Our district uses ISA2k4 and previously all clients were SNAT, but due to how our content filter (Secure Computing's Bess ISA plug-in) handles SSL sites we had to make them web proxy clients. The proxy settings are set via group policy.
The next issue was laptop clients were unable to reach the proxy server from outside the district's network. I registered a public name as proxy.school.com and have an internal copy of our public DNS using internal IP for internal use. I created a publishing rule and some access rules to allow external access to the proxy server (ISA) over port 8080; that worked great for about 6-8 weeks.
Unfortunately the proxy was discovered by 'others' and is being abused to the point that it becomes unavailable even for internal usage. As soon as I remove external access to the server publishing rule the proxy server immediately begins to respond to internal requests. I need to authenticate or restrict public access to the proxy.
Can the FWC be used to authenticate public access for inbound requests to ISA's proxy? Would it be secure? I'm open to any and all ideas that may even require something other than ISA.
Why the need? We are beginning an initiative to provide laptops to all students w/ 150 students already assigned and an additional 1200 coming online in Aug (eventually we could have 40000 laptops by 2010). This will be a growing problem for school districts in Texas and around the country as the demand for using school owned laptops outside of district networks increases but the requirement to protect/filter student Internet activities remains (see Children's Internet Protection Act).
I think you are tackling the problem the wrong way. If you properly configure IE, IE will automatically detect if a proxy server is available or not. So, no need to set up such an insecure configuration at all.
Thanks, but unfortunately, federally funded public schools must filter Internet content accessed with school equipment. This is being interpreted to mean regardless of location. As it is, we noticed a huge drop in computer problems when students were filtered outside the district. They were no longer able to access myspace or other nefarious sites. The computers started actually getting used for school work. Imagine that....
So it's not a matter of choice for us, and many other school districts are or will be faced with the same challenge: how to ensure district computers are filtered regardless of location.
There are definite pros and cons to consider when it comes to filtering student Internet usage outside of the district's network. With filtering in general it helps protect our equipment while it is off the network. Granted, there are workarounds such as mobile Firefox, but as we find those we deny those applications via hash rules pushed through group policy. The legal and political factor is this: consider the frivolous lawsuits that occur every day; it is not beyond conception for someone to sue the district for a student that gets kidnapped or sexually abused by someone they met in a chat room while using a district provided computer at the local WI-FI hotspot. They could conceivably lay blame on the district for creating the opportunity for that student to use the Internet while unmonitored (forget any parental or even personal responsibility). Sort of like going after the bartender who served the drunk driver that has a wreck. By forcing filtering regardless of where the laptop is used we can lay claim to taking reasonable precautionary and protective measures as opposed to saying we knew of the possibility but did nothing. Thanks again... I'm hoping Mr. Shinder will see this post but I may email him directly as you suggested.