How to Distribute Firewall Client for ISA Server
Microsoft® Internet Security and Acceleration (ISA) Server Firewall clients are computers with Firewall Client for ISA Server software installed and enabled. Requests from Firewall clients are directed to the Microsoft Firewall service on the ISA Server computer, to determine whether access to network resources and the Internet is allowed. Subsequently, requests may be filtered by application filters and other add-in programs. For more information about Firewall clients, see "Internal Client Concepts in ISA Server 2006" at the Microsoft TechNet Web site.
There are a number of versions of Firewall Client software:
- The latest version (v. 3442.654 at the time of writing) is available as a Web download.
- A version shipped with ISA Server 2006 (v.3441.633).
- A version shipped with ISA Server 2004.
- A version shipped with ISA Server 2000.
You can install Firewall Client on individual client computers from a share containing the software, or from the Web. You can also run an unattended Firewall Client installation, as follows:
- Unattended installation using the Web download and Setup.exe
- Unattended installation using ms_fwc.msi
Unattended installation from the Web download
The latest version of Firewall Client for ISA Server is available from the Microsoft Download Center. Run Setup as follows:
- Navigate to the download site and select to save the downloaded file (ISACLIENT-KB929556-ENU.EXE).
- Type the following at the command prompt:
ISACLIENT-KB929556-ENU.EXE /C:"setup.exe /Q /P ""SERVER_NAME_OR_IP= isaserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0"""
For more information about the parameter values, see Parameters
Unattended installation using Setup.exe
You can run an unattended installation using Setup.exe:
- To install the Firewall Client software that shipped with ISA Server 2006 or ISA Server 2004 using Setup.exe, type the following at the command prompt:
setup.exe /w /V"SERVER_NAME_OR_IP=isaserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qb /L*v c:\fwc_inst.log"
- For the latest version of Firewall Client (3442.654), extract Setup.exe from the Web download, and then type the following at the command prompt:
setup.exe /Q /P "SERVER_NAME_OR_IP= isaserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0"
For more information about the parameter values, see Parameters.
Unattended installation using ms_fwc.msi
If you use a distribution method that requires a Microsoft Windows® Installer (.msi) file, note the following:
- The Firewall Client software that shipped with ISA Server 2006 or ISA Server 2004 already includes an .msi file: ms_fwc.msi.
- To deploy the latest version of Firewall Client (3442.654), extract ms_fwc.msi from the Web download by typing the following at the command prompt:
ISACLIENT-KB929556-ENU.EXE /c /t:c:\FirewallClientFolder
where FirewallClientFolder is the name of the folder to which you want to extract the file.
You can deploy ms_fwc.msi using a suitable distribution method, or install it directly by typing the following at the command prompt:
msiexec /i ms_fwc.msi SERVER_NAME_OR_IP=isaserver ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=0 /qb /L*v c:\fwc_inst.log
Parameters are used in the commands as follows:
- Path Location of the Firewall Client installation file. A value must be specified.
- SERVER_NAME_OR_IP=ISAServerName Name or IP address of the ISA Server computer to which the client computer should connect.
- ENABLE_AUTO_DETECT Specify a value of 1 to indicate that the Firewall client computer should automatically detect the ISA Server computer to which it should connect. A value of 0 indicates that automatic detection is not enabled on the client.
- REFRESH_WEB_PROXY Specify a value of 1 to indicate that the Firewall client configuration should be updated with the Web proxy configuration settings specified in ISA Server Management. A value of 0 indicates that the client is not updated.
Command options are as follows:
- /Q and /qb indicate an unattended installation. The /qb option provides a small progress dialog box. Alternatively, you can specify /qn, which provides no progress indicator.
- /L*v c:\fwc_inst.log generates an installation log that may be useful for troubleshooting.
The following Windows Installer options may also be useful:
- The REBOOT property can be used to prompt or force a restart at the end of installation. For more information, see "REBOOT Property" at Microsoft MSDN.
- When the REBOOTPROMPT property is set to S or Suppress, any restart performed happens automatically without interaction from the user. For more information, see "REBOOTPROMPT Property" at Microsoft MSDN.
- For more information, see "Command-Line Options" at Microsoft MSDN, and "Command-Line Switches for the Microsoft Installer Tool" at Microsoft Help and Support.
Creating a shared folder for Firewall Client software
Follow these procedures to create a shared folder and install Firewall Client software that shipped with ISA Server 2006 or ISA Server 2004.
To create a shared folder for Firewall Client software
On a computer in a corporate network, such as the Internal network, create a folder to host Firewall Client software. The folder should not be on an ISA Server computer.
In Microsoft Windows Explorer, right-click the folder, and select Sharing and Security. Select Share this folder, and configure the share properties. Enabling Read permissions is sufficient for this folder, and is the most secure configuration. Click OK to close the folder properties.
If you want to allow access from other corporate networks or virtual private networks (VPNs) to the share, you must create access rules in ISA Server to enable the access.
Copy the contents of the Client folder on the ISA Server CD to the shared folder. This action requires you to be a member of the Administrators group on the computer.
To install Firewall Client software from the share
At a command prompt on the Firewall client computer, type Path\Setup, where Path is the path to the shared ISA Server client installation files, in Universal Naming Convention (UNC) format or as a drive letter (mapped to the shared folder).
Follow the on-screen instructions. This action requires you to be a member of the Administrators group on the computer.
There are a number of alternatives for deploying the software:
- Logon script. A logon script is a group of commands that runs each time a user logs on to a computer. A logon script can check whether a computer has Firewall Client software installed. If the software is not installed, the logon script can install it from the Firewall Client share. For more information, see "Logon Scripts" in Windows Server® 2003 Help. Note that the user who is logged on must be a member of the Administrators group on the computer.
- Microsoft Systems Management Server (SMS). SMS is a change and configuration management solution. Using SMS, you can ensure that the appropriate computers in your organization have Firewall Client software installed. For more information, see the Microsoft Systems Management Server Web site.
- Group Policy. Group Policy is a mechanism in Windows Server 2003 and Windows® 2000 Server that enables you to manage features, including software installation, for parts of your organization. Software can be installed per user (when a user logs on) or per computer. For more information, see "Group Policy" in Windows Server 2003 Help.
In all of these methods, we recommend that you consider carefully which computers will have Firewall Client software installed, and under what circumstances, based on the design of your distribution method. Also, you should design this method to check the installed version of the software against the version available in the shared folder, so that if an update is available, it will be automatically installed.