- Main reference
- Describes values that are to be expected when configuring FWC Applications Settings via the ISA 2004 Management Console
(from “main reference” article linked above)
Firewall Clients Cause Flooding After Worm Attacks
Problem: Firewall clients contribute to the worm-induced flooding of an ISA Server computer with connection requests following a worm attack. This flooding can cause a denial of service (DoS).
Cause: When infected by a worm, a Firewall client starts generating many connection requests for specific ports that are intercepted by the Firewall Client LSP and sent to the Firewall service over the Firewall Client control channel (port 1745). The processing of these connection requests can consume a large amount of resources. Connection limits will not mitigate this issue because no new connections are actually being established.
Solution: Create new Firewall client application settings in which the application name is set to a wildcard character, an asterisk (*), select the keys DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts for these settings, and set their values to the ports to which the connection requests generated by the worm are being sent. The settings with the DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts keys instruct Firewall clients to connect to the specified ports locally and not through an ISA Server computer. Because the settings are named with the wildcard character *, they will apply to any application name that the worm supplies. The use of the * is necessary for worms that generate random application names.
To add these settings, perform the following steps:
1. In ISA Server Management, expand the Configuration node, and then click General.
2. In the details pane, click Define Firewall Client Settings.
3. On the Application Settings tab, click New.
4. In Application, type *.
5. In Key, select DontRemoteOutboundTcpPorts.
6. In Value, set the value to the range of ports to which the connection requests generated by the worm are being sent. Then click OK.
7. Repeat steps 3 and 4.
8. In Key, select DontRemoteOutboundUdpPorts.
9. In Value, set the value to the range of ports to which the connection requests generated by the worm are being sent. Then click OK.
New settings are picked up by Firewall clients each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Microsoft Firewall Client for ISA Server 2004 dialog box, and every six hours after the previous refresh.
The issue is that these “key settings” aren’t in the ISA 2004 interface. Why? Are they there but by a different name? How can these be obtained and added?
This is on Tom Shinder’s ISA 2004 top 25 Tricks & Tips article: http://www.isaserver.org/tutorials/2004bestpractices-p1.html
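As an added illustration of what the quoted settings do (this is constructed example code, not the Firewall Client LSP's code and not part of the original post), the following Python models the routing decision for an outbound connection request: a setting whose application name is the wildcard `*` matches any process name, including the random names a worm generates, and a port listed under DontRemoteOutboundTcpPorts or DontRemoteOutboundUdpPorts is connected locally instead of being sent to the Firewall service over the control channel. The port-list syntax (comma-separated ports and `lo-hi` ranges), case-insensitive application matching, and the worm and normal request sets are assumptions made for the example; the page does not specify them.

```python
"""Model of how the Firewall Client application settings with the wildcard
application name and the DontRemoteOutbound{Tcp,Udp}Ports keys change the
routing of an outbound connection request.

Constructed illustration only, not the Firewall Client's code. Assumed (not
stated on the page): a port value is a comma-separated list of ports and
lo-hi ranges, and application names match case-insensitively.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

KEYS = {"tcp": "DontRemoteOutboundTcpPorts", "udp": "DontRemoteOutboundUdpPorts"}


@dataclass(frozen=True)
class AppSetting:
    application: str  # process name without extension, or "*" for any application
    key: str          # one of the KEYS values; other keys are ignored by this model
    value: str        # assumed syntax: "135,139,445" or "1025-1030"


def parse_ports(value: str) -> Set[int]:
    """Expand '135, 139, 1025-1030' into a set of port numbers; reject junk."""
    ports: Set[int] = set()
    for part in value.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not (1 <= lo_n <= hi_n <= 65535):
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def matches(setting_app: str, application: str) -> bool:
    # "*" is what makes a setting apply to the random names a worm supplies.
    return setting_app == "*" or setting_app.lower() == application.lower()


def dont_remote_ports(settings: Iterable[AppSetting], application: str, protocol: str) -> Set[int]:
    """Union of the ports that matching settings tell this application to connect locally."""
    key = KEYS[protocol]
    ports: Set[int] = set()
    for s in settings:
        if s.key == key and matches(s.application, application):
            ports |= parse_ports(s.value)
    return ports


def route(settings: Iterable[AppSetting], application: str, protocol: str, port: int) -> str:
    """'local': the LSP lets the socket connect directly; no request goes to the
    Firewall service over the control channel. 'remote': forwarded as usual."""
    return "local" if port in dont_remote_ports(settings, application, protocol) else "remote"


def control_channel_requests(settings: List[AppSetting], requests: List[Tuple[str, str, int]]) -> int:
    """Count how many (application, protocol, port) requests still reach the Firewall service."""
    return sum(1 for app, proto, port in requests if route(settings, app, proto, port) == "remote")


# Constructed scenario: a worm probing TCP 445 and UDP 137 from randomly named processes.
WORM_REQUESTS = [(f"x{n:04x}", "tcp", 445) for n in range(500)] + \
                [(f"y{n:04x}", "udp", 137) for n in range(500)]
# Constructed legitimate traffic that must keep going through the ISA Server.
NORMAL_REQUESTS = [("iexplore", "tcp", 80), ("outlook", "tcp", 443), ("nslookup", "udp", 53)]

# The mitigation from the quoted article: wildcard application, the worm's target ports.
MITIGATION = [
    AppSetting("*", "DontRemoteOutboundTcpPorts", "135,139,445"),
    AppSetting("*", "DontRemoteOutboundUdpPorts", "137-138"),
]
# A setting tied to one process name misses a worm whose process names vary.
NAMED_ONLY = [AppSetting("worm", "DontRemoteOutboundTcpPorts", "445")]

if __name__ == "__main__":
    everything = WORM_REQUESTS + NORMAL_REQUESTS
    print("no settings :", control_channel_requests([], everything))
    print("named only  :", control_channel_requests(NAMED_ONLY, everything))
    print("wildcard    :", control_channel_requests(MITIGATION, everything))
```

The model also shows the cost of the workaround: every application, not just the worm, now connects to the listed ports locally and can no longer reach them through the Firewall Client, so list only the ports the worm is actually hitting and remove the `*` settings once the infected clients are cleaned.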