[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2006 20:46:34 -0500

Wait a minute. How do the Firewall clients reach external resources if
the ISA firewall cannot perform name resolution on their behalf and the
clients don't have a DNS server configured on them to resolve names?

For that matter, how do the Web proxy clients resolve external names?
The mechanism is the same.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Thursday, July 06, 2006 8:43 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS 
> resolution over control channel
> 
> Yep.  
> 
> 
> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> 
> spoketh to all:
> 
> > Did you refresh the Firewall client configuration?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >> (Hammer of God)
> >> Sent: Thursday, July 06, 2006 7:17 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> >> resolution over control channel
> >> 
> >> OK- I added the config option with "L" as described, and it
> >> still doesn't
> >> stop it.  What exactly is the option?
> >> 
> >> t
> >> 
> >> 
> >> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> spoketh to all:
> >> 
> >>> Tim,
> >>> 
> >>> You can change this behavior in the FWC configuration settings.
> >>> 
> >>> Jim will be sad that you didn't read his seminal article on this
> >>> subject:
> >>> 
> >>> 
> >>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> >>> 
> >>> BTW -- post to the big boys list first ;)
> >>> 
> >>> Thanks!
> >>> Tom
> >>> 
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>> 
> >>>  
> >>> 
> >>>> -----Original Message-----
> >>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>>> Sent: Thursday, July 06, 2006 4:03 PM
> >>>> To: ISA-MVP
> >>>> Subject: [ISAServer] Firewall client DNS resolution over
> >>>> control channel
> >>>> 
> >>>> Greetings:
> >>>> 
> >>>> As some of you may know, I practice least privilege whenever
> >>>> possible for
> >>>> all client access.  Part of this strategy includes
> >>>> configuring internal AD
> >>>> DNS as root zones (with no possible forwarders.)  In this
> >>>> way, internal
> >>>> clients can never have non proxy-aware applications resolve
> >>>> external hosts.
> >>>> Almost all of my clients are exclusively Web Proxy clients,
> >>>> which means that
> >>>> only services available via IE settings can have the DNS
> >>>> resolution proxied
> >>>> for them.
> >>>> 
> >>>> However, in testing access with the Firewall Client, I have
> >>>> found that no
> >>>> matter what I do, I cannot restrict a client running the FWC
> >>>> from resolving
> >>>> external hosts via the FWC control channel.  I have no rules
> >>>> allowing DNS
> >>>> access from the internal network, have ensured that the
> >>>> system policy only
> >>>> resolves to Domain Controllers for DNS, ensured that only
> >>>> Local Host can
> >>>> look up DNS, and have even explicitly denied Internal hosts
> >>>> from resolving
> >>>> DNS.  Yet, if a system has the FWC on it (and enabled) then
> >>>> they can resolve
> >>>> external hosts.
> >>>> 
> >>>> How do I stop this?  And more importantly, are there any other FWC
> >>>> control-channel policy exclusions that I should know about?
> >>>> 
> >>>> Thnx
> >>>> T
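An added example that is not from any poster in this thread: a small audit of an ISA Firewall Client settings file for the behaviour Thor describes, where the client hands name resolution to the ISA firewall over the control channel instead of asking the DNS servers it is configured with. The [Common] section, the NameResolution key with values L (local) and R (remote), per-application overrides and a remote default are assumptions from my reading of the Firewall Client settings, not something this thread states; verify them against your ISA version before relying on the audit.

```python
import configparser

# Constructed sample of a Firewall Client settings file. Section and key names
# ([Common] NameResolution=L|R, per-application overrides, Disable=1) are an
# assumption about the Firewall Client settings format, not taken from the thread.
SAMPLE_SETTINGS = """
[Common]
NameResolution=L
NameResolutionForLocalHost=P

[ftp.exe]
NameResolution=R

[telnet.exe]
Disable=1
"""


def audit_name_resolution(text):
    """Map each scope ('Common' or an application section) to its effective
    name-resolution mode.

    'L' = the client resolves names itself, so internal root-zone DNS with no
          forwarders still prevents external lookups.
    'R' = the ISA firewall resolves names over the control channel, which
          bypasses DNS access rules written for internal hosts.
    'disabled' = the Firewall Client is switched off for that application.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)
    common = parser["Common"] if parser.has_section("Common") else {}
    # Assumption: with no explicit setting the client resolves remotely,
    # which is the behaviour Thor observed before adding "L".
    default = common.get("NameResolution", "R").upper()
    results = {"Common": default}
    for section in parser.sections():
        if section == "Common":
            continue
        app = parser[section]
        if app.get("Disable", "0") == "1":
            results[section] = "disabled"
            continue
        # A per-application value overrides [Common]; otherwise inherit it.
        results[section] = app.get("NameResolution", default).upper()
    return results


def remote_resolvers(text):
    """Scopes whose names the ISA firewall will resolve on the client's behalf."""
    return sorted(k for k, v in audit_name_resolution(text).items() if v == "R")
```

With the sample above, [Common] is forced local but ftp.exe still overrides to remote resolution, which is exactly the kind of per-application exception worth checking after refreshing the client configuration.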
