RE: Block Web access for non-Web Proxy clients

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 5 Apr 2005 12:33:47 -0500

Hi Roy,

The users will still be able to disable the Web proxy settings. They
just won't be able to get to any resources requiring outbound access TCP
80, and I assume we can do the same thing with TCP 443, since the same
principles apply. 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Tuesday, April 05, 2005 12:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Block Web access for non-Web Proxy clients

http://www.ISAserver.org

What about an FCW client who can use Winsock Proxy by disabling Web
Proxy?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, April 05, 2005 8:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Block Web access for non-Web Proxy clients

Hey folks,

Regarding the SurfControl issue, it sounds like the primary issue is
that non-Web proxy clients can reach the Internet when the Web proxy
client configuration is disabled. If we fix this, then most of the
problem is solved -- since we can whack the employee over the head
for explicitly carrying out an action that subverts network use
policy.

So, how to do it?

1. Create a Protocol Definition for TCP 80 outbound
2. Do NOT bind the Web proxy filter to the Protocol Definition
3. Create an Access Rule that Denies this protocol, put it above all
   the allow rules
4. Test from a SecureNAT or Firewall client. Go to a Web site and see
   the connection denied
5. Configure the same client as a Web proxy client too -- Web site
   access is allowed

Why does it work? Because Web proxy clients always remote their
connections to the Web proxy listener, which is by default TCP 8080
on the ISA firewall's local interface (local to the client).

HTH, 
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
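
Steps 4 and 5 of the message above can be checked from a test client with a short script. This is an added example, not part of the original posts: the test site and firewall address in the `__main__` block are placeholders, and 8080 is the default listener port named in the message.

```python
import http.client
import socket
import urllib.error
import urllib.request


def direct_tcp_allowed(host, port, timeout=3.0):
    """True if a direct TCP connect succeeds (the SecureNAT/Firewall client path)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def proxied_http_allowed(proxy_host, proxy_port, url, timeout=3.0):
    """True if the Web proxy listener returns a success response for url."""
    proxy = urllib.request.ProxyHandler({"http": f"http://{proxy_host}:{proxy_port}"})
    opener = urllib.request.build_opener(proxy)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return False  # refused, timed out, or denied (HTTP 4xx/5xx)


def verdict(direct_ok, proxied_ok):
    """Classify the two observations against the outcome the steps expect."""
    if direct_ok:
        return "bypass-possible"   # deny rule missing or ordered below an allow rule
    if proxied_ok:
        return "enforced"          # step 4 denied, step 5 allowed
    return "proxy-path-broken"     # direct is blocked, but so is the proxy path


if __name__ == "__main__":
    # Placeholders (assumptions): replace with a real test site and the
    # firewall's internal address. 8080 is the default listener port.
    site, firewall, listener = "www.example.com", "192.0.2.1", 8080
    for port in (80, 443):  # the reply suggests treating TCP 443 the same way
        print(f"direct TCP {port} allowed:", direct_tcp_allowed(site, port))
    result = verdict(direct_tcp_allowed(site, 80),
                     proxied_http_allowed(firewall, listener, f"http://{site}/"))
    print("policy check:", result)
```

Run it once from a SecureNAT or Firewall client with the browser proxy settings cleared; a result of `bypass-possible` means the deny rule is not taking effect for that client.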



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
roy_tsao@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

