Hey Dan,

Sometimes simplicity is elegance :) (Einstein)

This configuration pretty much replicates the ISA Server 2000 HTTP Redirector filter settings that allow you to drop connections from SecureNAT and Firewall clients.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 7:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Block Web access for non-Web Proxy clients

That won't work, it's too simple.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 08:52
To: [ISAserver.org Discussion List]
Subject: [isalist] Block Web access for non-Web Proxy clients

Hey folks,

Regarding the SurfControl issue, it sounds like the primary issue is that non-Web proxy clients can reach the Internet when the Web proxy client configuration is disabled. If we fix this, then most of the problem is solved -- since we can whack the employee over the head for explicitly carrying out an action that subverts network use policy.

So, how to do it?

1. Create a Protocol Definition for TCP 80 outbound
2. Do NOT bind the Web proxy filter to the Protocol Definition
3. Create an Access Rule that Denies this protocol, put it above all the allow rules
4. Test from a SecureNAT or Firewall client. Go to a Web site and see the connection denied
5. Configure the same client as a Web proxy client too -- Web site access is allowed

Why do it work?
Because Web proxy clients always remote their connections to the Web proxy listener, which is by default TCP 8080 on the ISA firewall's local interface (local to the client).

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
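
Steps 4 and 5 of the procedure above can be checked from a client machine with a short script. This is an added example, not part of the original messages; the host names are placeholders, and the function names and verdict strings are assumptions of this example.

```python
import socket

def direct_http_blocked(host, port=80, timeout=5.0):
    """Step 4: True if a direct TCP connection (the SecureNAT/Firewall
    client path) fails, i.e. the Deny rule on TCP 80 outbound applied."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:  # refused, reset or timed out
        return True

def proxy_http_status(proxy_host, proxy_port, url, timeout=5.0):
    """Step 5: send one absolute-URI GET to the Web proxy listener.
    Returns the HTTP status code, or None if the listener did not answer."""
    host = url.split("/")[2]
    request = f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            status_line = s.makefile("rb").readline().decode("ascii", "replace")
    except OSError:
        return None
    parts = status_line.split()
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None

def policy_verdict(direct_blocked, proxy_status):
    """Combine both probes into a one-line result for the test log."""
    if not direct_blocked:
        return "bypass possible: direct TCP 80 is still allowed"
    if proxy_status is None:
        return "over-blocked: Web proxy listener did not answer"
    if proxy_status >= 400:
        return f"direct blocked, but proxy returned HTTP {proxy_status}"
    return "enforced"

if __name__ == "__main__":
    ISA_HOST = "isa.example.internal"   # placeholder: ISA firewall's internal interface
    SITE = "www.example.com"            # placeholder: any external Web site
    print(policy_verdict(
        direct_http_blocked(SITE),                           # direct, non-proxy path
        proxy_http_status(ISA_HOST, 8080, f"http://{SITE}/"),  # default listener port
    ))
```

Run it once from a machine configured only as a SecureNAT or Firewall client; a status of 407 or 403 from the listener means the proxy path is reachable but the request was not authorized by the allow rules.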