Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Firewall Client Program Settings for Configuration Files Like Wspcfg.ini



Summary

When you configure Microsoft Internet Security and Acceleration (ISA) Server, you configure the array to which firewall client computers connect when they send requests to the Internet. You can specify the array by DNS name or by Internet protocol (IP) address.

After you install the client software, you can use either of the following methods to modify the server name to which the client connects:
  • Specify a different name on the ISA Server computer to which the client currently connects.
  • Specify a different name in the Firewall Client software.
The configuration changes take effect after the firewall configuration is refreshed. For more information, see the Firewall Client online help.



More information

Advanced Client Configuration

For most WinSock programs, you do not have to change the default Firewall Client configuration. However, in some situations, you may have to add client configuration information. You can store the client configuration information in one of the following locations:
  • Mspclnt.ini: This file is the global client configuration file that is located in the Firewall Client installation folder. The Mspclnt.ini file is periodically downloaded by the client from the ISA Server computer and it overwrites previous versions. As a result, if you make configuration changes at the ISA Server computer, the setting is automatically downloaded to the client.
  • Wspcfg.ini: This file is located in a specific client program folder. The ISA Server computer does not overwrite this file. As a result, if you make configuration changes in this file, these changes apply only to the specific client.
The Firewall Client software looks for a Wspcfg.ini file in the folder in which the client WinSock program is installed. If this file is found, Firewall Client looks for a [WSP_Client_App] section, where WSP_Client_App is the name of the WinSock program without the .exe file name extension. If this section does not exist, Firewall Client looks for the [Common Configuration] section. If this section also does not exist, Firewall Client looks for the same sections in the Mspclnt.ini file. Firewall Client uses only the first section that it finds during this search to apply the program-specific configuration settings.

Sample Wspcfg.ini file

The following text is an example of the [WSP_Client_App] section in a client configuration file:
[WSP_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:110.52.144.103, 82:110.51.0.0
KillOldSession=1
Persistent=1
ForceProxy=i:172.23.23.23
ForceCredentials=1
NameResolutionForLocalHost=L
The following list describes the possible entries that you can put in a configuration file for a WinSock program:
  • Entry name: Disable
    Possible values: 0 or 1.
    Description: When you set the value to 1, the Firewall service is disabled for the specific client program.
  • Entry name: NameResolution
    Possible values: L or R.
    Description: By default, dotted decimal notation or Internet domain names are redirected to the ISA Server computer for name resolution. All other names are resolved on the local computer. When you set the value to R, all names are redirected to the ISA Server computer for resolution. When you set the value to L, all names are resolved on the local computer.
  • Entry name: LocalBindTcpPorts
    Description: This entry specifies a Transmission Control Protocol (TCP) port, list, or range that is bound locally.
  • Entry name: LocalBindUdpPorts
    Description: This entry specifies a User Datagram Protocol (UDP) port, list, or range that is bound locally.
  • Entry name: RemoteBindTcpPorts
    Description: This entry specifies a TCP port, list, or range that is bound remotely.
  • Entry name: RemoteBindUdpPorts
    Description: This entry specifies a UDP port, list, or range that is bound remotely.
  • Entry name: ServerBindTcpPorts
    Description: This entry specifies a TCP port, list, or range for all ports that accept more than one connection.
  • Entry name: ProxyBindIp
    Description: This entry specifies an IP address or list that is used when the server binds with a corresponding port. Use this entry when multiple servers that use the same port have to bind to the same port on different IP addresses on the ISA Server computer. The entry uses the following syntax:
    ProxyBindIp=[port]:[IP address], [port]:[IP address]
    The port numbers apply to both TCP and UDP ports.
  • Entry name: KillOldSession
    Possible values: 0 or 1.
    Description: When you set the value to 1, any session that the ISA Server computer still holds from an old instance of a program is ended before the program is granted a new session. For example, you can use this setting if a program stops responding (hangs) or does not close the socket on which it was listening. By closing the old session, ISA Server immediately discovers that the program was ended and can release the port used by the old session immediately.
  • Entry name: Persistent
    Possible values: 0 or 1.
    Description: When you set the value to 1, a specific server state can be maintained on the ISA Server computer if a service is stopped and restarted and if the server is not responding. The client sends a keep-alive message to the server periodically during an active session. If the server is not responding, the client tries to restore the state of the bound and listening sockets when the server restarts.
  • Entry name: ForceProxy
    Description: Use this entry to force a specific ISA Server computer for a specific WinSock program. This entry uses the following syntax, where Tag is either i for an IP address or n for a name, and Entry is the address or the name:
    ForceProxy=[Tag]:[Entry]
    If you use the n tag, the Firewall service only works over IP.
  • Entry name: ForceCredentials
    Description: Use this entry when you are running a Microsoft Windows NT or Microsoft Windows 2000 service or server program as a Firewall client program. When you set the value to 1, it forces the use of different user authentication credentials that are stored locally on the computer that is running the service. You store the user credentials on the client computer using the Credtool.exe program that is provided with the Firewall Client software. User credentials must reference a user account that can be authenticated by ISA Server, either local to ISA Server or in a domain trusted by ISA Server. The user account is typically set not to expire; otherwise, you must renew user credentials each time the account expires.
  • Entry name: NameResolutionForLocalHost
    Possible values: L (default), P, or E.
    Description: Use this entry to specify how the local (client) computer name is resolved and when the gethostbyname function is called. The LocalHost computer name is resolved by calling the WinSock gethostbyname() function by using the LocalHost string, an empty string, or a NULL string pointer. WinSock programs call gethostbyname(LocalHost) to find their local IP address and send it to an Internet server.

    When you set this entry to L, gethostbyname() returns the IP addresses of the local host computer. When you set this entry to P, gethostbyname() returns the IP addresses of the ISA Server computer. When you set this entry to E, gethostbyname() returns only the external IP addresses of the ISA Server computer (the IP addresses that are not in the local address table).
  • Entry name: ControlChannel
    Possible Values: Wsp.udp (default) or Wsp.tcp.
    Description: This entry specifies the type of the control-channel that is used. Communication between the ISA Firewall client and the Firewall service is always on port 1745 (TCP or UDP, as configured).
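
The section search order described under Advanced Client Configuration, together with a check for three of the entries listed above, as an added Python example (not part of the original article and not Microsoft code). The program name gamesrv.exe, its path, the sample file contents, and the case-insensitive section match are assumptions made for illustration.

```python
import configparser
from pathlib import PureWindowsPath

def load_ini(text):
    """Parse INI text, keeping entry names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # do not lower-case entry names
    cp.read_string(text)
    return cp

def find_section(cp, wanted):
    """Assumption: section names match case-insensitively."""
    for name in cp.sections():
        if name.lower() == wanted.lower():
            return dict(cp[name])
    return None

def effective_settings(exe_path, wspcfg_text, mspclnt_text):
    """Return (file, section, entries) for the FIRST section found, searching
    Wspcfg.ini then Mspclnt.ini, program section before [Common Configuration].
    Pass None for a file that does not exist. Sections are never merged."""
    app = PureWindowsPath(exe_path).stem      # program name without .exe
    for fname, text in (("Wspcfg.ini", wspcfg_text), ("Mspclnt.ini", mspclnt_text)):
        if text is None:
            continue
        cp = load_ini(text)
        for section in (app, "Common Configuration"):
            entries = find_section(cp, section)
            if entries is not None:
                return fname, section, entries
    return None, None, {}

def review_flags(entries):
    """Entries worth surfacing in a client audit, per the article's descriptions."""
    flags = []
    if entries.get("Disable") == "1":
        flags.append("Disable=1: Firewall service disabled for this program")
    if "ForceProxy" in entries:
        flags.append("ForceProxy: program forced to a specific ISA Server computer")
    if entries.get("ForceCredentials") == "1":
        flags.append("ForceCredentials=1: uses locally stored credentials")
    return flags

# Constructed sample files for a hypothetical program gamesrv.exe
WSPCFG = "[Common Configuration]\nDisable=1\n"
MSPCLNT = "[gamesrv]\nDisable=0\nForceProxy=i:172.23.23.23\n[Common Configuration]\nNameResolution=R\n"

if __name__ == "__main__":
    fname, section, entries = effective_settings(r"C:\Apps\gamesrv.exe", WSPCFG, MSPCLNT)
    print(fname, section, entries, review_flags(entries))
```

With these sample files, the [Common Configuration] section of the local Wspcfg.ini is found first, so the [gamesrv] section that the server distributes in Mspclnt.ini is never read for this program.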



Keywords: KB323457, kbinfo, kbenv


Article Info
Article ID : 323457
Revision : 2
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False