FWC config to allow all protocols for one app
FWC config to allow all protocols for one app - 22.Apr.2008 2:46:56 PM
allybee
Posts: 17
Joined: 19.Apr.2008
Status: offline
Hi, could someone help me out with how I should configure FWC to allow one application (let's say app.exe) to communicate via all protocols with the external network? Is it possible to have this setting common for more users? I have an application which connects on random UDP ports and is used by 20 key users in the network. What are the rules I should put in the FWC config to allow such communication? Thanks!
RE: FWC config to allow all protocols for one app - 23.Apr.2008 6:34:43 AM
allybee
Posts: 17
Joined: 19.Apr.2008
Status: offline
I also checked one thing. I made a rule to allow all outbound connections for a specific domain account. Then I used fwccred app /s appuser domain password. However, traffic generated by the app is recognized as the logged-in user and therefore blocked. Everything works fine when I runas the app for appuser, but I would like to avoid it as users may see that this account has elevated firewall privileges and use it for other apps. Any ideas? Thanks, Marcin
RE: FWC config to allow all protocols for one app - 23.Apr.2008 4:52:39 PM
elmajdal
Posts: 4944
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi, where does this application connect to? Does it communicate with a specific address?
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: FWC config to allow all protocols for one app - 23.Apr.2008 5:38:32 PM
allybee
Posts: 17
Joined: 19.Apr.2008
Status: offline
Hi, thanks for your reply. Unfortunately not, it opens many connections to different IPs. Thanks, Marcin
RE: FWC config to allow all protocols for one app - 24.Apr.2008 5:04:42 AM
allybee
Posts: 17
Joined: 19.Apr.2008
Status: offline
Seems I managed to find a solution. As a last rule in ISA I created an allow all protocols internal->external rule for one domain account. Then I created an AutoIT script that runs that software executable under this account (script built into an exe). Now when users start the script exe file it invokes the application using the privileged account and everything seems to be working fine. Thanks, Marcin
RE: FWC config to allow all protocols for one app - 24.Apr.2008 6:39:11 AM
elmajdal
Posts: 4944
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Cool! But be aware that your users might have access to the script and might start using it to launch other exe apps!
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: FWC config to allow all protocols for one app - 24.Apr.2008 6:51:19 AM
allybee
Posts: 17
Joined: 19.Apr.2008
Status: offline
I hope they can't. The script is built into the exe file. It takes the application exe location from the registry and launches it using AutoIT commands similar to Windows runas. So it is not as if they can provide any params as to what exe should be launched. Instead of using the application's executable they launch my exe file. I think it should be quite safe to use. Thanks, Marcin
RE: FWC config to allow all protocols for one app - 24.Apr.2008 7:00:43 AM
elmajdal
Posts: 4944
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Can you share the script with us? How did you call the application and attach the credentials to that application using the script? Also, what did you use to build the exe from the script?
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: FWC config to allow all protocols for one app - 24.Apr.2008 7:53:47 AM
allybee
Posts: 17
Joined: 19.Apr.2008
Status: offline
Sure, I used AutoIT and the included SciTe Script Editor. The Editor has built-in functionality to compile to an exe binary. Here is the au3 script source:

    ; Make subsequent Run() calls execute under the privileged account
    RunAsSet('account', 'domain', 'password')
    ; Read the application's exe path from the key its installer created
    $var = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\AppProducer\App\", "ExePath")
    ; Launch the application
    Run($var)

The good thing was that a default install of the app created the required registry keys which point to the app exe file. Thanks, Marcin
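The launcher above starts whatever ExePath points to under the privileged account, so the concern raised earlier in the thread comes down to who can write that registry key, the exe, and its folder. An added PowerShell audit for that (not part of the original thread; the trusted-SID list is an assumption to adjust per site):

```powershell
# Added example, not from the thread. Key path and value name come from the
# posted script; the trusted-SID list is an assumption to adjust per site.
$KeyPath   = 'HKLM:\SOFTWARE\AppProducer\App'
$ValueName = 'ExePath'
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal change what the launcher starts.
# 0x50000000 also catches raw GENERIC_WRITE / GENERIC_ALL entries.
$regNames  = 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$fileNames = 'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ' +
             'ChangePermissions, TakeOwnership'
$RegWrite  = [int][System.Security.AccessControl.RegistryRights]$regNames -bor 0x50000000
$FileWrite = [int][System.Security.AccessControl.FileSystemRights]$fileNames -bor 0x50000000

function Get-UntrustedWriter {
    param([string]$Path, [string]$RightsProperty, [int]$Mask)
    # Ask for SIDs directly so the check does not depend on localized names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        $granted = [int]$ace.$RightsProperty -band $Mask
        if ($ace.AccessControlType -eq 'Allow' -and $granted -and
            $TrustedSids -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Target = $Path
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.$RightsProperty
            }
        }
    }
}

# Resolve the exe the launcher would start, then audit key, file and folder.
$exe = ((Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName).$ValueName).Trim('"')
$findings = @(
    Get-UntrustedWriter $KeyPath 'RegistryRights' $RegWrite
    Get-UntrustedWriter $exe 'FileSystemRights' $FileWrite
    Get-UntrustedWriter (Split-Path -Parent $exe) 'FileSystemRights' $FileWrite
)
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No untrusted write access found.' }
```

A 32-bit launcher on 64-bit Windows reads the key under SOFTWARE\WOW6432Node, so audit that path as well.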
RE: FWC config to allow all protocols for one app - 24.Apr.2008 8:09:25 AM
elmajdal
Posts: 4944
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Mmm Cool. Thanks for the tip. Thanks, Tarek
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8