RE: Block Web access for non-Web Proxy clients

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 5 Apr 2005 12:59:35 -0400

Well, created your rule this afternoon, and it does appear to block
non-proxy traffic!  Will test it out further, but it does look hopeful.
As soon as the phone calls start to come in saying they can't browse the
Internet anymore I'll know I did it right!

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, April 05, 2005 08:52
To: [ISAserver.org Discussion List]
Subject: [isalist] Block Web access for non-Web Proxy clients

Hey folks,

Regarding the SurfControl issue, it sounds like the primary issue is
that non-Web proxy clients can reach the Internet when the Web proxy
client configuration is disabled. If we fix this, then most of the
problem is solved -- since we can whack the employee over the head for
explicitly carrying out an action that subverts network use policy.

So, how to do it?

1. Create a Protocol Definition for TCP 80 outbound
2. Do NOT bind the Web proxy filter to the Protocol Definition
3. Create an Access Rule that Denies this protocol, put it above all the
allow rules
4. Test from a SecureNAT or Firewall client. Go to a Web site and see
the connection denied
5. Configure the same client as a Web proxy client too -- Web site
access is allowed

Why does it work? Because Web proxy clients always remote their
connections to the Web proxy listener, which is by default TCP 8080 on
the ISA firewall's local interface (local to the client).

HTH, 
 
Tom
http://www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
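
A client-side check for steps 4 and 5 above, added here as an example and not part of the original posts: it tries a direct TCP 80 connection (the SecureNAT/Firewall client path) and then the same site through the Web proxy listener. The function names, the `example.com` test site and the `192.0.2.1` proxy address are assumptions; substitute a real external site and the ISA firewall's internal address.

```python
import socket


def tcp_connects(host, port, timeout=3.0):
    """True if a direct TCP connection to host:port completes (non-proxy path)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, reset, unreachable or timed out
        return False


def proxy_status(proxy_host, proxy_port, url, timeout=5.0):
    """GET an absolute URL via the Web proxy listener; return the HTTP status or None."""
    host = url.split("/")[2]
    request = f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            status_line = s.makefile("rb").readline().decode("latin-1")
        return int(status_line.split()[1])
    except (OSError, IndexError, ValueError):
        return None  # listener unreachable or reply was not HTTP


def check_policy(site, proxy_host, proxy_port=8080, web_port=80):
    """Step 4: direct TCP 80 should fail. Step 5: the proxy path should succeed."""
    direct = tcp_connects(site, web_port)
    status = proxy_status(proxy_host, proxy_port, f"http://{site}/")
    return {
        "direct_blocked": not direct,
        # A 407 here means the listener answered but wants authentication.
        "proxy_path_works": status is not None and status < 400,
        "proxy_status": status,
    }


if __name__ == "__main__":
    # Placeholder values (assumptions, not from the thread).
    result = check_policy("example.com", "192.0.2.1")
    print(result)
    if not result["direct_blocked"]:
        print("Direct TCP 80 still gets out: check that the Deny rule sits above the allow rules.")
```

Run it from a machine that is configured only as a SecureNAT or Firewall client, so the direct attempt is not silently redirected by local proxy settings.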


