Hi Tom,

Yes, it is more of a political problem than a technical one. But I don't have proof on hand. As an example, if I use the SurfControl real-time monitor, I can see where people go with IE and even generate logs. But when they use Firefox, that doesn't show up on the monitor or in the logs, which is pretty crazy.

Anyway, thank you for the suggestions.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thu 3/17/2005 3:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

http://www.ISAserver.org

Hi Ara,

It sounds like you might have behavior issues with your users. Several problems I see here:

* They are not using IE. I don't consider the alternate browsers more secure and in fact, probably in the next few months they'll be much more of a security risk than IE
* They are disabling the proxy configuration to subvert network use and security policy
* They are willing to endanger the network and business to such an extent that they will rename executable files to subvert security policy and the viability and profitability of the business

If I had these problems, I'd worry more about which law enforcement wing to report these uses to, since I could choose from local, State or Federal.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Thursday, March 17, 2005 12:53 AM
To: [ISAserver.org Discussion List]
Subject: RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

Hi Tom,

What if the user is smart enough to change the executable name to something else? What about Safari, Opera, Netscape, Mozilla? It looks like my only option is removing the Firewall client and pushing proxy settings through Group Policy.
Also, following one of my last posts, I had to run the firewall service under the local system account instead of network service due to some incompatibility with 3rd party tools. Do you think that might be a problem too?

Regards

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wed 3/16/2005 7:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

Hi Ara,

Good question. None that I can think of, because the hosts have to be configured as Web proxy clients for it to work. You can't use authentication to control this, because the Firewall client can authenticate too. I suppose you could disable=1 for the Firefox executable. That will cause the Firewall client to bypass connections from Firefox, and then when authentication is enforced, they must be Web proxy clients, since SecureNAT clients can't auth. That should work.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Wednesday, March 16, 2005 7:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

Hi Tom,

Is there any way to stop those Firewall client users from bypassing the web filter using Firefox?

Thank you

________________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, March 16, 2005 6:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

Hi Dan,

Yeah, it's a real problem.
The HTTP redirector would work for anonymous connections in 2000, but the auth model changed (for the better) for 2004, but the filter guys didn't get wind of it or something, so now if you allow users to disable their Web proxy config, they can still auth via FWC and get by the Web filter, even though the Web proxy filter is still bound to the HTTP protocol. Supposed to be fixed soon, though.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls