How to prevent users from disabling the Firewall Client?

03Mini -> How to prevent users from disabling the Firewall Client? (28.Apr.2006 4:54:55 AM)

My question is this: Is there a simple (or difficult) way to "lock" the controls for the Firewall Client so a user can't disable it?

My requirements:

1) When laptop users leave the building they need to be able to surf from Internet Cafes, Home network, and so on; they must be forced to use ISA when "in the building". I'm running ISA2004 with Surfcontrol.

2) Employees and guests MUST be forced through ISA. For guests, we don't have a problem informing guests that they must configure their browser to use our ISA box.

I will accomplish this by either making the ISA the default gateway or by configuring the internet router to ignore all traffic unless it comes from ISA.

My Failures:

1) I configured a GPO to force IE to use ISA and disallowed clearing of the checkbox in Tools | Internet Options | Connections | LAN Settings | Use a Proxy Server... This works for desktops that don't leave the building, but doesn't address the "Firefox issue".

2) This also failed because when the laptops left the building, they couldn't see the proxy server, and couldn't get to the internet. (Whoops, we learn by doing.) It also had no effect on users who have Firefox, Opera, and any other browser out there.

Thanks and regards,




Jason Jones -> RE: How to prevent users from disabling the Firewall Client? (1.May2006 1:37:19 AM)

Check out WPAD and also look at autoconfig or PAC scripts.




spouseele -> RE: How to prevent users from disabling the Firewall Client? (1.May2006 12:12:05 PM)

Hi James,

If you only give outbound access to authenticated users, then the users must be able to authenticate against the ISA server in the first place. That means that only Web Proxy and Firewall client requests will be allowed. SecureNAT client requests can never authenticate.

For corporate managed workstations, I like to configure the firewall client to automatically detect the ISA server and let the Firewall client configure IE with the configuration script if the ISA server is detected by the Firewall client. Else, the Firewall client will not touch the IE settings.

For more info, check out:
- http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html 
- http://www.isaserver.org/IsaNews/February2006-Update-Understanding-Web-Proxy-Firewall-Client-Automatic-Configuration.html 

HTH,
Stefaan
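
The autoconfiguration (PAC) script approach suggested in the replies above, shown as an added example that is not part of the original thread or of any poster's configuration. The proxy name `isa.corp.example`, port 8080, the internal domain and the helper `chooseProxy` are assumptions made for illustration.

```javascript
// Added example. Assumed values (not from the thread): proxy name, port, domain.
var ISA_HOST = "isa.corp.example";            // assumed: resolves only on internal DNS
var ISA_PROXY = "PROXY isa.corp.example:8080";
var INTERNAL_DOMAIN = ".corp.example";

// Decision logic with the PAC helper functions passed in, so it can be
// exercised outside a browser as well as from FindProxyForURL below.
function chooseProxy(host, pac) {
  // Intranet short names and internal-domain hosts bypass the proxy.
  if (pac.isPlainHostName(host) || pac.dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // In the building: the ISA name resolves, so web traffic goes to ISA.
  // No "; DIRECT" fallback is listed, so a proxy outage fails closed
  // instead of silently bypassing filtering.
  if (pac.isResolvable(ISA_HOST)) {
    return ISA_PROXY;
  }
  // Away from the office (home network, Internet cafe): the ISA name
  // does not resolve, so the laptop connects directly.
  return "DIRECT";
}

// Entry point the browser calls for every request. ES5 syntax only,
// because PAC engines in older browsers do not support newer syntax.
function FindProxyForURL(url, host) {
  return chooseProxy(host, {
    isPlainHostName: isPlainHostName,
    dnsDomainIs: dnsDomainIs,
    isResolvable: isResolvable
  });
}
```

A PAC file only configures browsers that honour it, so the authenticated-only access rule on ISA remains the control that stops unconfigured clients inside the building.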




03Mini -> RE: How to prevent users from disabling the Firewall Client? (1.May2006 5:02:23 PM)

I had played with WPAD configuration but some of my clients were getting prompted to log in to ISA when they opened a browser.

Also, will this ENSURE that visitors will be configured to use the PROXY?




LLigetfa -> RE: How to prevent users from disabling the Firewall Client? (1.May2006 5:07:56 PM)

Make sure your ISA is SPacked and apply SkipAuthenticationForRoutingInformation
http://support.microsoft.com/default.aspx?scid=kb;en-us;885683




spouseele -> RE: How to prevent users from disabling the Firewall Client? (1.May2006 5:55:06 PM)

Hi James,

quote:

Also, will this ENSURE that visitors will be configured to use the PROXY?


Let's put it another way: if the visitors are not configured to use the proxy, they will not get through. How they are configured to use the proxy is of course another matter.

HTH,
Stefaan



