First, let's look at how to prevent applications (in this example, Kazaa Lite) from using the Firewall client to access resources through the ISA firewall.
- In the ISA Server Management console, expand the server name in the left-hand pane, then expand the Configuration node. Click the General node, then click the Define Firewall Client Settings link in the middle pane.
- In the Firewall Client Settings dialog box, go to the Application Settings tab, then click New.
- Type the name of the application executable (e.g., KazaaLite) in the Application text box, as Figure 3 shows. Select Disable from the Key drop-down list and set the Value to 1 (1 enables the setting, 0 disables it). Click OK, then click Apply to save the changes to the firewall policy.
The changes take effect immediately on the ISA firewall but can take as long as 6 hours to propagate to the Firewall client systems on your network. If you don't want to wait for the automatic refresh of the Firewall client settings, you can manually update the settings by using the Firewall client application on the Firewall client computer, or you can restart the Firewall client agent.
Another way to leverage the Firewall client to block applications and worms on a global basis is to block selected ports for all applications. This capability prevents any connection to the specified ports from being remoted to the ISA firewall. Blocking selected ports for all applications is especially helpful against network worms that don't have a predictable application name. The MyDoom worm, for example, assigns itself a random application name, so you can't use a specific application name to block outgoing connections from MyDoom-infected Firewall client devices. However, because we know that MyDoom uses TCP ports 3127 to 3198 to spread itself to other devices over the network, you can configure the Firewall client settings to prevent the Firewall client from remoting connections to the ISA firewall for all applications that attempt to use one of these ports. You can use this type of configuration to prevent the spread of worms through the firewall and to prevent worms from creating a possible Denial of Service (DoS) condition at the firewall.
The next example globally configures Firewall clients to block selected ports.
- In the ISA Server Management snap-in, expand the server name in the left-hand pane, then expand the Configuration node. Click the General node, then click the Define Firewall Client Settings link in the middle pane.
- In the Firewall Client Settings dialog box, go to the Application Settings tab, then click New.
- In the Application Entry Setting dialog box, enter an asterisk (*) in the Application box, as Figure 4 shows. Type DontRemoteOutboundTcpPorts in the Key text box, then in the Value box enter the ports you want to block, using a comma to separate each port number. (To prevent the Firewall client from proxying through specific UDP ports, you can use the DontRemoteOutboundUdpPorts key.) Click OK, then click Apply to save the changes to the firewall policy. Note that the ability to prevent remoting of specific ports for all applications is available only with ISA Server 2004 Enterprise Edition.
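The following Python script is an added example, not ISA Server or Firewall client code: it models the decision that the two procedures above configure, using the same Application/Key/Value entries (a per-application Disable entry and a global * entry with DontRemoteOutboundTcpPorts), and reports whether a given outbound connection would be remoted to the ISA firewall. The sample entries, the executable names and the function names are constructed for illustration.

```python
# Constructed model of ISA Server 2004 Firewall client application settings.
# Entries map an application name (or "*" for all applications) to the
# Key/Value pairs entered in the Application Entry Setting dialog box.

def parse_port_list(value):
    """Parse the comma-separated port list used as the value of the
    DontRemoteOutboundTcpPorts / DontRemoteOutboundUdpPorts keys."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue                      # tolerate stray commas
        port = int(item)
        if not 0 < port < 65536:
            raise ValueError("port out of range: %d" % port)
        ports.add(port)
    return ports


def should_remote(settings, application, protocol, port):
    """Return True if the Firewall client would remote this outbound
    connection to the ISA firewall, False if a setting blocks it locally.
    Matching the executable name case-insensitively is an assumption."""
    port_key = ("DontRemoteOutboundTcpPorts" if protocol.upper() == "TCP"
                else "DontRemoteOutboundUdpPorts")
    # Check the application's own entry first, then the global "*" entry.
    for entry_name in (application.lower(), "*"):
        keys = settings.get(entry_name, {})
        if keys.get("Disable", "0").strip() == "1":
            return False                  # Disable=1 blocks the application
        if port in parse_port_list(keys.get(port_key, "")):
            return False                  # port is on the don't-remote list
    return True


# Constructed sample: block KazaaLite by name and, for every application,
# block the TCP ports 3127-3198 that the MyDoom example above refers to.
SAMPLE_SETTINGS = {
    "kazaalite": {"Disable": "1"},
    "*": {"DontRemoteOutboundTcpPorts":
          ",".join(str(p) for p in range(3127, 3199))},
}

if __name__ == "__main__":
    for app, proto, port in [("KazaaLite", "TCP", 80), ("iexplore", "TCP", 80),
                             ("qx7k2.exe", "TCP", 3150), ("qx7k2.exe", "UDP", 3150)]:
        verdict = "remoted" if should_remote(SAMPLE_SETTINGS, app, proto, port) else "blocked"
        print("%-10s %s/%-5d -> %s" % (app, proto, port, verdict))
```

The random-looking executable name in the sample shows why the global port entry, rather than a per-application name, is what catches the worm traffic; note that the real client only blocks the remoting of the connection, it does not stop the process itself.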
A Powerful Combination
You can get very fine-tuned control over application access by combining the power of ISA Server 2004 access rules, the HTTP security filter, and centralized Firewall client configuration. At the same time, you can protect your network and workstations from malicious code that might otherwise pass through the ISA firewall.