When I was on the phone with them last week, they were still in the mindset that SurfControl would NOT work with the FWC installed. I was calling because one of our subnets was passing through unfiltered (even with IE) while the others were working just fine, and they both had the same settings (same scenario you described). They kept going over and over how I had to uninstall or disable FWC to get traffic filtered. It was a concept he couldn't grasp: hundreds of workstations WOULD work with the settings, while others would not. So, it wasn't easy, but I managed to control my temper at his attitude and kept him on the phone testing various scenarios.

Eventually, I stumbled upon the settings where if I disabled the "Automatically detect settings" and "Use automatic configuration script" settings, IE would start using the proxy again (like you had described). And, since these settings were passed to IE from the FWC, which in turn gets them from the ISA server, I just had to make those changes in the Network Properties to get them passed out to all the workstations. The difference between my network settings and the ones you described is that I didn't clear everything; I only cleared the "Automatically detect settings" and "Use automatic configuration script" settings. I have to have the others in place or the computers cannot find the right proxy port.

As I was describing what I found, I could hear him typing away, copying down everything I did. So, that is probably where they got the information to pass to you... How ironic...

As for passing the settings out via firewall client or policy settings, I ran into a dilemma with that. Since each subnet needs to have different proxy settings, I could not put them in the Default Domain GPO. I then considered putting them in a lower-level user GPO, but that would not allow users to log into different subnets. So, I put them into the FWC settings, and thus they get set by the ISA server when they connect.
One other option I heard later was a site-level GPO, which might do the trick with one exception: if the user takes the computer home or on a business trip, they have to manually go in and disable the proxy settings to get it working. This poses a problem because we had locked down that tab to keep people from disabling the proxy settings and thereby bypassing the filtering.

I have a reference in my MS Official Course book about how to disable SecureNAT (which would solve a LOT of our problems), but I haven't had time to experiment with it much yet.

________________________________

From: Ara [mailto:ara@xxxxxxxxxxxxx]
Sent: Thursday, March 24, 2005 00:29
To: [ISAserver.org Discussion List]
Subject: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

I think I have found a workaround for this. Today I got a call from SurfControl regarding the issue and Firefox clients bypassing the filter. Accidentally I removed the proxy settings and set Internet Explorer to use automatic detect settings. Guess what, even IE was bypassing the filter. What a nightmare.

So I thought the case would be that this control software is not able to filter any direct access to the internet; basically, if the browser is not set to ISA and port 8080, they won't be seen by the filter and of course bypass the filter. On the other hand, I needed my firewall client to be on, as I wanted to do some application policies based on users.

So we came up with this idea: set the browser settings using group policy to go through ISA and port 8080. Also, go to Networks, right-click on Internal and hit Properties. Go to the Firewall Client tab and get rid of everything except the enable firewall client for this network. In this case users can still use applications based on the firewall client, and any direct or automatic access with any browser, including Firefox and IE, will get a big deny from ISA. This will force them to either go through the proxy and get caught or do nothing.

I also appreciate any help or comment on this method. Also, if there is any way to force a direct connection to go through the proxy and get filtered.

Hope this helps