RE: possible fix

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 24 Mar 2005 11:13:17 -0600

Hi Ara,
 
OK, sounds like we have two different issues. One is Firefox and one is
the Firewall client. 
 
What I don't think makes sense is that not enabling autodetect or manual
autoconfig script would somehow change the Web proxy client config. If
you look at the traces, you'll see they're exactly the same except for
the DNS query or DHCPINFORM.
 
Thanks!
Tom

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx] 
Sent: Thursday, March 24, 2005 9:48 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] possible fix


Tom,

This might not make any sense technically, but physically it does. If auto
detect or manual proxy config or on network tab is enabled, then
Firefox clients can bypass the filter with a direct connection. Even IE users
can change the settings manually from going through the proxy and make it
nothing checked at all. In that case they can simply bypass the filter.

But if you disable auto detect or manual proxy config, and then they
try to use a direct connection or none through the proxy, a big deny message
comes from ISA. This will force them to use the proxy and get filtered or not
go anywhere, keeping the firewall client installed.

You are the big expert on this, but if you want, I can make you a remote
connection to my network to test and see.

Pretty crazy ...


________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thu 3/24/2005 6:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of
SurfControl Web Filter 5.0 for ISA Server 2004


http://www.ISAserver.org

Hi Dan,
 
I have to say that none of this makes sense to me. From what I
understand, in order for this to work, you need to configure the clients
as Web proxy clients. So, autodetect or manual proxy config should work
fine. 
 
Tom

________________________________

From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Thursday, March 24, 2005 8:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of
SurfControl Web Filter 5.0 for ISA Server 2004



When I was on the phone with them last week, they were still in the
mindset that SurfControl would NOT work with the FWC installed.  I was
calling because one of our subnets was passing through unfiltered (even
with IE) while the others were working just fine, and they both had the
same settings (same scenario you described).  They kept going over and
over how I had to uninstall or disable FWC to get traffic filtered.  It
was a concept he couldn't grasp, hundreds of workstations WOULD work
with the settings, while others would not.  So, it wasn't easy, but I
managed to control my temper at his attitude and kept him on the phone
testing various scenarios.  

 

Eventually, I stumbled upon the settings where if I disabled the
"Automatically detect settings" and "Use automatic configuration script"
settings, IE would start using the proxy again (like you had described).
And, since these settings were passed to IE from the FWC, which in turn
gets them from the ISA server, I just had to make those changes in the
Network Properties to get them passed out to all the workstations.  The
difference between my network settings and the one you described is that
I didn't clear everything, I only cleared the "Automatically detect
settings" and "Use automatic configuration script" settings.  I have to
have the others in place or the computers cannot find the right proxy
port.  

 

As I was describing what I found, I could hear him typing away, copying
down everything I did.  So, that is probably where they got the
information to pass to you... How ironic...

 

As for passing the settings out via firewall client or policy settings,
I ran into a dilemma with that.  Since each sub-net needs to have
different proxy settings, I could not put them in the Default Domain
GPO.  I then considered putting them in a lower-level user GPO, but that
would not allow users to log into different sub-nets.  So, I put them
into the FWC settings, and thus they get set by the ISA server when they
connect.  One other option I heard later was a site-level GPO, which
might do the trick with one exception; if the user takes the computer
home or on a business trip, they have to manually go in and disable the
proxy settings to get it working.  This poses a problem because we had
locked down that tab to keep people from disabling the proxy settings
and therefore by-passing the filtering.

 

I have a reference in my MS Official Course book about how to disable
SecureNAT (which would solve a LOT of our problems), but I haven't had
time to experiment with it much yet.

 

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx] 
Sent: Thursday, March 24, 2005 00:29
To: [ISAserver.org Discussion List]
Subject: possible fix RE: ISAserver.org - Review of SurfControl Web
Filter 5.0 for ISA Server 2004

 

 

I think I have found a workaround for this. Today I got a call from
SurfControl regarding the issue and Firefox clients bypassing the filter.
Accidentally I removed the proxy settings and set Internet Explorer
to use automatic detect settings. Guess what, even IE was bypassing the
filter. What a nightmare. So I thought the case would be that this control
software is not able to filter any direct access to the internet;
basically, if the browser is not set to ISA and port 8080, they won't be
seen by the filter and of course bypass the filter. On the other hand, I
needed my firewall client to be on as I wanted to do some application
policies based on users. So we came up with this idea: set the
browser setting using group policy to go through ISA and port 8080.

Also go to Networks, right-click on Internal and hit Properties. Go
to the Firewall Client tab and get rid of everything except the "enable
firewall client for this network". In this case users can still use applications
based on the firewall client, and also any direct access or automatic with
any browser, including Firefox and IE, will get a big deny from ISA. This
will force them to either go through the proxy and get caught or do nothing.

I also appreciate any help or comment on this method. Also if there is
any way to force a direct connection to go through the proxy and get filtered.

Hope this helps

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
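
The thread turns on three browser settings: "Automatically detect settings", "Use automatic configuration script", and the manual proxy pointing at ISA on port 8080. The following audit of those settings for the current user is an added example, not part of any poster's message. The proxy name `isa.example.internal` is a placeholder, and the byte-8 flag layout of `DefaultConnectionSettings` is undocumented and treated here as an assumption.

```powershell
# Added example: report whether this user's IE/WinINET settings make the
# browser an explicit Web proxy client of the expected ISA listener.
# $ExpectedProxy is a placeholder; the thread only says "isa and port 8080".
param([string]$ExpectedProxy = 'isa.example.internal:8080')

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s    = Get-ItemProperty -Path $base

# "Use a proxy server for your LAN" checkbox and its address.
# Note: ProxyServer may also appear in per-protocol form (http=host:port;...).
$proxyEnabled = ($s.ProxyEnable -eq 1)
$proxyServer  = [string]$s.ProxyServer

# "Use automatic configuration script" is on when AutoConfigURL is present.
$autoScript = -not [string]::IsNullOrEmpty([string]$s.AutoConfigURL)

# "Automatically detect settings" is kept in a binary value. Assumption:
# byte 8 is a flag field in which 0x08 means auto-detect is ticked.
$autoDetect = $null   # stays $null when the value is absent (unknown)
$conn = Get-ItemProperty -Path "$base\Connections" -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings.Length -gt 8) {
    $autoDetect = (($conn.DefaultConnectionSettings[8] -band 0x08) -ne 0)
}

$findings = @()
if (-not $proxyEnabled) {
    $findings += 'Manual proxy is off: browser is not an explicit Web proxy client'
} elseif ($proxyServer -ne $ExpectedProxy) {
    $findings += "Proxy is '$proxyServer', expected '$ExpectedProxy'"
}
if ($autoScript) { $findings += "Automatic configuration script set: $($s.AutoConfigURL)" }
if ($autoDetect) { $findings += 'Automatically detect settings is enabled' }

# One object per user/machine so results can be collected and compared
# across the subnets that behave differently.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    User         = $env:USERNAME
    ProxyEnabled = $proxyEnabled
    ProxyServer  = $proxyServer
    AutoScript   = $autoScript
    AutoDetect   = $autoDetect
    Findings     = ($findings -join '; ')
}
```

Run it in the user's session (for example from a logon script) so that `HKCU` resolves to the account whose browser is being checked.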