How would I allow Logmein.com and Gotomypc.com types of browser-based remote control services to my admin team, yet disallow them for the rest of the company?
Specifically, what kind of rule would I use to DENY these services? Maybe I would search the HTTPS stream for an executable header or something? How would I do that? I am not too savvy yet with ISA 2K4. I think Logmein uses port 2002, but I can't be sure yet...
Anyone else running into this situation? I don't want "typical" domain users having this service because of the FileManager capability. They could easily upload all kinds of virused/trojaned files to their work PC, and I don't want that. Yes, we do have active, updated AV and such, but I don't even want the possibility to exist that a user could do damage from a home/traveling PC...
So, as ISA Server 2004 stands today, as well as other firewalls, I CAN'T stop my users from setting up a GoToMyPC account and using it to access other PC's out on the Internet? Policy or no policy, they will find this stuff and do it. I would like a technical method for stopping this, and I thought ISA would be able to see the traffic going out (or coming in) and be able to do something about it.
And from the article mentioned, I also see that MSoft is going to promote this security-crippling capability in their R2 for W2K3! Are they insane!? Foolish is the only word that comes to mind...here they are out touting how secure their new products are, and yet they're including a bypass method around all of it! That just sounds plain stupid...
From: Albuquerque NM USA
One way that should work would be to monitor the URLs that these programs connect to and block them. In the past, I believe I read on this site that you could block access to poll.gotomypc.com to keep GoToMyPC from working.
There are ways to check which Domain, URL or Protocol. You can use Network Monitor of Windows, Simple DOS Command -- Netstat -o(Client side - Install the software and execute the command), or better use ISA Server's Realtime monitoring. Create a rule to Deny GoToMyPC and LogMein Domain and URL.
This is becoming a real pain in the butt as many of these services are popping up and all using ports 80 and 443. We have a rule that explicitly blocks HTTP (actually all ports) access to all of these sites:
This is why I don't create deny rules, I create allow rules only, for SSL. I never allow SSL through except to legit sites that users have demonstrated a need to access. Its impossible to beat these SSL tunnelers any other way. At least, not until we can get outbound SSL to SSL bridging on our networks.
Thanks for the help. What I think you are saying is that we shouldn't allow blanket HTTPS outbound activity for our users, right? Make a single HTTPS rule and keep adding HTTPS sites that users are requesting and make sense, right? Sort of an HTTPS whitelist, right?
I hope I'm hearing you correctly since I am still a bit perturbed about this tunneling problem. Could you give us a thumbnail sketch of what a rule would look like using this theory?
FYI You can use the Corporate version of GoToMyPC to have full control of who uses the service. You can even control what computers have access to the host computers within your network. Contact the GoToMyPC sales for more information.
This is still a very hot topic at my work. We can't put in our new Exchange and ISA systems until I get some new kind of direction. Maybe someone can suggest something other than DENY rules? We have Websense, and they have a Proxy Avoidance category that'll take care of those types of sites (mostly), but I was hoping that we as a group could find a better way to monitor/filter HTTPS Tunneling using ISA Server 2004...
Maybe for somebody it would be interesting to know about another remote access program called pc file transfer on http://www.pc-file-transfer.com/. There are two panels in it, one shows files and folders on the local computer, the other one does the same for the remote computer. You can transfer files and folders from a laptop to a computer or the other way around. Besides, the program features two different remote access methods: direct connection to a remote computer using its IP address and account connection to connect to any computer without knowing its IP address.