FWC config to allow all protocols for one app (Full Version)






allybee -> FWC config to allow all protocols for one app (22.Apr.2008 2:46:56 PM)

Hi,
Could someone help me out with how I should configure FWC to allow one application (let's say app.exe) to communicate via all protocols with the external network? Is it possible to have this setting common for several users?
I have an application which connects on random UDP ports and is used by 20 key users in the network. What are the rules I should put in the FWC config to allow such communication?

Thanks!




allybee -> RE: FWC config to allow all protocols for one app (23.Apr.2008 6:34:43 AM)

I also checked one thing.
I made a rule to allow all outbound connections for a specific domain account. Then I used fwccred app /s appuser domain password. However, traffic generated by the app is recognized as the logged-in user and is therefore blocked.
Everything works fine when I runas the app as appuser, but I would like to avoid that, as users may see that this account has elevated firewall privileges and use it for other apps.
Any ideas?

Thanks, Marcin




elmajdal -> RE: FWC config to allow all protocols for one app (23.Apr.2008 4:52:39 PM)

Hi,

Where does this application connect to?

Does it communicate with a specific address?




allybee -> RE: FWC config to allow all protocols for one app (23.Apr.2008 5:38:32 PM)

Hi, thanks for your reply.
Unfortunately not; it opens many connections to different IPs.

Thanks, Marcin




allybee -> RE: FWC config to allow all protocols for one app (24.Apr.2008 5:04:42 AM)

It seems I managed to find a solution. As the last rule in ISA I created an allow-all-protocols rule, internal -> external, for one domain account. Then I created an AutoIT script that runs the software executable under this account (script built into an exe). Now when users start the script exe file, it invokes the application using the privileged account and everything seems to be working fine.

Thanks, Marcin




elmajdal -> RE: FWC config to allow all protocols for one app (24.Apr.2008 6:39:11 AM)

Cool!

But be aware that your users might have access to the script and might start using it to launch other exe apps!




allybee -> RE: FWC config to allow all protocols for one app (24.Apr.2008 6:51:19 AM)

I hope they can't. The script is built into an exe file. It takes the application exe location from the registry and launches it using AutoIT commands similar to Windows runas.
So it is not like they can provide any params as to what exe should be launched. Instead of using the application's executable they launch my exe file. I think it should be quite safe to use.

Thanks, Marcin




elmajdal -> RE: FWC config to allow all protocols for one app (24.Apr.2008 7:00:43 AM)

Can you share the script with us?

How did you call the application and attach the credentials to that application using the script?

Also, what did you use to build the exe from the script?




allybee -> RE: FWC config to allow all protocols for one app (24.Apr.2008 7:53:47 AM)

Sure,
I used AutoIT and the included SciTE Script Editor. The editor has a built-in function to compile to an exe binary.
Here is the au3 script source:

; Set the credentials that every subsequent Run() call will use (RunAsSet, AutoIt 3.2)
RunAsSet('account', 'domain', 'password')
; Read the application's install path, which the app's installer writes to HKLM
$var = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\AppProducer\App\", "ExePath")
; Start the application under the RunAsSet credentials
Run($var)

The good thing was that a default install of the app created the required registry keys which point to the app exe file.

Thanks, Marcin
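A hardened variant of the launcher, added here as an example and not the poster's script, addressing Tarek's warning about the compiled exe being reused to launch other programs: it validates the registry-supplied path before handing it to RunAs. Assumed: AutoIt 3.3 (where RunAs() replaces the older RunAsSet()+Run() pair), the thread's registry key and value, and app.exe as the expected binary name.

```autoit
; Added example, not the poster's script. Assumptions: AutoIt 3.3, the
; registry key/value from the thread, and "app.exe" as the expected file name.
#include <MsgBoxConstants.au3>

Global Const $g_sRegKey = "HKEY_LOCAL_MACHINE\SOFTWARE\AppProducer\App"
Global Const $g_sRegValue = "ExePath"
Global Const $g_sExpectedExe = "app.exe"   ; assumed binary name
; The credentials still live inside the compiled exe: keep this account
; limited to the single ISA rule and nothing else.
Global Const $g_sUser = "appuser", $g_sDomain = "domain", $g_sPass = "password"

; Returns the validated full path, or "" with @error set if any check fails.
Func _GetValidatedAppPath()
    Local $sPath = RegRead($g_sRegKey, $g_sRegValue)
    If @error Then Return SetError(1, 0, "")
    ; Only a local drive path: reject UNC shares and relative paths
    If Not StringRegExp($sPath, "^[A-Za-z]:\\") Then Return SetError(2, 0, "")
    ; Must sit below Program Files, which standard users cannot write to by
    ; default (adjust if the app installs elsewhere, e.g. Program Files (x86))
    If StringInStr($sPath, @ProgramFilesDir & "\") <> 1 Then Return SetError(3, 0, "")
    ; The file name must be the application binary, not something swapped in
    Local $sPattern = "(?i)\\" & StringReplace($g_sExpectedExe, ".", "\.") & "$"
    If Not StringRegExp($sPath, $sPattern) Then Return SetError(4, 0, "")
    If Not FileExists($sPath) Then Return SetError(5, 0, "")
    Return $sPath
EndFunc

; Launch only if the path passed every check; returns the PID or 0.
Func _LaunchApp()
    Local $sPath = _GetValidatedAppPath()
    If @error Then
        MsgBox($MB_ICONERROR, "Launcher", "Refusing to start: check " & @error & " failed.")
        Return 0
    EndIf
    ; Working directory = the application's own folder
    Local $sDir = StringLeft($sPath, StringInStr($sPath, "\", 0, -1) - 1)
    ; logon_flag 0 = interactive logon without loading the user profile
    Local $iPid = RunAs($g_sUser, $g_sDomain, $g_sPass, 0, $sPath, $sDir)
    If @error Then
        MsgBox($MB_ICONERROR, "Launcher", "RunAs failed; check the account and password.")
        Return 0
    EndIf
    Return $iPid
EndFunc

_LaunchApp()
```

The path checks only close the "launch any exe" hole; the embedded password remains inside the compiled binary, so the account behind the ISA rule should carry no rights beyond that rule.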




elmajdal -> RE: FWC config to allow all protocols for one app (24.Apr.2008 8:09:25 AM)

Mmm Cool.

Thanks for the tip.

Thanks,
Tarek



