RE: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 25 Mar 2005 23:18:20 -0500
Now I'm really confused, your previous message said only GPO was
effective, now you're saying GPO is not for pushing down proxy settings?
Okay, let's look at this in a little more detail.
IE, as in all Windows-based browsers, defaults to using port 80 on the
default gateway to contact websites. This is where the problem we were
discussing comes in, utilizing this method causes it to bypass
SurfControl.
So, to get around this problem, IE, as in all Windows-based browsers,
must use a "proxy" so SurfControl can filter it. These proxy settings,
in IE and almost all other Windows-based browsers, are stored as
Registry entries. When you go into the menus within these browsers to
make the proxy settings, they are merely a GUI interface into making
these registry changes.
You can visit each and every workstation, and enter the proxy settings
manually. However, most of the time in AD environments, if a proxy
server is in use, administrators use GPO to make these registry changes
upon login. Unfortunately, IE is the only program that is "natively"
capable of managing settings via GPO.
The scenario we're discussing having a problem also involves all clients
using the Firewall Client. The FWC also has the ability to update these
registry entries without the use of GPO. Whenever the Firewall Client
is refreshed, it will make the necessary registry entries to make IE use
a proxy server.
Thus, in order for a browser (in this case we're talking about IE) to
use a proxy server, it needs to have the necessary registry entries.
Whether you use GPO to set these proxy settings, or the FWC, or entering
them by hand makes ABSOLUTLEY NO DIFFERENCE!
I hope this will clear this up a bit more for you...
________________________________
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Thursday, March 24, 2005 15:19
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of
SurfControl Web Filter 5.0 for ISA Server 2004
http://www.ISAserver.org
GPO is not for pushing down the IE proxy setting, it is for lock the
setting
tab at user's IE, then FCW with webproxy setting is fixed and
unchangable
at user's side!
----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: [ISAserver.org Discussion List]
<mailto:isalist@xxxxxxxxxxxxx>
Sent: Friday, March 25, 2005 4:06 AM
Subject: [isalist] RE: possible fix RE: ISAserver.org - Review
of SurfControl Web Filter 5.0 for ISA Server 2004
http://www.ISAserver.org
Could you please explain this a bit more? I fail to see how it
would make a difference whether the proxy settings were pushed out via
FWC or GPO. Either way, you have the proxy settings in IE, and they can
disable them.
________________________________
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Thursday, March 24, 2005 14:39
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: possible fix RE: ISAserver.org - Review
of SurfControl Web Filter 5.0 for ISA Server 2004
http://www.ISAserver.org
To make a consistant filter to user's web access, only GPO is
effective because
user under FWC only can disable web proxy server for a while
until FWC
is refreshed! If some bad boy would like to see a prohibited
site, they can
uncheck webproxy tab!
Other related posts:
