RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004
- From: "Ara" <ara@xxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 16 Mar 2005 22:53:05 -0800
Hi Tom,
What about if the user is smart enough changing the executable name to
something else? what about for safari, opera, Netscape, mozilla???
looks like my only option is removing firewall client and pushing proxy
settings through group policy. Also following one of my last post, I had to run
the firewall service under local system account instead of network service due
to some incompability with 3rd party tools. Do you think that might be a
problem too?
Regards
________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wed 3/16/2005 7:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Ara,
Good question. None that I can think of, because the hosts have to be
configured as Web proxy clients for it to work. You can't use authentication to
control this, because the Firewall client can authenticate too. I suppose you
could disable=1 for the Firefox executable. That will cause the Firewall client
to bypass connections from Firefox and then then when authentication is
enforced, then they must be Web proxy clients since SecureNAT clients can't
auth.
That should work.
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Wednesday, March 16, 2005 7:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Tom,
Is there any way to stop those firewall clients' users bypassing the web filter
using fire fox?
Thank you
________________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, March 16, 2005 6:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for
ISA Server 2004
http://www.ISAserver.org
Hi Dan,
Yeah, its a real problem. The HTTP redirector would work for anonymous
connections in 2000, but the auth model changed (for the better) for 2004, but
the filter guys didn't get wind of it or something, so now if you allow users
to disable their Web proxy config, they can still auth via FWC and get by the
Web filter, even though the Web proxy filter is still bound to the HTTP
protocol.
Supposed to be fixed soon, though.
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
Other related posts:
