RE: Using the firewall client to webproxy access upstream ISA server

  • From: "Thor" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 10 Aug 2004 10:55:01 -0700

They could easily use Group Policy to set the proxy configuration, and to
completely remove access to those components from the users.

t

----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 10, 2004 6:48 AM
Subject: [isalist] RE: Using the firewall client to webproxy access upstream
ISA server


http://www.ISAserver.org

Hi Andy,

OK, so the problem isn't with the firewall client, it's with the users
manually setting their Web proxy to a different address.

How about an access rule that explicitly denied TCP 8080 from Internal
--> External?

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Andy Greenhalgh [mailto:andy.greenhalgh@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 10, 2004 4:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using the firewall client to webproxy access
upstream ISA server


Hi Tom,

Got both ISA 2000 books, both are excellent and useful resources.

Our config looks like

                Internet
                   |
               ISAServer4
                   |
                  DMZ
     --------172.16.0.0/16-------- 
    |              |              |
  ISA1            ISA2          ISA3
    |              |              |
Corporate      Education       Library
10.x.0.0/16    10.y.0.0/16     10.z.0.0/16

Some users in the corporate network have their proxy set to
172.16.10.10:8080, ISAServer4. They have the firewall client configured to
use 10.1.1.30, ISA1.

It appears that the firewall service on ISA1 is directing the port 8080
traffic to ISAServer4 where the Webproxy service takes over.

I've tried it and our security officer has tried it and it does bypass the
content filtering on ISA1.

Anonymous access is allowed on ISAServer4 which is in a workgroup. ISA1,
ISA2, ISA3 are in separate 2000 domains and all require authentication.

The content filtering for the Library network is less restrictive than the
Corporate network. The Education network is the most tightly controlled.

My worry is if the knowledge of this mechanism gets into the schools then
we will no longer be able to properly protect the children from
inappropriate web content on the education network.

It is obviously a mistake in my configuration somewhere but I think I'm
going to need some suggestions.

Cheers Andy,


> Hi Andy,
>
> How can they do that? The upstream ISA firewall should not be directly
> reachable from behind any of the back-end ISA firewalls.
>
> Thanks!
>
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> -----Original Message-----
> From: Andy Greenhalgh [mailto:andy.greenhalgh@xxxxxxxxxxxxxxxxxxx]
> Sent: Monday, August 09, 2004 11:52 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Using the firewall client to webproxy access upstream
> ISA server
>
>
> We have a back to back ISA server DMZ configuration. We run 3 internal ISA
> servers for 3 separate internal networks, Corporate, Education, and Public
> Library. The DMZ has a single connection to the internet.
>
> Each internal network has different content filtering requirements so the
> content filtering is installed on each internal ISA server.
>
> Some of our more technically able users are bypassing the content
> filtering by configuring Internet Explorer to use the upstream ISA server
> IP address and using the firewall client to reach the upstream ISA server.
>
> Is there a configuration which can prevent this? Our users will still need
> to access some content using the firewall client.
>
> Andy Greenhalgh
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
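
The deny rule suggested in the thread (TCP 8080 from Internal to External), modelled as an added example that is not from any of the posters or from ISA Server itself. It assumes ordered first-match rule evaluation with a default deny, an existing allow-all outbound rule on ISA1, and 10.1.0.0/16 as the Corporate range; the client and external addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: 10.1.0.0/16 stands in for the Corporate range the thread gives as 10.x.0.0/16.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    ports: frozenset = frozenset()  # empty set means any TCP port

def is_internal_to_external(src, dst):
    # Seen from ISA1, everything outside Corporate (the DMZ included) is External.
    return (ipaddress.ip_address(src) in INTERNAL
            and ipaddress.ip_address(dst) not in INTERNAL)

def evaluate(rules, src, dst, port):
    """Ordered first-match evaluation with an implicit default deny (assumed model)."""
    for rule in rules:
        if is_internal_to_external(src, dst) and (not rule.ports or port in rule.ports):
            return rule.action, rule.name
    return "deny", "default deny"

ALLOW_OUT = Rule("Allow outbound for firewall clients", "allow")  # hypothetical existing rule
DENY_8080 = Rule("Deny TCP 8080 Internal to External", "deny", frozenset({8080}))

POLICIES = {
    "before": [ALLOW_OUT],
    "after": [DENY_8080, ALLOW_OUT],
    "misordered": [ALLOW_OUT, DENY_8080],  # deny placed below the allow never matches
}

# Constructed flows: (label, client, destination, TCP port)
FLOWS = [
    ("browser proxy set to ISAServer4", "10.1.4.22", "172.16.10.10", 8080),
    ("FTP via firewall client", "10.1.4.22", "203.0.113.7", 21),
    ("external site on 8080", "10.1.4.22", "203.0.113.7", 8080),
]

def audit():
    """Return {policy: {flow label: action}} for every policy and flow."""
    return {name: {label: evaluate(rules, src, dst, port)[0]
                   for label, src, dst, port in FLOWS}
            for name, rules in POLICIES.items()}

if __name__ == "__main__":
    for policy, results in audit().items():
        print(policy, results)
```

The third flow shows the side effect of matching on port alone: any external site served on TCP 8080 is denied along with the upstream proxy.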
