[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>, Jim Harrison <Jim@xxxxxxxxxxxx>
  • Date: Thu, 06 Jul 2006 22:05:14 -0700

I *knew* you'd know ;)

t


On 7/6/06 9:55 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> There is a way, but as you've discovered, it's different for ISA 2004.
> Lemme dig into my archivvies and I'll respond ASAP...
> 
> ________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
> Sent: Thu 7/6/2006 9:42 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control
> channel
> 
> 
> 
> Time for us to post over to the MVP list.
> 
> To me, that totally sucks.  I know others may have a "who cares" attitude,
> but uncontrollable traffic (that should be controllable) is a Bad Thing.
> 
> Help us Jimbowan!  You are our only hope!
> 
> t
> 
> 
> On 7/6/06 9:34 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> 
>> Well, poke me in the eye with a stick. It doesn't work, and I tried
>> every trick in the book. I must have had a trick to make it work in the
>> past, but I certainly don't have it working now.
>> 
>> Maybe that's why they left out all the FWC settings documentation out of
>> ISA Server 2006?
>> 
>> 
>> 
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> 
>> 
>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Thursday, July 06, 2006 10:59 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>> resolution over control channel
>>> 
>>> I know I've had it working before.
>>> 
>>> Let me check here.
>>> 
>>> Tom
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>> (Hammer of God)
>>>> Sent: Thursday, July 06, 2006 10:57 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>> resolution over control channel
>>>> 
>>>> So, rebooted both boxes.  Verified the following settings on Firewall Client
>>>> Configuration on the server:
>>>> 
>>>> Application Entry Setting-
>>>> Application: "Common Configuration"
>>>> Key: "NameResolution" (selected from drop-down)
>>>> Value: "L" (selected from drop-down)
>>>> 
>>>> From the client, I disable the FWC, flush DNS, and try to ping
>>>> "www.yahoo.com" from a command prompt.  Resolution fails as it should,
>>>> "can't find host."
>>>> 
>>>> Enable the FWC, don't even bother flushing DNS (even given the "cached
>>>> failed logons" crap that guy on BugTraq was talking about), ping
>>>> "www.yahoo.com" and it resolves the IP.  Of course, it can't ping, but the
>>>> resolution was made.
>>>> 
>>>> Logging this transaction, I see port 1745 from the client to the ISA and
>>>> back again.
>>>> 
>>>> What could be the problem?  Can anyone else verify that this actually works
>>>> for ISA2004?  Jim's article was for ISA2000.
>>>> 
>>>> Need to figga this out.
>>>> 
>>>> Thx
>>>> T
>>>> 
>>>> 
>>>> 
>>>> On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>> spoketh to all:
>>>> 
>>>>> Lemme know what happens.
>>>>> Thanks!
>>>>> 
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- ISA Firewalls
>>>>> 
>>>>> 
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>> (Hammer of God)
>>>>>> Sent: Thursday, July 06, 2006 9:31 PM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>> resolution over control channel
>>>>>> 
>>>>>> Bingo!  You understand my issue perfectly.
>>>>>> 
>>>>>> Internal clients have no business resolving external names via the FWC
>>>>>> unless I explicitly allow them to.
>>>>>> 
>>>>>> I was not aware of the default behavior of the FWC in regard to DNS
>>>>>> resolution, but now that I am, I need to change it.
>>>>>> 
>>>>>> This is ISA2004, and I have set the parameters exactly as specified and it
>>>>>> does not work.  I'll try restarting both the ISA server and the client just
>>>>>> for S&G to see what happens.
>>>>>> 
>>>>>> Thanks!
>>>>>> 
>>>>>> t
>>>>>> 
>>>>>> 
>>>>>> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>> spoketh to all:
>>>>>> 
>>>>>>> OK, so it's not name resolution in general that's hurting your feelings,
>>>>>>> it's that you don't want all applications to be able to have the ISA
>>>>>>> firewall resolve names on the client's behalf. Is that correct?
>>>>>>> 
>>>>>>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
>>>>>>> proxy client, but it's NOT OK to have the ISA firewall resolve names on
>>>>>>> behalf of the Firewall client, because the Web proxy client is the
>>>>>>> browser (and other applications that use the WinInet or WinHTTP
>>>>>>> interfaces, I think), but it's NOT OK for all Winsock applications to
>>>>>>> have names resolved on their behalf.
>>>>>>> 
>>>>>>> All I can say is that it *should* work, at least for ISA Server 2000 and
>>>>>>> ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
>>>>>>> the RC, they've removed all documentation of FWC settings, which doesn't
>>>>>>> forebode well. But here's what it says in the ISA 2004 HF:
>>>>>>> 
>>>>>>> NameResolution Possible values: L or R. By default, dotted decimal
>>>>>>> notation or Internet domain names are redirected to the ISA Server
>>>>>>> computer for name resolution and all other names are resolved on the
>>>>>>> local computer. When the value is set to R, all names are redirected to
>>>>>>> the ISA Server computer for resolution. When the value is set to L, all
>>>>>>> names are resolved on the local computer.
>>>>>>> 
>>>>>>> Thomas W Shinder, M.D.
>>>>>>> Site: www.isaserver.org
>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>> MVP -- ISA Firewalls
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> -----Original Message-----
>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>> (Hammer of God)
>>>>>>>> Sent: Thursday, July 06, 2006 9:05 PM
>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>>> resolution over control channel
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Whatchu talkin 'bout Willis?
>>>>>>>> 
>>>>>>>> All the clients have internal DNS set.  Internal DNS has root zones.  From a
>>>>>>>> command prompt (or some exploit) they cannot resolve external addresses.
>>>>>>>> But when you set them as Web Proxy clients, they can, of course, use IE as
>>>>>>>> the ISA server *does* have DNS configured, and has rules that allow it to
>>>>>>>> query my external name server and my ISP's server cache (and *only* that
>>>>>>>> server cache).  That works just fine, and always has.
>>>>>>>> 
>>>>>>>> There are a few special cases where I've needed the firewall client (those
>>>>>>>> are not important to the subject.)
>>>>>>>> 
>>>>>>>> As I have seen in the linked article (and others) a FWC machine will use the
>>>>>>>> control channel (1745) to query DNS, and the ISA server will proxy that
>>>>>>>> request even in a shell.  I added the "L" parameter to the NameResolution
>>>>>>>> tag, applied settings, refreshed the client, and it can still resolve
>>>>>>>> external host names via the ISA server.  There is no reason for the client
>>>>>>>> to be able to do that, and I want to disable that.
>>>>>>>> 
>>>>>>>> t
>>>>>>>> 
>>>>>>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>>> spoketh to all:
>>>>>>>> 
>>>>>>>>> Wait a minute. How do the Firewall clients reach external resources if
>>>>>>>>> the ISA firewall cannot perform name resolution on their behalf and the
>>>>>>>>> clients don't have a DNS server configured on them to resolve names?
>>>>>>>>> 
>>>>>>>>> For that matter, how do the Web proxy clients resolve external names?
>>>>>>>>> The mechanism is the same.
>>>>>>>>> 
>>>>>>>>> Tom
>>>>>>>>> 
>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>> Site: www.isaserver.org
>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>>>> (Hammer of God)
>>>>>>>>>> Sent: Thursday, July 06, 2006 8:43 PM
>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>>>>> resolution over control channel
>>>>>>>>>> 
>>>>>>>>>> Yep. 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>>>>> spoketh to all:
>>>>>>>>>> 
>>>>>>>>>>> Did you refresh the Firewall client configuration?
>>>>>>>>>>> 
>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>>>>>> (Hammer of God)
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
>>>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>>>>>>> resolution over control channel
>>>>>>>>>>>> 
>>>>>>>>>>>> OK- I added the config option with "L" as described, and it
>>>>>>>>>>>> still doesn't
>>>>>>>>>>>> stop it.  What exactly is the option?
>>>>>>>>>>>> 
>>>>>>>>>>>> t
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>>>>>>> spoketh to all:
>>>>>>>>>>>> 
>>>>>>>>>>>> Tim,
>>>>>>>>>>>> 
>>>>>>>>>>>> You can change this behavior in the FWC configuration settings.
>>>>>>>>>>>> 
>>>>>>>>>>>> Jim will be sad that you didn't read his seminal article on this
>>>>>>>>>>>> subject:
>>>>>>>>>>>> 
>>>>>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>>>>>>>>>>> 
>>>>>>>>>>>> BTW -- post to the big boys list first ;)
>>>>>>>>>>>> 
>>>>>>>>>>>> Thanks!
>>>>>>>>>>>> Tom
>>>>>>>>>>>> 
>>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>>>>>>>>>> To: ISA-MVP
>>>>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over
>>>>>>>>>>>> control channel
>>>>>>>>>>>> 
>>>>>>>>>>>> Greetings:
>>>>>>>>>>>> 
>>>>>>>>>>>> As some of you may know, I practice least privilege whenever possible for
>>>>>>>>>>>> all client access.  Part of this strategy includes configuring internal AD
>>>>>>>>>>>> DNS as root zones (with no possible forwarders.)  In this way, internal
>>>>>>>>>>>> clients can never have non proxy-aware applications resolve external hosts.
>>>>>>>>>>>> Almost all of my clients are exclusively Web Proxy clients, which means that
>>>>>>>>>>>> only services available via IE settings can have the DNS resolution proxied
>>>>>>>>>>>> for them.
>>>>>>>>>>>> 
>>>>>>>>>>>> However, in testing access with the Firewall Client, I have found that no
>>>>>>>>>>>> matter what I do, I cannot restrict a client running the FWC from resolving
>>>>>>>>>>>> external hosts via the FWC control channel.  I have no rules allowing DNS
>>>>>>>>>>>> access from the internal network, have ensured that the system policy only
>>>>>>>>>>>> resolves to Domain Controllers for DNS, ensured that only Local Host can
>>>>>>>>>>>> look up DNS, and have even explicitly denied Internal hosts from resolving
>>>>>>>>>>>> DNS.  Yet, if a system has the FWC on it (and enabled) then they can resolve
>>>>>>>>>>>> external hosts.
>>>>>>>>>>>> 
>>>>>>>>>>>> How do I stop this?  And more importantly, are there any other FWC
>>>>>>>>>>>> control-channel policy exclusions that I should know about?
>>>>>>>>>>>> 
>>>>>>>>>>>> Thnx
>>>>>>>>>>>> T
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> ---
>>>>>>>>>>>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
>>>>>>>>>>>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
>>>>>>>>>>>> 
>>>>>>>>>>>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
>>>>>>>>>>>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
>>>>>>>>>>>> 
>>>>>>>>>>>> Don't forget the comma!
>>>>>>>>>>>> 
> All mail to and from this domain is GFI-scanned.
> 
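The NameResolution rule quoted from the ISA 2004 help file above, together with the expected-versus-observed test Thor ran by hand (resolve a name with the FWC enabled and watch whether it goes out over the TCP 1745 control channel), modelled in Python as an added example; this is not code from the thread or from ISA Server, the function names and the sample observations are constructed here, and treating any name that contains a dot as an "Internet domain name" is an assumption.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def is_dotted_decimal(name: str) -> bool:
    """True for an IPv4 literal such as 192.0.2.10 (the 'dotted decimal' case)."""
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        return False


def expected_local(name: str, name_resolution: Optional[str] = None) -> bool:
    """Documented ISA 2004 FWC NameResolution rule: 'L' resolves every name on the
    local computer, 'R' redirects every name to the ISA Server, and the default
    (key absent) redirects dotted-decimal and Internet domain names to ISA while
    resolving all other names locally.
    Assumption: an 'Internet domain name' is any name containing a dot.
    Returns True when the name is resolved locally, False when it goes to ISA."""
    setting = (name_resolution or "").strip().upper()
    if setting == "L":
        return True
    if setting == "R":
        return False
    if setting:
        raise ValueError(f"unexpected NameResolution value {name_resolution!r}")
    return not (is_dotted_decimal(name) or "." in name)


def find_policy_mismatches(name_resolution: Optional[str],
                           observations: Iterable[Tuple[str, bool]]) -> List[str]:
    """Compare observed client behaviour against the configured setting.
    observations: (hostname, resolved_via_isa) pairs from a test like the one in
    the thread (resolve a name on the client, check for traffic on TCP 1745).
    Returns the names whose observed behaviour contradicts the setting, i.e. the
    cases where the control channel resolved something it should not have (or
    the reverse), which are the leaks to investigate."""
    return [name for name, via_isa in observations
            if expected_local(name, name_resolution) == via_isa]


# Constructed sample: what Thor reported with NameResolution=L applied, where the
# external name still resolved through the ISA control channel.
SAMPLE_OBSERVATIONS = [("www.yahoo.com", True), ("fileserver", False)]

if __name__ == "__main__":
    print(find_policy_mismatches("L", SAMPLE_OBSERVATIONS))   # ['www.yahoo.com']
    print(find_policy_mismatches(None, SAMPLE_OBSERVATIONS))  # []
```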