RE: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 24 Mar 2005 09:25:11 -0500

When I was on the phone with them last week, they were still in the
mindset that SurfControl would NOT work with the FWC installed.  I was
calling because one of our subnets was passing through unfiltered (even
with IE) while the others were working just fine, and they both had the
same settings (same scenario you described).  They kept going over and
over how I had to uninstall or disable FWC to get traffic filtered.  It
was a concept he couldn't grasp: hundreds of workstations WOULD work
with the settings, while others would not.  So, it wasn't easy, but I
managed to control my temper at his attitude and kept him on the phone
testing various scenarios.  

Eventually, I stumbled upon the settings where if I disabled the
"Automatically detect settings" and "Use automatic configuration script"
settings, IE would start using the proxy again (like you had described).
And, since these settings were passed to IE from the FWC, which in turn
gets them from the ISA server, I just had to make those changes in the
Network Properties to get them passed out to all the workstations.  The
difference between my network settings and the one you described is that
I didn't clear everything; I only cleared the "Automatically detect
settings" and "Use automatic configuration script" settings.  I have to
have the others in place or the computers cannot find the right proxy
port.

As I was describing what I found, I could hear him typing away, copying
down everything I did.  So, that is probably where they got the
information to pass to you... How ironic...

As for passing the settings out via firewall client or policy settings,
I ran into a dilemma with that.  Since each subnet needs to have
different proxy settings, I could not put them in the Default Domain
GPO.  I then considered putting them in a lower-level user GPO, but that
would not allow users to log into different subnets.  So, I put them
into the FWC settings, and thus they get set by the ISA server when they
connect.  One other option I heard later was a site-level GPO, which
might do the trick with one exception: if the user takes the computer
home or on a business trip, they have to manually go in and disable the
proxy settings to get it working.  This poses a problem because we had
locked down that tab to keep people from disabling the proxy settings
and therefore bypassing the filtering.

I have a reference in my MS Official Course book about how to disable
SecureNAT (which would solve a LOT of our problems), but I haven't had
time to experiment with it much yet.

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx] 
Sent: Thursday, March 24, 2005 00:29
To: [ISAserver.org Discussion List]
Subject: possible fix RE: ISAserver.org - Review of SurfControl Web
Filter 5.0 for ISA Server 2004

I think I have found a workaround for this. Today I got a call from
SurfControl regarding the issue and Firefox clients bypassing the filter.
Accidentally I removed the proxy settings and set Internet Explorer
to use automatically detect settings. Guess what, even IE was bypassing the
filter. What a nightmare. So I thought the case would be that this control
software is not able to filter any direct access to the Internet;
basically, if the browser is not set to ISA and port 8080, they won't be
seen by the filter and of course bypass the filter. On the other hand, I
needed my firewall client to be on as I wanted to do some application
policies based on users. So we came up with this idea: set the
browser settings using Group Policy to go through ISA and port 8080.

Also, go to Networks, right-click on Internal and hit Properties. Go
to the Firewall Client tab and get rid of everything except the enable
firewall client for this network. In this case users can still use
applications based on the firewall client, and also any direct access or
automatic with any browser, including Firefox and IE, will get a big deny
from ISA. This will force them to either go through the proxy and get
caught or do nothing.

I also appreciate any help or comment on this method. Also if there is
any way to force a direct connection to go through the proxy and get filtered.

Hope this helps.