The Microsoft Firewall Service and Forefront TMG Client

Forefront TMG Client and Firewall Client computers capture a Windows Sockets (Winsock) API call in a client application and redirect it to the Microsoft® Firewall service, which makes the actual call. There are two connections: one on the private network from the client computer to the Forefront TMG server and one over the Internet from the Internet host to the Forefront TMG server.

The Firewall service consists of two parts: a dynamic-link library (DLL) running on the Forefront TMG Client and Firewall Client computer and a service running on the Forefront TMG server.

When Forefront TMG Client or Firewall Client is installed on the client computer, it installs two .dll files. The files intercept Winsock API calls from applications on the client and forward them to the Forefront TMG server by using a control channel.

The control channel manages remote Winsock messages, and is designed to do the following:

  • Deliver the set of IP address ranges included in a Forefront TMG network to Forefront TMG Client and Firewall Client computer residing in the network if support for Forefront TMG Client and Firewall Client computers is enabled for that network. These IP address ranges are stored on the Forefront TMG Client and Firewall Client computers as a table of IP address pairs called the local address table (LAT). Forefront TMG Client and Firewall Client computers will recognize the IP address ranges received as local destinations, for which no Forefront TMG server is required.
  • Establish TCP connections from the client computer to the Forefront TMG server. This channel is used to build the virtual connection while attempting to connect with a remote application.
  • Furnish UDP communications to and from the Forefront TMG Client or Firewall Client computer and with the Forefront TMG server.

The Forefront TMG Client or Firewall Client DLL is initialized when the first Winsock connection is attempted. A control channel with the Firewall service is established, and then designated as active through the channel. If support for Forefront TMG Client and Firewall Client computers is enabled for the Internal network, the set of IP address ranges included in the Internal network is copied from the server to the Forefront TMG Client or Firewall Client computer's LAT for determining which destinations are on the Internet and which are local.

Note  The Firewall service makes use of the Windows Sockets 2.0 service provider interface (SPI) to implement a layered service provider (LSP). For more information about LSPs, see MSDN.

 

 

Build date: 7/12/2010

Community Additions

ADD
Show: