No problems. You can spank me back later as I'm sure there'll be plenty of opportunities. ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Thursday, July 06, 2006 4:16 PM
> To: isapros@xxxxxxxxxxxxx; Thomas W Shinder
> Subject: Re: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>
> [spanked] ;)
>
> t
>
>
> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>
> > Tim,
> >
> > You can change this behavior in the FWC configuration settings.
> >
> > Jim will be sad that you didn't read his seminal article on this subject:
> >
> > http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> >
> > BTW -- post to the big boys list first ;)
> >
> > Thanks!
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Thursday, July 06, 2006 4:03 PM
> >> To: ISA-MVP
> >> Subject: [ISAServer] Firewall client DNS resolution over control channel
> >>
> >> Greetings:
> >>
> >> As some of you may know, I practice least privilege whenever possible for all client access. Part of this strategy includes configuring internal AD DNS as root zones (with no possible forwarders.) In this way, internal clients can never have non proxy-aware applications resolve external hosts. Almost all of my clients are exclusively Web Proxy clients, which means that only services available via IE settings can have the DNS resolution proxied for them.
> >>
> >> However, in testing access with the Firewall Client, I have found that no matter what I do, I cannot restrict a client running the FWC from resolving external hosts via the FWC control channel. I have no rules allowing DNS access from the internal network, have ensured that the system policy only resolves to Domain Controllers for DNS, ensured that only Local Host can look up DNS, and have even explicitly denied Internal hosts from resolving DNS. Yet, if a system has the FWC on it (and enabled) then they can resolve external hosts.
> >>
> >> How do I stop this? And more importantly, are there any other FWC control-channel policy exclusions that I should know about?
> >>
> >> Thnx
> >> T
> >>
> >>
> >> ---
> >> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
> >> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
> >>
> >> To leave the list - send an email to list@xxxxxxxxxxxxxxx
> >> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
> >>
> >> Don't forget the comma!