Microsoft KB Archive/323457

= Firewall Client Program Settings for Configuration Files Like Wspcfg.ini =

Article ID: 323457

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition




This article was previously published under Q323457



== SUMMARY ==
When you configure Microsoft Internet Security and Acceleration (ISA) Server, you configure the array to which firewall client computers connect when they send requests to the Internet. You can specify the array by DNS name or by Internet Protocol (IP) address.

After you install the client software, you can use either of the following methods to modify the server name to which the client connects:
 * Specify a different name on the ISA Server computer to which the client currently connects.
 * Specify a different name in the Firewall Client software.

The configuration changes take effect after the firewall configuration is refreshed. For more information, see the Firewall Client online help.



== Advanced Client Configuration ==
For most WinSock programs, you do not have to change the default Firewall Client configuration. However, in some situations, you may have to add client configuration information. You can store the client configuration information in one of the following locations:
 * Mspclnt.ini: This file is the global client configuration file that is located in the Firewall Client installation folder. The Mspclnt.ini file is periodically downloaded by the client from the ISA Server computer and it overwrites previous versions. As a result, if you make configuration changes at the ISA Server computer, the setting is automatically downloaded to the client.
 * Wspcfg.ini: This file is located in a specific client program folder. The ISA Server computer does not overwrite this file. As a result, if you make configuration changes in this file, these changes apply only to the specific client.

The Firewall Client software looks for a Wspcfg.ini file in the folder in which the client WinSock program is installed. If this file is found, Firewall Client looks for a [ ] section, where  is the name of the WinSock program without the .exe file name extension. If this section does not exist, Firewall Client looks for the [Common Configuration] section. If this section also does not exist, Firewall Client looks for the same sections in the Mspclnt.ini file. Firewall Client uses only the first section that it finds during this search to apply the program-specific configuration settings.

=== Sample Wspcfg.ini file ===
The following text is an example of the [ ] section in a client configuration file:

 [ ]
 Disable=0
 NameResolution=R
 LocalBindTcpPorts=7777
 LocalBindUdpPorts=7000 7022, 7100 7170
 RemoteBindTcpPorts=30
 RemoteBindUdpPorts=3000 3050
 ServerBindTcpPorts=100 300
 ProxyBindIp=80:110.52.144.103, 82:110.51.0.0
 KillOldSession=1
 Persistent=1
 ForceProxy=i:172.23.23.23
 ForceCredentials=1
 NameResolutionForLocalHost=L

The following list describes the possible entries that you can put in a configuration file for a WinSock program:

Entry name: Disable

Possible values: 0 or 1.

Description: When you set the value to 1, the Firewall service is disabled for the specific client program.

Entry name: NameResolution

Possible values: L or R.

Description: By default, dotted decimal notation or Internet domain names are redirected to the ISA Server computer for name resolution. All other names are resolved on the local computer. When you set the value to R, all names are redirected to the ISA Server computer for resolution. When you set the value to L, all names are resolved on the local computer.

Entry name: LocalBindTcpPorts

Description: This entry specifies a Transmission Control Protocol (TCP) port, list, or range that is bound locally.

Entry name: LocalBindUdpPorts

Description: This entry specifies a User Datagram Protocol (UDP) port, list, or range that is bound locally.

Entry name: RemoteBindTcpPorts

Description: This entry specifies a TCP port, list, or range that is bound remotely.

Entry name: RemoteBindUdpPorts

Description: This entry specifies a UDP port, list, or range that is bound remotely.

Entry name: ServerBindTcpPorts

Description: This entry specifies a TCP port, list, or range for all ports that accept more than one connection.

Entry name: ProxyBindIp

Description: This entry specifies an IP address or list that is used when the server binds with a corresponding port. Use this entry when multiple servers that use the same port have to bind to the same port on different IP addresses on the ISA Server computer. The entry uses the following syntax:

ProxyBindIp=[ ]:[ ], [ ]:[ ]

The port numbers apply to both TCP and UDP ports.

Entry name: KillOldSession

Possible values: 0 or 1.

Description: When you set the value to 1, it specifies that if the ISA Server computer holds a session from an old instance of a program, that session is ended before the program is granted a new session. For example, you can use this setting if a program stops responding (hangs) or does not close the socket on which it was listening. By closing the old session, ISA Server immediately discovers that the program was ended and can release the port used by the old session immediately.

Entry name: Persistent

Possible values: 0 or 1.

Description: When you set the value to 1, a specific server state can be maintained on the ISA Server computer if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets when the server restarts.

Entry name: ForceProxy

Description: Use this entry to force a specific ISA Server computer for a specific WinSock program. This entry uses the following syntax, where  is either i for an IP address or n for a name, and   is the address or the name:

ForceProxy=[ ]:[ ]

If you use the n tag, the Firewall service only works over IP.

Entry name: ForceCredentials

Description: Use this entry when you are running a Microsoft Windows NT or Microsoft Windows 2000 service or server program as a Firewall client program. When you set the value to 1, it forces the use of different user authentication credentials that are stored locally on the computer that is running the service. You store the user credentials on the client computer using the Credtool.exe program that is provided with the Firewall Client software. User credentials must reference a user account that can be authenticated by ISA Server, either local to ISA Server or in a domain trusted by ISA Server. The user account is typically set not to expire; otherwise, you must renew user credentials each time the account expires.

Entry name: NameResolutionForLocalHost

Possible values: L (default), P, or E.

Description: Use this entry to specify how the local (client) computer name is resolved and when the gethostbyname function is called. The LocalHost computer name is resolved by calling the WinSock gethostbyname function by using the LocalHost string, an empty string, or a NULL string pointer. WinSock programs call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server.

When you set this entry to L, gethostbyname returns the IP addresses of the local host computer. When you set this entry to P, gethostbyname returns the IP addresses of the ISA Server computer. When you set this entry to E, gethostbyname returns only the external IP addresses of the ISA Server computer (the IP addresses that are not in the local address table).

Entry name: ControlChannel

Possible values: Wsp.udp (default) or Wsp.tcp.

Description: This entry specifies the type of the control channel that is used. Communication between the ISA Firewall client and the Firewall service is always on port 1745 (TCP or UDP, as configured).
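The section lookup order described under Advanced Client Configuration, together with the entries listed above, as an added Python example (not Microsoft's code): it resolves which single section applies to a program and flags entries that change how that program's traffic or credentials are handled. Case-insensitive matching of section and entry names, the fallback to Mspclnt.ini when no Wspcfg.ini exists, and the program name ftpd are assumptions.

```python
import configparser

# Lookup order from the article: per-program section, then [Common Configuration],
# first in Wspcfg.ini (program folder), then in Mspclnt.ini (server-managed).
COMMON = "common configuration"

def _sections(ini_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(ini_text or "")
    # Assumption: section and entry names are matched case-insensitively.
    return {name.lower(): dict(cp[name]) for name in cp.sections()}

def effective_section(exe_name, wspcfg_text, mspclnt_text):
    """Return (file, section, settings) for the first section found, or None."""
    app = exe_name.lower().removesuffix(".exe")
    for fname, text in (("Wspcfg.ini", wspcfg_text), ("Mspclnt.ini", mspclnt_text)):
        found = _sections(text)
        for section in (app, COMMON):
            if section in found:
                return fname, section, found[section]  # first hit wins, no merging
    return None

def review(settings):
    """Flag entries that change how the program's traffic or identity is handled."""
    notes = []
    if settings.get("disable") == "1":
        notes.append("Disable=1: Firewall service is disabled for this program")
    if settings.get("forceproxy"):
        notes.append(f"ForceProxy: program is pinned to {settings['forceproxy']}")
    if settings.get("forcecredentials") == "1":
        notes.append("ForceCredentials=1: uses credentials stored with Credtool.exe")
    if (settings.get("nameresolution") or "").upper() == "L":
        notes.append("NameResolution=L: all names are resolved on the local computer")
    return notes

# Constructed sample input; "ftpd" is a hypothetical program name.
WSPCFG = "[Common Configuration]\nDisable=1\n\n[ftpd]\nForceProxy=i:172.23.23.23\nForceCredentials=1\n"
MSPCLNT = "[Common Configuration]\nNameResolution=L\n\n[ftpd]\nDisable=0\n"

if __name__ == "__main__":
    for exe, local in (("ftpd.exe", WSPCFG), ("other.exe", WSPCFG), ("other.exe", None)):
        hit = effective_section(exe, local, MSPCLNT)
        print(exe, "->", hit[0], f"[{hit[1]}]", review(hit[2]))
```

Because only the first section found is used, a local Wspcfg.ini section replaces the server-managed Mspclnt.ini settings for that program rather than merging with them.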

Keywords: kbenv kbinfo KB323457


© Microsoft Corporation. All rights reserved.