Welcome to ISAserver.org


Clients bypass HTTP filter

Clients bypass HTTP filter - 24.Dec.2004 12:57:00 AM   
muntos

 

Posts: 61
Joined: 30.Jul.2004
Status: offline
So we are using ISA 2004 on Win 2003 Server.
ISA is configured to allow Internet access only to authenticated users and is configured to allow both Firewall clients and Web Proxy clients.
We also use SurfControl to restrict access to certain sites.
The problem is that if the users remove the web proxy settings in the LAN connections on IE, they can gain access to restricted sites, since the authentication is made by the Firewall client.
So, how can we prevent this behavior?
Thanks
Post #: 1
RE: Clients bypass HTTP filter - 24.Dec.2004 3:59:00 PM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Muntos,

All connections made by the Firewall client are passed to the Web Proxy filter when the Web Proxy filter is bound to the HTTP protocol, so they cannot bypass the Web Proxy when configured as Firewall clients.

Also, make sure your access rules require authentication, so that they cannot use the SecureNAT client config.

HTH,
Tom

(in reply to muntos)
Post #: 2
RE: Clients bypass HTTP filter - 24.Dec.2004 6:45:00 PM   
muntos

 

Posts: 61
Joined: 30.Jul.2004
Status: offline
"All connections made by the Firewall client are passed to the Web Proxy filter when the Web Proxy filter is bound to the HTTP protocol, so they cannot bypass the Web Proxy when configured as Firewall clients."

Seems to me that's what I need, but I have a problem: how do I bind the Web Proxy filter to the HTTP protocol, or how can I verify this?

Thanks

(in reply to muntos)
Post #: 3
RE: Clients bypass HTTP filter - 24.Dec.2004 10:03:00 PM   
muntos

 

Posts: 61
Joined: 30.Jul.2004
Status: offline
"There is still value in configuring the clients as Web Proxy clients. While the Firewall client connections will be forwarded to the Web Proxy component when the Web Proxy filter is bound to the HTTP protocol (which it is by default)"

Taken from another thread.

So if I understand correctly, this binding is the default; then what's wrong in our configuration?
There are only rules that require authentication, but when the clients remove the proxy settings from their browsers they can access restricted sites. Why?

(in reply to muntos)
Post #: 4
RE: Clients bypass HTTP filter - 27.Dec.2004 2:38:00 PM   
muntos

 

Posts: 61
Joined: 30.Jul.2004
Status: offline
OK, I've verified the HTTP protocol and it's bound to the Web Proxy filter!
Any ideas, please?

(in reply to muntos)
Post #: 5
RE: Clients bypass HTTP filter - 28.Dec.2004 3:46:00 PM   
BlackPH

 

Posts: 3
Joined: 28.Dec.2004
From: RU.moscow
Status: offline
It really is so; I have tried to check it. Is it a mistake by the developers?
When an FWC query is redirected to the Web Proxy, it goes through without HTTP filter checking. Even in the SQL logs, the [DestHost] field is never resolved (it is an IP) when an FWC web query is redirected 80 -> 8080, but a query on 8080 is resolved fine.

(in reply to muntos)
Post #: 6
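
BlackPH's observation above, that [DestHost] holds an IP address for redirected Firewall client requests but a host name for requests sent to the proxy port, can be turned into a log review. This is an added example, not code from the thread or from ISA Server; the record layout is constructed, and every column name except DestHost is an assumption.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export (not real log data). Only DestHost is named in the
# thread; the other column names are assumptions made for this example.
SAMPLE_LOG = """ClientIP,ClientUserName,DestHost,DestHostPort,Action
10.0.0.21,CORP\\alice,www.example.com,80,Allowed
10.0.0.22,CORP\\bob,192.0.2.10,80,Allowed
10.0.0.22,CORP\\bob,192.0.2.11,80,Allowed
10.0.0.23,CORP\\carol,www.example.org,80,Denied
10.0.0.24,CORP\\dave,198.51.100.7,80,Allowed
10.0.0.21,CORP\\alice,203.0.113.5,443,Allowed
"""

def is_ip_literal(host):
    """True when the logged destination is an address rather than a host name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def unresolved_http_requests(log_text, http_ports=("80",)):
    """Return allowed HTTP records whose DestHost is an IP literal.

    These are the records described in the post: a filter or report that
    keys on the host name in this field has only an address to work with.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row["DestHostPort"] in http_ports
                and row["Action"] == "Allowed"
                and is_ip_literal(row["DestHost"])):
            hits.append(row)
    return hits

def summarize_by_client(hits):
    """Count flagged requests per (ClientIP, ClientUserName)."""
    return Counter((h["ClientIP"], h["ClientUserName"]) for h in hits)

if __name__ == "__main__":
    for (ip, user), n in summarize_by_client(
            unresolved_http_requests(SAMPLE_LOG)).most_common():
        print(f"{ip} {user}: {n} HTTP request(s) logged by IP only")
```

Clients that show up in the summary are the ones to compare against the list of machines whose browser proxy settings were removed.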
RE: Clients bypass HTTP filter - 31.Dec.2004 3:54:00 PM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

You can confirm that the ISA firewall does work correctly for both Web Proxy and Firewall clients.

Create a domain name set called CISCO. Then create an entry in that set:

*.cisco.com

Then create an Access Rule that Denies access to that site using all protocols for all users (or a specific users group, it doesn't matter).

Configure the clients as Web Proxy and Firewall clients.

When you go to www.cisco.com the connection is denied.

Now, remove the Web Proxy client configuration, so that the client is a Firewall client only. Go to www.cisco.com

Bingo! The Firewall client is also denied access to the Cisco site.

PROBLEM: The SurfControl app is broken and needs to be updated to fully support the new ISA firewall.

HTH,
Tom

(in reply to muntos)
Post #: 7
RE: Clients bypass HTTP filter - 1.Jan.2005 7:12:00 PM   
BlackPH

 

Posts: 3
Joined: 28.Dec.2004
From: RU.moscow
Status: offline
Dear Tom, I would like to clarify the situation with another example.

There is only one access rule for the HTTP protocol (From: Internal, To: External, Users: Internet_HTTP (AD group for web access)). There is a restriction (in the HTTP filter) on HTTP headers, signatures, etc. My ISA server does not use SurfControl. The test computer has the FWC client installed. When IE is configured as a Web Proxy client, the HTTP filter works fine. But when I use Mozilla without any configuration, the HTTP filter is not applied to this query.

How can I force the HTTP filter to apply to redirected queries?

Excuse my bad English [Frown]
Happy NY!

[ January 02, 2005, 12:27 AM: Message edited by: BlackPH ]

(in reply to muntos)
Post #: 8
