[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2006 16:13:17 -0500

Tim,

You can change this behavior in the FWC configuration settings.

Jim will be sad that you didn't read his seminal article on this
subject:

http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html

BTW -- post to the big boys list first ;)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Thursday, July 06, 2006 4:03 PM
> To: ISA-MVP
> Subject: [ISAServer] Firewall client DNS resolution over 
> control channel
> 
> Greetings:
> 
> As some of you may know, I practice least privilege whenever 
> possible for
> all client access.  Part of this strategy includes 
> configuring internal AD
> DNS as root zones (with no possible forwarders.)  In this 
> way, internal
> clients can never have non proxy-aware applications resolve 
> external hosts.
> Almost all of my clients are exclusively Web Proxy clients, 
> which means that
> only services available via IE settings can have the DNS 
> resolution proxied
> for them.
> 
> However, in testing access with the Firewall Client, I have 
> found that no
> matter what I do, I cannot restrict a client running the FWC 
> from resolving
> external hosts via the FWC control channel.  I have no rules 
> allowing DNS
> access from the internal network, have ensured that the 
> system policy only
> resolves to Domain Controllers for DNS, ensured that only 
> Local Host can
> look up DNS, and have even explicitly denied Internal hosts 
> from resolving
> DNS.  Yet, if a system has the FWC on it (and enabled) then 
> they can resolve
> external hosts.  
> 
> How do I stop this?  And more importantly, are there any other FWC
> control-channel policy exclusions that I should know about?
> 
> Thnx
> T
> 

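The posture Thor describes (internal AD DNS hosting a root zone, no forwarders, so non-proxy-aware applications cannot resolve external names) can be audited from the server side. The script below is an added example for this thread, not code from either poster or from the ISA product; it uses the Windows DnsServer module cmdlets (Windows Server 2012 and later) and the server name `dc01.corp.example` and the probe name `www.example.com` are placeholders.

```powershell
# Added example (not from the thread): audit a Windows DNS server for the
# "root zone, no forwarders" posture, and confirm behaviourally that an
# external name does not resolve through it. Requires the DnsServer module.
param([string]$DnsServer = "dc01.corp.example")   # placeholder hostname

Import-Module DnsServer

$findings = @()

# 1. A root zone "." must be hosted; otherwise the server recurses via root hints.
$root = Get-DnsServerZone -ComputerName $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.ZoneName -eq "." }
if (-not $root) {
    $findings += "No root zone '.' is hosted; the server can recurse to the Internet."
}

# 2. No forwarders, and root hints not in use.
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
if ($fwd.IPAddress) {
    $findings += "Forwarders configured: $($fwd.IPAddress -join ', ')"
}
if ($fwd.UseRootHint) {
    $findings += "Root hints are still enabled."
}

# 3. Recursion disabled is the belt-and-braces setting.
$rec = Get-DnsServerRecursion -ComputerName $DnsServer
if ($rec.Enable) {
    $findings += "Recursion is enabled."
}

# 4. Behavioural check: an external name must fail to resolve via this server.
$probe = "www.example.com"   # placeholder external name
try {
    $null = Resolve-DnsName -Name $probe -Server $DnsServer -DnsOnly -ErrorAction Stop
    $findings += "External name $probe resolved through $DnsServer."
} catch {
    # Expected outcome when the root-zone posture holds: NXDOMAIN / no answer.
}

if ($findings.Count -eq 0) {
    "OK: $DnsServer hosts a root zone and does not resolve external names."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

This covers only the DNS-server side of the design. It says nothing about the Firewall Client path that the question is actually about: the FWC resolves names through the ISA server's own resolver over its control channel, so a client with the FWC installed and enabled can still obtain external answers even when every check above passes. That path is governed, as Tom notes, by the FWC configuration settings rather than by DNS server policy.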