Welcome to ISAserver.org


SecureNat and Web Proxy

SecureNat and Web Proxy - 19.Sep.2007 1:49:54 PM   
Ryanjkeen

 

Posts: 6
Joined: 19.Sep.2007
Status: offline
Hi, before I go out of my tiny little mind and miss the Man U match tonight I hope someone can help with this little issue.

Setup -
3 Servers (win3k3 - 1 sql, 1 exch, 1 ISA 2006) 100 XP Pro pc's IE7, Cisco Pix.
ISA running in single Nic mode, customer only wants to use ISA as proxy.
IE is setup with following server4a 8080 for proxy, and Autodetect settings

The issue is 80% of the users can still get out on the internet and bypass the HTTP filters. I watched the filter screen and saw that the client was using SecureNAT; the other 20% that show in the logs use Web Proxy, and they get blocked from going to banned sites.

Can someone please tell me how to block SecureNAT clients?

Thanks

Ry

Post #: 1
RE: SecureNat and Web Proxy - 19.Sep.2007 4:39:51 PM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

You are using your ISA Server with a single NIC, what we call hork mode!

So if your clients are able to change their default gateway and their proxy setting, then they would easily bypass your ISA Server!

If you were using ISA Server as a backend Firewall with Two NICs, then you would have more control on your users.

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to Ryanjkeen)
Post #: 2
RE: SecureNat and Web Proxy - 19.Sep.2007 7:13:07 PM   
Ryanjkeen

 

Posts: 6
Joined: 19.Sep.2007
Status: offline
No, they can't change Gateway or Proxy - it's well screwed down! I have removed the default gateway from everyone's PC now - still no joy.

Ry

(in reply to elmajdal)
Post #: 3
RE: SecureNat and Web Proxy - 19.Sep.2007 11:21:20 PM   
ferrix

 

Posts: 369
Joined: 16.Mar.2005
Status: offline
Something seems wrong about your description..

The concept of "secure nat" mode only applies to hosts that use ISA as the default gateway, which is not your case because you're running single NIC and ISA's not in the exit path of your LAN.

With a single NIC the only way for ISA to inspect HTTP traffic is when browsers willingly connect to the ISA :8080 port.  Hitting ISA as the default gateway shouldn't even be possible in this configuration.

Anyway how you keep your proxy policy "screwed down" on your web clients is really not anything to do with ISA at all.  With your setup, it seems like the easiest way to force using ISA is to lock your pix down so only ISA can originate outbound HTTP connections.  That way anyone who doesn't use the right proxy settings will be unable to get out at all.

(in reply to Ryanjkeen)
Post #: 4
RE: SecureNat and Web Proxy - 28.Sep.2007 10:22:43 AM   
Ryanjkeen

 

Posts: 6
Joined: 19.Sep.2007
Status: offline
Hi Everyone, Ok I have really banged my head now..

Isaserver 2003 sp2 R2
Single Nic 192.168.1.56
Pix 192.168.1.251
All systems have IE proxy server set and users not allowed to change the settings.
Pix is set to only allow out bound access from the ISA server.

When the below settings are in place
PC2 can access the Web fine, the filtering works.
PC1 can't access the Web

PC1 Win Xp, (firewall disable)
IP 192.168.1.122
Sub 255.255.255.0
Gateway 192.168.1.56 (outlook 2007 complains like hell when no ip in gateway)
DNS 192.168.1.7, 192.168.1.52, 192.168.1.56

PC2 Win Xp, (firewall disable)
IP 192.168.1.129
Sub 255.255.255.0
Gateway 192.168.1.56 (outlook 2007 complains like hell when no ip in gateway)
DNS 192.168.1.7, 192.168.1.52, 192.168.1.56

---------------------------------------------------------------------------------
Isaserver 2003 sp2 R2
Single Nic 192.168.1.56
Pix 192.168.1.251
All systems have IE proxy server set and users not allowed to change the settings.
Pix is set to ALLOW all PC's out bound

When the below settings are in place -
PC1 can access the Web fine, the filtering does NOT work.
PC2 can access the Web fine, the filtering works.

PC1 Win Xp, (firewall disable)
IP 192.168.1.122
Sub 255.255.255.0
Gateway 192.168.1.251 (outlook 2007 complains like hell when no ip in gateway)
DNS 192.168.1.7, 192.168.1.52, 192.168.1.56

PC2 Win Xp, (firewall disable)
IP 192.168.1.129
Sub 255.255.255.0
Gateway 192.168.1.56 or 192.168.1.251 (outlook 2007 complains like hell when no ip in gateway)
DNS 192.168.1.7, 192.168.1.52, 192.168.1.56

Any Ideas?

< Message edited by Ryanjkeen -- 28.Sep.2007 10:39:50 AM >

(in reply to ferrix)
Post #: 5
RE: SecureNat and Web Proxy - 28.Sep.2007 10:29:31 AM   
ferrix

 

Posts: 369
Joined: 16.Mar.2005
Status: offline
These settings are identical.

(in reply to Ryanjkeen)
Post #: 6
RE: SecureNat and Web Proxy - 28.Sep.2007 10:41:07 AM   
Ryanjkeen

 

Posts: 6
Joined: 19.Sep.2007
Status: offline
edited - Sorry, my mind is not 100% today

(in reply to ferrix)
Post #: 7
RE: SecureNat and Web Proxy - 28.Sep.2007 10:46:11 AM   
ferrix

 

Posts: 369
Joined: 16.Mar.2005
Status: offline
I'm pretty sure you can't use SecureNAT mode on a single NIC ISA server.  I don't know why it works at all in your testing; I would advise to stop trying to do it.

PIX should only allow http/s outbound from ISA server as in config 1.  Clients should have PIX as gateway as in config 2. 

There is clearly something wrong on PC 1 that is not shown via the things you are posting.  I recommend wiresharking your traffic to see what's going on, and correlate it with what's being seen in your ISA and pix logs.

(in reply to Ryanjkeen)
Post #: 8
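
The traffic check suggested in post #8, as an added example that is not part of the original thread: it labels each TCP flow by the path it takes to the web and lists the clients that reach external HTTP/S without going through the proxy. The LAN, ISA address and port 8080 come from the thread; the `src,dst,dst_port` record format, the function names and the sample flows are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Addresses taken from the thread; the record format is an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY_IP = ipaddress.ip_address("192.168.1.56")   # single-NIC ISA
PROXY_PORT = 8080
WEB_PORTS = {80, 443}

# Constructed sample: "src,dst,dst_port" per TCP connection attempt.
SAMPLE_FLOWS = """\
192.168.1.122,203.0.113.10,80
192.168.1.122,203.0.113.10,443
192.168.1.129,192.168.1.56,8080
192.168.1.56,203.0.113.10,80
192.168.1.122,192.168.1.7,53
192.168.1.129,192.168.1.56,8080
"""

def classify(src, dst, dport):
    """Label one flow by the path it takes to the web."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and dst == PROXY_IP and dport == PROXY_PORT:
        return "via-proxy"
    if src in LAN and dst not in LAN and dport in WEB_PORTS:
        # Only the proxy itself should originate outbound HTTP/S.
        return "proxy-egress" if src == PROXY_IP else "direct-bypass"
    return "other"

def summarize(text):
    """Return {client_ip: Counter(label -> flows)} for every source seen."""
    per_client = defaultdict(Counter)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = (f.strip() for f in line.split(","))
        per_client[src][classify(src, dst, int(dport))] += 1
    return per_client

def bypassing_clients(text):
    """Clients that reached external web ports without using the proxy."""
    return sorted(ip for ip, c in summarize(text).items() if c["direct-bypass"])

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_FLOWS).items()):
        print(ip, dict(counts))
    print("bypassing:", bypassing_clients(SAMPLE_FLOWS))
```

Any address this reports should also appear as a permitted outbound source in the PIX log and be absent from the ISA Web Proxy log for the same time window.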
RE: SecureNat and Web Proxy - 28.Sep.2007 10:58:38 AM   
Ryanjkeen

 

Posts: 6
Joined: 19.Sep.2007
Status: offline
How do I stop SecureNAT from working? Thanks for helping with this!! I am trying to think what else could be on the PC that's causing this -

The config for all the PC's will be once this is sorted-
Isaserver 2003 sp2 R2
Single Nic 192.168.1.56
Pix 192.168.1.251
All systems have IE proxy server set and users not allowed to change the settings.
Pix is set to only allow out bound access from the ISA server.


PC1 Win Xp, (firewall disable)
IP 192.168.1.122
Sub 255.255.255.0
Gateway 192.168.1.251
DNS 192.168.1.7, 192.168.1.52, 192.168.1.56

(in reply to ferrix)
Post #: 9
RE: SecureNat and Web Proxy - 28.Sep.2007 11:26:27 AM   
ferrix

 

Posts: 369
Joined: 16.Mar.2005
Status: offline
You stop it by setting the PIX configuration not to allow all PCs to use http/s.  That way, if the user uses, say, a different browser or manages to change their proxy settings, they will still not succeed at bypassing ISA.

I have no further suggestions about your PC1 issues beyond all my ones above.

(in reply to Ryanjkeen)
Post #: 10
RE: SecureNat and Web Proxy - 29.Sep.2007 5:26:46 AM   
Ryanjkeen

 

Posts: 6
Joined: 19.Sep.2007
Status: offline
Ok, thanks for your help anyway. I have just reloaded Windows on PC1 and it now uses ISA - must be something within XP that's doing it. Only another 123 to go!

Ry

(in reply to ferrix)
Post #: 11
