Time for us to post over to the MVP list. To me, that totally sucks. I know
others may have a "who cares" attitude, but uncontrollable traffic (that
should be controllable) is a Bad Thing. Help us Jimbowan! You are our only
hope!

t

On 7/6/06 9:34 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Well, poke me in the eye with a stick. It doesn't work, and I tried
> every trick in the book. I must have had a trick to make it work in the
> past, but I certainly don't have it working now.
>
> Maybe that's why they left all the FWC settings documentation out of
> ISA Server 2006?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Thursday, July 06, 2006 10:59 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over
>> control channel
>>
>> I know I've had it working before.
>>
>> Let me check here.
>>
>> Tom
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>> Sent: Thursday, July 06, 2006 10:57 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over
>>> control channel
>>>
>>> So, rebooted both boxes. Verified the following settings on Firewall
>>> Client Configuration on the server:
>>>
>>> Application Entry Setting-
>>> Application: "Common Configuration"
>>> Key: "NameResolution" (selected from drop-down)
>>> Value: "L" (selected from drop-down)
>>>
>>> From the client, I disable the FWC, flush DNS, and try to ping
>>> "www.yahoo.com" from a command prompt. Resolution fails as it should,
>>> "can't find host."
>>>
>>> Enable the FWC, don't even bother flushing DNS (even given the "cached
>>> failed logons" crap that guy on BugTraq was talking about), ping
>>> "www.yahoo.com" and it resolves the IP. Of course, it can't ping, but
>>> the resolution was made.
>>>
>>> Logging this transaction, I see port 1745 from the client to the ISA
>>> and back again.
>>>
>>> What could be the problem? Can anyone else verify that this actually
>>> works for ISA2004? Jim's article was for ISA2000.
>>>
>>> Need to figga this out.
>>>
>>> Thx
>>> T
>>>
>>> On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>
>>>> Lemme know what happens.
>>>> Thanks!
>>>>
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7
>>>> MVP -- ISA Firewalls
>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Thursday, July 06, 2006 9:31 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over
>>>>> control channel
>>>>>
>>>>> Bingo! You understand my issue perfectly.
>>>>>
>>>>> Internal clients have no business resolving external names via the FWC
>>>>> unless I explicitly allow them to.
>>>>>
>>>>> I was not aware of the default behavior of the FWC in regard to DNS
>>>>> resolution, but now that I am, I need to change it.
>>>>>
>>>>> This is ISA2004, and I have set the parameters exactly as specified and
>>>>> it does not work. I'll try restarting both the ISA server and the client
>>>>> just for S&G to see what happens.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> t
>>>>>
>>>>> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>
>>>>>> OK, so it's not name resolution in general that's hurting your
>>>>>> feelings, it's that you don't want all applications to be able to have
>>>>>> the ISA firewall resolve names on the client's behalf. Is that correct?
>>>>>>
>>>>>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the
>>>>>> Web proxy client, but it's NOT OK to have the ISA firewall resolve
>>>>>> names on behalf of the Firewall client, because the Web proxy client is
>>>>>> the browser (and other applications that use the WinInet or WinHTTP
>>>>>> interfaces, I think), but it's NOT OK for all Winsock applications to
>>>>>> have names resolved on their behalf.
>>>>>>
>>>>>> All I can say is that it *should* work, at least for ISA Server 2000
>>>>>> and ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice
>>>>>> that in the RC, they've removed all documentation of FWC settings,
>>>>>> which doesn't bode well. But here's what it says in the ISA 2004 HF:
>>>>>>
>>>>>> NameResolution Possible values: L or R. By default, dotted decimal
>>>>>> notation or Internet domain names are redirected to the ISA Server
>>>>>> computer for name resolution and all other names are resolved on the
>>>>>> local computer. When the value is set to R, all names are redirected
>>>>>> to the ISA Server computer for resolution. When the value is set to L,
>>>>>> all names are resolved on the local computer.
>>>>>>
>>>>>> Thomas W Shinder, M.D.
>>>>>> Site: www.isaserver.org
>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>> MVP -- ISA Firewalls
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>> Sent: Thursday, July 06, 2006 9:05 PM
>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over
>>>>>>> control channel
>>>>>>>
>>>>>>> Whatchu talkin 'bout Willis?
>>>>>>>
>>>>>>> All the clients have internal DNS set. Internal DNS has root zones.
>>>>>>> From a command prompt (or some exploit) they cannot resolve external
>>>>>>> addresses. But when you set them as Web Proxy clients, they can, of
>>>>>>> course, use IE as the ISA server *does* have DNS configured, and has
>>>>>>> rules that allow it to query my external name server and my ISP's
>>>>>>> server cache (and *only* that server cache). That works just fine,
>>>>>>> and always has.
>>>>>>>
>>>>>>> There are a few special cases where I've needed the firewall client
>>>>>>> (those are not important to the subject.)
>>>>>>>
>>>>>>> As I have seen in the linked article (and others) a FWC machine will
>>>>>>> use the control channel (1745) to query DNS, and the ISA server will
>>>>>>> proxy that request even in a shell. I added the "L" parameter to the
>>>>>>> NameResolution tag, applied settings, refreshed the client, and it can
>>>>>>> still resolve external host names via the ISA server. There is no
>>>>>>> reason for the client to be able to do that, and I want to disable
>>>>>>> that.
>>>>>>>
>>>>>>> t
>>>>>>>
>>>>>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>
>>>>>>>> Wait a minute. How do the Firewall clients reach external resources
>>>>>>>> if the ISA firewall cannot perform name resolution on their behalf
>>>>>>>> and the clients don't have a DNS server configured on them to
>>>>>>>> resolve names?
>>>>>>>>
>>>>>>>> For that matter, how do the Web proxy clients resolve external
>>>>>>>> names? The mechanism is the same.
>>>>>>>>
>>>>>>>> Tom
>>>>>>>>
>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>> Site: www.isaserver.org
>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>>> Sent: Thursday, July 06, 2006 8:43 PM
>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution
>>>>>>>>> over control channel
>>>>>>>>>
>>>>>>>>> Yep.
>>>>>>>>>
>>>>>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>>
>>>>>>>>>> Did you refresh the Firewall client configuration?
>>>>>>>>>>
>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
>>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution
>>>>>>>>>>> over control channel
>>>>>>>>>>>
>>>>>>>>>>> OK- I added the config option with "L" as described, and it still
>>>>>>>>>>> doesn't stop it. What exactly is the option?
>>>>>>>>>>>
>>>>>>>>>>> t
>>>>>>>>>>>
>>>>>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>>>>
>>>>>>>>>>>> Tim,
>>>>>>>>>>>>
>>>>>>>>>>>> You can change this behavior in the FWC configuration settings.
>>>>>>>>>>>>
>>>>>>>>>>>> Jim will be sad that you didn't read his seminal article on this
>>>>>>>>>>>> subject:
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>>>>>>>>>>>
>>>>>>>>>>>> BTW -- post to the big boys list first ;)
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks!
>>>>>>>>>>>> Tom
>>>>>>>>>>>>
>>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>>>>>>>>>> To: ISA-MVP
>>>>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over control
>>>>>>>>>>>> channel
>>>>>>>>>>>>
>>>>>>>>>>>> Greetings:
>>>>>>>>>>>>
>>>>>>>>>>>> As some of you may know, I practice least privilege whenever
>>>>>>>>>>>> possible for all client access. Part of this strategy includes
>>>>>>>>>>>> configuring internal AD DNS as root zones (with no possible
>>>>>>>>>>>> forwarders.) In this way, internal clients can never have non
>>>>>>>>>>>> proxy-aware applications resolve external hosts. Almost all of my
>>>>>>>>>>>> clients are exclusively Web Proxy clients, which means that only
>>>>>>>>>>>> services available via IE settings can have the DNS resolution
>>>>>>>>>>>> proxied for them.
>>>>>>>>>>>>
>>>>>>>>>>>> However, in testing access with the Firewall Client, I have found
>>>>>>>>>>>> that no matter what I do, I cannot restrict a client running the
>>>>>>>>>>>> FWC from resolving external hosts via the FWC control channel. I
>>>>>>>>>>>> have no rules allowing DNS access from the internal network, have
>>>>>>>>>>>> ensured that the system policy only resolves to Domain Controllers
>>>>>>>>>>>> for DNS, ensured that only Local Host can look up DNS, and have
>>>>>>>>>>>> even explicitly denied Internal hosts from resolving DNS. Yet, if
>>>>>>>>>>>> a system has the FWC on it (and enabled) then they can resolve
>>>>>>>>>>>> external hosts.
>>>>>>>>>>>>
>>>>>>>>>>>> How do I stop this? And more importantly, are there any other FWC
>>>>>>>>>>>> control-channel policy exclusions that I should know about?
>>>>>>>>>>>>
>>>>>>>>>>>> Thnx
>>>>>>>>>>>> T
>>>>>>>>>>>>
>>>>>>>>>>>> ---
>>>>>>>>>>>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
>>>>>>>>>>>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx,
>>>>>>>>>>>> youremailaddress
>>>>>>>>>>>>
>>>>>>>>>>>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
>>>>>>>>>>>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
>>>>>>>>>>>> youremailaddress
>>>>>>>>>>>>
>>>>>>>>>>>> Don't forget the comma!
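Added example, not part of the thread and not ISA Server code: a small Python model of the NameResolution semantics quoted from the ISA 2004 help text above, plus a check that encodes Thor's two-step test (resolve with the FWC disabled, then enabled) so that a name resolving only when the Firewall Client is enabled, while the setting says it must stay local, is flagged. Treating "Internet domain name" as any name containing a dot is an assumption, as is the constructed test data.

```python
"""Model of the ISA 2004 Firewall Client NameResolution setting.

Quoted help text: by default, dotted-decimal addresses and Internet domain
names are redirected to the ISA Server for resolution and all other names are
resolved locally; R redirects every name, L resolves every name locally.
"""
import ipaddress


def resolves_via_isa(name, name_resolution=None):
    """True if the FWC would hand this lookup to the ISA Server's control channel."""
    mode = (name_resolution or "").strip().upper()
    if mode == "L":
        return False
    if mode == "R":
        return True
    if mode:
        raise ValueError("NameResolution must be L, R or unset, got %r" % name_resolution)
    # Default behaviour: dotted-decimal notation goes to the ISA Server.
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        pass
    # Assumption: an "Internet domain name" is any name with a dot in it
    # (www.yahoo.com); single-label names (fileserver) stay local.
    return "." in name.strip(".")


def control_channel_leaks(fwc_off_results, fwc_on_results, name_resolution=None):
    """Mirror of the test in the thread.

    Both arguments map hostname -> bool (did resolution succeed?). A name that
    fails with the FWC disabled but succeeds with it enabled was resolved over
    the control channel; return those for which the NameResolution setting
    says that must not happen.
    """
    leaks = []
    for name, ok_on in fwc_on_results.items():
        ok_off = fwc_off_results.get(name, False)
        if ok_on and not ok_off and not resolves_via_isa(name, name_resolution):
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    # Constructed data matching Thor's observation: FWC off fails, FWC on succeeds,
    # with Value "L" set. With L this is a leak; with the default it is expected.
    off = {"www.yahoo.com": False, "fileserver": True}
    on = {"www.yahoo.com": True, "fileserver": True}
    print("leaks with L:", control_channel_leaks(off, on, "L"))
    print("leaks with default:", control_channel_leaks(off, on))
```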