RE: Block Web access for non-Web Proxy clients

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 5 Apr 2005 08:10:39 -0500

Hey Dan,

Sometimes simplicity is elegance :) (Einstein)

This configuration pretty much replicates the ISA Server 2000 HTTP
Redirector filter settings that allow you to drop connections from
SecureNAT and Firewall clients.

HTH, 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Tuesday, April 05, 2005 7:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Block Web access for non-Web Proxy clients


That won't work, it's too simple.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, April 05, 2005 08:52
To: [ISAserver.org Discussion List]
Subject: [isalist] Block Web access for non-Web Proxy clients


Hey folks,

Regarding the SurfControl issue, it sounds like the primary issue is
that non-Web proxy clients can reach the Internet when the Web proxy
client configuration is disabled. If we fix this, then most of the
problem is solved -- since we can whack the employee over the head for
explicitly carrying out an action that subverts network use policy.

So, how to do it?

1. Create a Protocol Definition for TCP 80 outbound
2. Do NOT bind the Web proxy filter to the Protocol Definition
3. Create an Access Rule that Denies this protocol, put it above all the
allow rules
4. Test from a SecureNAT or Firewall client. Go to a Web site and see
the connection denied
5. Configure the same client as a Web proxy client too -- Web site
access is allowed

Why does it work? Because Web proxy clients always remote their
connections to the Web proxy listener, which is by default TCP 8080 on
the ISA firewall's local interface (local to the client).

HTH, 
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
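
The checks in steps 4 and 5 of the message above can be scripted from a test workstation; this is an added example, not part of the original thread. The function names and the two arguments (the ISA firewall's internal address and an external test site) are assumptions, and 8080 is the default listener port mentioned in the post.

```python
import socket

def direct_http_blocked(host, port=80, timeout=5.0):
    """Step 4: True if a direct TCP connection (SecureNAT/Firewall client path) fails.
    A DNS failure also counts as a failure here, so pass an IP address or a name
    that is known to resolve."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:  # refused, reset, unreachable or timed out
        return True

def proxy_http_status(proxy_host, url, proxy_port=8080, timeout=5.0):
    """Step 5: request url through the Web proxy listener; return the HTTP status or None."""
    host = url.split("/")[2]
    request = f"GET {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(request)
            reply = b""
            while b"\r\n" not in reply:  # read until the status line is complete
                chunk = s.recv(1024)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return None
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def check_policy(proxy_host, test_host, proxy_port=8080):
    """The policy holds when direct TCP 80 fails and the proxied request succeeds."""
    blocked = direct_http_blocked(test_host)
    status = proxy_http_status(proxy_host, f"http://{test_host}/", proxy_port)
    proxied = status is not None and 200 <= status < 400
    return {"direct_blocked": blocked, "proxy_status": status,
            "policy_ok": blocked and proxied}

if __name__ == "__main__":
    import sys
    # Assumed usage: python check_policy.py <ISA internal address> <external test site>
    print(check_policy(sys.argv[1], sys.argv[2]))
```

A proxy status of 403 or 407 means the listener was reached but the request was refused or needs authentication, which is a different result from the direct connection being dropped.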

