Fighting with ISA Server 2006, as I have been for the last few days, has given me an opportunity to refresh my knowledge of the various ISA Server clients. Actually, calling them clients is far more grandiose than is strictly necessary (only one of them involves the installation of client software), but the terminology that Microsoft uses is:
- SecureNAT client. Any computer, with a working TCP/IP stack, pointing to the ISA Server for it’s default gateway (router) – or where the router (or series of routers) end with a router that uses the ISA server as its default gateway. This client operates at the network layer in the OSI model and therefore has no user-based access controls.
- Web proxy client. A CERN-compliant web browser, with proxy server settings configured to point to the web proxy service on the ISA Server. This client operates at the application layer in the network stack and user-level authentication is optional.
- Firewall client (formerly known as the WinSock proxy client). A computer running the ISA Server firewall client software to provide socket-based communications with the firewall service on the ISA Server. Operating at the transport layer, this client replaces the DLL for Windows socket (WinSock) connections so that communications between applications and their server components are routed via the the ISA Server (exceptions are configured in the local address table). It is possible to configure user-based access policy rules for firewall clients but the main advantage is that applications do not need to be firewall-aware; however there is a trade-off against the requirement to install the client software on each PC that requires access.