I *knew* you'd know ;)

t

On 7/6/06 9:55 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> There is a way, but as you've discovered, it's different for ISA 2004.
> Lemme dig into my archivvies and I'll respond ASAP...
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
> Sent: Thu 7/6/2006 9:42 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>
> Time for us to post over to the MVP list.
>
> To me, that totally sucks. I know others may have a "who cares" attitude,
> but uncontrollable traffic (that should be controllable) is a Bad Thing.
>
> Help us Jimbowan! You are our only hope!
>
> t
>
> On 7/6/06 9:34 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>
>> Well, poke me in the eye with a stick. It doesn't work, and I tried
>> every trick in the book. I must have had a trick to make it work in the
>> past, but I certainly don't have it working now.
>>
>> Maybe that's why they left all the FWC settings documentation out of
>> ISA Server 2006?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Thursday, July 06, 2006 10:59 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>
>>> I know I've had it working before.
>>>
>>> Let me check here.
>>>
>>> Tom
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>> Sent: Thursday, July 06, 2006 10:57 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>
>>>> So, rebooted both boxes. Verified the following settings on Firewall Client
>>>> Configuration on the server:
>>>>
>>>> Application Entry Setting-
>>>> Application: "Common Configuration"
>>>> Key: "NameResolution" (selected from drop-down)
>>>> Value: "L" (selected from drop-down)
>>>>
>>>> From the client, I disable the FWC, flush DNS, and try to ping
>>>> "www.yahoo.com" from a command prompt. Resolution fails as it should,
>>>> "can't find host."
>>>>
>>>> Enable the FWC, don't even bother flushing DNS (even given the "cached
>>>> failed logons" crap that guy on BugTraq was talking about), ping
>>>> "www.yahoo.com" and it resolves the IP. Of course, it can't ping, but the
>>>> resolution was made.
>>>>
>>>> Logging this transaction, I see port 1745 from the client to the ISA and
>>>> back again.
>>>>
>>>> What could be the problem? Can anyone else verify that this actually works
>>>> for ISA2004? Jim's article was for ISA2000.
>>>>
>>>> Need to figga this out.
>>>>
>>>> Thx
>>>> T
>>>>
>>>> On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>
>>>>> Lemme know what happens.
>>>>> Thanks!
>>>>>
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- ISA Firewalls
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>> Sent: Thursday, July 06, 2006 9:31 PM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>
>>>>>> Bingo! You understand my issue perfectly.
>>>>>>
>>>>>> Internal clients have no business resolving external names via the FWC
>>>>>> unless I explicitly allow them to.
>>>>>>
>>>>>> I was not aware of the default behavior of the FWC in regard to DNS
>>>>>> resolution, but now that I am, I need to change it.
>>>>>>
>>>>>> This is ISA2004, and I have set the parameters exactly as specified and it
>>>>>> does not work. I'll try restarting both the ISA server and the client just
>>>>>> for S&G to see what happens.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> t
>>>>>>
>>>>>> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>
>>>>>>> OK, so it's not name resolution in general that's hurting your feelings,
>>>>>>> it's that you don't want all applications to be able to have the ISA
>>>>>>> firewall resolve names on the client's behalf. Is that correct?
>>>>>>>
>>>>>>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
>>>>>>> proxy client, but it's NOT OK to have the ISA firewall resolve names on
>>>>>>> behalf of the Firewall client, because the Web proxy client is the
>>>>>>> browser (and other applications that use the WinInet or WinHTTP
>>>>>>> interfaces, I think), but it's NOT OK for all Winsock applications to
>>>>>>> have names resolved on their behalf.
>>>>>>>
>>>>>>> All I can say is that it *should* work, at least for ISA Server 2000 and
>>>>>>> ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
>>>>>>> the RC, they've removed all documentation of FWC settings, which doesn't
>>>>>>> bode well. But here's what it says in the ISA 2004 HF:
>>>>>>>
>>>>>>> NameResolution Possible values: L or R. By default, dotted decimal
>>>>>>> notation or Internet domain names are redirected to the ISA Server
>>>>>>> computer for name resolution and all other names are resolved on the
>>>>>>> local computer. When the value is set to R, all names are redirected to
>>>>>>> the ISA Server computer for resolution. When the value is set to L, all
>>>>>>> names are resolved on the local computer.
>>>>>>>
>>>>>>> Thomas W Shinder, M.D.
>>>>>>> Site: www.isaserver.org
>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>> MVP -- ISA Firewalls
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>> Sent: Thursday, July 06, 2006 9:05 PM
>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>
>>>>>>>> Whatchu talkin 'bout Willis?
>>>>>>>>
>>>>>>>> All the clients have internal DNS set. Internal DNS has root zones. From a
>>>>>>>> command prompt (or some exploit) they cannot resolve external addresses.
>>>>>>>> But when you set them as Web Proxy clients, they can, of course, use IE as
>>>>>>>> the ISA server *does* have DNS configured, and has rules that allow it to
>>>>>>>> query my external name server and my ISP's server cache (and *only* that
>>>>>>>> server cache). That works just fine, and always has.
>>>>>>>>
>>>>>>>> There are a few special cases where I've needed the firewall client (those
>>>>>>>> are not important to the subject.)
>>>>>>>>
>>>>>>>> As I have seen in the linked article (and others) a FWC machine will use the
>>>>>>>> control channel (1745) to query DNS, and the ISA server will proxy that
>>>>>>>> request even in a shell. I added the "L" parameter to the NameResolution
>>>>>>>> tag, applied settings, refreshed the client, and it can still resolve
>>>>>>>> external host names via the ISA server. There is no reason for the client
>>>>>>>> to be able to do that, and I want to disable that.
>>>>>>>>
>>>>>>>> t
>>>>>>>>
>>>>>>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>
>>>>>>>>> Wait a minute. How do the Firewall clients reach external resources if
>>>>>>>>> the ISA firewall cannot perform name resolution on their behalf and the
>>>>>>>>> clients don't have a DNS server configured on them to resolve names?
>>>>>>>>>
>>>>>>>>> For that matter, how do the Web proxy clients resolve external names?
>>>>>>>>> The mechanism is the same.
>>>>>>>>>
>>>>>>>>> Tom
>>>>>>>>>
>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>> Site: www.isaserver.org
>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>>>> Sent: Thursday, July 06, 2006 8:43 PM
>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>>>
>>>>>>>>>> Yep.
>>>>>>>>>>
>>>>>>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>>>
>>>>>>>>>>> Did you refresh the Firewall client configuration?
>>>>>>>>>>>
>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
>>>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>>>>>
>>>>>>>>>>>> OK- I added the config option with "L" as described, and it still doesn't
>>>>>>>>>>>> stop it. What exactly is the option?
>>>>>>>>>>>>
>>>>>>>>>>>> t
>>>>>>>>>>>>
>>>>>>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>>>>>
>>>>>>>>>>>> Tim,
>>>>>>>>>>>>
>>>>>>>>>>>> You can change this behavior in the FWC configuration settings.
>>>>>>>>>>>>
>>>>>>>>>>>> Jim will be sad that you didn't read his seminal article on this
>>>>>>>>>>>> subject:
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>>>>>>>>>>>
>>>>>>>>>>>> BTW -- post to the big boys list first ;)
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks!
>>>>>>>>>>>> Tom
>>>>>>>>>>>>
>>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>>>>>>>>>> To: ISA-MVP
>>>>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>>>>>
>>>>>>>>>>>> Greetings:
>>>>>>>>>>>>
>>>>>>>>>>>> As some of you may know, I practice least privilege whenever possible for
>>>>>>>>>>>> all client access. Part of this strategy includes configuring internal AD
>>>>>>>>>>>> DNS as root zones (with no possible forwarders.) In this way, internal
>>>>>>>>>>>> clients can never have non proxy-aware applications resolve external hosts.
>>>>>>>>>>>> Almost all of my clients are exclusively Web Proxy clients, which means that
>>>>>>>>>>>> only services available via IE settings can have the DNS resolution proxied
>>>>>>>>>>>> for them.
>>>>>>>>>>>>
>>>>>>>>>>>> However, in testing access with the Firewall Client, I have found that no
>>>>>>>>>>>> matter what I do, I cannot restrict a client running the FWC from resolving
>>>>>>>>>>>> external hosts via the FWC control channel. I have no rules allowing DNS
>>>>>>>>>>>> access from the internal network, have ensured that the system policy only
>>>>>>>>>>>> resolves to Domain Controllers for DNS, ensured that only Local Host can
>>>>>>>>>>>> look up DNS, and have even explicitly denied Internal hosts from resolving
>>>>>>>>>>>> DNS. Yet, if a system has the FWC on it (and enabled) then they can resolve
>>>>>>>>>>>> external hosts.
>>>>>>>>>>>>
>>>>>>>>>>>> How do I stop this? And more importantly, are there any other FWC
>>>>>>>>>>>> control-channel policy exclusions that I should know about?
>>>>>>>>>>>>
>>>>>>>>>>>> Thnx
>>>>>>>>>>>> T
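The NameResolution semantics Tom quotes from the ISA 2004 help (default, "L", "R"), modelled as a small Python function so the default behaviour that surprised Thor can be checked against a list of names. This is an added example, not code from the thread or from ISA Server; it assumes that an "Internet domain name" means any name containing a dot, and the sample names are constructed.

```python
"""Model of the ISA 2004 Firewall Client NameResolution setting.

Added example, not ISA Server code.  Semantics follow the help text quoted
in the thread: by default, dotted-decimal addresses and Internet domain
names go to the ISA Server for resolution and everything else is resolved
locally; "R" sends all names to ISA; "L" resolves all names locally.
Assumption: an "Internet domain name" is any name containing a dot.
"""
import ipaddress
from typing import Iterable, List, Optional

ISA = "isa-server"   # resolved by ISA over the FWC control channel (port 1745)
LOCAL = "local"      # resolved by the client's own DNS settings


def is_dotted_decimal(name: str) -> bool:
    """True for an IPv4 literal such as 192.0.2.10."""
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        return False


def resolver_for(name: str, name_resolution: Optional[str] = None) -> str:
    """Return which side resolves `name` for the given NameResolution value.

    name_resolution: None (key absent, default behaviour), "L" or "R".
    """
    if name_resolution not in (None, "L", "R"):
        raise ValueError(f"unsupported NameResolution value {name_resolution!r}")
    if name_resolution == "R":
        return ISA
    if name_resolution == "L":
        return LOCAL
    # Default: dotted-decimal or dotted names go to ISA, single labels stay local.
    if is_dotted_decimal(name) or "." in name:
        return ISA
    return LOCAL


def names_leaving_via_isa(names: Iterable[str],
                          name_resolution: Optional[str] = None) -> List[str]:
    """Names an FWC host would hand to ISA, bypassing an internal DNS that
    only hosts root zones (the setup described in the thread)."""
    return [n for n in names if resolver_for(n, name_resolution) == ISA]


if __name__ == "__main__":
    # Constructed sample; 192.0.2.10 is a documentation address.
    sample = ["www.yahoo.com", "fileserver", "192.0.2.10", "dc1.corp.example"]
    for setting in (None, "L", "R"):
        print(f"NameResolution={setting!r}: {names_leaving_via_isa(sample, setting)}")
```

Note that under the default, an internal FQDN such as the constructed dc1.corp.example also goes to ISA because it contains a dot; only "L" keeps every lookup on the client.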