ISA 2004 FWC Application Settings

DontRemoteOutboundTcpPorts

(from “main reference” article linked above)

Firewall Clients Cause Flooding After Worm Attacks

Problem: Firewall clients contribute to the worm-induced flooding of an ISA Server computer with connection requests following a worm attack. This flooding can cause a denial of service (DoS).

Cause: When infected by a worm, a Firewall client starts generating many connection requests for specific ports that are intercepted by the Firewall Client LSP and sent to the Firewall service over the Firewall Client control channel (port 1745). The processing of these connection requests can consume a large amount of resources. Connection limits will not mitigate this issue because no new connections are actually being established.

Solution: Create new Firewall client application settings in which the application name is set to a wildcard character, an asterisk (*), select the keys DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts for these settings, and set their values to the ports to which the connection requests generated by the worm are being sent. The settings with the DontRemoteOutboundTcpPorts and DontRemoteOutboundUdpPorts keys instruct Firewall clients to connect to the specified ports locally and not through an ISA Server computer. Because the settings are named with the wildcard character *, they will apply to any application name that the worm supplies. The use of the * is necessary for worms that generate random application names.

To add these settings, perform the following steps:

1. In ISA Server Management, expand the Configuration node, and then click General.
2. In the details pane, click Define Firewall Client Settings.
3. On the Application Settings tab, click New.
4. In Application, type *.
5. In Key, select DontRemoteOutboundTcpPorts.
6. In Value, set the value to the range of ports to which the connection requests generated by the worm are being sent. Then click OK.
7. Repeat steps 3 and 4.
8. In Key, select DontRemoteOutboundUdpPorts.
9. In Value, set the value to the range of ports to which the connection requests generated by the worm are being sent. Then click OK.

New settings are picked up by Firewall clients each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Microsoft Firewall Client for ISA Server 2004 dialog box, and every six hours after the previous refresh.
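To make the effect of the two keys concrete, here is an added example (my own Python model, not ISA Server or Microsoft code) of the decision the Firewall Client LSP makes for each outbound connect(): forward it to ISA Server over the control channel on TCP 1745, or handle it locally because the port is listed under DontRemoteOutboundTcpPorts / DontRemoteOutboundUdpPorts for a matching application name. Two things are assumptions rather than facts from the page: the value syntax is a comma-separated list of ports and ranges (such as `445` or `135,137-139`), following the older mspclnt.ini convention, and a `*` entry is simply combined with any application-specific entry. The worm traffic in the sample is constructed.

```python
"""Model of the DontRemoteOutboundTcpPorts / DontRemoteOutboundUdpPorts
Firewall Client application settings (added example, not ISA Server code).

Assumptions: port-list syntax "445" or "135,137-139,445" (mspclnt.ini style);
a '*' entry is unioned with an application-specific entry; names are
case-insensitive."""
from collections import defaultdict

VALID_KEYS = {"DontRemoteOutboundTcpPorts", "DontRemoteOutboundUdpPorts"}


def parse_port_list(value: str) -> frozenset:
    """Parse "135,137-139,445" into a set of ports; reject anything outside 1-65535."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port or range: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)


class FirewallClientSettings:
    """In-memory stand-in for the entries on the Application Settings tab."""

    def __init__(self):
        # application name ('*' = any application) -> key -> parsed port set
        self._entries = defaultdict(dict)

    def add(self, application: str, key: str, value: str) -> None:
        if key not in VALID_KEYS:
            raise ValueError(f"unsupported key: {key!r}")
        self._entries[application.lower()][key] = parse_port_list(value)

    def local_ports(self, application: str, proto: str) -> frozenset:
        """Ports this application connects to directly, i.e. not via ISA Server."""
        key = f"DontRemoteOutbound{proto.capitalize()}Ports"  # "tcp" -> ...TcpPorts
        ports = set()
        for name in ("*", application.lower()):  # assumption: '*' and exact name union
            ports |= self._entries.get(name, {}).get(key, frozenset())
        return frozenset(ports)

    def is_remoted(self, application: str, proto: str, port: int) -> bool:
        """True when the LSP would send this connect() to ISA Server over TCP 1745."""
        return port not in self.local_ports(application, proto)


def count_control_channel_requests(settings, attempts) -> int:
    """How many (application, proto, port) attempts still reach the Firewall service."""
    return sum(1 for app, proto, port in attempts
               if settings.is_remoted(app, proto, port))


# Constructed sample (not captured data): a worm running under random process
# names hammering TCP 445 and UDP 1434, plus one legitimate browser connection.
WORM_ATTEMPTS = [
    ("xk2f9q.exe", "tcp", 445),
    ("p0l3mn.exe", "tcp", 445),
    ("u7ac1.exe", "udp", 1434),
    ("iexplore.exe", "tcp", 80),
]


def demo() -> tuple:
    """Control-channel requests before and after the wildcard '*' settings are added."""
    before = FirewallClientSettings()
    after = FirewallClientSettings()
    after.add("*", "DontRemoteOutboundTcpPorts", "445")
    after.add("*", "DontRemoteOutboundUdpPorts", "1434")
    return (count_control_channel_requests(before, WORM_ATTEMPTS),
            count_control_channel_requests(after, WORM_ATTEMPTS))


if __name__ == "__main__":
    print(demo())  # (4, 1): only the browser's port-80 request is still proxied
```

The caveat this makes visible: a port listed under the `*` application bypasses ISA Server for every application, not just the worm, so keep the value to the ports the worm is actually hitting and never list ports that legitimate clients must reach through the proxy. The setting also only stops the connection requests from reaching the Firewall service; the infected host still emits them locally, so treat it as load shedding for the ISA Server computer while the infected clients are cleaned.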

The issue is that these “key settings” aren’t in the ISA 2004 interface. Why?  Are they there but by a different name?  How can these be obtained and added?

This is on Tom Shinder’s ISA 2004 top 25 Tricks & Tips article:  http://www.isaserver.org/tutorials/2004bestpractices-p1.html
