Welcome to ISAserver.org

User bypassing ISA

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 Firewall] >> SecureNAT Client >> User bypassing ISA

Page: [1]

Message

<< Older Topic Newer Topic >>

User bypassing ISA - 4.Mar.2003 4:54:00 PM

infantry sgt

Posts: 11
Joined: 17.Jan.2002
From: Madison, WI
Status: offline

There are two ways out of our network. We have our link to HQ that we use for internal buisness. We have our own ISP that we use for internet access to take all the web traffic off the link to HQ.

Our own ISP is the link that the ISA is pointed to. Users must have the proxy settings to get access though the ISP or they can get internet though the HQ link if they have DNS entries (we are still using WINS).

Here is the problem.

A user without DNS settings can change the proxy IP from 192.168.0.200:8080 to .168.0.200 and remove the port data they get full access through the HQ link. All they have do is remove the first octet, leaving the "." and off they go. They do not have DNS settings to resolve names. I have also gotten this address to work, .1.1.1 with no port settings.

I hope I explained this well enough, it's to explain.

Post #: 1

Featured Links*

RE: User bypassing ISA - 5.Mar.2003 3:57:00 PM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Sarge,

Not sure exactly how you have things set up, but you can prevent SecureNAT clients from accessing the Web by configuring the HTTP redirector to drop requests from SecureNAT and Firewall clients. That will force the Web Proxy client config.

Also, remember defense in depth. Use group policy to prevent users from changing browser and TCP/IP settings.

HTH,
Tom

(in reply to infantry sgt)

Post #: 2