About Forefront TMG Client

When Forefront TMG Client, which supersedes Firewall Client, is installed and enabled on client computers in a protected network that send requests through Forefront TMG servers, Windows Sockets (Winsock) applications running on these client computers can send requests to remote destinations transparently through the Microsoft Firewall service.

Forefront TMG Client includes a dynamic-link library (FwcWsp.dll) that works as a layered service provider (LSP) on top of the original underlying base service provider. All Winsock applications running on a Forefront TMG Client computer use this LSP transparently. When a client application calls a Winsock function, the Forefront TMG Client LSP intercepts the call and determines, based on the arguments specified in the call and the configuration settings provided by the Firewall service, whether the call is local or remote. Local calls are passed to the original base service provider. Remote calls are redirected to the Firewall service.

The Forefront TMG Client LSP communicates with the Firewall service by using a dedicated connection to TCP port 1745, called the Forefront TMG Client control channel. The control channel connection is established the first time that it is needed.

When a Winsock function call is redirected to the proxy, the Forefront TMG Client LSP sends a request through the control channel to the Firewall service and waits for a response. The Firewall service checks the request against the Forefront TMG policy, processes the request on behalf of the client, and returns a reply through the control channel. The reply is then processed by the Forefront TMG Client LSP, and translated to a Winsock error code in case of failure.

The remote Forefront TMG Client software supports basic Winsock 2.0 functionality. However, the following limitations should be noted:

  • Overlapped I/O on WSARecvFrom. The Winsock API will work, but for a remote socket, the from address that the application will receive is the address of the Firewall service internal socket. However, using a blocking or non-blocking call to recvfrom, the application will see the actual from address of the Internet host that originally sent the packet.
  • Winsock QoS. Forefront TMG installs an LSP that supports Quality of Service (QoS) requests. However, for connections made through the Firewall service, Resource Reservation Protocol (RSVP) reservations will not pass through the service.
  • Winsock Name Service Functions. WSALookupServiceBegin, WSALookupServiceNext, and WSALookupServiceEnd are implemented, but only resolve queries that would translate into queries by using the gethostbyname, gethostbyaddr, getservbyport, or getservbyname functions.

You can install Forefront TMG Client software on on client computers that run the Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista with Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2003 with Service Pack 2 (SP2), or Windows XP with Service Pack 3 (SP3) operating system. For more information about installing Forefront TMG Client, see the Forefront TMG product documentation.

For more information about how Forefront TMG Client computers send requests to remote destinations, see Forefront TMG Client Computers.



Build date: 7/12/2010