RE: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 24 Mar 2005 23:36:19 +0800

[isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA 
Server 2004

To make the filter work, it must go through the Web proxy. Whenever users are 
forced in the Web proxy setting, it is fine!
  ----- Original Message ----- 
  From: Thomas W Shinder 
  To: [ISAserver.org Discussion List] 
  Sent: Thursday, March 24, 2005 10:40 PM
  Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of SurfControl 
Web Filter 5.0 for ISA Server 2004


  http://www.ISAserver.org

  Hi Dan,

  I have to say that none of this makes sense to me. From what I understand, in 
order for this to work, you need to configure the clients as Web proxy clients. 
So, autodetect or manual proxy config should work fine. 

  Tom



------------------------------------------------------------------------------
  From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
  Sent: Thursday, March 24, 2005 8:25 AM
  To: [ISAserver.org Discussion List]
  Subject: [isalist] RE: possible fix RE: ISAserver.org - Review of SurfControl 
Web Filter 5.0 for ISA Server 2004


  When I was on the phone with them last week, they were still in the mindset 
that SurfControl would NOT work with the FWC installed. I was calling because 
one of our subnets was passing through unfiltered (even with IE) while the 
others were working just fine, and they both had the same settings (same 
scenario you described). They kept going over and over how I had to uninstall 
or disable FWC to get traffic filtered. It was a concept he couldn't grasp: 
hundreds of workstations WOULD work with the settings, while others would not. 
So, it wasn't easy, but I managed to control my temper at his attitude and kept 
him on the phone testing various scenarios.

  Eventually, I stumbled upon the settings where if I disabled the 
"Automatically detect settings" and "Use automatic configuration script" 
settings, IE would start using the proxy again (like you had described). And, 
since these settings were passed to IE from the FWC, which in turn gets them 
from the ISA server, I just had to make those changes in the Network Properties 
to get them passed out to all the workstations. The difference between my 
network settings and the one you described is that I didn't clear everything; I 
only cleared the "Automatically detect settings" and "Use automatic 
configuration script" settings. I have to have the others in place or the 
computers cannot find the right proxy port.

   

  As I was describing what I found, I could hear him typing away, copying down 
everything I did.  So, that is probably where they got the information to pass 
to you. How ironic.

   

  As for passing the settings out via firewall client or policy settings, I ran 
into a dilemma with that.  Since each sub-net needs to have different proxy 
settings, I could not put them in the Default Domain GPO.  I then considered 
putting them in a lower-level user GPO, but that would not allow users to log 
into different sub-nets.  So, I put them into the FWC settings, and thus they 
get set by the ISA server when they connect.  One other option I heard later 
was a site-level GPO, which might do the trick with one exception; if the user 
takes the computer home or on a business trip, they have to manually go in and 
disable the proxy settings to get it working. This poses a problem because we 
had locked down that tab to keep people from disabling the proxy settings and 
therefore bypassing the filtering.

   

  I have a reference in my MS Official Course book about how to disable 
SecureNAT (which would solve a LOT of our problems), but I haven't had time to 
experiment with it much yet.

   


------------------------------------------------------------------------------

  From: Ara [mailto:ara@xxxxxxxxxxxxx] 
  Sent: Thursday, March 24, 2005 00:29
  To: [ISAserver.org Discussion List]
  Subject: possible fix RE: ISAserver.org - Review of SurfControl Web Filter 
5.0 for ISA Server 2004

   

   

  I think I have found a workaround for this. Today I got a call from 
SurfControl regarding the issue and Firefox clients bypassing the filter. 
Accidentally I removed the proxy settings and set Internet Explorer to use 
automatic detect settings. Guess what, even IE was bypassing the filter. What a 
nightmare. So I thought the case would be that this control software is not 
able to filter any direct access to the Internet; basically, if the browser is 
not set to ISA and port 8080, they won't be seen by the filter and of course 
bypass the filter. On the other hand, I needed my firewall client to be on, as 
I wanted to do some application policies based on users. So we came up with 
this idea: set the browser settings using group policy to go through ISA and 
port 8080.

  Also, go to Networks, right-click on Internal and hit Properties. Go to the 
Firewall Client tab and get rid of everything except the enable firewall client 
for this network. In this case users can still use applications based on the 
firewall client, and any direct or automatic access with any browser, 
including Firefox and IE, will get a big deny from ISA. This will force them to 
either go through the proxy and get caught or do nothing.

  I also appreciate any help or comment on this method. Also, if there is any 
way to force a direct connection to go through the proxy and get filtered.

  Hope this helps

  ------------------------------------------------------
  List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
  ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
  ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
  ------------------------------------------------------
  Other Internet Software Marketing Sites:
  World of Windows Networking: http://www.windowsnetworking.com
  Leading Network Software Directory: http://www.serverfiles.com
  No.1 Exchange Server Resource Site: http://www.msexchange.org
  Windows Security Resource Site: http://www.windowsecurity.com/
  Network Security Library: http://www.secinf.net/
  Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
  ------------------------------------------------------
  You are currently subscribed to this ISAserver.org Discussion List as: 
tshinder@xxxxxxxxxxxxxxxxxx
  To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
  Report abuse to listadmin@xxxxxxxxxxxxx 
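
Added example, not part of any message in this thread: a PowerShell check of one user's Internet Explorer proxy values against the configuration Dan describes (explicit proxy on, "Automatically detect settings" and "Use automatic configuration script" off). The proxy name isa.example.internal:8080 is a placeholder, the function names are hypothetical, and reading the flags from byte 8 of DefaultConnectionSettings is an assumption based on the commonly observed layout of that value.

```powershell
# Added example: audit IE proxy settings for the "explicit proxy only" setup.
function Test-ProxySettings {
    param(
        [hashtable]$Settings,   # ProxyEnable, ProxyServer, AutoConfigURL, ConnBlob
        [string]$ExpectedProxy = 'isa.example.internal:8080'   # placeholder
    )
    $findings = @()
    if ($Settings.ProxyEnable -ne 1) {
        $findings += 'Explicit proxy is disabled'
    } elseif ($Settings.ProxyServer -ne $ExpectedProxy) {
        $findings += "Proxy is '$($Settings.ProxyServer)', expected '$ExpectedProxy'"
    }
    if ($Settings.AutoConfigURL) {
        $findings += 'Use automatic configuration script is set'
    }
    # Assumption: byte 8 of DefaultConnectionSettings holds the connection
    # flags, with 0x08 meaning "Automatically detect settings".
    $blob = $Settings.ConnBlob
    if ($blob -and $blob.Length -gt 8 -and ($blob[8] -band 0x08)) {
        $findings += 'Automatically detect settings is on'
    }
    return ,$findings
}

# Reads the current user's values from the registry (Windows only).
function Get-UserProxySettings {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $is   = Get-ItemProperty -Path $base
    $conn = Get-ItemProperty -Path "$base\Connections" -ErrorAction SilentlyContinue
    @{
        ProxyEnable   = $is.ProxyEnable
        ProxyServer   = $is.ProxyServer
        AutoConfigURL = $is.AutoConfigURL
        ConnBlob      = $conn.DefaultConnectionSettings
    }
}

# Constructed sample: proxy is correct, but autodetect is still switched on.
$sample = @{
    ProxyEnable   = 1
    ProxyServer   = 'isa.example.internal:8080'
    AutoConfigURL = $null
    ConnBlob      = [byte[]](0x46, 0, 0, 0, 5, 0, 0, 0, 0x0B)
}
Test-ProxySettings -Settings $sample
```

On a workstation, run `Test-ProxySettings -Settings (Get-UserProxySettings)` as the logged-on user; an empty result means the values match the explicit-proxy configuration.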