Well, poke me in the eye with a stick. It doesn't work, and I tried every trick in the book. I must have had a trick to make it work in the past, but I certainly don't have it working now. Maybe that's why they left all the FWC settings documentation out of ISA Server 2006?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Thursday, July 06, 2006 10:59 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> resolution over control channel
>
> I know I've had it working before.
>
> Let me check here.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > (Hammer of God)
> > Sent: Thursday, July 06, 2006 10:57 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > resolution over control channel
> >
> > So, rebooted both boxes. Verified the following settings on
> > Firewall Client Configuration on the server:
> >
> > Application Entry Setting-
> > Application: "Common Configuration"
> > Key: "NameResolution" (selected from drop-down)
> > Value: "L" (selected from drop-down)
> >
> > From the client, I disable the FWC, flush DNS, and try to ping
> > "www.yahoo.com" from a command prompt. Resolution fails as it should,
> > "can't find host."
> >
> > Enable the FWC, don't even bother flushing DNS (even given the "cached
> > failed logons" crap that guy on BugTraq was talking about), ping
> > "www.yahoo.com" and it resolves the IP. Of course, it can't ping, but the
> > resolution was made.
> >
> > Logging this transaction, I see port 1745 from the client to the ISA and
> > back again.
> >
> > What could be the problem? Can anyone else verify that this actually works
> > for ISA2004? Jim's article was for ISA2000.
> >
> > Need to figga this out.
> >
> > Thx
> > T
> >
> >
> >
> > On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > spoketh to all:
> >
> > > Lemme know what happens.
> > > Thanks!
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx
> > >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >> (Hammer of God)
> > >> Sent: Thursday, July 06, 2006 9:31 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >> resolution over control channel
> > >>
> > >> Bingo! You understand my issue perfectly.
> > >>
> > >> Internal clients have no business resolving external names via the FWC
> > >> unless I explicitly allow them to.
> > >>
> > >> I was not aware of the default behavior of the FWC in regard to DNS
> > >> resolution, but now that I am, I need to change it.
> > >>
> > >> This is ISA2004, and I have set the parameters exactly as specified and it
> > >> does not work. I'll try restarting both the ISA server and the client just
> > >> for S&G to see what happens.
> > >>
> > >> Thanks!
> > >>
> > >> t
> > >>
> > >>
> > >> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >> spoketh to all:
> > >>
> > >>> OK, so it's not name resolution in general that's hurting your feelings,
> > >>> it's that you don't want all applications to be able to have the ISA
> > >>> firewall resolve names on the client's behalf. Is that correct?
> > >>>
> > >>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
> > >>> proxy client, but it's NOT OK to have the ISA firewall resolve names on
> > >>> behalf of the Firewall client, because the Web proxy client is the
> > >>> browser (and other applications that use the WinInet or WinHTTP
> > >>> interfaces, I think), but it's NOT OK for all Winsock applications to
> > >>> have names resolved on their behalf.
> > >>>
> > >>> All I can say is that it *should* work, at least for ISA Server 2000 and
> > >>> ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
> > >>> the RC, they've removed all documentation of FWC settings, which doesn't
> > >>> forebode well. But here's what it says in the ISA 2004 HF:
> > >>>
> > >>> NameResolution Possible values: L or R. By default, dotted decimal
> > >>> notation or Internet domain names are redirected to the ISA Server
> > >>> computer for name resolution and all other names are resolved on the
> > >>> local computer. When the value is set to R, all names are redirected to
> > >>> the ISA Server computer for resolution. When the value is set to L, all
> > >>> names are resolved on the local computer.
> > >>>
> > >>> Thomas W Shinder, M.D.
> > >>> Site: www.isaserver.org
> > >>> Blog: http://blogs.isaserver.org/shinder/
> > >>> Book: http://tinyurl.com/3xqb7
> > >>> MVP -- ISA Firewalls
> > >>>
> > >>>
> > >>>
> > >>>> -----Original Message-----
> > >>>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >>>> (Hammer of God)
> > >>>> Sent: Thursday, July 06, 2006 9:05 PM
> > >>>> To: isapros@xxxxxxxxxxxxx
> > >>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >>>> resolution over control channel
> > >>>>
> > >>>>
> > >>>> Whatchu talkin 'bout Willis?
> > >>>>
> > >>>> All the clients have internal DNS set. Internal DNS has root
> > >>>> zones.
> > >>>> From a command prompt (or some exploit) they cannot resolve external
> > >>>> addresses.
> > >>>> But when you set them as Web Proxy clients, they can, of course, use IE as
> > >>>> the ISA server *does* have DNS configured, and has rules that allow it to
> > >>>> query my external name server and my ISP's server cache (and *only* that
> > >>>> server cache). That works just fine, and always has.
> > >>>>
> > >>>> There are a few special cases where I've needed the firewall client (those
> > >>>> are not important to the subject.)
> > >>>>
> > >>>> As I have seen in the linked article (and others) a FWC machine will use the
> > >>>> control channel (1745) to query DNS, and the ISA server will proxy that
> > >>>> request even in a shell. I added the "L" parameter to the NameResolution
> > >>>> tag, applied settings, refreshed the client, and it can still resolve
> > >>>> external host names via the ISA server. There is no reason for the client
> > >>>> to be able to do that, and I want to disable that.
> > >>>>
> > >>>> t
> > >>>>
> > >>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >>>> spoketh to all:
> > >>>>
> > >>>>> Wait a minute. How do the Firewall clients reach external resources if
> > >>>>> the ISA firewall cannot perform name resolution on their behalf and the
> > >>>>> clients don't have a DNS server configured on them to resolve names?
> > >>>>>
> > >>>>> For that matter, how do the Web proxy clients resolve external names?
> > >>>>> The mechanism is the same.
> > >>>>>
> > >>>>> Tom
> > >>>>>
> > >>>>> Thomas W Shinder, M.D.
> > >>>>> Site: www.isaserver.org
> > >>>>> Blog: http://blogs.isaserver.org/shinder/
> > >>>>> Book: http://tinyurl.com/3xqb7
> > >>>>> MVP -- ISA Firewalls
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>> -----Original Message-----
> > >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >>>>>> (Hammer of God)
> > >>>>>> Sent: Thursday, July 06, 2006 8:43 PM
> > >>>>>> To: isapros@xxxxxxxxxxxxx
> > >>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >>>>>> resolution over control channel
> > >>>>>>
> > >>>>>> Yep.
> > >>>>>>
> > >>>>>>
> > >>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >>>>>> spoketh to all:
> > >>>>>>
> > >>>>>>> Did you refresh the Firewall client configuration?
> > >>>>>>>
> > >>>>>>> Thomas W Shinder, M.D.
> > >>>>>>> Site: www.isaserver.org
> > >>>>>>> Blog: http://blogs.isaserver.org/shinder/
> > >>>>>>> Book: http://tinyurl.com/3xqb7
> > >>>>>>> MVP -- ISA Firewalls
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>> -----Original Message-----
> > >>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >>>>>>>> (Hammer of God)
> > >>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
> > >>>>>>>> To: isapros@xxxxxxxxxxxxx
> > >>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >>>>>>>> resolution over control channel
> > >>>>>>>>
> > >>>>>>>> OK- I added the config option with "L" as described, and it
> > >>>>>>>> still doesn't stop it. What exactly is the option?
> > >>>>>>>>
> > >>>>>>>> t
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >>>>>>>> spoketh to all:
> > >>>>>>>>
> > >>>>>>>>> Tim,
> > >>>>>>>>>
> > >>>>>>>>> You can change this behavior in the FWC configuration settings.
> > >>>>>>>>>
> > >>>>>>>>> Jim will be sad that you didn't read his seminal article on this
> > >>>>>>>>> subject:
> > >>>>>>>>>
> > >>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> > >>>>>>>>>
> > >>>>>>>>> BTW -- post to the big boys list first ;)
> > >>>>>>>>>
> > >>>>>>>>> Thanks!
> > >>>>>>>>> Tom
> > >>>>>>>>>
> > >>>>>>>>> Thomas W Shinder, M.D.
> > >>>>>>>>> Site: www.isaserver.org
> > >>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
> > >>>>>>>>> Book: http://tinyurl.com/3xqb7
> > >>>>>>>>> MVP -- ISA Firewalls
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>> -----Original Message-----
> > >>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
> > >>>>>>>>>> To: ISA-MVP
> > >>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over
> > >>>>>>>>>> control channel
> > >>>>>>>>>>
> > >>>>>>>>>> Greetings:
> > >>>>>>>>>>
> > >>>>>>>>>> As some of you may know, I practice least privilege whenever possible for
> > >>>>>>>>>> all client access. Part of this strategy includes configuring internal AD
> > >>>>>>>>>> DNS as root zones (with no possible forwarders.) In this way, internal
> > >>>>>>>>>> clients can never have non proxy-aware applications resolve external hosts.
> > >>>>>>>>>> Almost all of my clients are exclusively Web Proxy clients, which means that
> > >>>>>>>>>> only services available via IE settings can have the DNS resolution proxied
> > >>>>>>>>>> for them.
> > >>>>>>>>>>
> > >>>>>>>>>> However, in testing access with the Firewall Client, I have found that no
> > >>>>>>>>>> matter what I do, I cannot restrict a client running the FWC from resolving
> > >>>>>>>>>> external hosts via the FWC control channel.
> > >>>>>>>>>> I have no rules allowing DNS access from the internal network, have
> > >>>>>>>>>> ensured that the system policy only resolves to Domain Controllers for
> > >>>>>>>>>> DNS, ensured that only Local Host can look up DNS, and have even
> > >>>>>>>>>> explicitly denied Internal hosts from resolving DNS. Yet, if a system
> > >>>>>>>>>> has the FWC on it (and enabled) then they can resolve external hosts.
> > >>>>>>>>>>
> > >>>>>>>>>> How do I stop this? And more importantly, are there any other FWC
> > >>>>>>>>>> control-channel policy exclusions that I should know about?
> > >>>>>>>>>>
> > >>>>>>>>>> Thnx
> > >>>>>>>>>> T
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>> ---
> > >>>>>>>>>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
> > >>>>>>>>>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
> > >>>>>>>>>>
> > >>>>>>>>>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
> > >>>>>>>>>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
> > >>>>>>>>>>
> > >>>>>>>>>> Don't forget the comma!
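A small model of the NameResolution semantics Tom quotes from the ISA 2004 help, added here as an example and not code from the thread or from ISA Server: it reads the setting from a constructed INI-style fragment and reports which names a Firewall Client would hand to the ISA server over the control channel rather than its own DNS, so an admin can see what the default, "L" and "R" values each expose. The INI layout and the reading of "Internet domain names" as any dotted name are assumptions.

```python
"""Model the Firewall Client NameResolution setting (L / R / default)
as described in the ISA 2004 help text quoted in the thread.
Added example, not ISA Server's own code."""
import configparser
import ipaddress
from typing import Iterable, List, Optional

# Constructed FWC settings fragment. The section and key names match the
# "Common Configuration" / "NameResolution" entry from the thread; the
# INI layout itself is an assumption for this example.
SAMPLE_SETTINGS = """
[Common Configuration]
NameResolution=L
"""


def load_name_resolution(text: str) -> Optional[str]:
    """Return the NameResolution value ('L' or 'R') or None when unset."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    value = cp.get("Common Configuration", "NameResolution", fallback=None)
    return value.strip().upper() if value else None


def looks_like_internet_name(name: str) -> bool:
    """Assumption: 'dotted decimal notation or Internet domain names' means
    an IP literal or any name containing a dot; single-label names (an AD
    or NetBIOS short name) are the 'other names' resolved locally."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return "." in name.strip(".")


def resolution_target(name: str, setting: Optional[str]) -> str:
    """Where the FWC sends the lookup: 'isa' (redirected over the control
    channel to the ISA server) or 'local' (the client's own DNS)."""
    if setting == "R":
        return "isa"
    if setting == "L":
        return "local"
    # Key absent (or an unrecognised value, assumed to fall back): default rule.
    return "isa" if looks_like_internet_name(name) else "local"


def names_leaked_to_isa(names: Iterable[str], setting: Optional[str]) -> List[str]:
    """Audit helper: names that would leave the client via the ISA server
    instead of being answered by the internal root-zone DNS."""
    return [n for n in names if resolution_target(n, setting) == "isa"]
```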