Welcome to ISAserver.org

URGENT - Help Pls

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 General] >> General >> URGENT - Help Pls

Page: [1]

Message

<< Older Topic Newer Topic >>

URGENT - Help Pls - 12.Nov.2002 7:11:00 AM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

Our network consists of an ISA Server acting as a proxy with IP 172.20.0.8:8080 along with a Watchguard Firewall that obviously is our firewall.

Now we have setup rules in ISA to stop students from accessing certain sites but if they untick Use a proxy server option in Internet Options, they can bypass the restricted sites list.

In the report generated I have a

UNKNOWN protocol with 76231 requests
Http protocol with 15694 requests and
SSL-tunnell with 4 requests.

What’s this “UNKNOWN” protocol? Does this indicate that when ppl bypass the proxy it doesn’t know what it is but still keeps a record of it?

How can we block all the traffic that doesn’t go through the proxy ie users must have the specified proxy server in their settings?

thanx once again
Zombrax "[Smile]"

Post #: 1

Featured Links*

RE: URGENT - Help Pls - 12.Nov.2002 7:12:00 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Zombrax,

Configure the HTTP Redirector to drop all requests from SecureNAT and Firewal clients. That will fix their wagons [Big Grin]

HTH,
Tom

(in reply to zombrax)

Post #: 2

RE: URGENT - Help Pls - 12.Nov.2002 7:45:00 AM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

Tom,

I went throught Extensions, Application Filters and HTTP Redirector Filter Properties and changed the setting from Redirect to local Web Proxy Service to Reject HTTP requests from Firewall and SecureNAT clients.

I still get through without the use of a Proxy in options of the browser! help pls..

thanks
Zombrax

(in reply to zombrax)

Post #: 3

RE: URGENT - Help Pls - 12.Nov.2002 2:18:00 PM

MCain

Posts: 85
Joined: 5.Sep.2002
From: New Jersey, USA
Status: offline

Hi Zombrax,

Have you thought of putting your users(students?) in a Win2k OU and applying policy to restrict their ability to change the Web Proxy settings in IE? I'm picking through some of the same issues here and that is currently my preferred setup. It's not very effective for mobile users who may go off site and need to get in through VPN services but for proxy clients it works quite well.

Also, if you've changed your HTTP redirector settings and you can still get through, are you sure that you're going through the ISA Server? Is there another physical route that could bypass the ISA Server?

-Matt

(in reply to zombrax)

Post #: 4

RE: URGENT - Help Pls - 12.Nov.2002 6:46:00 PM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Matt,

Good point. If the HTTP Redirector is configured to drop HTTP requests from SecureNAT and Firewall clients, then there's no way they can go through the ISA Server without being configured as a Web Proxy client.

Thanks!
Tom

(in reply to zombrax)

Post #: 5

RE: URGENT - Help Pls - 13.Nov.2002 2:04:00 AM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

arghh.. this is confusing in the sense that we have ISA as the proxy and Watchguard as the firewall.

I suspect that when one untick the option to use a proxy server in the browser settings, it goes direct to the firewall and out through port 80.

Is there any way that i can find out from a system what route its using to get out along with the port? when i do a tracert it shows as 172.20.0.1 which is the IP for wathguard firewall.

bit frustrated when you dont know what the heck is happening and where the hole is [Confused]

thanks again
Zombrax.

(in reply to zombrax)

Post #: 6

RE: URGENT - Help Pls - 13.Nov.2002 3:57:00 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi zombrax,

Dump the Watchguard and use ISA Server as a Firewall. ISA Server is a *much better* firewall and it obviously can give you a higher level of control.

HTH,
Tom

(in reply to zombrax)

Post #: 7

RE: URGENT - Help Pls - 13.Nov.2002 5:45:00 AM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

tom,

run a microsoft product as a firewall??! gotta be joking [Smile]

aint stable enough, our simple file servers running w2k advanced server needs to be rebooted every 20-25 days!

imagine a firewall..

but thats beside the point; I'll simply have to learn this product.

(in reply to zombrax)

Post #: 8

RE: URGENT - Help Pls - 13.Nov.2002 6:45:00 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi zombrax,

My ISA Servers have been up for months, and I have several Exchange Servers that have been up for years except for requiring reboots for service packs. Its the hardware and 3rd party drivers that are usually buggy and unstable, not Win2k or Windows servers.

IMHO,
Tom

(in reply to zombrax)

Post #: 9

RE: URGENT - Help Pls - 13.Nov.2002 3:02:00 PM

MCain

Posts: 85
Joined: 5.Sep.2002
From: New Jersey, USA
Status: offline

Hi Zombrax,

If your file servers require rebooting every 20-25 days you really need to sort those issues out. I agree that Microsoft has made it easy to misconfigure their software in many instances. And to Tom's point the hardware you are using seriously contributes to system stability.

On the ISA specific issue, the clients should not know a route to the internet other than through the ISA Server. Clearly something in your routing setup is letting the clients know that they can get to the internet through the watchguard. And, if you have Windows 2000 domain controllers that authenticate users, put those users in an OU and apply policies so they can't change the Web Proxy settings in IE. Maybe looking at it as a domain security issue rather than just an internet access issue will reflect it in a different light for you.

Regarding the firewall, mixing and matching firewall and access control technologies, while recommended by some, gets to be a bit hairy and can open up holes in the network that otherwise wouldn't be there.

Good luck,

-Matt

(in reply to zombrax)

Post #: 10

RE: URGENT - Help Pls - 13.Nov.2002 4:55:00 PM

MichaelOutterside

Posts: 2
Joined: 13.Nov.2002
Status: offline

Zombrax,

Not wishing to ask the obvious here...

How is your access set up on the Firebox system for internet use (if it is internet use that is causing you the problems)?

From what you describe the only IP's that should be allowed outbound internet access should be your ISA server and any other machines that need to bypass the proxy for internet access. It sounds like more IP's than this are enabled on your Firebox.

Watchguard policy manager will show you a list of the protocols that are permitted for outbound traffic, and you should have a list of the IP addresses that are allowed out under the authentication -->Aliases tab.

HTH

Mike.

(in reply to zombrax)

Post #: 11

RE: URGENT - Help Pls - 14.Nov.2002 12:52:00 AM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

Firstly, thanx a lot guys, your feedback helps me and gives me the hope of fixing this very frustrating problem soon. [Smile]

now my first step would be to find out where the leak in the network is. how can i find out the IP address the internet is going out on.. tracert only points to 172.20.0.1 which is the firewall.

Just checked the firewall and in the Aliases box, there is a entry for ISA Server with 2 IP addresses, 172.20.0.8 which is internal NIC Card and 172.100.0.2 which is the external NIC Card IP addy.

but i've checked accessing a blocked site with both this ip as the proxy address and both gets firewall authentication prompts!??! so i presume this is not where it is going out through to access blocked sites??!??

So does anyone know how to find out the IP addy its going out through?

thanx
Zombrax

(in reply to zombrax)

Post #: 12

RE: URGENT - Help Pls - 14.Nov.2002 2:49:00 AM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

tested again and found this..

if i have in the Proxy address of the browser..
172.20.0.8:1080 and port 1080
it bypasses all blocked sites in the ISA list!

can someone explain how/what is happening cause i'm at a very confused level now [Frown]

((

thanks
Zombrax

(in reply to zombrax)

Post #: 13

RE: URGENT - Help Pls - 14.Nov.2002 5:27:00 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Zom,

Make sure you configure the clients as Web Proxy clients and configure the HTTP Redirector to drop requests from SecureNAT and Firewall clients.

Finally, disable the SOCKS application filter.

HTH,
Tom

(in reply to zombrax)

Post #: 14

RE: URGENT - Help Pls - 14.Nov.2002 10:39:00 AM

asasyn2

Posts: 54
Joined: 24.Oct.2002
From: London
Status: offline

Is your Firewall Service in ISA active ? (I know you use another firewall but I've seen setups where people use the firewall service but only to get access to non-cern apps).
Anyway, if you do have it, disable it and see if that fixes your problem.
If you have your firewall service running people can use that to bypass your proxy rules (by unticking the "use proxy" in IE) and bypass all your rules.
Not sure if this applies to you, but I thought I'd mention it as I've seen nothing about it in previous emails.

(in reply to zombrax)

Post #: 15

RE: URGENT - Help Pls - 16.Dec.2002 4:55:00 AM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

where is the Firewall Service Options in ISA?
Can someone please let me know how to turn this off?

thanks in advance
Zombrax

(in reply to zombrax)

Post #: 16

RE: URGENT - Help Pls - 16.Dec.2002 6:20:00 AM

zzz343

Posts: 757
Joined: 19.Feb.2002
From: World's 7th Nuclear Power
Status: offline

Open ISA MMC, under SERVER/Services, in the right colum, you will find WEB PROXY n FIREWALL SERVICE.

(in reply to zombrax)

Post #: 17

RE: URGENT - Help Pls - 16.Dec.2002 11:37:00 PM

zombrax

Posts: 17
Joined: 14.Aug.2002
Status: offline

sorry i cant seem to find SERVER/Services anywhere?? i also tried doing a search for it with no avail.
Can you please outline the step again?

thanks
Zombrax

(in reply to zombrax)

Post #: 18