[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>, Timothy Mullen <thor@xxxxxxxxxxxxxxx>, Jim Harrison <Jim@xxxxxxxxxxxx>
  • Date: Wed, 12 Jul 2006 07:37:00 -0700

So, anyone ever find out how to keep FWCs from automatically resolving DNS
through the control channel?  To refresh, the "NameResolution" key does not
work in ISA2004...

t


On 7/6/06 10:05 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> spoketh to
all:

> I *knew* you'd know ;)
> 
> t
> 
> 
> On 7/6/06 9:55 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
>> There is a way, but as you've discovered, it's different for ISA 2004.
>> Lemme dig into my archivvies and I'll respond ASAP...
>> 
>> ________________________________
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
>> Sent: Thu 7/6/2006 9:42 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over
>> control
>> channel
>> 
>> 
>> 
>> Time for us to post over to the MVP list.
>> 
>> To me, that totally sucks.  I know others may have a "who cares" attitude,
>> but uncontrollable traffic (that should be controllable) is a Bad Thing.
>> 
>> Help us Jimbowan!  You are our only hope!
>> 
>> t
>> 
>> 
>> On 7/6/06 9:34 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>> 
>>> Well, poke me in the eye with a stick. It doesn't work, and I tried
>>> every trick in the book. I must have had a trick to make it work in the
>>> past, but I certainly don't have it working now.
>>> 
>>> Maybe that's why they left all the FWC settings documentation out of
>>> ISA Server 2006?
>>> 
>>> 
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Thursday, July 06, 2006 10:59 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>> resolution over control channel
>>>> 
>>>> I know I've had it working before.
>>>> 
>>>> Let me check here.
>>>> 
>>>> Tom
>>>> 
>>>> Thomas W Shinder, M.D.
>>>> Site: www.isaserver.org
>>>> Blog: http://blogs.isaserver.org/shinder/
>>>> Book: http://tinyurl.com/3xqb7
>>>> MVP -- ISA Firewalls
>>>> 
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>> (Hammer of God)
>>>>> Sent: Thursday, July 06, 2006 10:57 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>> resolution over control channel
>>>>> 
>>>>> So, rebooted both boxes.  Verified the following settings on
>>>>> Firewall Client
>>>>> Configuration on the server:
>>>>> 
>>>>> Application Entry Setting-
>>>>> Application: "Common Configuration"
>>>>> Key: "NameResolution" (selected from drop-down)
>>>>> Value: "L" (selected from drop-down)
>>>>> 
>>>>> From the client, I disable the FWC, flush DNS, and try to ping
>>>>> "www.yahoo.com" from a command prompt.  Resolution fails as it should,
>>>>> "can't find host."
>>>>> 
>>>>> Enable the FWC, don't even bother flushing DNS (even given the "cached
>>>>> failed logons" crap that guy on BugTraq was talking about), ping
>>>>> "www.yahoo.com" and it resolves the IP.  Of course, it can't ping, but the
>>>>> resolution was made.
>>>>> 
>>>>> Logging this transaction, I see port 1745 from the client to the ISA and
>>>>> back again.
>>>>> 
>>>>> What could be the problem?  Can anyone else verify that this actually works
>>>>> for ISA2004?  Jim's article was for ISA2000.
>>>>> 
>>>>> Need to figga this out.
>>>>> 
>>>>> Thx
>>>>> T
>>>>> 
>>>>> 
>>>>> 
>>>>> On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>> spoketh to all:
>>>>> 
>>>>>> Lemme know what happens.
>>>>>> Thanks!
>>>>>> 
>>>>>> Thomas W Shinder, M.D.
>>>>>> Site: www.isaserver.org
>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>> MVP -- ISA Firewalls
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>> (Hammer of God)
>>>>>>> Sent: Thursday, July 06, 2006 9:31 PM
>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>> resolution over control channel
>>>>>>> 
>>>>>>> Bingo!  You understand my issue perfectly.
>>>>>>> 
>>>>>>> Internal clients have no business resolving external names via the FWC
>>>>>>> unless I explicitly allow them to.
>>>>>>> 
>>>>>>> I was not aware of the default behavior of the FWC in regard to DNS
>>>>>>> resolution, but now that I am, I need to change it.
>>>>>>> 
>>>>>>> This is ISA2004, and I have set the parameters exactly as specified and it
>>>>>>> does not work.  I'll try restarting both the ISA server and the client just
>>>>>>> for S&G to see what happens.
>>>>>>> 
>>>>>>> Thanks!
>>>>>>> 
>>>>>>> t
>>>>>>> 
>>>>>>> 
>>>>>>> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>> spoketh to all:
>>>>>>> 
>>>>>>>> OK, so it's not name resolution in general that's hurting your feelings,
>>>>>>>> it's that you don't want all applications to be able to have the ISA
>>>>>>>> firewall resolve names on the client's behalf. Is that correct?
>>>>>>>> 
>>>>>>>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
>>>>>>>> proxy client, but it's NOT OK to have the ISA firewall resolve names on
>>>>>>>> behalf of the Firewall client, because the Web proxy client is the
>>>>>>>> browser (and other applications that use the WinInet or WinHTTP
>>>>>>>> interfaces, I think), but it's NOT OK for all Winsock applications to
>>>>>>>> have names resolved on their behalf.
>>>>>>>> 
>>>>>>>> All I can say is that it *should* work, at least for ISA Server 2000 and
>>>>>>>> ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
>>>>>>>> the RC, they've removed all documentation of FWC settings, which doesn't
>>>>>>>> forbode well. But here's what it says in the ISA 2004 HF:
>>>>>>>> 
>>>>>>>> NameResolution Possible values: L or R. By default, dotted decimal
>>>>>>>> notation or Internet domain names are redirected to the ISA Server
>>>>>>>> computer for name resolution and all other names are resolved on the
>>>>>>>> local computer. When the value is set to R, all names are redirected to
>>>>>>>> the ISA Server computer for resolution. When the value is set to L, all
>>>>>>>> names are resolved on the local computer.
>>>>>>>> 
>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>> Site: www.isaserver.org
>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>> MVP -- ISA Firewalls
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>>> (Hammer of God)
>>>>>>>>> Sent: Thursday, July 06, 2006 9:05 PM
>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>>>> resolution over control channel
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Whatchu talkin 'bout Willis?
>>>>>>>>> 
>>>>>>>>> All the clients have internal DNS set.  Internal DNS has root
>>>>>>>>> zones.  From a
>>>>>>>>> command prompt (or some exploit) they cannot resolve external
>>>>>>>>> addresses.
>>>>>>>>> But when you set them as Web Proxy clients, they can, of
>>>>>>>>> course, use IE as
>>>>>>>>> the ISA server *does* have DNS configured, and has rules that
>>>>>>>>> allow it to
>>>>>>>>> query my external name server and my ISP's server cache (and
>>>>>>>>> *only* that
>>>>>>>>> server cache).  That works just fine, and always has.
>>>>>>>>> 
>>>>>>>>> There are a few special cases where I've needed the firewall
>>>>>>>>> client (those
>>>>>>>>> are not important to the subject.)
>>>>>>>>> 
>>>>>>>>> As I have seen in the linked article (and others) a FWC machine will use the
>>>>>>>>> control channel (1745) to query DNS, and the ISA server will proxy that
>>>>>>>>> request even in a shell.  I added the "L" parameter to the NameResolution
>>>>>>>>> tag, applied settings, refreshed the client, and it can still resolve
>>>>>>>>> external host names via the ISA server.  There is no reason for the client
>>>>>>>>> to be able to do that, and I want to disable that.
>>>>>>>>> 
>>>>>>>>> t
>>>>>>>>> 
>>>>>>>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>>>> spoketh to all:
>>>>>>>>> 
>>>>>>>>>> Wait a minute. How do the Firewall clients reach external resources if
>>>>>>>>>> the ISA firewall cannot perform name resolution on their behalf and the
>>>>>>>>>> clients don't have a DNS server configured on them to resolve names?
>>>>>>>>>> 
>>>>>>>>>> For that matter, how do the Web proxy clients resolve external names?
>>>>>>>>>> The mechanism is the same.
>>>>>>>>>> 
>>>>>>>>>> Tom
>>>>>>>>>> 
>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>>>>> (Hammer of God)
>>>>>>>>>>> Sent: Thursday, July 06, 2006 8:43 PM
>>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>>>>>> resolution over control channel
>>>>>>>>>>> 
>>>>>>>>>>> Yep. 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>>>>>> spoketh to all:
>>>>>>>>>>> 
>>>>>>>>>>>> Did you refresh the Firewall client configuration?
>>>>>>>>>>>> 
>>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>>>>>> (Hammer of God)
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
>>>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>>>>>>> resolution over control channel
>>>>>>>>>>>> 
>>>>>>>>>>>> OK- I added the config option with "L" as described, and it
>>>>>>>>>>>> still doesn't
>>>>>>>>>>>> stop it.  What exactly is the option?
>>>>>>>>>>>> 
>>>>>>>>>>>> t
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>>>>>>> spoketh to all:
>>>>>>>>>>>> 
>>>>>>>>>>>> Tim,
>>>>>>>>>>>> 
>>>>>>>>>>>> You can change this behavior in the FWC configuration settings.
>>>>>>>>>>>> 
>>>>>>>>>>>> Jim will be sad that you didn't read his seminal article on this
>>>>>>>>>>>> subject:
>>>>>>>>>>>> 
>>>>>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>>>>>>>>>>> 
>>>>>>>>>>>> BTW -- post to the big boys list first ;)
>>>>>>>>>>>> 
>>>>>>>>>>>> Thanks!
>>>>>>>>>>>> Tom
>>>>>>>>>>>> 
>>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>>> Site: www.isaserver.org
>>>>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>>>>>>>>>> To: ISA-MVP
>>>>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over
>>>>>>>>>>>> control channel
>>>>>>>>>>>> 
>>>>>>>>>>>> Greetings:
>>>>>>>>>>>> 
>>>>>>>>>>>> As some of you may know, I practice least privilege whenever
>>>>>>>>>>>> possible for all client access.  Part of this strategy includes
>>>>>>>>>>>> configuring internal AD DNS as root zones (with no possible
>>>>>>>>>>>> forwarders.)  In this way, internal clients can never have non
>>>>>>>>>>>> proxy-aware applications resolve external hosts.  Almost all of my
>>>>>>>>>>>> clients are exclusively Web Proxy clients, which means that only
>>>>>>>>>>>> services available via IE settings can have the DNS resolution
>>>>>>>>>>>> proxied for them.
>>>>>>>>>>>> 
>>>>>>>>>>>> However, in testing access with the Firewall Client, I have found
>>>>>>>>>>>> that no matter what I do, I cannot restrict a client running the FWC
>>>>>>>>>>>> from resolving external hosts via the FWC control channel.  I have no
>>>>>>>>>>>> rules allowing DNS access from the internal network, have ensured
>>>>>>>>>>>> that the system policy only resolves to Domain Controllers for DNS,
>>>>>>>>>>>> ensured that only Local Host can look up DNS, and have even
>>>>>>>>>>>> explicitly denied Internal hosts from resolving DNS.  Yet, if a
>>>>>>>>>>>> system has the FWC on it (and enabled) then they can resolve
>>>>>>>>>>>> external hosts.
>>>>>>>>>>>> 
>>>>>>>>>>>> How do I stop this?  And more importantly, are there any other FWC
>>>>>>>>>>>> control-channel policy exclusions that I should know about?
>>>>>>>>>>>> 
>>>>>>>>>>>> Thnx
>>>>>>>>>>>> T
>>>>>>>>>>>> 
>>>>>>>>>>>> 
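Added example, not code from the thread, from ISA Server or from the Firewall Client: the NameResolution rule quoted from the ISA 2004 help text in the thread, modelled in Python so the default, "L" and "R" modes can be compared side by side for a set of constructed sample names. What counts as an "Internet domain name" is an assumption here (any name containing a dot); the sample names and the function names are constructed. The model shows only the documented rule, which is what an administrator would compare observed control-channel (port 1745) lookups against; the thread itself reports that the "L" value did not take effect on ISA 2004 in testing.

```python
"""Model of the documented Firewall Client NameResolution rule.

Added example, not part of the thread or of any ISA Server code.  It implements
the rule as quoted from the ISA 2004 help text: by default, dotted-decimal
notation and Internet domain names are redirected to the ISA Server computer,
everything else is resolved locally; R redirects all names, L resolves all
names locally.  Treating "Internet domain name" as "any name containing a dot"
is an assumption.
"""
import ipaddress
from typing import Iterable, List, Optional

LOCAL = "local"    # resolved by the client's own resolver (internal DNS)
REMOTE = "remote"  # redirected to the ISA Server over the control channel


def is_dotted_decimal(name: str) -> bool:
    """True for an IPv4 literal such as 192.0.2.10 (constructed example)."""
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        return False


def is_internet_domain_name(name: str) -> bool:
    """Assumption: a name with at least one interior dot is an Internet domain name.

    A single-label name ("fileserver") or a bare IPv4 literal does not count.
    """
    return "." in name.strip(".") and not is_dotted_decimal(name)


def where_resolved(name: str, name_resolution: Optional[str] = None) -> str:
    """Return LOCAL or REMOTE for one name under the given NameResolution value.

    name_resolution: None (key absent, default behaviour), "L" or "R".
    """
    mode = (name_resolution or "").strip().upper()
    if mode == "L":
        return LOCAL
    if mode == "R":
        return REMOTE
    if mode != "":
        raise ValueError(f"NameResolution must be L, R or unset, got {name_resolution!r}")
    # Default behaviour as documented: dotted decimal or Internet domain
    # names go to the ISA Server, all other names are resolved locally.
    if is_dotted_decimal(name) or is_internet_domain_name(name):
        return REMOTE
    return LOCAL


def redirected_names(names: Iterable[str], name_resolution: Optional[str] = None) -> List[str]:
    """Names that would leave the client over the control channel under this mode.

    This is the set an administrator who wants no external resolution via the
    FWC would expect to be empty once NameResolution=L is in effect.
    """
    return [n for n in names if where_resolved(n, name_resolution) == REMOTE]


# Constructed sample names: an external FQDN, a single-label internal name,
# an IPv4 literal and a second external FQDN.
SAMPLE_NAMES = ["www.yahoo.com", "fileserver", "192.0.2.10", "ftp.example.net"]

if __name__ == "__main__":
    for mode in (None, "L", "R"):
        label = mode or "(default)"
        print(f"NameResolution={label}: redirected -> {redirected_names(SAMPLE_NAMES, mode)}")
```

Running the block prints, for each mode, which of the sample names would be handed to the ISA Server: under the default only the dotted names and the IPv4 literal are redirected, under "L" nothing is, and under "R" everything is.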