[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2006 20:08:03 -0500

Did you refresh the Firewall client configuration?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Thursday, July 06, 2006 7:17 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS 
> resolution over control channel
> 
> OK- I added the config option with "L" as described, and it still
> doesn't stop it.  What exactly is the option?
> 
> t
> 
> 
> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> 
> spoketh to all:
> 
> > Tim,
> > 
> > You can change this behavior in the FWC configuration settings.
> > 
> > Jim will be sad that you didn't read his seminal article on this
> > subject:
> > 
> > http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> > 
> > BTW -- post to the big boys list first ;)
> > 
> > Thanks!
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Thursday, July 06, 2006 4:03 PM
> >> To: ISA-MVP
> >> Subject: [ISAServer] Firewall client DNS resolution over
> >> control channel
> >> 
> >> Greetings:
> >> 
> >> As some of you may know, I practice least privilege whenever
> >> possible for all client access.  Part of this strategy includes
> >> configuring internal AD DNS as root zones (with no possible
> >> forwarders).  In this way, internal clients can never have
> >> non-proxy-aware applications resolve external hosts.  Almost all
> >> of my clients are exclusively Web Proxy clients, which means that
> >> only services available via IE settings can have the DNS
> >> resolution proxied for them.
> >> 
> >> However, in testing access with the Firewall Client, I have found
> >> that no matter what I do, I cannot restrict a client running the
> >> FWC from resolving external hosts via the FWC control channel.  I
> >> have no rules allowing DNS access from the internal network, have
> >> ensured that the system policy only resolves to Domain Controllers
> >> for DNS, ensured that only Local Host can look up DNS, and have
> >> even explicitly denied Internal hosts from resolving DNS.  Yet, if
> >> a system has the FWC on it (and enabled) then they can resolve
> >> external hosts.
> >> 
> >> How do I stop this?  And more importantly, are there any other FWC
> >> control-channel policy exclusions that I should know about?
> >> 
> >> Thnx
> >> T
> >> 
