[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2006 22:59:29 -0500

I know I've had it working before.

Let me check here.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Thursday, July 06, 2006 10:57 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS 
> resolution over control channel
> 
> So, rebooted both boxes.  Verified the following settings on Firewall Client
> Configuration on the server:
> 
> Application Entry Setting-
> Application: "Common Configuration"
> Key: "NameResolution" (selected from drop-down)
> Value: "L" (selected from drop-down)
> 
> From the client, I disable the FWC, flush DNS, and try to ping
> "www.yahoo.com" from a command prompt.  Resolution fails as it should,
> "can't find host."
> 
> Enable the FWC, don't even bother flushing DNS (even given the "cached
> failed logons" crap that guy on BugTraq was talking about), ping
> "www.yahoo.com" and it resolves the IP.  Of course, it can't ping, but the
> resolution was made.
> 
> Logging this transaction, I see port 1745 from the client to the ISA and
> back again.
> 
> What could be the problem?  Can anyone else verify that this actually works
> for ISA2004?  Jim's article was for ISA2000.
> 
> Need to figga this out.
> 
> Thx
> T
> 
> 
> 
> On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> 
> spoketh to all:
> 
> > Lemme know what happens.
> > Thanks!
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >> (Hammer of God)
> >> Sent: Thursday, July 06, 2006 9:31 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> >> resolution over control channel
> >> 
> >> Bingo!  You understand my issue perfectly.
> >> 
> >> Internal clients have no business resolving external names via the FWC
> >> unless I explicitly allow them to.
> >> 
> >> I was not aware of the default behavior of the FWC in regard to DNS
> >> resolution, but now that I am, I need to change it.
> >> 
> >> This is ISA2004, and I have set the parameters exactly as specified and it
> >> does not work.  I'll try restarting both the ISA server and the client just
> >> for S&G to see what happens.
> >> 
> >> Thanks!
> >> 
> >> t
> >> 
> >> 
> >> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> spoketh to all:
> >> 
> >>> OK, so it's not name resolution in general that's hurting your feelings,
> >>> it's that you don't want all applications to be able to have the ISA
> >>> firewall resolve names on the client's behalf. Is that correct?
> >>> 
> >>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
> >>> proxy client, but it's NOT OK to have the ISA firewall resolve names on
> >>> behalf of the Firewall client, because the Web proxy client is the
> >>> browser (and other applications that use the WinInet or WinHTTP
> >>> interfaces, I think), but it's NOT OK for all Winsock applications to
> >>> have names resolved on their behalf.
> >>> 
> >>> All I can say is that it *should* work, at least for ISA Server 2000 and
> >>> ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
> >>> the RC, they've removed all documentation of FWC settings, which doesn't
> >>> bode well. But here's what it says in the ISA 2004 HF:
> >>> 
> >>> NameResolution Possible values: L or R. By default, dotted decimal
> >>> notation or Internet domain names are redirected to the ISA Server
> >>> computer for name resolution and all other names are resolved on the
> >>> local computer. When the value is set to R, all names are redirected to
> >>> the ISA Server computer for resolution. When the value is set to L, all
> >>> names are resolved on the local computer.
> >>> 
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>> 
> >>>  
> >>> 
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >>>> (Hammer of God)
> >>>> Sent: Thursday, July 06, 2006 9:05 PM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> >>>> resolution over control channel
> >>>> 
> >>>> 
> >>>> Whatchu talkin 'bout Willis?
> >>>> 
> >>>> All the clients have internal DNS set.  Internal DNS has root zones.  From a
> >>>> command prompt (or some exploit) they cannot resolve external addresses.
> >>>> But when you set them as Web Proxy clients, they can, of course, use IE as
> >>>> the ISA server *does* have DNS configured, and has rules that allow it to
> >>>> query my external name server and my ISP's server cache (and *only* that
> >>>> server cache).  That works just fine, and always has.
> >>>> 
> >>>> There are a few special cases where I've needed the firewall client (those
> >>>> are not important to the subject.)
> >>>> 
> >>>> As I have seen in the linked article (and others) a FWC machine will use the
> >>>> control channel (1745) to query DNS, and the ISA server will proxy that
> >>>> request even in a shell.  I added the "L" parameter to the NameResolution
> >>>> tag, applied settings, refreshed the client, and it can still resolve
> >>>> external host names via the ISA server.  There is no reason for the client
> >>>> to be able to do that, and I want to disable that.
> >>>> 
> >>>> t
> >>>> 
> >>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >>>> spoketh to all:
> >>>> 
> >>>>> Wait a minute. How do the Firewall clients reach external resources if
> >>>>> the ISA firewall cannot perform name resolution on their behalf and the
> >>>>> clients don't have a DNS server configured on them to resolve names?
> >>>>> 
> >>>>> For that matter, how do the Web proxy clients resolve external names?
> >>>>> The mechanism is the same.
> >>>>> 
> >>>>> Tom
> >>>>> 
> >>>>> Thomas W Shinder, M.D.
> >>>>> Site: www.isaserver.org
> >>>>> Blog: http://blogs.isaserver.org/shinder/
> >>>>> Book: http://tinyurl.com/3xqb7
> >>>>> MVP -- ISA Firewalls
> >>>>> 
> >>>>>  
> >>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >>>>>> (Hammer of God)
> >>>>>> Sent: Thursday, July 06, 2006 8:43 PM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> >>>>>> resolution over control channel
> >>>>>> 
> >>>>>> Yep.  
> >>>>>> 
> >>>>>> 
> >>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >>>>>> spoketh to all:
> >>>>>> 
> >>>>>>> Did you refresh the Firewall client configuration?
> >>>>>>> 
> >>>>>>> Thomas W Shinder, M.D.
> >>>>>>> Site: www.isaserver.org
> >>>>>>> Blog: http://blogs.isaserver.org/shinder/
> >>>>>>> Book: http://tinyurl.com/3xqb7
> >>>>>>> MVP -- ISA Firewalls
> >>>>>>> 
> >>>>>>>  
> >>>>>>> 
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >>>>>>>> (Hammer of God)
> >>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
> >>>>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> >>>>>>>> resolution over control channel
> >>>>>>>> 
> >>>>>>>> OK- I added the config option with "L" as described, and it still doesn't
> >>>>>>>> stop it.  What exactly is the option?
> >>>>>>>> 
> >>>>>>>> t
> >>>>>>>> 
> >>>>>>>> 
> >>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >>>>>>>> spoketh to all:
> >>>>>>>> 
> >>>>>>>>> Tim,
> >>>>>>>>> 
> >>>>>>>>> You can change this behavior in the FWC configuration settings.
> >>>>>>>>> 
> >>>>>>>>> Jim will be sad that you didn't read his seminal article on this
> >>>>>>>>> subject:
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> >>>>>>>>> 
> >>>>>>>>> BTW -- post to the big boys list first ;)
> >>>>>>>>> 
> >>>>>>>>> Thanks!
> >>>>>>>>> Tom
> >>>>>>>>> 
> >>>>>>>>> Thomas W Shinder, M.D.
> >>>>>>>>> Site: www.isaserver.org
> >>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
> >>>>>>>>> Book: http://tinyurl.com/3xqb7
> >>>>>>>>> MVP -- ISA Firewalls
> >>>>>>>>> 
> >>>>>>>>>  
> >>>>>>>>> 
> >>>>>>>>>> -----Original Message-----
> >>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
> >>>>>>>>>> To: ISA-MVP
> >>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over
> >>>>>>>>>> control channel
> >>>>>>>>>> 
> >>>>>>>>>> Greetings:
> >>>>>>>>>> 
> >>>>>>>>>> As some of you may know, I practice least privilege whenever
> >>>>>>>>>> possible for all client access.  Part of this strategy includes
> >>>>>>>>>> configuring internal AD DNS as root zones (with no possible
> >>>>>>>>>> forwarders.)  In this way, internal clients can never have non
> >>>>>>>>>> proxy-aware applications resolve external hosts.  Almost all of my
> >>>>>>>>>> clients are exclusively Web Proxy clients, which means that only
> >>>>>>>>>> services available via IE settings can have the DNS resolution
> >>>>>>>>>> proxied for them.
> >>>>>>>>>> 
> >>>>>>>>>> However, in testing access with the Firewall Client, I have found
> >>>>>>>>>> that no matter what I do, I cannot restrict a client running the FWC
> >>>>>>>>>> from resolving external hosts via the FWC control channel.  I have
> >>>>>>>>>> no rules allowing DNS access from the internal network, have ensured
> >>>>>>>>>> that the system policy only resolves to Domain Controllers for DNS,
> >>>>>>>>>> ensured that only Local Host can look up DNS, and have even
> >>>>>>>>>> explicitly denied Internal hosts from resolving DNS.  Yet, if a
> >>>>>>>>>> system has the FWC on it (and enabled) then they can resolve
> >>>>>>>>>> external hosts.
> >>>>>>>>>> 
> >>>>>>>>>> How do I stop this?  And more importantly, are there any other FWC
> >>>>>>>>>> control-channel policy exclusions that I should know about?
> >>>>>>>>>> 
> >>>>>>>>>> Thnx
> >>>>>>>>>> T
> >>>>>>>>>> 

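Added example, not part of the thread and not ISA or Firewall Client tooling: a small Python probe that repeats the check Thor describes (ping from a command prompt with the FWC enabled, then disabled) in a form that says who actually answered. It resolves the name twice: once through the OS resolver, which is the Winsock path that ping and other Winsock applications use and that the Firewall Client hooks, and once by sending a hand-built A query straight to the internal DNS server over UDP/53. If the Winsock lookup succeeds while the internal DNS server itself returns NXDOMAIN or no answer, something other than that server resolved the name, which on a FWC machine means the control channel to ISA. Assumptions: the hostname and the internal DNS server address are supplied on the command line (www.yahoo.com and 10.0.0.10 below are placeholders), the DNS server is a local address for the Firewall Client so the raw query is not itself proxied, and the Windows resolver cache has been flushed first (ipconfig /flushdns), or the cache rather than the FWC may supply the Winsock answer. The sample response packet in the test is constructed for this example.

```python
# Added example (not from the thread or from ISA): compare Winsock resolution
# with a raw query to the internal DNS server to see who answered a lookup.
import random
import socket
import struct


def build_query(name, qid=None):
    """Build a standard recursive A query for `name` (no EDNS, QCLASS IN)."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD bit set, 1 question
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a DNS name at `off`, handling compression pointers."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, and the name ends here
            return off + 2
        if length == 0:             # root label terminates an uncompressed name
            return off + 1
        off += 1 + length


def parse_a_records(resp, expected_id):
    """Return the A-record IPs in `resp`; [] on bad ID, short packet or RCODE != 0."""
    if len(resp) < 12:
        return []
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id or flags & 0x000F != 0:   # e.g. RCODE 3 = NXDOMAIN
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4             # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def raw_resolve(name, dns_server, timeout=2.0):
    """Ask `dns_server` directly over UDP/53, bypassing the Winsock resolver hooks.
    Assumes dns_server is a local address for the FWC, so this socket is not proxied."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (dns_server, 53))
            resp, _ = s.recvfrom(512)
        except OSError:             # timeout or unreachable: treat as no answer
            return []
    return parse_a_records(resp, qid)


def winsock_resolve(name):
    """Resolve through the OS resolver, the path ping and other Winsock apps use."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []


def classify(winsock_ips, raw_ips):
    """Label the outcome of the two lookups."""
    if not winsock_ips:
        return "blocked"        # nothing resolved the name: the intended state
    if raw_ips:
        return "local-dns"      # the internal DNS server itself answered
    return "proxied"            # Winsock got an answer the local DNS could not give


if __name__ == "__main__":
    import sys
    host, server = sys.argv[1], sys.argv[2]   # placeholders: www.yahoo.com 10.0.0.10
    w, r = winsock_resolve(host), raw_resolve(host, server)
    print(f"winsock={w} raw={r} -> {classify(w, r)}")
```

Run it once with the Firewall Client enabled and once with it disabled; "proxied" on the first run and "blocked" on the second is the behaviour Thor is reporting, and "blocked" on both is what a working NameResolution=L setting should produce.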