[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>, Thomas W Shinder <tshinder@xxxxxxxxxxx>
  • Date: Thu, 06 Jul 2006 14:16:17 -0700

[spanked] ;)

t


On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Tim,
> 
> You can change this behavior in the FWC configuration settings.
> 
> Jim will be sad that you didn't read his seminal article on this
> subject:
> 
> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> 
> BTW -- post to the big boys list first ;)
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Thursday, July 06, 2006 4:03 PM
>> To: ISA-MVP
>> Subject: [ISAServer] Firewall client DNS resolution over
>> control channel
>> 
>> Greetings:
>> 
>> As some of you may know, I practice least privilege whenever possible for
>> all client access.  Part of this strategy includes configuring internal AD
>> DNS as root zones (with no possible forwarders.)  In this way, internal
>> clients can never have non-proxy-aware applications resolve external hosts.
>> Almost all of my clients are exclusively Web Proxy clients, which means that
>> only services available via IE settings can have the DNS resolution proxied
>> for them.
>> 
>> However, in testing access with the Firewall Client, I have found that no
>> matter what I do, I cannot restrict a client running the FWC from resolving
>> external hosts via the FWC control channel.  I have no rules allowing DNS
>> access from the internal network, have ensured that the system policy only
>> resolves to Domain Controllers for DNS, ensured that only Local Host can
>> look up DNS, and have even explicitly denied Internal hosts from resolving
>> DNS.  Yet, if a system has the FWC on it (and enabled) then they can resolve
>> external hosts.
>> 
>> How do I stop this?  And more importantly, are there any other FWC
>> control-channel policy exclusions that I should know about?
>> 
>> Thnx
>> T
>> 
>> 
>> ---
>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx,
>> youremailaddress
>> 
>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
>> youremailaddress
>> 
>> Don't forget the comma!
>> 
>> 
> 
> 
> 
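The Firewall Client setting Tom alludes to, shown as an added example that is not part of this thread and not taken from the isaserver.org article: a wspcfg.ini-style application-settings fragment with the remote-resolution setting (the behaviour Thor observed) beside the local-resolution one. The key names and values used here (NameResolution with L/R, Disable, the [Common] section and per-application sections named after the executable) are assumed from the ISA Server 2004/2006 Firewall Client application-settings reference; verify them against your version's documentation before pushing them to clients.

```ini
; Added example, not from the thread. Firewall Client application settings
; as pushed from ISA Management (Internal network -> Firewall Client tab ->
; Application Settings). Key names are assumed from the FWC settings
; reference; confirm them for your ISA version.
;
; Weak: NameResolution=R (remote). A Winsock application on a FWC host hands
; the hostname to ISA over the control channel and ISA resolves it itself.
; That lookup is not a DNS flow from the Internal network, so an access
; rule denying DNS from Internal never sees it, which is exactly what the
; original post describes.
;
;   [Common]
;   NameResolution=R
;
; Hardened: NameResolution=L (local). The client resolves names with its own
; configured DNS servers, so with internal AD DNS hosting root zones and no
; forwarders, external names fail to resolve for non-proxy-aware
; applications, the same outcome Web Proxy-only clients already get.
[Common]
NameResolution=L

; Applications that should never be proxied by the Firewall Client at all
; can be excluded by executable name (section name = exe without .exe).
[ftp]
Disable=1
```

A quick check after the settings have reached a client: ping an external hostname from a FWC-enabled host. With remote resolution ISA answers the lookup on the client's behalf; with local resolution against a root-zone-only internal DNS the name should fail to resolve, which is the least-privilege behaviour the original post is after. Note this is a client-side setting, so it governs hosts that honour the pushed configuration, not a control enforced by the firewall policy itself.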


