They could easily use Group Policy to set the proxy configuration, and to completely remove access to those components from the users.

t

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 10, 2004 6:48 AM
Subject: [isalist] RE: Using the firewall client to webproxy access upstream ISA server

http://www.ISAserver.org

Hi Andy,

OK, so the problem isn't with the firewall client, it's with the users manually setting their Web proxy to a different address. How about an access rule that explicitly denied TCP 8080 from Internal --> External?

HTH,
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Andy Greenhalgh [mailto:andy.greenhalgh@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 10, 2004 4:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using the firewall client to webproxy access upstream ISA server

Hi Tom,

Got both ISA 2000 books, both are excellent and useful resources.

Our config looks like

                    Internet
                       |
                   ISAServer4
                       |
    DMZ    --------172.16.0.0/16--------
            |          |          |
           ISA1       ISA2       ISA3
            |          |          |
        Corporate  Education   Library
       10.x.0.0/16 10.y.0.0/16 10.z.0.0/16

Some users in the corporate network have their proxy set to 172.16.10.10:8080, ISAServer4. They have the firewall client configured to use 10.1.1.30, ISA1. It appears that the firewall service on ISA1 is directing the port 8080 traffic to ISAServer4 where the Webproxy service takes over. I've tried it and our security officer has tried it and it does bypass the content filtering on ISA1.

Anonymous access is allowed on ISAServer4 which is in a workgroup. ISA1, ISA2, ISA3 are in separate 2000 domains and all require authentication.

The content filtering for the Library network is less restrictive than the Corporate network.
The Education network is the most tightly controlled. My worry is if the knowledge of this mechanism gets into the schools then we will no longer be able to properly protect the children from inappropriate web content on the education network.

It is obviously a mistake in my configuration somewhere but I think I'm going to need some suggestions.

Cheers
Andy,

> Hi Andy,
>
> How can they do that? The upstream ISA firewall should not be directly
> reachable from behind any of the back-end ISA firewalls.
>
> Thanks!
>
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: Andy Greenhalgh [mailto:andy.greenhalgh@xxxxxxxxxxxxxxxxxxx]
> Sent: Monday, August 09, 2004 11:52 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Using the firewall client to webproxy access upstream ISA server
>
> We have a back to back ISA server DMZ configuration. We run 3 internal ISA
> servers for 3 separate internal networks, Corporate, Education, and Public
> Library. The DMZ has a single connection to the internet.
>
> Each internal network has different content filtering requirements so the
> content filtering is installed on each internal ISA server.
>
> Some of our more technically able users are bypassing the content
> filtering by configuring Internet Explorer to use the upstream ISA server
> IP address and using the firewall client to reach the upstream ISA server.
>
> Is there a configuration which can prevent this? Our users will still need
> to access some content using the firewall client.
>
> Andy Greenhalgh
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
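
Added example, not part of the original thread: a short Python check a defender could run over exported firewall records to see which internal clients addressed the upstream Web proxy (172.16.10.10:8080) directly, and whether a deny rule like the one Tom suggests is actually blocking them. The CSV layout, the sample records and the 10.0.0.0/8 internal range are assumptions constructed for illustration, not ISA Server's own log format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# From the thread: ISAServer4's Web proxy listener in the DMZ.
UPSTREAM_PROXY = ipaddress.ip_address("172.16.10.10")
PROXY_PORT = 8080
# Assumption: the internal networks (10.x, 10.y, 10.z) all fall in 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample records in a simplified CSV layout (not ISA's own log format).
SAMPLE_LOG = """\
time,client_ip,user,dest_ip,dest_port,action
2004-08-10T09:01:12,10.1.4.21,CORP\\alice,172.16.10.10,8080,Allowed
2004-08-10T09:01:40,10.1.4.21,CORP\\alice,172.16.10.10,8080,Allowed
2004-08-10T09:02:03,10.1.7.88,CORP\\bob,198.51.100.7,80,Allowed
2004-08-10T09:05:30,10.1.9.14,CORP\\carol,172.16.10.10,8080,Denied
2004-08-10T09:06:02,10.1.9.14,CORP\\carol,172.16.10.10,443,Allowed
2004-08-10T09:07:45,not-an-ip,,172.16.10.10,8080,Allowed
"""

def find_proxy_bypass(log_text):
    """Return {client_ip: {"allowed": n, "denied": n, "users": set}} for
    internal clients that addressed the upstream proxy port directly."""
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0, "users": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            client = ipaddress.ip_address(row["client_ip"])
            dest = ipaddress.ip_address(row["dest_ip"])
            port = int(row["dest_port"])
        except (ValueError, TypeError, KeyError):
            continue  # skip malformed records instead of aborting the scan
        if client not in INTERNAL or dest != UPSTREAM_PROXY or port != PROXY_PORT:
            continue
        entry = hits[str(client)]
        allowed = (row.get("action") or "").strip().lower() == "allowed"
        entry["allowed" if allowed else "denied"] += 1
        if row.get("user"):
            entry["users"].add(row["user"])
    return dict(hits)

def still_bypassing(hits):
    """Clients with at least one allowed connection: the deny rule is not stopping them."""
    return sorted(ip for ip, e in hits.items() if e["allowed"] > 0)

if __name__ == "__main__":
    report = find_proxy_bypass(SAMPLE_LOG)
    print(report, "not blocked:", still_bypassing(report))
```
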