allow or deny access by modifying the source to the specific IP address.
August 20th, 2010 at 5:17 pm
Hi
I'm having an issue: every time I access any Microsoft website going through the firewall (ISA 2006 SP1) I get this error message: Error Code 11001: Host not found.
But if I point a computer directly through the router it accesses this site successfully… I uninstalled and re-installed ISA; nothing helps.
August 23rd, 2010 at 9:10 am
Hi, Sylvester
Host not found could be some DNS problem. Can you describe your network configuration? Did you create a rule to allow DNS queries to the DNS server?