[isapros] Re: [ISAServer] Firewall client DNS resolution over control channel

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2006 21:13:21 -0500

OK, so it's not name resolution in general that's hurting your feelings,
it's that you don't want all applications to be able to have the ISA
firewall resolve names on the client's behalf. Is that correct?

IOWs, it's OK for the ISA firewall to resolve names on behalf of the Web
proxy client, but it's NOT OK to have the ISA firewall resolve names on
behalf of the Firewall client, because the Web proxy client is the
browser (and other applications that use the WinInet or WinHTTP
interfaces, I think), but it's NOT OK for all Winsock applications to
have names resolved on their behalf.

All I can say is that it *should* work, at least for ISA Server 2000 and
ISA 2004. Haven't tested it yet on ISA Server 2006 and I notice that in
the RC, they've removed all documentation of FWC settings, which doesn't
bode well. But here's what it says in the ISA 2004 HF:

NameResolution Possible values: L or R. By default, dotted decimal
notation or Internet domain names are redirected to the ISA Server
computer for name resolution and all other names are resolved on the
local computer. When the value is set to R, all names are redirected to
the ISA Server computer for resolution. When the value is set to L, all
names are resolved on the local computer. 

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Thursday, July 06, 2006 9:05 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] Firewall client DNS 
> resolution over control channel
> 
> 
> Whatchu talkin 'bout Willis?
> 
> All the clients have internal DNS set.  Internal DNS has root zones.  From a
> command prompt (or some exploit) they cannot resolve external addresses.
> But when you set them as Web Proxy clients, they can, of course, use IE as
> the ISA server *does* have DNS configured, and has rules that allow it to
> query my external name server and my ISP's server cache (and *only* that
> server cache).  That works just fine, and always has.
> 
> There are a few special cases where I've needed the firewall client (those
> are not important to the subject.)
> 
> As I have seen in the linked article (and others) a FWC machine will use the
> control channel (1745) to query DNS, and the ISA server will proxy that
> request even in a shell.  I added the "L" parameter to the NameResolution
> tag, applied settings, refreshed the client, and it can still resolve
> external host names via the ISA server.  There is no reason for the client
> to be able to do that, and I want to disable that.
> 
> t
> 
> On 7/6/06 6:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> 
> > Wait a minute. How do the Firewall clients reach external resources if
> > the ISA firewall cannot perform name resolution on their behalf and the
> > clients don't have a DNS server configured on them to resolve names?
> > 
> > For that matter, how do the Web proxy clients resolve external names?
> > The mechanism is the same.
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >> (Hammer of God)
> >> Sent: Thursday, July 06, 2006 8:43 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> >> resolution over control channel
> >> 
> >> Yep.  
> >> 
> >> 
> >> On 7/6/06 6:08 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> spoketh to all:
> >> 
> >>> Did you refresh the Firewall client configuration?
> >>> 
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>> 
> >>>  
> >>> 
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >>>> (Hammer of God)
> >>>> Sent: Thursday, July 06, 2006 7:17 PM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: [ISAServer] Firewall client DNS
> >>>> resolution over control channel
> >>>> 
> >>>> OK- I added the config option with "L" as described, and it still doesn't
> >>>> stop it.  What exactly is the option?
> >>>> 
> >>>> t
> >>>> 
> >>>> 
> >>>> On 7/6/06 2:13 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >>>> spoketh to all:
> >>>> 
> >>>>> Tim,
> >>>>> 
> >>>>> You can change this behavior in the FWC configuration settings.
> >>>>> 
> >>>>> Jim will be sad that you didn't read his seminal article on this
> >>>>> subject:
> >>>>> 
> >>>>> http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
> >>>>> 
> >>>>> BTW -- post to the big boys list first ;)
> >>>>> 
> >>>>> Thanks!
> >>>>> Tom
> >>>>> 
> >>>>> Thomas W Shinder, M.D.
> >>>>> Site: www.isaserver.org
> >>>>> Blog: http://blogs.isaserver.org/shinder/
> >>>>> Book: http://tinyurl.com/3xqb7
> >>>>> MVP -- ISA Firewalls
> >>>>> 
> >>>>>  
> >>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>>>>> Sent: Thursday, July 06, 2006 4:03 PM
> >>>>>> To: ISA-MVP
> >>>>>> Subject: [ISAServer] Firewall client DNS resolution over
> >>>>>> control channel
> >>>>>> 
> >>>>>> Greetings:
> >>>>>> 
> >>>>>> As some of you may know, I practice least privilege whenever possible for
> >>>>>> all client access.  Part of this strategy includes configuring internal AD
> >>>>>> DNS as root zones (with no possible forwarders.)  In this way, internal
> >>>>>> clients can never have non proxy-aware applications resolve external hosts.
> >>>>>> Almost all of my clients are exclusively Web Proxy clients, which means that
> >>>>>> only services available via IE settings can have the DNS resolution proxied
> >>>>>> for them.
> >>>>>> 
> >>>>>> However, in testing access with the Firewall Client, I have found that no
> >>>>>> matter what I do, I cannot restrict a client running the FWC from resolving
> >>>>>> external hosts via the FWC control channel.  I have no rules allowing DNS
> >>>>>> access from the internal network, have ensured that the system policy only
> >>>>>> resolves to Domain Controllers for DNS, ensured that only Local Host can
> >>>>>> look up DNS, and have even explicitly denied Internal hosts from resolving
> >>>>>> DNS.  Yet, if a system has the FWC on it (and enabled) then they can resolve
> >>>>>> external hosts.
> >>>>>> 
> >>>>>> How do I stop this?  And more importantly, are there any other FWC
> >>>>>> control-channel policy exclusions that I should know about?
> >>>>>> 
> >>>>>> Thnx
> >>>>>> T
> >>>>>> 
> >>>>>> 
