[THIN] Re: I will ask again...

  • From: "Steve Greenberg" <steveg@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 12 May 2008 15:51:19 -0700

Good call Rick (as always) - be sure that DNS is pointing to the inside
authority!

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85266
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Rick Mack
Sent: Monday, May 12, 2008 3:09 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: I will ask again...

Hi Chad,

Let's accept that's what happens for the moment. But it's worth noting that
split tunnelling happens at the client end, NOT the SSL appliance end.

So how do we stop it?

The CAG has no need to know about the rest of the world. It needs to know
the internal DNS to resolve internal host names, e.g. to your citrix servers
etc, but it doesn't need to be able to resolve external host names.

So let's talk about internal DNS configurations.

The only, and I repeat ONLY systems on your internal network that should be
able to do an external DNS lookup are your web proxy/IIS servers and your
mail servers and associated support functionality (spam filters, mail virus
checker, smtp gateway).  Doing this will break stuff, but it's about time
you upgraded your ISA server anyway ;-).

Everything else has no requirement to talk directly to the internet and
shouldn't even know where to look.

Now let's be properly paranoid and make sure that the ONLY outbound
connections allowed through the internal and external firewall are from our
web proxy and mail servers (include mail gateway, spam filters etc).

In that scenario, if I point the CAG at an internal DNS server which doesn't
resolve external DNS addresses, it won't be able to resolve external DNS
addresses, and even if it could, it would be blocked at your firewall.

Having fixed your DNS I'm also pretty sure you can tighten down on the web
resources available on the CAG to fix this problem. It's a lot smarter than
just a SecureGateway replacement.

But secure your internal DNS and firewall first.

regards,

Rick

-- 
Ulrich Mack
Quest Software
Provision Networks Division


On 5/13/08, Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx> wrote:

Public interface is Eth0.

As far as we can tell, gateway is configured properly.  We are able to watch
the external port 80 traffic go right back out the eth0 on the CAG, rather
than route through the internal network.

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
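Rick's advice above (point the CAG at an internal DNS server that answers internal names only) can be verified by asking that server directly. This is an added example, not code from the thread: it sends a raw DNS A query over UDP/53 and flags any external name the resolver answers; the server address 10.0.0.53, the function names and the host names are constructed placeholders.

```python
import socket
import struct

# Added example, not from the thread: probe a resolver with a raw DNS A query
# and report whether it answers external names. Addresses/names are placeholders.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234


def build_query(name):
    """Minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data):
    """Return (rcode name, answer count); None or short data means no reply."""
    if data is None or len(data) < 12:
        return ("NO_RESPONSE", 0)
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != TXID:
        return ("BAD_ID", 0)
    return (RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)), an)


def udp_query(server, name, timeout=2.0):
    """Send the query to server:53 and return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return s.recv(512)
        except socket.timeout:
            return None


def audit_resolver(server, internal_names, external_names, send=udp_query):
    """Internal names must resolve; external names must not get an answer."""
    findings = []
    for name in internal_names:
        rcode, answers = parse_response(send(server, name))
        ok = rcode == "NOERROR" and answers > 0
        findings.append((name, "ok" if ok else "internal name not resolved: " + rcode))
    for name in external_names:
        rcode, answers = parse_response(send(server, name))
        leaked = rcode == "NOERROR" and answers > 0
        findings.append((name, "LEAK: resolver answers external names" if leaked else "ok"))
    return findings
```

Run it from the CAG's segment against the resolver the CAG is configured to use, e.g. `audit_resolver("10.0.0.53", ["cag.corp.example"], ["www.example.com"])`; a LEAK verdict means that server is still forwarding or recursing to the internet.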
