Wait a minute. How do the Firewall clients reach external resources if the ISA firewall cannot perform name resolution on their behalf and the clients don't have a DNS server configured on them to resolve names? For that matter, how do the Web proxy clients resolve external names? The mechanism is the same.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, July 06, 2006 8:43 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
>
> Yep.
>
> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>
> > Did you refresh the Firewall client configuration?
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> >> Sent: Thursday, July 06, 2006 7:17 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: [ISAServer] Firewall client DNS resolution over control channel
> >>
> >> OK- I added the config option with "L" as described, and it still doesn't stop it. What exactly is the option?
> >>
> >> t
> >>
> >> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> >>
> >>> Tim,
> >>>
> >>> You can change this behavior in the FWC configuration settings.
> >>>
> >>> Jim will be sad that you didn't read his seminal article on this subject:
> >>>
> >>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> >>>
> >>> BTW -- post to the big boys list first ;)
> >>>
> >>> Thanks!
> >>> Tom
> >>>
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>>
> >>>> -----Original Message-----
> >>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>>> Sent: Thursday, July 06, 2006 4:03 PM
> >>>> To: ISA-MVP
> >>>> Subject: [ISAServer] Firewall client DNS resolution over control channel
> >>>>
> >>>> Greetings:
> >>>>
> >>>> As some of you may know, I practice least privilege whenever possible for all client access. Part of this strategy includes configuring internal AD DNS as root zones (with no possible forwarders.) In this way, internal clients can never have non proxy-aware applications resolve external hosts. Almost all of my clients are exclusively Web Proxy clients, which means that only services available via IE settings can have the DNS resolution proxied for them.
> >>>>
> >>>> However, in testing access with the Firewall Client, I have found that no matter what I do, I cannot restrict a client running the FWC from resolving external hosts via the FWC control channel. I have no rules allowing DNS access from the internal network, have ensured that the system policy only resolves to Domain Controllers for DNS, ensured that only Local Host can look up DNS, and have even explicitly denied Internal hosts from resolving DNS. Yet, if a system has the FWC on it (and enabled) then they can resolve external hosts.
> >>>>
> >>>> How do I stop this? And more importantly, are there any other FWC control-channel policy exclusions that I should know about?
> >>>>
> >>>> Thnx
> >>>> T