So, anyone ever find out how to keep FWC's from automatically resolving DNS through the control channel? To refresh, the "NameResolution" key does not work in ISA2004...

t

On 7/6/06 10:05 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> spoketh to all:

> I *knew* you'd know ;)
>
> t
>
> On 7/6/06 9:55 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
>> There is a way, but as you've discovered, it's different for ISA 2004.
>> Lemme dig into my archivvies and I'll respond ASAP...
>>
>> ________________________________
>>
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
>> Sent: Thu 7/6/2006 9:42 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>
>> Time for us to post over to the MVP list.
>>
>> To me, that totally sucks. I know others may have a "who cares" attitude, but uncontrollable traffic (that should be controllable) is a Bad Thing.
>>
>> Help us Jimbowan! You are our only hope!
>>
>> t
>>
>> On 7/6/06 9:34 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>
>>> Well, poke me in the eye with a stick. It doesn't work, and I tried every trick in the book. I must have had a trick to make it work in the past, but I certainly don't have it working now.
>>>
>>> Maybe that's why they left all the FWC settings documentation out of ISA Server 2006?
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>>> Sent: Thursday, July 06, 2006 10:59 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>
>>>> I know I've had it working before.
>>>>
>>>> Let me check here.
>>>>
>>>> Tom
>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Thursday, July 06, 2006 10:57 PM
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>
>>>>> So, rebooted both boxes. Verified the following settings on Firewall Client Configuration on the server:
>>>>>
>>>>> Application Entry Setting-
>>>>> Application: "Common Configuration"
>>>>> Key: "NameResolution" (selected from drop-down)
>>>>> Value: "L" (selected from drop-down)
>>>>>
>>>>> From the client, I disable the FWC, flush DNS, and try to ping "www.yahoo.com" from a command prompt. Resolution fails as it should, "can't find host."
>>>>>
>>>>> Enable the FWC, don't even bother flushing DNS (even given the "cached failed logons" crap that guy on BugTraq was talking about), ping "www.yahoo.com" and it resolves the IP. Of course, it can't ping, but the resolution was made.
>>>>>
>>>>> Logging this transaction, I see port 1745 from the client to the ISA and back again.
>>>>>
>>>>> What could be the problem? Can anyone else verify that this actually works for ISA2004? Jim's article was for ISA2000.
>>>>>
>>>>> Need to figga this out.
>>>>>
>>>>> Thx
>>>>> T
>>>>>
>>>>> On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>
>>>>>> Lemme know what happens.
>>>>>> Thanks!
>>>>>>
>>>>>> Thomas W Shinder, M.D.
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>> Sent: Thursday, July 06, 2006 9:31 PM
>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>
>>>>>>> Bingo! You understand my issue perfectly.
>>>>>>>
>>>>>>> Internal clients have no business resolving external names via the FWC unless I explicitly allow them to.
>>>>>>>
>>>>>>> I was not aware of the default behavior of the FWC in regard to DNS resolution, but now that I am, I need to change it.
>>>>>>>
>>>>>>> This is ISA2004, and I have set the parameters exactly as specified and it does not work. I'll try restarting both the ISA server and the client just for S&G to see what happens.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> t
>>>>>>>
>>>>>>> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>
>>>>>>>> OK, so it's not name resolution in general that's hurting your feelings, it's that you don't want all applications to be able to have the ISA firewall resolve names on the client's behalf. Is that correct?
>>>>>>>>
>>>>>>>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web proxy client, but it's NOT OK to have the ISA firewall resolve names on behalf of the Firewall client, because the Web proxy client is the browser (and other applications that use the WinInet or WinHTTP interfaces, I think), but it's NOT OK for all Winsock applications to have names resolved on their behalf.
>>>>>>>>
>>>>>>>> All I can say is that it *should* work, at least for ISA Server 2000 and ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in the RC, they've removed all documentation of FWC settings, which doesn't forebode well. But here's what it says in the ISA 2004 HF:
>>>>>>>>
>>>>>>>> NameResolution Possible values: L or R. By default, dotted decimal notation or Internet domain names are redirected to the ISA Server computer for name resolution and all other names are resolved on the local computer. When the value is set to R, all names are redirected to the ISA Server computer for resolution. When the value is set to L, all names are resolved on the local computer.
>>>>>>>>
>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>>> Sent: Thursday, July 06, 2006 9:05 PM
>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>>
>>>>>>>>> Whatchu talkin 'bout Willis?
>>>>>>>>>
>>>>>>>>> All the clients have internal DNS set. Internal DNS has root zones. From a command prompt (or some exploit) they cannot resolve external addresses. But when you set them as Web Proxy clients, they can, of course, use IE as the ISA server *does* have DNS configured, and has rules that allow it to query my external name server and my ISP's server cache (and *only* that server cache). That works just fine, and always has.
>>>>>>>>>
>>>>>>>>> There are a few special cases where I've needed the firewall client (those are not important to the subject.)
>>>>>>>>>
>>>>>>>>> As I have seen in the linked article (and others) a FWC machine will use the control channel (1745) to query DNS, and the ISA server will proxy that request even in a shell. I added the "L" parameter to the NameResolution tag, applied settings, refreshed the client, and it can still resolve external host names via the ISA server. There is no reason for the client to be able to do that, and I want to disable that.
>>>>>>>>>
>>>>>>>>> t
>>>>>>>>>
>>>>>>>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>>
>>>>>>>>>> Wait a minute. How do the Firewall clients reach external resources if the ISA firewall cannot perform name resolution on their behalf and the clients don't have a DNS server configured on them to resolve names?
>>>>>>>>>>
>>>>>>>>>> For that matter, how do the Web proxy clients resolve external names? The mechanism is the same.
>>>>>>>>>>
>>>>>>>>>> Tom
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>>>>> Sent: Thursday, July 06, 2006 8:43 PM
>>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>>>>
>>>>>>>>>>> Yep.
>>>>>>>>>>>
>>>>>>>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>>>>
>>>>>>>>>>>> Did you refresh the Firewall client configuration?
>>>>>>>>>>>>
>>>>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
>>>>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>>>>>
>>>>>>>>>>>> OK- I added the config option with "L" as described, and it still doesn't stop it. What exactly is the option?
>>>>>>>>>>>>
>>>>>>>>>>>> t
>>>>>>>>>>>>
>>>>>>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>>>>>>>
>>>>>>>>>>>> Tim,
>>>>>>>>>>>>
>>>>>>>>>>>> You can change this behavior in the FWC configuration settings.
>>>>>>>>>>>>
>>>>>>>>>>>> Jim will be sad that you didn't read his seminal article on this subject:
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>>>>>>>>>>>
>>>>>>>>>>>> BTW -- post to the big boys list first ;)
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks!
>>>>>>>>>>>> Tom
>>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>>>>>>>>>> To: ISA-MVP
>>>>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over control channel
>>>>>>>>>>>>
>>>>>>>>>>>> Greetings:
>>>>>>>>>>>>
>>>>>>>>>>>> As some of you may know, I practice least privilege whenever possible for all client access. Part of this strategy includes configuring internal AD DNS as root zones (with no possible forwarders.) In this way, internal clients can never have non proxy-aware applications resolve external hosts. Almost all of my clients are exclusively Web Proxy clients, which means that only services available via IE settings can have the DNS resolution proxied for them.
>>>>>>>>>>>>
>>>>>>>>>>>> However, in testing access with the Firewall Client, I have found that no matter what I do, I cannot restrict a client running the FWC from resolving external hosts via the FWC control channel. I have no rules allowing DNS access from the internal network, have ensured that the system policy only resolves to Domain Controllers for DNS, ensured that only Local Host can look up DNS, and have even explicitly denied Internal hosts from resolving DNS. Yet, if a system has the FWC on it (and enabled) then they can resolve external hosts.
>>>>>>>>>>>>
>>>>>>>>>>>> How do I stop this? And more importantly, are there any other FWC control-channel policy exclusions that I should know about?
>>>>>>>>>>>>
>>>>>>>>>>>> Thnx
>>>>>>>>>>>> T
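As an added illustration (not from the thread and not Microsoft's code), the following models the NameResolution semantics that the ISA 2004 help text quoted in the thread describes, and adds a check comparing the configured setting against what a client test observed, in the manner of the ping test with the FWC enabled. Treating any multi-label hostname as an "Internet domain name" is an assumption, as are the constructed observations.

```python
import ipaddress

# Added example modelling the FWC "NameResolution" setting per the ISA 2004 help
# text quoted in the thread (unset = default, "L" = local, "R" = redirected).
LOCAL = "local"  # resolved by the client's own DNS settings
ISA = "isa"      # redirected to the ISA Server over the FWC control channel (TCP 1745)


def is_dotted_decimal(name):
    """True for an IPv4 literal such as 10.0.0.5."""
    try:
        ipaddress.IPv4Address(name)
    except ValueError:
        return False
    return True


def is_internet_domain_name(name):
    """Assumption: any multi-label hostname (www.yahoo.com) is an Internet
    domain name; a single-label name (fileserver) is not."""
    return "." in name.strip(".") and not is_dotted_decimal(name)


def where_resolved(name, name_resolution=None):
    """Return which side should resolve `name` under the given setting."""
    if name_resolution not in (None, "L", "R"):
        raise ValueError("NameResolution must be unset, 'L' or 'R'")
    if name_resolution == "L":
        return LOCAL
    if name_resolution == "R":
        return ISA
    # Default behaviour from the help text: IP literals and Internet domain
    # names go to the ISA Server, everything else is resolved locally.
    if is_dotted_decimal(name) or is_internet_domain_name(name):
        return ISA
    return LOCAL


def policy_violations(name_resolution, observations):
    """Names the ISA Server resolved although the setting says local.
    `observations` is a list of (name, resolved_via_isa) pairs, e.g. from a
    ping test with the FWC enabled while watching for TCP 1745 traffic."""
    return [name for name, via_isa in observations
            if via_isa and where_resolved(name, name_resolution) == LOCAL]


if __name__ == "__main__":
    # Constructed observations mirroring the thread's test (setting "L", yet www.yahoo.com still resolved via the ISA Server).
    print(policy_violations("L", [("www.yahoo.com", True), ("fileserver", False)]))
```

A non-empty result means the client is still having names resolved over the control channel despite the "L" setting, which is exactly the symptom the thread reports on ISA 2004.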