Hi Tom

I appreciate your words of wisdom :), but I am trying to better understand the FW Client itself. Initially I never had the FW Client installed because it was not necessary, but now I have unfortunately been pushed into a situation where I definitely need to use the FW Client to get some applications working.

My biggest concern though is how to control which applications are allowed to use the FW Client. My understanding is that the FW Client pretty much allows ANY application which doesn't have an explicit DISABLE=1 entry in the MSPCLNT.INI, to access the ISA Server and then to be processed further with the Protocol & S+C rules. My problem with this is that I do not know the names of all the possible applications that exist on our network, so I have no way of controlling them all, that is why I was looking for a generic way of denying access.

I thought that if I added a DISABLE=1 into the [Common Configuration] section that this would work, but it doesn't seem to have done the job.

Your comments?

Cheers
William R.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: 06 November 2002 08:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!

http://www.ISAserver.org

Hi William,

There's a very easy way to prevent all applications from using the Firewall client -- uninstall it.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: Tuesday, November 05, 2002 10:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!

http://www.ISAserver.org

Hi there

Please could someone comment on the following: I do not understand how the FW Client uses the MSPCLNT.INI file.
This is due to the following: When installing the FW Client on users' workstations, they started experiencing an INCREDIBLY long "logon time". And when trying to perform any kind of network activity it would still take immensely long. I eventually found that all of the default FW Client settings (such as LSASS=Disable(1), WINLOGON=Disable(1) etc) were causing this. As soon as I put all these default settings back, my workstations worked a lot faster.

Now this is curious because that means that all the little Windows subsystems were trying to make use of the FW Client, and because the FW Client did not have any rule entry DENYING these Windows subsystems, they then tried very hard, and possibly succeeded, in using the FW Client. And yet, when I tried to get my SAP clients to work through the ISA Firewall, I had to add the SAPGUI=Disable(0) entry into the MSPCLNT.INI file before it would work. Now I'm confused!

I am specifically looking for a way in which I can generically DENY ALL APPLICATIONS within the MSPCLNT.INI, instead of having to declare them all one by one (in the case of the Windows subsystems), but it seems that the FW Client only seems to let some applications through (even though they don't have a corresponding entry in the MSPCLNT.INI) and others not.

Any ideas?

Cheers
William R.

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: 05 November 2002 07:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!

http://www.ISAserver.org

Hi there

Thanks for that. I have since changed my S&C rules to use Username authentication and it seems a lot better now. I do however have another question though...
I have now configured my FW Client Config to have a [Master Config] section that looks like this:

    [Master Config]
    Path1=\\<ISA Server>\mspclnt\
    [Common Configuration]
    NameResolution=L
    [msmsgs]
    Disable=0
    [Internal]
    scp=9,10,11

(You'll notice that I have removed all the original settings in order to complete my testing)

Now this works fine as the FW Client permits the Windows Messenger to connect to the ISA where it is successfully validated. But you will notice that I have NO settings for OUTLOOK in the above config, and yet when I do a SEND/RECEIVE on my external POP3 mail server, it completes successfully. Now this I do not understand as I have created a Protocol Rule & a Site & Content rule for POP3 traffic, both of which are validating according to Group Membership. Now granted, I am a member of the group that is permitted to use those rules, but surely with the abovementioned FW Client configuration, the FW Client should not permit the request through to the ISA Server because OUTLOOK is not explicitly ALLOWED within the MSPCLNT.INI?

What I also tried was to add to the [Common Configuration] Section the following:

    Disable=1

By doing this I was hoping to add a generic rule for the FW Client to DENY access to ALL applications, except those that are specifically permitted within the MSPCLNT.INI.

Any comments on this?

Cheers
William R.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 04 November 2002 19:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!

http://www.ISAserver.org

All that setting accomplishes is to deny access to the FW client for that app. It does not deny access through the ISA for the app if the client is also a SecureNAT client. You'll need to set up blocking filters and rules as dictated in Tom's article on dangerous messenger clients.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, November 03, 2002 9:03 PM
Subject: [isalist] Struggling to DENY access for applications!

http://www.ISAserver.org

Hi there

I have tried to make modifications to the Firewall Client Config (thru the MMC), but I cannot seem to get the FW Client to DENY access to certain applications. For example, I would like to be able to have the FW Client block applications such as Windows Messenger, ICQ etc. But when I add an entry to the FW Client config with the following parameters:

    Application: msmsgs
    Key: Disable
    Value: 1

Nothing happens. The Windows Messenger continues to get through to my ISA Server, instead of being denied by the FW Client.

Another thing I have tried is to add the following:

    Application: Common Configuration
    Key: Disable
    Value: 1

By doing this I was hoping to DENY access to ALL applications that were not specifically ALLOWED within the FW Client config, but this also did not work.

Does anybody have any idea how I can DENY access to all applications on a workstation that are not explicitly ALLOWED by the FW Client config?

Cheers
William R.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official business of Columbus Stainless is proprietary to the company. It is confidential, legally privileged and protected by law. Columbus Stainless does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Columbus Stainless. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is,for whatever reason, corrupted or does not reach its intended destination.
---------------------------------------------------------------------
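
Added example, not part of any message in this thread and not ISA Server code: a small audit built on Jim Harrison's point that Disable=1 only keeps an application off the FW Client and does not block it at the ISA when the workstation is also a SecureNAT client. It lists applications that are denied only in MSPCLNT.INI and have no ISA-side block behind them. The sample INI, the `server_blocked` list, the `securenat_enabled` flag and the choice of which sections count as non-application sections are assumptions made for illustration.

```python
import configparser

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_INI = r"""
[Master Config]
Path1=\\ISA-PLACEHOLDER\mspclnt\
[Common Configuration]
NameResolution=L
[msmsgs]
Disable=1
[icq]
Disable=1
[sapgui]
Disable=0
"""

# Assumption: these sections hold client-wide settings, not per-application ones.
NON_APP_SECTIONS = {"master config", "common configuration"}


def client_disabled_apps(ini_text):
    """Return the application sections that carry Disable=1 (lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    apps = set()
    for section in cp.sections():
        if section.lower() in NON_APP_SECTIONS:
            continue
        if cp.get(section, "Disable", fallback="0").strip() == "1":
            apps.add(section.lower())
    return apps


def uncovered_by_server_rules(ini_text, server_blocked, securenat_enabled):
    """Apps denied only at the FW Client, with no ISA-side block behind them.

    server_blocked: application names for which an ISA rule or filter already
    blocks the traffic (hypothetical list kept by the administrator).
    securenat_enabled: True when the workstation is also a SecureNAT client,
    the case in which the thread says Disable=1 alone does not deny access.
    """
    if not securenat_enabled:
        return set()
    blocked = {name.lower() for name in server_blocked}
    return client_disabled_apps(ini_text) - blocked


if __name__ == "__main__":
    gaps = uncovered_by_server_rules(SAMPLE_INI, ["ICQ"], securenat_enabled=True)
    for app in sorted(gaps):
        print(f"{app}: Disable=1 in MSPCLNT.INI only; needs an ISA-side block")
```
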