[spanked] ;)

t

On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Tim,
>
> You can change this behavior in the FWC configuration settings.
>
> Jim will be sad that you didn't read his seminal article on this
> subject:
>
> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>
> BTW -- post to the big boys list first ;)
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Thursday, July 06, 2006 4:03 PM
>> To: ISA-MVP
>> Subject: [ISAServer] Firewall client DNS resolution over
>> control channel
>>
>> Greetings:
>>
>> As some of you may know, I practice least privilege whenever possible for
>> all client access. Part of this strategy includes configuring internal AD
>> DNS as root zones (with no possible forwarders.) In this way, internal
>> clients can never have non proxy-aware applications resolve external hosts.
>> Almost all of my clients are exclusively Web Proxy clients, which means that
>> only services available via IE settings can have the DNS resolution proxied
>> for them.
>>
>> However, in testing access with the Firewall Client, I have found that no
>> matter what I do, I cannot restrict a client running the FWC from resolving
>> external hosts via the FWC control channel. I have no rules allowing DNS
>> access from the internal network, have ensured that the system policy only
>> resolves to Domain Controllers for DNS, ensured that only Local Host can
>> look up DNS, and have even explicitly denied Internal hosts from resolving
>> DNS. Yet, if a system has the FWC on it (and enabled) then they can resolve
>> external hosts.
>>
>> How do I stop this? And more importantly, are there any other FWC
>> control-channel policy exclusions that I should know about?
>>
>> Thnx
>> T
>>
>>
>> ---
>> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
>> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
>>
>> To leave the list - send an email to list@xxxxxxxxxxxxxxx
>> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
>>
>> Don't forget the comma!
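The root-zone DNS design Thor describes in the thread above (internal AD DNS authoritative for "." with no forwarders, so that non-proxy-aware applications cannot resolve external names) can be verified from an internal client rather than taken on trust. The Python script below is an added example, not code from the thread or from ISA Server: it sends a raw DNS query for an external name straight to the internal DNS server and classifies the reply from the header flags, expecting an authoritative NXDOMAIN when the design holds. The server address and the hostnames are placeholders, and the sample response packets are constructed for the offline check, not captured from a real server. Note that this tests only the DNS server path; it says nothing about resolution proxied over the Firewall Client control channel, which the reply above says is governed by the FWC configuration settings.

```python
"""Check whether an internal DNS server behaves as a root-zone-only server.

A query for an EXTERNAL name sent directly to the server should come back as
an authoritative NXDOMAIN (AA set, RCODE 3, no RA).  If instead the server
returns answers, or a non-authoritative failure with recursion available,
it is forwarding or recursing and non-proxy-aware clients can resolve
external hosts through it.

Added example; assumes the server sets AA on negative answers, which an
authoritative root-zone server does.  Addresses and names are placeholders.
"""
import random
import socket
import struct

# Placeholder values (assumptions, replace with your own environment).
INTERNAL_DNS_SERVER = "192.0.2.53"          # documentation-range address
EXTERNAL_TEST_NAME = "www.example.com"      # a name that exists on the Internet


def build_query(name, qtype=1, recursion_desired=True):
    """Build a minimal RFC 1035 wire-format query; returns (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if recursion_desired else 0x0000    # RD bit
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)     # QTYPE, QCLASS=IN
    return txid, header + question


def parse_header(packet):
    """Extract the header fields a root-zone check cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "aa": bool(flags & 0x0400),      # authoritative answer
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(header):
    """Classify the reply to a query for an external name.

    'resolved'  : server returned answers, so external resolution works
    'blocked'   : authoritative NXDOMAIN, consistent with a root zone and no forwarders
    'refused'   : server refused the query (recursion disabled or policy)
    'forwarded' : non-authoritative failure / recursion available, server likely forwards
    """
    if header["rcode"] == 0 and header["answers"] > 0:
        return "resolved"
    if header["rcode"] == 3 and header["aa"]:
        return "blocked"
    if header["rcode"] == 5:
        return "refused"
    return "forwarded"


def query_server(server, name, timeout=2.0):
    """Send one UDP query and classify the reply (network access required)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        data, _ = s.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return classify(hdr)


# Constructed sample reply headers (not captured from a real server):
#   id=0x1234, flags, QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
SAMPLE_ROOT_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)   # QR|AA, RCODE=3
SAMPLE_FORWARDED_ANSWER = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, 1 answer
SAMPLE_FORWARDED_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)  # QR|RD|RA, RCODE=3, no AA
SAMPLE_REFUSED = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)          # QR|RD, RCODE=5


def classify_samples():
    """Classify the constructed samples; used for the offline self-check."""
    return {
        "root": classify(parse_header(SAMPLE_ROOT_NXDOMAIN)),
        "answer": classify(parse_header(SAMPLE_FORWARDED_ANSWER)),
        "nxdomain": classify(parse_header(SAMPLE_FORWARDED_NXDOMAIN)),
        "refused": classify(parse_header(SAMPLE_REFUSED)),
    }


if __name__ == "__main__":
    print("offline samples:", classify_samples())
    try:
        print(INTERNAL_DNS_SERVER, EXTERNAL_TEST_NAME, "->",
              query_server(INTERNAL_DNS_SERVER, EXTERNAL_TEST_NAME))
    except (OSError, ValueError) as exc:
        print("live query skipped:", exc)
```

Run it from a machine on the internal network against each DNS server the clients use; anything other than "blocked" (or "refused") for an external name means a plain, non-proxy-aware application on that client can still get an external address from DNS, regardless of how the Web Proxy or Firewall Client is configured.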