RE: possible fix ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

  • From: "Ara" <ara@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 24 Mar 2005 07:29:21 -0800

Hello Dan,
So you say on the internal network tab, only the enable firewall client for this 
network and use a proxy server has to be set? In that case, do I also have to 
use group policy for proxy settings on IE? I assume not.
Thank you

________________________________

From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Thu 3/24/2005 6:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of SurfControl 
Web Filter 5.0 for ISA Server 2004




When I was on the phone with them last week, they were still in the mindset 
that SurfControl would NOT work with the FWC installed.  I was calling because 
one of our subnets was passing through unfiltered (even with IE) while the 
others were working just fine, and they both had the same settings (same 
scenario you described).  They kept going over and over how I had to uninstall 
or disable FWC to get traffic filtered.  It was a concept he couldn't grasp: 
hundreds of workstations WOULD work with the settings, while others would not.  
So, it wasn't easy, but I managed to control my temper at his attitude and kept 
him on the phone testing various scenarios.  

 

Eventually, I stumbled upon the settings where if I disabled the "Automatically 
detect settings" and "Use automatic configuration script" settings, IE would 
start using the proxy again (like you had described).  And, since these 
settings were passed to IE from the FWC, which in turn gets them from the ISA 
server, I just had to make those changes in the Network Properties to get them 
passed out to all the workstations.  The difference between my network settings 
and the one you described is that I didn't clear everything; I only cleared the 
"Automatically detect settings" and "Use automatic configuration script" 
settings.  I have to have the others in place or the computers cannot find the 
right proxy port.  

 

As I was describing what I found, I could hear him typing away, copying down 
everything I did.  So, that is probably where they got the information to pass 
to you... How ironic...

 

As for passing the settings out via firewall client or policy settings, I ran 
into a dilemma with that.  Since each sub-net needs to have different proxy 
settings, I could not put them in the Default Domain GPO.  I then considered 
putting them in a lower-level user GPO, but that would not allow users to log 
into different sub-nets.  So, I put them into the FWC settings, and thus they 
get set by the ISA server when they connect.  One other option I heard later 
was a site-level GPO, which might do the trick with one exception; if the user 
takes the computer home or on a business trip, they have to manually go in and 
disable the proxy settings to get it working.  This poses a problem because we 
had locked down that tab to keep people from disabling the proxy settings and 
therefore bypassing the filtering.

 

I have a reference in my MS Official Course book about how to disable SecureNAT 
(which would solve a LOT of our problems), but I haven't had time to experiment 
with it much yet.

 

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx] 
Sent: Thursday, March 24, 2005 00:29
To: [ISAserver.org Discussion List]
Subject: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 
for ISA Server 2004

 

 

I think I have found a workaround for this. Today I got a call from SurfControl 
regarding the issue and Firefox clients bypassing the filter. 
Accidentally I removed the proxy settings and set Internet Explorer to use 
automatic detect settings. Guess what, even IE was bypassing the filter. What a 
nightmare. So I thought the case would be that this control software is not able 
to filter any direct access to the internet; basically, if the browser is not set to 
ISA and port 8080, it won't be seen by the filter and of course bypasses the 
filter. On the other hand, I needed my firewall client to be on as I wanted to 
do some application policies based on users. So we came up with the idea to 
set the browser settings using group policy to go through ISA and port 8080.

Also, go to Networks, right-click on Internal and hit Properties. Go to the 
Firewall Client tab and get rid of everything except the enable firewall client 
for this network. In this case users can still use applications based on the 
firewall client, and any direct access or automatic with any browser, 
including Firefox and IE, will get a big deny from ISA. This will force them 
either to go through the proxy and get caught or do nothing. 

I would also appreciate any help or comment on this method. Also if there is any way 
to force a direct connection to go through the proxy and get filtered.

Hope this helps
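
As an added example (not part of the original thread): a PowerShell check an administrator could run on a workstation to confirm the Internet Explorer settings discussed above, namely that a proxy on port 8080 is set and that "Automatically detect settings" and "Use automatic configuration script" are cleared. The proxy host name is a placeholder, and the registry locations are the standard per-user WinINET ones, not something stated in the thread.

```powershell
# Added example: audit the current user's IE/WinINET proxy settings against the
# configuration described in the thread. Run in the user's own session.
param(
    # Placeholder host name (assumption); port 8080 is the one named in the thread.
    [string]$ExpectedProxy = 'isa.example.local:8080'
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s   = Get-ItemProperty -Path $key
$findings = @()

# "Use a proxy server" must be enabled and point at the ISA web proxy listener.
# Note: ProxyServer may also hold a per-protocol list ("http=host:8080;...");
# this check treats anything other than the plain expected value as a finding.
if ($s.ProxyEnable -ne 1) {
    $findings += 'Proxy disabled: browser traffic goes direct and is not filtered'
} elseif ($s.ProxyServer -ne $ExpectedProxy) {
    $findings += "Unexpected proxy server: $($s.ProxyServer)"
}

# "Use automatic configuration script" should be cleared.
if ($s.AutoConfigURL) {
    $findings += "Automatic configuration script is set: $($s.AutoConfigURL)"
}

# "Automatically detect settings" is a flag bit in the binary
# DefaultConnectionSettings value (byte offset 8, bit 0x08).
$conn = Get-ItemProperty -Path "$key\Connections" `
            -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings.Length -gt 8) {
    if ($conn.DefaultConnectionSettings[8] -band 0x08) {
        $findings += 'Automatically detect settings is enabled'
    }
}

if ($findings.Count -eq 0) {
    'OK: proxy settings match the expected configuration'
} else {
    $findings
}
```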

