RE: Block Web access for non-Web Proxy clients

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Apr 2005 02:11:07 +0800

Yeah, I got it! 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, April 06, 2005 1:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Block Web access for non-Web Proxy clients

http://www.ISAserver.org

Hi Roy,

The users will still be able to disable the Web proxy settings. They
just won't be able to get to any resources requiring outbound access
TCP 80, and I assume we can do the same thing with TCP 443, since the
same principles apply. 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 12:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Block Web access for non-Web Proxy clients

What about an FCW client who can use Winsock Proxy by disabling Web
Proxy?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, April 05, 2005 8:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Block Web access for non-Web Proxy clients

Hey folks,

Regarding the SurfControl issue, it sounds like the primary issue is
that non-Web proxy clients can reach the Internet when the Web proxy
client configuration is disabled. If we fix this, then most of the
problem is solved -- since we can whack the employee over the head
for explicitly carrying out an action that subverts network use
policy.

So, how to do it?

1. Create a Protocol Definition for TCP 80 outbound
2. Do NOT bind the Web proxy filter to the Protocol Definition
3. Create an Access Rule that Denies this protocol, put it above all
   the allow rules
4. Test from a SecureNAT or Firewall client. Go to a Web site and see
   the connection denied
5. Configure the same client as a Web proxy client too -- Web site
   access is allowed

Why does it work? Because Web proxy clients always remote their
connections to the Web proxy listener, which is by default TCP 8080
on the ISA firewall's local interface (local to the client).

HTH, 
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network
Security Library: http://www.secinf.net/ Windows 2000/NT Fax
Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List
as: roy_tsao@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
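
Steps 4 and 5 of the procedure in the original message can be scripted and re-run from a test client after every policy change. The following is an added example, not part of the thread: the host names are placeholders, the function names are hypothetical, and TCP 8080 is the default listener port stated in the message.

```python
import socket

def direct_connect(host, port, timeout=5.0):
    """True if a direct TCP connection (no proxy) to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def proxied_status(proxy_host, proxy_port, url, timeout=5.0):
    """Ask the Web proxy listener for an absolute URL; return the HTTP
    status code, or None if the listener gave no parsable answer."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            host = url.split("/")[2]
            s.sendall(f"GET {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            parts = s.makefile("rb").readline().decode("latin-1").split()
    except OSError:
        return None
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None

def check_policy(site, proxy_host, proxy_port=8080, ports=(80,),
                 direct=direct_connect, proxied=proxied_status):
    """Step 4: direct outbound must be denied. Step 5: the same site must
    answer through the proxy listener. Returns (compliant, findings)."""
    findings = []
    for port in ports:
        if direct(site, port):
            findings.append(f"direct TCP {port} to {site} is allowed "
                            "(deny rule missing or below an allow rule)")
    status = proxied(proxy_host, proxy_port, f"http://{site}/")
    if status is None:
        findings.append(f"no HTTP response from proxy listener {proxy_host}:{proxy_port}")
    elif status >= 400:
        findings.append(f"proxy answered {status} for {site} "
                        "(listener reachable, request refused)")
    return (not findings, findings)

if __name__ == "__main__":
    # Placeholder names: replace with a real external site and the ISA
    # firewall's internal interface. Keep 443 only once a TCP 443 deny exists.
    ok, findings = check_policy("www.example.com", "isa.example.internal", ports=(80, 443))
    print("PASS" if ok else "FAIL")
    for f in findings:
        print(" -", f)
```

Run it from a SecureNAT or Firewall client; the `direct` and `proxied` parameters accept stand-in functions so the check logic can be exercised without network access.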