I have a customer who wants to filter HTTP requests of a guest network.
The user's browser would not necessarily have auto detect or manual proxy settings configured. However, the users are expected to receive DHCP for IP, gateway and DNS server details.
So my question is this: If ISA server is configured as a firewall (possibly with DNS forwarding) and so is transparent to the client, can WEBSENSE still work and will it receive URLs with names and not resolved IP addresses?
In my original question I said that the system is a guest network. There is no administrative control of the guest PC. The only requirement is that they obtain an IP address via DHCP. This means that they may or may not have auto detect enabled. So we cannot rely on that method.
I think I have since found the answer and it's not good. In order to have URL logging in ISA if the guest user does not have any client proxy settings, ISA must have transparent proxy enabled. Unfortunately, this then prevents a number of VPN clients from working.
I don't see how SecureNAT clients on the internal Network would affect inbound VPN connections to the ISA Firewall. That sounds more like a coincidence.
The default setting in IE is to use autodiscovery. The users would have had to make a change to their settings manually to not have autodiscovery enabled, in which case they would not be able to connect anyhow, because the SecureNAT client configuration would be overridden by the incorrect Web proxy settings.
Please forgive my lack of ISA and General MS knowledge.
I did not know that AutoDetect was default, probably because I play around with my OS all the time.
The ISA server would not be a VPN concentrator. The only function of the ISA is to interface with "Websense" and police the URLs of the guest users. However, when the user is connected back to their own VPN concentrator, the web content is of no importance to my client.
So I suppose a better question to ask is ...
Can an ISA server be a transparent proxy? If yes, then when the ISA server is acting as a transparent proxy, does it stop VPN clients from making successful connections to their remote VPN concentrators through the ISA server interfaces?
OK, these sound like outbound VPN connections. In order to allow outbound VPN connections, the ISA Firewall needs to be configured in full firewall mode, with at least an internal and external interface, then the rules on the ISA Firewall need to be configured to allow the outbound VPN protocols they need to use.
The ISA Firewall allows SecureNAT clients to be Web proxy clients without Web proxy client configuration, but you won't get the FQDNs because the SecureNAT client doesn't send that information to the ISA Firewall's Web proxy filter. In addition, I believe that Websense requires the clients to be configured as Web proxy clients, in which case autodiscovery via WPAD works fine.