Yep.

On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Did you refresh the Firewall client configuration?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Thursday, July 06, 2006 7:17 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>>
>> OK- I added the config option with "L" as described, and it still doesn't stop it. What exactly is the option?
>>
>> t
>>
>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>
>>> Tim,
>>>
>>> You can change this behavior in the FWC configuration settings.
>>>
>>> Jim will be sad that you didn't read his seminal article on this subject:
>>>
>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>>
>>> BTW -- post to the big boys list first ;)
>>>
>>> Thanks!
>>> Tom
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>>
>>>> -----Original Message-----
>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>> To: ISA-MVP
>>>> Subject: [ISAServer] Firewall client DNS resolution over control channel
>>>>
>>>> Greetings:
>>>>
>>>> As some of you may know, I practice least privilege whenever possible for all client access. Part of this strategy includes configuring internal AD DNS as root zones (with no possible forwarders.) In this way, internal clients can never have non proxy-aware applications resolve external hosts. Almost all of my clients are exclusively Web Proxy clients, which means that only services available via IE settings can have the DNS resolution proxied for them.
>>>>
>>>> However, in testing access with the Firewall Client, I have found that no matter what I do, I cannot restrict a client running the FWC from resolving external hosts via the FWC control channel. I have no rules allowing DNS access from the internal network, have ensured that the system policy only resolves to Domain Controllers for DNS, ensured that only Local Host can look up DNS, and have even explicitly denied Internal hosts from resolving DNS. Yet, if a system has the FWC on it (and enabled) then they can resolve external hosts.
>>>>
>>>> How do I stop this? And more importantly, are there any other FWC control-channel policy exclusions that I should know about?
>>>>
>>>> Thnx
>>>> T
>>>>
>>>> ---
>>>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
>>>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
>>>>
>>>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
>>>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
>>>>
>>>> Don't forget the comma!