Welcome to ISAserver.org

ISA 2K6 & Firewall Client HTTP Redirection

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Web Proxy] >> General >> ISA 2K6 & Firewall Client HTTP Redirection

Page: [1]

Message

<< Older Topic Newer Topic >>

ISA 2K6 & Firewall Client HTTP Redirection - 5.Dec.2007 12:46:48 PM

MDHughes

Posts: 1
Joined: 5.Dec.2007
Status: offline

Is there a way to force re-direction to the local web proxy service (ala the HTTP Redirector Filter in ISA 2000) with ISA 2K6?

I'm currently running 2000 in our production array with Websense as our webfilter (which can't read / unwrap firewall client traffic.)

We force proxy settings by GPO but smart users can remove this from their browser and then utilize the firewall client to direct traffic to the array and bypass the web filter. Using the redirector in 2000 sends these requests back to the web proxy service. However I don't see a method available to do the same thing in 2006 so, in testing, I can remove the proxy from my browser, point my firewall client at the 2006 array and then bypass the web filter for browsing.

Is there a method to overcome this in 2006?

Post #: 1

Featured Links*

RE: ISA 2K6 & Firewall Client HTTP Redirection - 5.Dec.2007 11:09:27 PM

ferrix

Posts: 547
Joined: 16.Mar.2005
Status: offline

If you have the http protocol hooked to the Web Proxy Filter (you should) then S-NAT http connections will get filtered just fine.

(in reply to MDHughes)

Post #: 2

RE: ISA 2K6 & Firewall Client HTTP Redirection - 27.Dec.2007 10:52:22 AM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

We've faced the same issue, and also have the firewall client deployed so that media plugins can access HTTP (TCP Port 80) media objects as firewall clients, and have implemented the following Rules:

DENY_TCP_80_FirewallClients:
Action: Deny
Procotols: create a new protocol - TCP Port 80 Outbound (with NO filters applied)
From: Internal
To: External
Users: Authenticated Users
Content Types: This rule applies to Selected content types
   Application
   Application Data Files
   Compressed Files
   Documents
   HTML Documents
   Images
   Macro Documents
   Text
   VRML

Allow_TCP_80_EmbeddedMedia
Action: Allow
Procotols: create a new protocol - TCP Port 80 Outbound (with NO filters applied)
From: Internal
To: External
Users: Authenticated Users
Content Types: This rule applies to Selected content types
   Audio
   Video

And if you need to allow HTTP (TCP Port 80) access from firewall clients to certain Internet sites, just create a Domain Name Set and add the sites needed into it, then apply that Domain Name Set as an exlude on the "To:" within the DENY_TCP_80_FirewallClients Access Rule.

(in reply to ferrix)

Post #: 3