• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

How to prevent users from disabling the Firewall Client?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> How to prevent users from disabling the Firewall Client? Page: [1]
Login
Message << Older Topic   Newer Topic >>
How to prevent users from disabling the Firewall Client? - 28.Apr.2006 4:54:55 AM   
03Mini

 

Posts: 5
Joined: 28.Apr.2006
Status: offline
My question is this: Is there a simple (or difficult) way to "lock" the controls for the Firewall Client so a user can't disable it?

My requirements:

1) When laptop users leave the building they need to be able to surf from Internet Cafes, Home network, and so on. , they must be forced to use ISA when "in the building". I'm running ISA2004 with Surfcontrol.

2)Employees and guests MUST be forced through ISA. For guests, we don't have a problem informing guests that they must configure their browser to use our ISA box.

I will accomplish this by either making the ISA the default gateway or by configuring the internet router ignore all traffic unless it comes from ISA.

My Failures:

1) I configured a GPO to force IE to use ISA and disallowed clearing of the checkbox in Tools | Internet Options | Connections | Lan Settings | Use a Proxy Server...    This works for desktops that don't leave the building, but doesn't address the "Firefox issue"

2) This also failed because when the laptops left the building, they couldn't see the proxy server, and couldn't get to the internet. (woops, we learn by doing ) It also had no effect on users who have firefox, opera, and any other browser out there.

Thanks and regards,

_____________________________

-James
Post #: 1
RE: How to prevent users from disabling the Firewall Cl... - 1.May2006 1:37:19 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Check out WPAD and also look at autoconfig or PAC scripts

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to 03Mini)
Post #: 2
RE: How to prevent users from disabling the Firewall Cl... - 1.May2006 12:12:05 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi James,

if you only give outbound access to authenticated users than the users must be able to authenticate against the ISA server in the first place. That means that only Web Proxy and Firewall client requests will be allowed. SecureNAT client requests can never authenticate.

For corporate managed workstations, I like to configure the firewall client to automatically detect the ISA server and let the Firewall client configure IE with the configuration script if the ISA server is detected by the Firewall client. Else, the Firewall client will not touch the IE settings.

For more info, check out:
- http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html 
- http://www.isaserver.org/IsaNews/February2006-Update-Understanding-Web-Proxy-Firewall-Client-Automatic-Configuration.html 

HTH,
Stefaan

(in reply to Jason Jones)
Post #: 3
RE: How to prevent users from disabling the Firewall Cl... - 1.May2006 5:02:23 PM   
03Mini

 

Posts: 5
Joined: 28.Apr.2006
Status: offline
I had played with WPAD configuration but some of my clients were getting prompted to log in to ISA when they opened a browser.

Also, will this ENSURE that visitors will be configured to use the PROXY?

_____________________________

-James

(in reply to spouseele)
Post #: 4
RE: How to prevent users from disabling the Firewall Cl... - 1.May2006 5:07:56 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Make sure your ISA is SPacked and apply SkipAuthenticationForRoutingInformation
http://support.microsoft.com/default.aspx?scid=kb;en-us;885683

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to 03Mini)
Post #: 5
RE: How to prevent users from disabling the Firewall Cl... - 1.May2006 5:55:06 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi James,

quote:

Also, will this ENSURE that visitors will be configured to use the PROXY?


Let's put it in another way, if the visitors are not configured to use the proxy, they will not get through. How they are configured to use the proxy is of course another matter.

HTH,
Stefaan

(in reply to LLigetfa)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> How to prevent users from disabling the Firewall Client? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts