Welcome to ISAserver.org

FWC for inbound authentication??

FWC for inbound authentication?? - 9.Jan.2007 5:43:09 PM   
randy_ray

 

Posts: 59
Joined: 7.Sep.2002
From: Houston, TX
Status: offline
Our district uses ISA2k4 and  previously all clients were SNAT, but due to how our content filter (Secure Computing's Bess ISA plug-in) handles SSL sites we had to make them web proxy clients.  The proxy settings are set via group policy.

The next issue was laptop clients were unable to reach the proxy server from outside the district's network.  I registered a public name as proxy.school.com and have an internal copy of our public DNS using internal IP for internal use.  I created a publishing rule and some access rules to allow external access to the proxy server (ISA) over port 8080; that worked great for about 6-8 weeks.

Unfortunately the proxy was discovered by 'others' and is being abused to the point that it becomes unavailable even for internal usage.  As soon as I remove external access to the server publishing rule the proxy server immediately begins to respond to internal requests.  I need to authenticate or restrict public access to the proxy.

Can the FWC be used to authenticate public access for inbound requests to ISA's proxy?  Would it be secure?  I'm open to any and all ideas that may even require something other than ISA. 

Why the need?  We are beginning an initiative to provide laptops to all students w/ 150 students already assigned and an additional 1200 coming online in Aug (eventually we could have 40000 laptops by 2010). This will be a growing problem for school districts in Texas and around the country as the demand for using school owned laptops outside of district networks increases but the requirement to protect/filter student Internet activities remains (see Children's Internet Protection Act).

Randy D.
Klein, Texas

Post #: 1
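An added example, not part of the original post: a Python check that counts unauthenticated requests arriving from outside the internal ranges in a Web Proxy log, which is how abuse of a publicly published, unauthenticated proxy like the one described above shows up. The log lines, the reduced field set, the `anonymous` user value and the 10.0.0.0/8 internal range are constructed assumptions, not data from the thread.

```python
import ipaddress
from collections import Counter

# Assumption: the internal address range (hypothetical value).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in W3C extended style: tab-separated, "#Fields:" header.
SAMPLE_LOG = "\n".join(
    ["#Fields: c-ip\tcs-username\tcs-uri\tsc-status",
     "10.1.4.22\tanonymous\thttp://example.org/\t200"]
    + ["203.0.113.7\tanonymous\thttp://example.net/p%d\t200" % i for i in range(4)]
    + ["198.51.100.9\tDISTRICT\\student01\thttp://example.edu/\t200",
       "198.51.100.50\tanonymous\thttp://example.com/\t200"]
)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def is_external(ip):
    """True only for a parsable address outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: skip rather than guess
    return not any(addr in net for net in INTERNAL_NETS)

def external_anonymous(text, threshold=3):
    """Return {client_ip: count} for external clients that sent at least
    `threshold` requests without an authenticated user name."""
    hits = Counter()
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-").strip().lower()
        if user in ("anonymous", "-", "") and is_external(rec.get("c-ip", "")):
            hits[rec["c-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in external_anonymous(SAMPLE_LOG).items():
        print(f"{ip}: {n} unauthenticated external requests")
```
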
RE: FWC for inbound authentication?? - 10.Jan.2007 2:46:01 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Randy,

I think you are tackling the problem the wrong way. If you properly configure IE, IE will automatically detect if a proxy server is available or not. So, no need to set up such an insecure configuration at all.

For more info, check out my article Understanding the Web Proxy and Firewall Client Automatic Configuration.

HTH,
Stefaan

(in reply to randy_ray)
Post #: 2
RE: FWC for inbound authentication?? - 10.Jan.2007 3:08:56 PM   
randy_ray

 

Posts: 59
Joined: 7.Sep.2002
From: Houston, TX
Status: offline
Thanks, but unfortunately, federally funded public schools must filter Internet content accessed with school equipment. This is being interpreted to mean regardless of location.  As it is, we noticed a huge drop in computer problems when students were filtered outside the district.  They were no longer able to access myspace or other nefarious sites.  The computers started actually getting used for school work.  Imagine that....

So it's not a matter of choice for us and many other school districts are or will be faced with the same challenge.  How to ensure district computers are filtered regardless of location.

(in reply to spouseele)
Post #: 3
RE: FWC for inbound authentication?? - 10.Jan.2007 3:55:47 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Randy,

That sounds like a "stupid" requirement to me! How can you be responsible for something that is inherently out of your control when used outside your network?
I will never understand the US law...

Nevertheless, I suggest you contact tshinder@isaserver.org. He is from Texas and *the* ISA God.

HTH,
Stefaan




(in reply to randy_ray)
Post #: 4
RE: FWC for inbound authentication?? - 10.Jan.2007 5:09:21 PM   
randy_ray

 

Posts: 59
Joined: 7.Sep.2002
From: Houston, TX
Status: offline
There are definite pros and cons to consider when it comes to filtering student Internet usage outside of the district's network. With filtering in general it helps protect our equipment while it is off the network.  Granted, there are workarounds such as mobile Firefox, but as we find those we deny those applications via hash rules pushed through group policy.  The legal and political factor is this: consider the frivolous lawsuits that occur every day; it is not beyond conception for someone to sue the district for a student that gets kidnapped or sexually abused by someone they met in a chat room while using a district provided computer at the local WI-FI hotspot.  They could conceivably lay blame on the district for creating the opportunity for that student to use the Internet while unmonitored (forget any parental or even personal responsibility).  Sort of like going after the bartender who served the drunk driver that has a wreck.  By forcing filtering regardless of where the laptop is used we can lay claim to taking reasonable precautionary and protective measures as opposed to saying we knew of the possibility but did nothing.  Thanks again... I'm hoping Mr. Shinder will see this post but I may email him directly as you suggested.

(in reply to spouseele)
Post #: 5
