ISA Server and Client, a brief functional overview :)

Nowadays cable network setups are getting common in Pakistan. Normally a LAN requires a proxy server to communicate its internal requests to the outside world. Most corporate networks and residential cable network installations deploy Microsoft ISA Server, which not only works as an Internet proxy server for the LAN inhabitants but also provides firewall capabilities, along with user authentication and authorization.

Normally an ISA server does not need the ISA Firewall Client to be running on the client PC. But in controlled setups, where user authentication and authorization are a must, the client PC needs to install the ISA Firewall Client to access the resources of the server.

Let's take a look at what goes on underneath.

The main task of the firewall client is to provide the tunneling functionality. Whenever a Winsock-based application accesses a network resource through the Winsock API, these calls are intercepted by the firewall client. The client performs a quick check of whether the requested address is on the same network or outside it. If the address is on the same network, the firewall client allows the Winsock API to function normally; if an outside address is detected, the client makes a connection to the ISA server and tunnels the request over to the server, and the server, acting as a proxy, works out the connection request on behalf of the client. The client uses only one connection to the server and tunnels all the requests over this connection; it's like broadcasting over a channel :)

The client also authenticates the user on the server and validates which services a user is eligible to use. How does it do that, plus the address-checking thing: which addresses to catch and which not? It is quite simple. When the client connects to the server, it retrieves the settings that have been set by the admin on the server. The ISA client keeps this information in plain text files and refreshes them regularly. The ISA client uses two files, MSPCLNT.INI and MSPLAT.TXT. MSPCLNT.INI stores proxy information, blocked/accessible ports, etc., while MSPLAT.TXT is my center of discussion :). MSPLAT.TXT is for local address translation; it contains addresses that are considered to be part of the same network and thus are not tunneled to the ISA server. The addresses are present as ranges, each a pair of IP addresses, and the IP addresses in a pair are separated by a space or tab, like 192.168.0.0 192.168.0.255. If you want to specify just one address, write it two times :)

Here is a sample:

10.0.0.0 10.255.255.255
169.254.0.0 169.254.255.255
172.16.0.0 172.31.255.255
192.168.0.0 192.168.255.255
192.168.0.0 192.168.0.255
224.0.0.0 255.255.255.254
127.0.0.0 127.255.255.255

This is a normal configuration of ISA Server.

When an application uses the Winsock API to connect to a remote machine, the client comes into action: it intercepts the call, consults the LAT file, and if the address is outside the network, it tunnels the call to the ISA server.

There is one catch about the file: as I mentioned, this file is refreshed regularly, so any update to the file will be lost after some time. So what to do? Well, where there is a will, there is a way. MS suggests that all custom-defined address ranges can be placed in a file named locallat.txt in the same directory; this file is also consulted when checking for local addresses.

This helped me connect my Xbox to my PC, as my ISA client was restricted to use only one network as local address, i.e. 192.168.10.0-192.168.10.255. The problem was rectified by maintaining a separate locallat.txt and adding the desired address range.
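The lookup described above, as an added Python example (not from the original post and not Microsoft's code): it parses LAT-style text, decides whether an address goes direct or through the tunnel, and lists the locallat.txt ranges that widen what the server-supplied file treats as local, which is what an admin would review since those destinations skip the ISA server. The function names, the one-range-per-line parsing and the sample file contents are assumptions made for the example.

```python
import ipaddress

# Constructed sample contents standing in for msplat.txt and locallat.txt.
MSPLAT = """10.0.0.0 10.255.255.255
192.168.10.0\t192.168.10.255
127.0.0.0 127.255.255.255
"""
LOCALLAT = """192.168.10.50 192.168.10.50
192.168.0.0 192.168.0.255
"""

def parse_lat(text):
    """Return a list of (first, last) IPv4Address pairs from LAT-style text."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()          # addresses separated by space or tab
        if not fields:
            continue                   # skip blank lines
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected two addresses")
        first, last = (ipaddress.IPv4Address(f) for f in fields)
        if first > last:
            raise ValueError(f"line {lineno}: range start is above its end")
        ranges.append((first, last))
    return ranges

def is_local(addr, ranges):
    """True if addr falls in any range, i.e. it would not be tunneled."""
    ip = ipaddress.IPv4Address(addr)
    return any(first <= ip <= last for first, last in ranges)

def route(addr, msplat_text=MSPLAT, locallat_text=LOCALLAT):
    """'direct' for addresses found in either file, 'tunnel' otherwise."""
    ranges = parse_lat(msplat_text) + parse_lat(locallat_text)
    return "direct" if is_local(addr, ranges) else "tunnel"

def local_overrides(msplat_text=MSPLAT, locallat_text=LOCALLAT):
    """locallat ranges that are not fully inside one server-supplied range."""
    server = parse_lat(msplat_text)
    return [(str(a), str(b)) for a, b in parse_lat(locallat_text)
            if not any(s <= a and b <= e for s, e in server)]

if __name__ == "__main__":
    for host in ("192.168.10.7", "192.168.0.20", "8.8.8.8"):
        print(host, route(host))
    print("review:", local_overrides())
```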

ok

tata
