Well, created your rule this afternoon, and it does appear to block non-proxy traffic! Will test it out further, but it does look hopeful. As soon as the phone calls start to come in saying they can't browse the Internet anymore I'll know I did it right!

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 08:52
To: [ISAserver.org Discussion List]
Subject: [isalist] Block Web access for non-Web Proxy clients

http://www.ISAserver.org

Hey folks,

Regarding the SurfControl issue, it sounds like the primary issue is that non-Web proxy clients can reach the Internet when the Web proxy client configuration is disabled. If we fix this, then most of the problem is solved -- since we can whack the employee over the head for explicitly carrying out an action that subverts network use policy.

So, how to do it?

1. Create a Protocol Definition for TCP 80 outbound
2. Do NOT bind the Web proxy filter to the Protocol Definition
3. Create an Access Rule that Denies this protocol, put it above all the allow rules
4. Test from a SecureNAT or Firewall client. Go to a Web site and see the connection denied
5. Configure the same client as a Web proxy client too -- Web site access is allowed

Why do it work? Because Web proxy clients always remote their connections to the Web proxy listener, which is by default TCP 8080 on the ISA firewall's local interface (local to the client).

HTH,
Tom

www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
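The check in steps 4 and 5 of the quoted procedure can be scripted from an internal client. This is an added Python example, not part of either message; the function names and the command-line usage are assumptions, and 8080 is the default listener port named in the post.

```python
import socket
import sys

def direct_reachable(host, port=80, timeout=3.0):
    """Step 4: plain TCP connect, the way a SecureNAT or Firewall client goes out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, reset, unreachable, unresolved or timed out
        return False

def proxy_status(proxy_host, proxy_port, url, timeout=3.0):
    """Step 5: absolute-URI GET sent to the Web proxy listener.
    Returns the HTTP status code, or None if the listener gave no HTTP answer."""
    host = url.split("/")[2]
    request = f"GET {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(request)
            first = s.recv(256).split(b"\r\n", 1)[0].decode("latin-1")
    except OSError:
        return None
    parts = first.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def verdict(direct_ok, status):
    """Combine both probes into the outcome the procedure expects."""
    if direct_ok:
        return "FAIL: direct TCP 80 got out; deny rule missing or below an allow rule"
    if status is None:
        return "FAIL: direct TCP 80 blocked, but the Web proxy listener did not answer"
    # Any HTTP status (200, 403, 407 ...) shows the proxy path is the one in use.
    return f"PASS: direct TCP 80 blocked, Web proxy answered with HTTP {status}"

if __name__ == "__main__":
    # Assumed usage: probe.py <web-host> <proxy-host> [proxy-port]
    web_host, proxy_host = sys.argv[1], sys.argv[2]
    proxy_port = int(sys.argv[3]) if len(sys.argv) > 3 else 8080  # default per the post
    print(verdict(direct_reachable(web_host),
                  proxy_status(proxy_host, proxy_port, f"http://{web_host}/")))
```

Run it on a machine that sits behind the firewall as a SecureNAT or Firewall client; a FAIL on the first probe means the deny rule is not being hit before an allow rule.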