Is it possible to configure ISA so that only the firewall client is allowed to access the internet? The scenario is that some users have admin access on systems and can manually configure the proxy settings in their web browser and uninstall the firewall client. We want to prevent those users from being able to access the internet, and since the web proxy will prompt for a username (and the user can then enter the domain user information), if the user can uninstall the firewall client and enter the appropriate proxy information it undermines the security. TIA.
The easiest way to do this is to disable the Web Proxy listener on the Internal network, and any other protected network where Web Proxy clients might be located. Then, make sure there are no anonymous access rules. This will prevent the SecureNAT clients from connecting. The only client then that can access external resources will be the Firewall client.
Note that even if you disable the Web Proxy listener, the Firewall client will still be able to benefit from the Web cache. The only requirement is that the Web Proxy filter be enabled on the rule that the Firewall clients are using to access the external Web sites.
quote: Note that even if you disable the Web Proxy listener, the Firewall client will still be able to benefit from the Web cache. The only requirement is that the Web Proxy filter be enabled on the rule that the Firewall clients are using to access the external Web sites.
Awesome news Tom. Thanks! I'll be posting a followup question about the firewall client configuration in another thread. Thanks!
If I did what you have described above, does this mean that all users would need to be able to do DNS lookups, and all the log data would show IP addresses visited, rather than specific pages?
By doing this surely users would no longer be using a proxy to browse the web?
Or, would the firewall route all HTTP requests to the web proxy?
BUT, if you disable SecureNAT completely, wouldn't this cause some serious issues with some servers which are not supposed to have the FW client installed?