Forefront TMG Client Computers

Windows Sockets (Winsock) applications running on computers with Forefront TMG Client installed and enabled can send requests to remote destinations transparently through the Microsoft Firewall service of Forefront TMG. Setting up Forefront TMG Client, which supersedes Firewall Client, does not configure individual Winsock applications. Instead, a dynamic-link library (FwcWsp.dll) in the Forefront TMG Client software becomes a Winsock layered service provider (LSP) that all Winsock applications use transparently. This way, the Forefront TMG Client LSP can intercept Winsock function calls from client applications and then route a request to the original underlying base service provider if the destination is local or to the Firewall service on a Forefront TMG server if the destination is remote.

When you install Forefront TMG Client on a client computer, the following files are installed in the \Program Files\Forefront TMG Client folder:

  • FwcAgent.exe
  • FwcCreds.exe
  • FwcMgmt.exe
  • FwcRes.dll
  • FwcWsp.dll
  • ISAClient.htm

You can install Forefront TMG Client software on client computers that run the Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista with Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2003 with Service Pack 2 (SP2), or Windows XP with Service Pack 3 (SP3) operating system. For more information about installing Forefront TMG Client, see the Forefront TMG product documentation.

Forefront TMG Client computers are supported only if the Firewall service is running.

Settings Defined for Forefront TMG Clients

If a network (an FPCNetwork object) is configured to support Forefront TMG Client computers (its EnableFirewallClients property is set to True), Forefront TMG will accept requests from Forefront TMG Client computers and Firewall clients in that network on TCP port 1745. In addition, Forefront TMG will supply the set of IP address ranges included in the network to all Forefront TMG Client computers residing in the network. These IP address ranges are stored in memory by the Forefront TMG Client Agent service (FwcAgent) on the Forefront TMG Client computers as a table of IP address ranges called the local address table (LAT). Each Forefront TMG Client computer recognizes all IP addresses included in the LAT and the IP addresses specified in its own routing table as being local.

A custom version of the LAT containing additional IP address ranges can also be created in a file named Locallat.txt, which may be stored locally on each Forefront TMG Client computer in the \Documents and Settings\All Users\Application Data\Microsoft\Forefront TMG Client folder. In this file, each IP address range is represented by a pair of IP addresses even if the range includes a single IP address. The Forefront TMG Client computers will also recognize these additional IP address ranges as part of the local network.

Whenever a Winsock application running on a Forefront TMG Client computer attempts to send a request to a computer, the Forefront TMG Client LSP determines whether the destination IP address can be regarded as a local destination. If the destination is local, the Forefront TMG Client computer sends the request directly to the destination computer. If the destination is not local, the request is sent to the Firewall service on a Forefront TMG server. The Firewall service handles the request, forwarding it to the appropriate destination, as permitted. Forefront TMG Client can transparently send user credentials to the Forefront TMG server for authentication purposes.
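The local-versus-remote decision described above, written out as an added example (not code from the Forefront TMG Client software): it parses Locallat.txt-style address pairs, merges them with the server-supplied LAT and the client's routing-table prefixes, and classifies a destination. The file content, the whitespace-separated pair layout and the CIDR representation of the routing table are assumptions.

```python
import ipaddress

# Constructed Locallat.txt content (not a real file). Each range is a pair of
# addresses even when it covers one address; whitespace between the two is an
# assumption about the file layout.
SAMPLE_LOCALLAT = """\
10.0.0.0 10.255.255.255
192.168.50.7 192.168.50.7
"""

def parse_address_pairs(text):
    """Turn 'first last' lines into inclusive (first, last) integer ranges."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line: skip rather than treat as local
        first, last = (int(ipaddress.IPv4Address(p)) for p in parts)
        if first > last:
            raise ValueError("range start after end: %r" % line)
        ranges.append((first, last))
    return ranges

def is_local_destination(dest, server_lat_text="", locallat_text="", routes=()):
    """True when dest lies in the server-supplied LAT, in the Locallat.txt
    additions, or in a prefix from the client's own routing table (given here
    as CIDR strings; reading the real routing table is out of scope)."""
    addr = ipaddress.IPv4Address(dest)
    lat = parse_address_pairs(server_lat_text) + parse_address_pairs(locallat_text)
    if any(first <= int(addr) <= last for first, last in lat):
        return True
    return any(addr in ipaddress.IPv4Network(r) for r in routes)

def route_for(dest, **kwargs):
    """'direct' for a local destination, 'remote' when the Firewall service handles it."""
    return "direct" if is_local_destination(dest, **kwargs) else "remote"
```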

The configuration settings supplied by a Forefront TMG server to Forefront TMG Client computers include settings that apply to specific client applications. These settings are defined in FPCClientSettingsSection objects. Forefront TMG Client settings sections contain entries that are defined by a key and a value to which the key is set. The Name property of a settings section specifies the client application to which its entries apply. This property can be set to the name of the applicable binary file without the file extension or to a wildcard character, an asterisk (*). A settings section whose Name property is set to an * applies to all applications. Setting sections that apply to all applications may contain entries only for the DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts keys. When Forefront TMG Client is installed, the Forefront TMG Client application settings are provided to the Forefront TMG Client Agent service (FwcAgent) on Forefront TMG Client computers together with the name or IP address of the Forefront TMG server or array to use, the set of IP address ranges included in the local network (the local address table or LAT), the automatic discovery settings for Web browsers, and the name or IP address of the Web proxy that Web browsers are to use. These settings are updated each time that Forefront TMG Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Forefront TMG Client dialog box, and every six hours after the previous refresh. Note that whenever these settings are updated, the settings for Web browsers are applied to Internet Explorer.

Web browsers, such as Internet Explorer, that run on Forefront TMG Client computers and use the Microsoft Win32® Internet application programming interface (API), WinInet, can contact the Forefront TMG server to obtain:

  • the set of IP address ranges defined in the DirectIPDestinations property of the FPCClientAutoScript object, which Web browsers configured to use the default automatic configuration script are to access directly;
  • the set of destination domain names defined in the DirectAddressDestinations property of the FPCClientAutoScript object, which such Web browsers are to access directly (the local domain table or LDT); and
  • the backup route that should be used to access the Internet when the primary route is unavailable.

Additional local settings that apply to all users are stored in the Application.ini, Common.ini, and Management.ini files in the \Documents and Settings\All Users\Application Data\Microsoft\Forefront TMG Client folder. The Common.ini and Management.ini files in this folder are created automatically when Forefront TMG Client is installed. Additional user-specific local settings are stored in the Application.ini, Common.ini, and Management.ini files in the \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client folder for the applicable user. The settings for a specific user take precedence over the settings for all users, and the local settings take precedence over the settings supplied by the Forefront TMG server. Note that the Mspclnt.ini file created for ISA Server 2000 Firewall clients is not created for Forefront TMG Client computers.
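The settings-section rules and the precedence order from the preceding paragraphs, modelled as an added example (not the Forefront TMG Client's own parser): three constructed layers are loaded, a * section is rejected if it carries a key other than DontRemoteOutboundTcpPorts or DontRemoteOutboundUdpPorts, and a key is resolved for an application with user-specific local settings winning over all-users local settings, which win over server-supplied settings. Using the application name (or *) as the INI section header, and preferring an application-specific section over the * section within one layer, are assumptions.

```python
import configparser

# The only keys the page allows in a section whose Name is "*".
WILDCARD_ONLY_KEYS = {"dontremoteoutboundtcpports", "dontremoteoutboundudpports"}

# Constructed layer contents, lowest precedence first: server-supplied,
# all-users local, user-specific local. Section header = application name
# without extension, or "*", is an assumption about the .ini layout.
SERVER_SUPPLIED = "[*]\nDontRemoteOutboundTcpPorts=1745\n[ftp]\nDontRemoteOutboundTcpPorts=21\n"
ALL_USERS_LOCAL = "[*]\nDontRemoteOutboundTcpPorts=1745,1723\n"
USER_LOCAL = "[ftp]\nDontRemoteOutboundTcpPorts=21,20\n"

def load_layer(text):
    """Parse one settings layer; reject a * section carrying disallowed keys."""
    cp = configparser.ConfigParser(interpolation=None)  # option names lower-cased
    cp.read_string(text)
    if cp.has_section("*"):
        bad = set(cp.options("*")) - WILDCARD_ONLY_KEYS
        if bad:
            raise ValueError("keys not allowed in a * section: %s" % sorted(bad))
    return cp

def layer_is_valid(text):
    """Convenience wrapper so callers can test validity without catching."""
    try:
        load_layer(text)
        return True
    except ValueError:
        return False

def effective_value(app, key, layers):
    """Resolve key for app: highest-precedence layer first; within a layer the
    application-specific section is consulted before the * section (assumption)."""
    app, key = app.lower(), key.lower()
    for cp in reversed(layers):
        for section in (app, "*"):
            if cp.has_section(section) and cp.has_option(section, key):
                return cp.get(section, key)
    return None  # no layer defines the key for this application

LAYERS = [load_layer(t) for t in (SERVER_SUPPLIED, ALL_USERS_LOCAL, USER_LOCAL)]
```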

Remoted Connections

When a Winsock application running on a Forefront TMG Client computer calls the Winsock socket and connect functions to create a socket and request a connection to a specific IP address and port on a server in the External network, the Forefront TMG Client LSP intercepts the call and establishes a connection over the dedicated control channel to port 1745 on the Forefront TMG server. This control channel is used for sending notifications to the Firewall service and passing information back to the Forefront TMG Client computer. The Firewall service calls the socket function twice, once to create a socket that will be used to establish a connection between the Forefront TMG server and the external server for sending the connection request and once to create a socket that will listen for connection attempts in the network where the Forefront TMG Client computer resides (typically the Internal network). Then the Firewall service calls the Winsock bind and listen functions to instruct the latter socket to listen for connection attempts from the Forefront TMG Client computer. Next, the Forefront TMG Client LSP attempts to establish a connection between the socket that was originally used by the Winsock application and the Forefront TMG server. When this connection attempt arrives at the listening socket, the Winsock accept function is called to create a new socket that is used to establish a connection for sending and receiving data. The Firewall service then calls the connect function on the socket in the External network to establish a connection with the external server. These two connections form a transparent communication channel between the client computer and the external server.

If the Winsock application needs to send a request to the external server to return data to a specific IP address and port over an incoming secondary connection, it creates a new socket on the client computer and calls the Winsock getsockname function on this socket to query Winsock for its IP address and port. This call is intercepted by the Forefront TMG Client LSP, which communicates with the Forefront TMG server over the control channel and returns the IP address and port of a new socket that is created on the External network adapter of the Forefront TMG server. The Winsock application calls the bind function to associate the local socket with the remote IP address and port returned in the call to the getsockname function or with the remote IP address returned in the call to getsockname and port 0. When port 0 is used in the call to the bind function, a random port number is assigned during the call. Ordinarily, an attempt to bind a remote IP address to a local socket would fail. However, the Forefront TMG Client LSP intercepts the call, allows this remoted binding to succeed, and sends a notification over the control channel to the Firewall service, which calls the bind function to associate an IP address on the External network adapter of the Forefront TMG server and a random port number with the socket on the Forefront TMG server. The Winsock application calls the listen function to instruct the socket on the client computer to listen for incoming secondary connections, and a notification is sent over the control channel to the Firewall service, which calls the Winsock listen function to instruct the socket on the Forefront TMG server to listen for incoming secondary connections from the external server. The Winsock application calls the getsockname function on the local socket again to obtain the randomly assigned port. This call is also intercepted by the Forefront TMG Client LSP, which returns the IP address and the randomly assigned port of the socket on the Forefront TMG server. The Winsock application uses this IP address and port in the request that it sends to the external server to return specific data over a secondary connection.

The external server transparently returns the specific data requested to the Forefront TMG Client computer by creating a socket and using it to establish a connection to the IP address and port of the remoted listening socket on the Forefront TMG server, which forwards the data to the IP address and port of the local listening socket on the client computer.
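The remoted secondary connection just described, walked through with real sockets on loopback as an added example (a simplified model, not the Forefront TMG Client or Firewall service code): the application listens on a random local port, the "Firewall service" opens a listener on its own random port and hands that address back in place of the control-channel exchange, the "external server" connects to it, and the data is forwarded to the application's local listener. Using 127.0.0.1 for both the client side and the External side is an assumption made so the example runs on one machine.

```python
import socket
import threading

def _forward(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then close both."""
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        dst.sendall(chunk)
    src.close()
    dst.close()

def firewall_remote_listen(client_listener):
    """Model of the Firewall service side of a remoted listen: bind on the
    'External' side (loopback here, port 0 = randomly assigned), listen, and
    relay the first incoming secondary connection to the client's listener.
    Returns the (ip, port) the application will advertise to the external server."""
    ext = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ext.bind(("127.0.0.1", 0))
    ext.listen(1)

    def accept_and_forward():
        conn, _ = ext.accept()
        ext.close()
        _forward(conn, socket.create_connection(client_listener))

    threading.Thread(target=accept_and_forward, daemon=True).start()
    return ext.getsockname()

def remoted_secondary_connection(payload):
    """Run the sequence end to end and return what the application receives."""
    local = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    local.bind(("127.0.0.1", 0))   # port 0: random local port, as on the page
    local.listen(1)
    # The LSP's control-channel round trip is modelled as a direct call; the
    # address returned stands in for what the second getsockname call yields.
    advertised = firewall_remote_listen(local.getsockname())
    ext_server = socket.create_connection(advertised)  # constructed external server
    ext_server.sendall(payload)
    ext_server.close()
    conn, _ = local.accept()       # the forwarded secondary connection arrives
    local.close()
    received = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        received += chunk
    conn.close()
    return received
```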

Build date: 7/12/2010
