Yeah, I got it!

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, April 06, 2005 1:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Block Web access for non-Web Proxy clients

http://www.ISAserver.org

Hi Roy,

The users will still be able to disable the Web proxy settings. They just won't be able to get to any resources requiring outbound access TCP 80, and I assume we can do the same thing with TCP 443, since the same principles apply.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 12:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Block Web access for non-Web Proxy clients

What about FCW client who can use Winsock Proxy by disabling Web Proxy??

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 8:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Block Web access for non-Web Proxy clients

Hey folks,

Regarding the SurfControl issue, it sounds like the primary issue is that non-Web proxy clients can reach the Internet when the Web proxy client configuration is disabled. If we fix this, then most of the problem is solved -- since we can whack the employee over the head for explicitly carrying out an action that subverts network use policy.

So, how to do it?

1. Create a Protocol Definition for TCP 80 outbound
2. Do NOT bind the Web proxy filter to the Protocol Definition
3. Create an Access Rule that Denies this protocol, put it above all the allow rules
4. Test from a SecureNAT or Firewall client. Go to a Web site and see the connection denied
5. Configure the same client as a Web proxy client too -- Web site access is allowed

Why does it work?
Because Web proxy clients always remote their connections to the Web proxy listener, which is by default TCP 8080 on the ISA firewall's local interface (local to the client).

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: roy_tsao@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
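
The checks in steps 4 and 5 of the original message can be scripted so the policy is re-verified after every rule change. The following is an added example, not part of the thread: the proxy host name and test URL are placeholders, and 8080 is the default listener port the message mentions.

```python
import socket
import sys

def direct_http_reachable(host, port=80, timeout=3.0):
    """Step 4 path (SecureNAT/Firewall client): connect straight to the server.
    True if an HTTP status line comes back; False if the connection is
    refused, reset, dropped or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return s.recv(64).startswith(b"HTTP/")
    except OSError:
        return False

def proxied_http_status(proxy_host, url, proxy_port=8080, timeout=3.0):
    """Step 5 path (Web proxy client): absolute-URI request to the listener.
    Returns the HTTP status code, or None if there is no valid reply."""
    host = url.split("/")[2]
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(f"HEAD {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            parts = s.recv(64).split()
    except OSError:
        return None
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def policy_verdict(direct_ok, proxy_status):
    """Combine both probes into the outcome the procedure expects."""
    if direct_ok:
        return "FAIL: direct TCP 80 is still allowed"
    if proxy_status is None or proxy_status >= 400:
        return "FAIL: direct TCP 80 is blocked, but the proxy path is not usable"
    return "OK: direct TCP 80 blocked, Web proxy path allowed"

if __name__ == "__main__":
    # Placeholders (assumptions): pass your own proxy host and test URL.
    proxy = sys.argv[1] if len(sys.argv) > 1 else "isa.example.internal"
    url = sys.argv[2] if len(sys.argv) > 2 else "http://www.example.com/"
    target = url.split("/")[2]
    print(policy_verdict(direct_http_reachable(target),
                         proxied_http_status(proxy, url)))
```

A failed direct probe can also come from a DNS failure on the client, so confirm the test name resolves before reading a "blocked" result as proof that the Deny rule matched.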