[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2006 23:34:13 -0500

Well, poke me in the eye with a stick. It doesn't work, and I tried
every trick in the book. I must have had a trick to make it work in the
past, but I certainly don't have it working now.

Maybe that's why they left all the FWC settings documentation out of
ISA Server 2006?



Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Thursday, July 06, 2006 10:59 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS 
> resolution over control channel
> 
> I know I've had it working before.
> 
> Let me check here.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> > (Hammer of God)
> > Sent: Thursday, July 06, 2006 10:57 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: [ISAServer] Firewall client DNS 
> > resolution over control channel
> > 
> > So, rebooted both boxes.  Verified the following settings on 
> > Firewall Client
> > Configuration on the server:
> > 
> > Application Entry Setting-
> > Application: "Common Configuration"
> > Key: "NameResolution" (selected from drop-down)
> > Value: "L" (selected from drop-down)
> > 
> > From the client, I disable the FWC, flush DNS, and try to ping
> > "www.yahoo.com" from a command prompt.  Resolution fails as it should,
> > "can't find host."
> > 
> > Enable the FWC, don't even bother flushing DNS (even given the "cached
> > failed logons" crap that guy on BugTraq was talking about), ping
> > "www.yahoo.com" and it resolves the IP.  Of course, it can't ping, but the
> > resolution was made.
> > 
> > Logging this transaction, I see port 1745 from the client to the ISA and
> > back again.
> > 
> > What could be the problem?  Can anyone else verify that this actually works
> > for ISA2004?  Jim's article was for ISA2000.
> > 
> > Need to figga this out.
> > 
> > Thx
> > T
> > 
> > 
> > 
> > On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> 
> > spoketh to all:
> > 
> > > Lemme know what happens.
> > > Thanks!
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > 
> > >  
> > > 
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx
> > >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >> (Hammer of God)
> > >> Sent: Thursday, July 06, 2006 9:31 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >> resolution over control channel
> > >> 
> > >> Bingo!  You understand my issue perfectly.
> > >> 
> > >> Internal clients have no business resolving external names via the FWC
> > >> unless I explicitly allow them to.
> > >> 
> > >> I was not aware of the default behavior of the FWC in regard to DNS
> > >> resolution, but now that I am, I need to change it.
> > >> 
> > >> This is ISA2004, and I have set the parameters exactly as specified and it
> > >> does not work.  I'll try restarting both the ISA server and the client just
> > >> for S&G to see what happens.
> > >> 
> > >> Thanks!
> > >> 
> > >> t
> > >> 
> > >> 
> > >> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >> spoketh to all:
> > >> 
> > >>> OK, so it's not name resolution in general that's hurting your feelings,
> > >>> it's that you don't want all applications to be able to have the ISA
> > >>> firewall resolve names on the client's behalf. Is that correct?
> > >>> 
> > >>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
> > >>> proxy client, but it's NOT OK to have the ISA firewall resolve names on
> > >>> behalf of the Firewall client, because the Web proxy client is the
> > >>> browser (and other applications that use the WinInet or WinHTTP
> > >>> interfaces, I think), but it's NOT OK for all Winsock applications to
> > >>> have names resolved on their behalf.
> > >>> 
> > >>> All I can say is that it *should* work, at least for ISA Server 2000 and
> > >>> ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
> > >>> the RC, they've removed all documentation of FWC settings, which doesn't
> > >>> forebode well. But here's what it says in the ISA 2004 HF:
> > >>> 
> > >>> NameResolution: Possible values: L or R. By default, dotted decimal
> > >>> notation or Internet domain names are redirected to the ISA Server
> > >>> computer for name resolution and all other names are resolved on the
> > >>> local computer. When the value is set to R, all names are redirected to
> > >>> the ISA Server computer for resolution. When the value is set to L, all
> > >>> names are resolved on the local computer.
> > >>> 
> > >>> Thomas W Shinder, M.D.
> > >>> Site: www.isaserver.org
> > >>> Blog: http://blogs.isaserver.org/shinder/
> > >>> Book: http://tinyurl.com/3xqb7
> > >>> MVP -- ISA Firewalls
> > >>> 
> > >>>  
> > >>> 
> > >>>> -----Original Message-----
> > >>>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >>>> (Hammer of God)
> > >>>> Sent: Thursday, July 06, 2006 9:05 PM
> > >>>> To: isapros@xxxxxxxxxxxxx
> > >>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >>>> resolution over control channel
> > >>>> 
> > >>>> 
> > >>>> Whatchu talkin 'bout Willis?
> > >>>> 
> > >>>> All the clients have internal DNS set.  Internal DNS has root zones.
> > >>>> From a command prompt (or some exploit) they cannot resolve external
> > >>>> addresses.  But when you set them as Web Proxy clients, they can, of
> > >>>> course, use IE as the ISA server *does* have DNS configured, and has
> > >>>> rules that allow it to query my external name server and my ISP's
> > >>>> server cache (and *only* that server cache).  That works just fine, and
> > >>>> always has.
> > >>>> 
> > >>>> There are a few special cases where I've needed the firewall client
> > >>>> (those are not important to the subject.)
> > >>>> 
> > >>>> As I have seen in the linked article (and others) a FWC machine will
> > >>>> use the control channel (1745) to query DNS, and the ISA server will
> > >>>> proxy that request even in a shell.  I added the "L" parameter to the
> > >>>> NameResolution tag, applied settings, refreshed the client, and it can
> > >>>> still resolve external host names via the ISA server.  There is no
> > >>>> reason for the client to be able to do that, and I want to disable that.
> > >>>> 
> > >>>> t
> > >>>> 
> > >>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >>>> spoketh to all:
> > >>>> 
> > >>>>> Wait a minute. How do the Firewall clients reach external resources if
> > >>>>> the ISA firewall cannot perform name resolution on their behalf and the
> > >>>>> clients don't have a DNS server configured on them to resolve names?
> > >>>>> 
> > >>>>> For that matter, how do the Web proxy clients resolve external names?
> > >>>>> The mechanism is the same.
> > >>>>> 
> > >>>>> Tom
> > >>>>> 
> > >>>>> Thomas W Shinder, M.D.
> > >>>>> Site: www.isaserver.org
> > >>>>> Blog: http://blogs.isaserver.org/shinder/
> > >>>>> Book: http://tinyurl.com/3xqb7
> > >>>>> MVP -- ISA Firewalls
> > >>>>> 
> > >>>>>  
> > >>>>> 
> > >>>>>> -----Original Message-----
> > >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >>>>>> (Hammer of God)
> > >>>>>> Sent: Thursday, July 06, 2006 8:43 PM
> > >>>>>> To: isapros@xxxxxxxxxxxxx
> > >>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >>>>>> resolution over control channel
> > >>>>>> 
> > >>>>>> Yep.  
> > >>>>>> 
> > >>>>>> 
> > >>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >>>>>> spoketh to all:
> > >>>>>> 
> > >>>>>>> Did you refresh the Firewall client configuration?
> > >>>>>>> 
> > >>>>>>> Thomas W Shinder, M.D.
> > >>>>>>> Site: www.isaserver.org
> > >>>>>>> Blog: http://blogs.isaserver.org/shinder/
> > >>>>>>> Book: http://tinyurl.com/3xqb7
> > >>>>>>> MVP -- ISA Firewalls
> > >>>>>>> 
> > >>>>>>>  
> > >>>>>>> 
> > >>>>>>>> -----Original Message-----
> > >>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> > >>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > >>>>>>>> (Hammer of God)
> > >>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
> > >>>>>>>> To: isapros@xxxxxxxxxxxxx
> > >>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> > >>>>>>>> resolution over control channel
> > >>>>>>>> 
> > >>>>>>>> OK- I added the config option with "L" as described, and it still
> > >>>>>>>> doesn't stop it.  What exactly is the option?
> > >>>>>>>> 
> > >>>>>>>> t
> > >>>>>>>> 
> > >>>>>>>> 
> > >>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >>>>>>>> spoketh to all:
> > >>>>>>>> 
> > >>>>>>>>> Tim,
> > >>>>>>>>> 
> > >>>>>>>>> You can change this behavior in the FWC configuration settings.
> > >>>>>>>>> 
> > >>>>>>>>> Jim will be sad that you didn't read his seminal article on this
> > >>>>>>>>> subject:
> > >>>>>>>>> 
> > >>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> > >>>>>>>>> 
> > >>>>>>>>> BTW -- post to the big boys list first ;)
> > >>>>>>>>> 
> > >>>>>>>>> Thanks!
> > >>>>>>>>> Tom
> > >>>>>>>>> 
> > >>>>>>>>> Thomas W Shinder, M.D.
> > >>>>>>>>> Site: www.isaserver.org
> > >>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
> > >>>>>>>>> Book: http://tinyurl.com/3xqb7
> > >>>>>>>>> MVP -- ISA Firewalls
> > >>>>>>>>> 
> > >>>>>>>>>  
> > >>>>>>>>> 
> > >>>>>>>>>> -----Original Message-----
> > >>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
> > >>>>>>>>>> To: ISA-MVP
> > >>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over
> > >>>>>>>>>> control channel
> > >>>>>>>>>> 
> > >>>>>>>>>> Greetings:
> > >>>>>>>>>> 
> > >>>>>>>>>> As some of you may know, I practice least privilege whenever
> > >>>>>>>>>> possible for all client access.  Part of this strategy includes
> > >>>>>>>>>> configuring internal AD DNS as root zones (with no possible
> > >>>>>>>>>> forwarders.)  In this way, internal clients can never have non
> > >>>>>>>>>> proxy-aware applications resolve external hosts.  Almost all of my
> > >>>>>>>>>> clients are exclusively Web Proxy clients, which means that only
> > >>>>>>>>>> services available via IE settings can have the DNS resolution
> > >>>>>>>>>> proxied for them.
> > >>>>>>>>>> 
> > >>>>>>>>>> However, in testing access with the Firewall Client, I have found
> > >>>>>>>>>> that no matter what I do, I cannot restrict a client running the
> > >>>>>>>>>> FWC from resolving external hosts via the FWC control channel.  I
> > >>>>>>>>>> have no rules allowing DNS access from the internal network, have
> > >>>>>>>>>> ensured that the system policy only resolves to Domain Controllers
> > >>>>>>>>>> for DNS, ensured that only Local Host can look up DNS, and have
> > >>>>>>>>>> even explicitly denied Internal hosts from resolving DNS.  Yet, if
> > >>>>>>>>>> a system has the FWC on it (and enabled) then they can resolve
> > >>>>>>>>>> external hosts.
> > >>>>>>>>>> 
> > >>>>>>>>>> How do I stop this?  And more importantly, are there any other FWC
> > >>>>>>>>>> control-channel policy exclusions that I should know about?
> > >>>>>>>>>> 
> > >>>>>>>>>> Thnx
> > >>>>>>>>>> T
> > >>>>>>>>>> 
> > >>>>>>>>>> 
> > >>>>>>>>>> ---
> > >>>>>>>>>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
> > >>>>>>>>>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
> > >>>>>>>>>> 
> > >>>>>>>>>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
> > >>>>>>>>>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
> > >>>>>>>>>> 
> > >>>>>>>>>> Don't forget the comma!
> > >>>>>>>>>> 
> > >>>>>>>>>> 
> 
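Added example, not code from the thread, from ISA Server, or from Microsoft: a small model of the Firewall Client "NameResolution" setting exactly as the ISA 2004 help text quoted in the thread describes it, so an administrator can list which names a FWC host would hand to the ISA Server for resolution under the default, "R", and "L". Two readings are assumptions not stated on the page: "dotted decimal notation" is taken to mean a valid IPv4 literal, and "Internet domain name" is taken to mean any multi-label name (one containing a dot). The sample names and the 198.51.100.7 address are constructed.

```python
# Added example (not from the thread, ISA Server, or Microsoft): a model of
# the documented FWC "NameResolution" setting. Default (key absent): dotted
# decimal or Internet domain names go to the ISA Server, everything else is
# resolved locally. "R": everything goes to the ISA Server. "L": everything
# is resolved locally.
#
# Assumptions not stated on the page: "dotted decimal notation" = a valid
# IPv4 literal; "Internet domain name" = any name containing a dot.
# Single-label names such as "fileserver" therefore count as local names.
import ipaddress
from typing import Iterable, List, Optional

LOCAL = "local"  # resolved by the client's own DNS configuration
ISA = "isa"      # redirected over the FWC control channel (TCP 1745) to the ISA Server


def is_dotted_decimal(name: str) -> bool:
    """True when the name is an IPv4 literal such as 198.51.100.7 (assumption)."""
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:  # AddressValueError is a ValueError subclass
        return False


def is_internet_domain_name(name: str) -> bool:
    """True when the name has more than one label (assumption, see header)."""
    return "." in name.strip(".")


def resolver_for(name: str, name_resolution: Optional[str] = None) -> str:
    """Return which side resolves `name` under the given NameResolution value.

    name_resolution: None for the default (key absent), or "L" / "R" as in
    the quoted help text. Any other value is rejected rather than silently
    treated as the default, so a typo in the setting is visible.
    """
    if name_resolution is None:
        if is_dotted_decimal(name) or is_internet_domain_name(name):
            return ISA
        return LOCAL
    mode = name_resolution.strip().upper()
    if mode == "R":
        return ISA
    if mode == "L":
        return LOCAL
    raise ValueError(f"unsupported NameResolution value: {name_resolution!r}")


def names_sent_to_isa(names: Iterable[str], name_resolution: Optional[str] = None) -> List[str]:
    """Subset of `names` that leave the client for the ISA Server to resolve."""
    return [n for n in names if resolver_for(n, name_resolution) == ISA]


# Constructed sample: names a Winsock application on an internal client might
# look up. 198.51.100.7 is a documentation address, not a real host.
SAMPLE_NAMES = ["www.yahoo.com", "198.51.100.7", "fileserver", "dc01.corp.example"]


if __name__ == "__main__":
    for setting in (None, "R", "L"):
        label = "default (key absent)" if setting is None else setting
        print(f"NameResolution = {label}: sent to ISA -> {names_sent_to_isa(SAMPLE_NAMES, setting)}")
```

Two things worth noting. First, under the default and this reading of "Internet domain name", an internal FQDN such as dc01.corp.example is also handed to the ISA Server rather than the local resolver; "L" is the only documented value that keeps every lookup on the client, which is why it is the setting the thread is trying to make stick. Second, the thread reports that "L" did not take effect on the poster's ISA 2004 system, so this model describes documented intent, not observed behaviour; the empirical check described in the thread (disable the FWC, flush DNS, ping an external name and expect failure, then enable the FWC, ping again, and watch the ISA log for the 1745 control-channel connection) is what actually tells you whether the setting is honoured.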
