[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 06 Jul 2006 18:42:44 -0700

Yep.  


On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Did you refresh the Firewall client configuration?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Thursday, July 06, 2006 7:17 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>> resolution over control channel
>> 
>> OK- I added the config option with "L" as described, and it
>> still doesn't
>> stop it.  What exactly is the option?
>> 
>> t
>> 
>> 
>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> spoketh to all:
>> 
>>> Tim,
>>> 
>>> You can change this behavior in the FWC configuration settings.
>>> 
>>> Jim will be sad that you didn't read his seminal article on this
>>> subject:
>>> 
>>> 
>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>> 
>>> BTW -- post to the big boys list first ;)
>>> 
>>> Thanks!
>>> Tom
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>> To: ISA-MVP
>>>> Subject: [ISAServer] Firewall client DNS resolution over
>>>> control channel
>>>> 
>>>> Greetings:
>>>> 
>>>> As some of you may know, I practice least privilege whenever
>>>> possible for
>>>> all client access.  Part of this strategy includes
>>>> configuring internal AD
>>>> DNS as root zones (with no possible forwarders.)  In this
>>>> way, internal
>>>> clients can never have non proxy-aware applications resolve
>>>> external hosts.
>>>> Almost all of my clients are exclusively Web Proxy clients,
>>>> which means that
>>>> only services available via IE settings can have the DNS
>>>> resolution proxied
>>>> for them.
>>>> 
>>>> However, in testing access with the Firewall Client, I have
>>>> found that no
>>>> matter what I do, I cannot restrict a client running the FWC
>>>> from resolving
>>>> external hosts via the FWC control channel.  I have no rules
>>>> allowing DNS
>>>> access from the internal network, have ensured that the
>>>> system policy only
>>>> resolves to Domain Controllers for DNS, ensured that only
>>>> Local Host can
>>>> look up DNS, and have even explicitly denied Internal hosts
>>>> from resolving
>>>> DNS.  Yet, if a system has the FWC on it (and enabled) then
>>>> they can resolve
>>>> external hosts.
>>>> 
>>>> How do I stop this?  And more importantly, are there any other FWC
>>>> control-channel policy exclusions that I should know about?
>>>> 
>>>> Thnx
>>>> T
>>>> 
>>>> 


