[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 06 Jul 2006 20:56:46 -0700

So, rebooted both boxes.  Verified the following settings on Firewall Client
Configuration on the server:

Application Entry Setting-
Application: "Common Configuration"
Key: "NameResolution" (selected from drop-down)
Value: "L" (selected from drop-down)

From the client, I disable the FWC, flush DNS, and try to ping
"www.yahoo.com" from a command prompt.  Resolution fails as it should,
"can't find host."

Enable the FWC, don't even bother flushing DNS (even given the "cached
failed logons" crap that guy on BugTraq was talking about), ping
"www.yahoo.com" and it resolves the IP.  Of course, it can't ping, but the
resolution was made.

Logging this transaction, I see port 1745 from the client to the ISA and
back again.  

What could be the problem?  Can anyone else verify that this actually works
for ISA2004?  Jim's article was for ISA2000.

Need to figga this out.

Thx
T



On 7/6/06 7:39 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Lemme know what happens.
> Thanks!
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Thursday, July 06, 2006 9:31 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>> resolution over control channel
>> 
>> Bingo!  You understand my issue perfectly.
>> 
>> Internal clients have no business resolving external names via the FWC
>> unless I explicitly allow them to.
>> 
>> I was not aware of the default behavior of the FWC in regard to DNS
>> resolution, but now that I am, I need to change it.
>> 
>> This is ISA2004, and I have set the parameters exactly as
>> specified and it
>> does not work.  I'll try restarting both the ISA server and
>> the client just
>> for S&G to see what happens.
>> 
>> Thanks!
>> 
>> t
>> 
>> 
>> On 7/6/06 7:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> spoketh to all:
>> 
>>> OK, so it's not name resolution in general that's hurting your feelings,
>>> it's that you don't want all applications to be able to have the ISA
>>> firewall resolve names on the client's behalf. Is that correct?
>>> 
>>> IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
>>> proxy client, but it's NOT OK to have the ISA firewall resolve names on
>>> behalf of the Firewall client, because the Web proxy client is the
>>> browser (and other applications that use the WinInet or WinHTTP
>>> interfaces, I think), but it's NOT OK for all Winsock applications to
>>> have names resolved on their behalf.
>>> 
>>> All I can say is that it *should* work, at least for ISA Server 2000 and
>>> ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
>>> the RC, they've removed all documentation of FWC settings, which doesn't
>>> forebode well. But here's what it says in the ISA 2004 HF:
>>> 
>>> NameResolution Possible values: L or R. By default, dotted decimal
>>> notation or Internet domain names are redirected to the ISA Server
>>> computer for name resolution and all other names are resolved on the
>>> local computer. When the value is set to R, all names are redirected to
>>> the ISA Server computer for resolution. When the value is set to L, all
>>> names are resolved on the local computer.
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>> (Hammer of God)
>>>> Sent: Thursday, July 06, 2006 9:05 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>> resolution over control channel
>>>> 
>>>> 
>>>> Whatchu talkin 'bout Willis?
>>>> 
>>>> All the clients have internal DNS set.  Internal DNS has root zones.  From a
>>>> command prompt (or some exploit) they cannot resolve external addresses.
>>>> But when you set them as Web Proxy clients, they can, of course, use IE as
>>>> the ISA server *does* have DNS configured, and has rules that allow it to
>>>> query my external name server and my ISP's server cache (and *only* that
>>>> server cache).  That works just fine, and always has.
>>>> 
>>>> There are a few special cases where I've needed the firewall client (those
>>>> are not important to the subject.)
>>>> 
>>>> As I have seen in the linked article (and others) a FWC machine will use the
>>>> control channel (1745) to query DNS, and the ISA server will proxy that
>>>> request even in a shell.  I added the "L" parameter to the NameResolution
>>>> tag, applied settings, refreshed the client, and it can still resolve
>>>> external host names via the ISA server.  There is no reason for the client
>>>> to be able to do that, and I want to disable that.
>>>> 
>>>> t
>>>> 
>>>> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>> spoketh to all:
>>>> 
>>>>> Wait a minute. How do the Firewall clients reach external resources if
>>>>> the ISA firewall cannot perform name resolution on their behalf and the
>>>>> clients don't have a DNS server configured on them to resolve names?
>>>>> 
>>>>> For that matter, how do the Web proxy clients resolve external names?
>>>>> The mechanism is the same.
>>>>> 
>>>>> Tom
>>>>> 
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- ISA Firewalls
>>>>> 
>>>>>  
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>> (Hammer of God)
>>>>>> Sent: Thursday, July 06, 2006 8:43 PM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>> resolution over control channel
>>>>>> 
>>>>>> Yep.  
>>>>>> 
>>>>>> 
>>>>>> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>> spoketh to all:
>>>>>> 
>>>>>>> Did you refresh the Firewall client configuration?
>>>>>>> 
>>>>>>> Thomas W Shinder, M.D.
>>>>>>> Site: www.isaserver.org
>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>> MVP -- ISA Firewalls
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>>> -----Original Message-----
>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>> (Hammer of God)
>>>>>>>> Sent: Thursday, July 06, 2006 7:17 PM
>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
>>>>>>>> resolution over control channel
>>>>>>>> 
>>>>>>>> OK- I added the config option with "L" as described, and it
>>>>>>>> still doesn't
>>>>>>>> stop it.  What exactly is the option?
>>>>>>>> 
>>>>>>>> t
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>>>>>> spoketh to all:
>>>>>>>> 
>>>>>>>>> Tim,
>>>>>>>>> 
>>>>>>>>> You can change this behavior in the FWC configuration settings.
>>>>>>>>> 
>>>>>>>>> Jim will be sad that you didn't read his seminal article on this
>>>>>>>>> subject:
>>>>>>>>> 
>>>>>>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
>>>>>>>>> 
>>>>>>>>> BTW -- post to the big boys list first ;)
>>>>>>>>> 
>>>>>>>>> Thanks!
>>>>>>>>> Tom
>>>>>>>>> 
>>>>>>>>> Thomas W Shinder, M.D.
>>>>>>>>> Site: www.isaserver.org
>>>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>>>> MVP -- ISA Firewalls
>>>>>>>>> 
>>>>>>>>>  
>>>>>>>>> 
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>>>>>>>>>> Sent: Thursday, July 06, 2006 4:03 PM
>>>>>>>>>> To: ISA-MVP
>>>>>>>>>> Subject: [ISAServer] Firewall client DNS resolution over
>>>>>>>>>> control channel
>>>>>>>>>> 
>>>>>>>>>> Greetings:
>>>>>>>>>> 
>>>>>>>>>> As some of you may know, I practice least privilege whenever possible for
>>>>>>>>>> all client access.  Part of this strategy includes configuring internal AD
>>>>>>>>>> DNS as root zones (with no possible forwarders.)  In this way, internal
>>>>>>>>>> clients can never have non proxy-aware applications resolve external hosts.
>>>>>>>>>> Almost all of my clients are exclusively Web Proxy clients, which means that
>>>>>>>>>> only services available via IE settings can have the DNS resolution proxied
>>>>>>>>>> for them.
>>>>>>>>>> 
>>>>>>>>>> However, in testing access with the Firewall Client, I have found that no
>>>>>>>>>> matter what I do, I cannot restrict a client running the FWC from resolving
>>>>>>>>>> external hosts via the FWC control channel.  I have no rules allowing DNS
>>>>>>>>>> access from the internal network, have ensured that the system policy only
>>>>>>>>>> resolves to Domain Controllers for DNS, ensured that only Local Host can
>>>>>>>>>> look up DNS, and have even explicitly denied Internal hosts from resolving
>>>>>>>>>> DNS.  Yet, if a system has the FWC on it (and enabled) then they can resolve
>>>>>>>>>> external hosts.
>>>>>>>>>> 
>>>>>>>>>> How do I stop this?  And more importantly, are there any other FWC
>>>>>>>>>> control-channel policy exclusions that I should know about?
>>>>>>>>>> 
>>>>>>>>>> Thnx
>>>>>>>>>> T
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 



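Added example, not from the thread and not ISA Server or Firewall Client code: a small Python check that reproduces Thor's "disable FWC / enable FWC" comparison from one machine by resolving a name through Winsock's getaddrinfo (the path the Firewall Client hooks) and, separately, sending a raw UDP query to the internal DNS server (a plain datagram, not a name-resolution call, so the FWC hook is not involved). The DNS server address and the name to test are supplied by the caller; with NameResolution set to L and a root-zone internal DNS, an external name should come back "blocked", and "proxied" means the ISA server is still answering over the control channel.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Minimal DNS A/IN query with RD set and one question (constructed here, not FWC code)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(resp, qid):
    """Return (rcode, answer_count) from a DNS response header after checking the ID."""
    rid, flags, _qd, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a matching DNS response")
    return flags & 0x000F, ancount

def resolve_direct(name, dns_server, timeout=2.0):
    """Ask the internal DNS server over UDP/53; a raw datagram bypasses the FWC name hook."""
    qid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (dns_server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    rcode, ancount = parse_response(resp, qid)
    return rcode == 0 and ancount > 0

def resolve_winsock(name):
    """Resolve through getaddrinfo, the Winsock path the Firewall Client intercepts."""
    try:
        return bool(socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM))
    except socket.gaierror:
        return False

def classify(winsock_ok, direct_ok):
    """Winsock succeeds while internal DNS fails: the ISA server resolved the name."""
    if winsock_ok and not direct_ok:
        return "proxied"
    return "local" if winsock_ok else "blocked"

def check(name, dns_server):
    """Expected with NameResolution=L and a root-zone internal DNS: 'blocked' for external names."""
    return classify(resolve_winsock(name), resolve_direct(name, dns_server))
```

Run it on the FWC client with the FWC enabled and then disabled; the answer should not change from "blocked" to "proxied" once the L setting is actually in effect.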