Firewall clients bypass http filter
Firewall clients bypass http filter - 24.Dec.2004 12:56:00 AM
|
|
|
muntos
Posts: 61
Joined: 30.Jul.2004
Status: offline
|
So we are using ISA 2004 on Win 2003 Server. ISA is configured to allow Internet access only to authenticated users and is configured to allow both Firewall clients and Web Proxy clients. We also use SurfControl to restrict access to certain sites. The problem is that if the users remove the web proxy settings in LAN connections in IE, they can gain access to restricted sites, since the authentication is made by the firewall client. So, how can we prevent this behavior? Thanks.
|
|
|
|
RE: Firewall clients bypass http filter - 26.Dec.2004 2:14:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Muntos,
The Firewall client automatically sends connections through to the Web Proxy filter, since the Web Proxy filter is bound to the HTTP protocol. So, there is no way the Firewall client connections can bypass the ISA firewall's Web Proxy filter unless you've unbound the filter from the HTTP protocol.
HTH, Tom
|
|
|
|
RE: Firewall clients bypass http filter - 26.Dec.2004 5:33:00 PM
|
|
|
muntos
Posts: 61
Joined: 30.Jul.2004
Status: offline
|
So, how do I verify if the filter is bound to the HTTP Protocol? Thanks.
|
|
|
|
RE: Firewall clients bypass http filter - 27.Dec.2004 2:46:00 PM
|
|
|
muntos
Posts: 61
Joined: 30.Jul.2004
Status: offline
|
OK, I've verified the HTTP protocol and it's bound to the Web Proxy filter! Any ideas, please?
|
|
|
|
RE: Firewall clients bypass http filter - 28.Dec.2004 4:20:00 PM
|
|
|
muntos
Posts: 61
Joined: 30.Jul.2004
Status: offline
|
By BlackPH:
"It and the truth so, I have tried to check up. Whether a mistake of developers it? With redirect FWC query on WebProxy follow without HTTP filter checking. Even in SQL logs field [DestHost] always not resolved (in IP) when FWC web query redirected 80 -> 8080, but query on 8080 resolved fine."
|
|
|
|
RE: Firewall clients bypass http filter - 28.Dec.2004 5:53:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Muntos,
Can you provide an example of a failure in the Web Proxy filter? I will try to replicate the config.
Thanks! Tom
|
|
|
|
RE: Firewall clients bypass http filter - 29.Dec.2004 3:35:00 PM
|
|
|
muntos
Posts: 61
Joined: 30.Jul.2004
Status: offline
|
Let's see: Windows 2003 Server, ISA 2004, DNS Server on the same machine as ISA. SurfControl installed. Internal Network configured in ISA to accept both Firewall clients and Web Proxy clients. No anonymous rules in ISA (since if I disable both the firewall client and the proxy in the browser, bye bye Internet access).
Client: Windows XP SP2, IE 6 browser. Firewall client installed.
Case 1: Web Proxy enabled in IE. Trying to access www.xxx.com... access denied by SurfControl. In ISA logs I see the domain address (www.xxx.com).
Case 2: Web Proxy disabled in IE. Trying to access www.xxx.com... successful! In ISA logs I see the IP address.
|
|
|
|
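The difference muntos reports between Case 1 and Case 2 (a host name in the log for Web Proxy requests, an IP address for Firewall client requests) can serve as a detection signal. The following is an added example, not code from the thread or from ISA or SurfControl: it scans a constructed, simplified CSV log (the column layout is an assumption, not ISA's real log schema) for allowed port-80 requests whose destination is a bare IP address, and marks those that follow a denied host-name request from the same client.

```python
import csv
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log. Assumed column layout (not ISA's real schema):
# time, client_ip, user, dest_port, dest_host, action
SAMPLE_LOG = """\
2004-12-29 15:30:02,10.0.0.21,alice,80,www.example.com,Denied
2004-12-29 15:31:40,10.0.0.21,alice,80,192.0.2.10,Allowed
2004-12-29 15:32:05,10.0.0.22,bob,80,intranet.example.net,Allowed
2004-12-29 15:40:11,10.0.0.23,carol,80,198.51.100.7,Allowed
2004-12-29 15:41:00,10.0.0.22,bob,443,203.0.113.5,Allowed
"""

def is_ip_literal(host):
    """True when the logged destination is an IP address, not a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_ip_only_http(log_text, window=timedelta(minutes=10)):
    """Map (client_ip, user) -> allowed port-80 hits logged by IP only.

    'after_deny' is set when such a hit follows a denied host-name request
    from the same client within `window` (the Case 1 -> Case 2 pattern).
    Rows are assumed to be in chronological order.
    """
    last_deny = {}
    findings = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed rows
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        key = (row[1], row[2])
        port, host, action = row[3], row[4], row[5]
        if port != "80":
            continue
        if action == "Denied" and not is_ip_literal(host):
            last_deny[key] = when
        elif action == "Allowed" and is_ip_literal(host):
            entry = findings.setdefault(key, {"hits": [], "after_deny": False})
            entry["hits"].append(host)
            deny = last_deny.get(key)
            if deny is not None and when - deny <= window:
                entry["after_deny"] = True
    return findings
```

Clients flagged with `after_deny` are the ones to check first for a disabled browser proxy setting.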
RE: Firewall clients bypass http filter - 29.Dec.2004 7:37:00 PM
|
|
|
ev@n
Posts: 21
Joined: 29.Dec.2004
Status: offline
|
We have an ISA 2004 "farm" behind a hardware load-balancer. Websense Enterprise (v5.5) filtering and policy servers sit on each of the ISA servers behind the load-balancer's VIP (Virtual IP). There is a Websense ISAPI web filter installed by default on each of the ISA servers. The ISAPI filter handles the HTTP URL filtering from the ISA Web Proxy application filter which is bound by default to the HTTP protocol. There is a single rule that provides outbound internet access (which is limited to authenticated users). Now, we have the same problem! There is a serious issue here. I have not done enough research to determine why the Websense ISAPI filter is not filtering Firewall Client requests. Web Proxy requests work just fine and get filtered by Websense. Anybody have any ideas?
|
|
|
|
RE: Firewall clients bypass http filter - 30.Dec.2004 8:04:00 AM
|
|
|
ev@n
Posts: 21
Joined: 29.Dec.2004
Status: offline
|
ttt... Anybody have any ideas??
|
|
|
|
RE: Firewall clients bypass http filter - 30.Dec.2004 4:38:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by muntos: Let's see: Windows 2003 Server, ISA 2004, DNS Server on the same machine as ISA. SurfControl installed. Internal Network configured in ISA to accept both Firewall clients and Web Proxy clients. No anonymous rules in ISA (since if I disable both the firewall client and the proxy in the browser, bye bye Internet access).
Client: Windows XP SP2, IE 6 browser. Firewall client installed.
Case 1: Web Proxy enabled in IE. Trying to access www.xxx.com... access denied by SurfControl. In ISA logs I see the domain address (www.xxx.com).
Case 2: Web Proxy disabled in IE. Trying to access www.xxx.com... successful! In ISA logs I see the IP address.
Hi Muntos,
OK, you're mentioning SurfControl issues here, not ISA firewall issues.
What happens when you create a Domain Name Set and block that domain? When I test it, it blocks both the Firewall and Web Proxy clients.
So, this is a SurfControl problem, not an ISA firewall issue.
HTH, Tom
|
|
|
|
RE: Firewall clients bypass http filter - 30.Dec.2004 4:42:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by ev@n: We have an ISA 2004 "farm" behind a hardware load-balancer. Websense Enterprise (v5.5) filtering and policy servers sit on each of the ISA servers behind the load-balancer's VIP (Virtual IP). There is a Websense ISAPI web filter installed by default on each of the ISA servers. The ISAPI filter handles the HTTP URL filtering from the ISA Web Proxy application filter which is bound by default to the HTTP protocol. There is a single rule that provides outbound internet access (which is limited to authenticated users). Now, we have the same problem! There is a serious issue here. I have not done enough research to determine why the Websense ISAPI filter is not filtering Firewall Client requests. Web Proxy requests work just fine and get filtered by Websense. Anybody have any ideas?
Hi Even,
Again, try the same thing. Create a Domain Name Set or a URL set and block the site via one of those sets. You'll find that the site is blocked. So, the ISA firewall works, it's the add-on software that's whack.
HTH, Tom
|
|
|
|
RE: Firewall clients bypass http filter - 31.Dec.2004 12:40:00 AM
|
|
|
ev@n
Posts: 21
Joined: 29.Dec.2004
Status: offline
|
I agree with you, but the Websense ISAPI filter is not picking up the Firewall Client requests, which are essentially Web Proxy requests anyways as defined by Microsoft in ISA 2004. We had more control over this in ISA 2000 with the HTTP redirector filter. This is not a good thing for an enterprise environment. Does anyone know if SurfControl has an ISAPI filter for ISA 2004?
|
|
|
|
RE: Firewall clients bypass http filter - 31.Dec.2004 3:01:00 PM
|
|
|
muntos
Posts: 61
Joined: 30.Jul.2004
Status: offline
|
I'm using SurfControl with ISA 2004 and have the same problem. Indeed, it's a SurfControl filter issue, not an ISA Web Proxy Filter issue.
|
|
|
|
RE: Firewall clients bypass http filter - 1.Jan.2005 2:41:00 AM
|
|
|
ev@n
Posts: 21
Joined: 29.Dec.2004
Status: offline
|
Well, I'm calling Websense about this on Monday. This is ridiculous. I don't understand how these companies release software that is "certified" for ISA 2004, only to find out it has serious flaws! This is making my company project much more difficult to complete. If no solution, I may have to send Firewall and SecureNAT requests to an upstream ISA 2004 server via Firewall Chaining. There, I can add a rule to these requests that blocks HTTP, as well as any other protocol I choose. This is a good workaround I believe. Thanks!
|
|
|
|
RE: Firewall clients bypass http filter - 17.Feb.2005 5:25:00 PM
|
|
|
rbaker@ziegler.com
Posts: 1
Joined: 17.Feb.2005
From: West Bend, WI
Status: offline
|
Been fighting the same issue.
I found in the Websense install PDF on page 180 instructions to add a file called "Ignore.txt" to the System32 folder of the ISA server. This file should contain the name of the ISA server in it.
After restarting the ISA server Websense now blocks both the firewall client and Proxy client requests.
The only question I have not had time to test is what else might have broken or been compromised by doing this.
One more thing. I had to give Websense port 15871 access from internal to local so that blocking pages would appear when running just firewall client.
|
|
|
|
RE: Firewall clients bypass http filter - 17.Feb.2005 6:10:00 PM
|
|
|
franck_dohin
Posts: 7
Joined: 14.Feb.2005
Status: offline
|
I had the same problem and I found a solution.
You should first create a new protocol definition which uses port 80 with TCP on outgoing, and YOU MUST NOT ASSOCIATE IT WITH THE WEB FILTER.
Then you create a new firewall rule that says: I refuse all connections from my network to external for the protocol that you've just created, and you place this rule in first place.
In fact, this rule forbids all connections that try to go to the Internet without passing through the proxy.
It worked for me, so I think it should work for you!
|
|
|
|
RE: Firewall clients bypass http filter - 21.Feb.2005 3:15:00 PM
|
|
|
pauli1
Posts: 1
Joined: 21.Feb.2005
Status: offline
|
We've got a similar problem. But users doing HTTP and FTP requests via the proxy client should be allowed, but should be routed to the ISA web filters. And this is currently not the case. That's why it's bypassing e.g. Antivirus and SurfControl. It's a long-standing issue in ISA 2000, and did they forget to solve it in ISA 2004? The issue: for a number of reasons (special applications which needed to have Internet access) we have to deploy the proxy client. With that proxy client the user can, if they disable the proxy in Internet Explorer, circumvent the security plugins (Antivirus and SurfControl) in ISA, AND IT SEEMS NOT TO HAVE CHANGED in ISA 2004.
|
|
|
|
RE: Firewall clients bypass http filter - 23.Feb.2005 10:18:00 PM
|
|
|
Guest
|
You could also turn off the firewall client if it's not needed. Of course, for those who do need a "transparent" proxy, this is going to cause some issues.
|
|
|
|
RE: Firewall clients bypass http filter - 16.Mar.2005 9:58:00 PM
|
|
|
iq90
Posts: 1
Joined: 16.Mar.2005
Status: offline
|
Yes, it works! You're great! quote: Originally posted by Francky 35: ...You should first create a new protocol definition which uses port 80 with TCP on outgoing, and YOU MUST NOT ASSOCIATE IT WITH THE WEB FILTER...
|
|
|
|