Firewall clients bypass http filter (Full Version)






muntos -> Firewall clients bypass http filter (24.Dec.2004 12:56:00 AM)

So we are using ISA 2004 on Windows 2003 Server.
ISA is configured to allow Internet access only to authenticated users and is configured to allow both Firewall clients and Web Proxy clients.
We also use SurfControl to restrict access to certain sites.
The problem is that if the users remove the web proxy settings in LAN connections in IE they can gain access to restricted sites, since the authentication is made by the firewall client.
So, how can we prevent this behavior?
Thanks.




tshinder -> RE: Firewall clients bypass http filter (26.Dec.2004 2:14:00 PM)

Hi Muntos,

The Firewall client automatically sends connections through to the Web Proxy filter, since the Web Proxy filter is bound to the HTTP protocol. So, there is no way the Firewall client connections can bypass the ISA firewall's Web Proxy filter unless you've unbound the filter from the HTTP protocol.

HTH,
Tom




muntos -> RE: Firewall clients bypass http filter (26.Dec.2004 5:33:00 PM)

So, how do I verify if the filter is bound to the HTTP protocol?
Thanks.




muntos -> RE: Firewall clients bypass http filter (27.Dec.2004 2:46:00 PM)

OK, I've verified the HTTP protocol and it's bound to the Web Proxy filter!
Any ideas please?




muntos -> RE: Firewall clients bypass http filter (28.Dec.2004 4:20:00 PM)

By BlackPH:

"It is true, I have tried to check it. Is it a mistake by the developers?
When the FWC query is redirected to the Web Proxy it goes through without HTTP filter checking. Even in the SQL logs the [DestHost] field is never resolved (it stays an IP) when the FWC web query is redirected 80 -> 8080, but a query directly on 8080 resolves fine."




tshinder -> RE: Firewall clients bypass http filter (28.Dec.2004 5:53:00 PM)

Hi Muntos,

Can you provide an example of a failure in the Web Proxy filter? I will try to replicate the config.

Thanks!
Tom




muntos -> RE: Firewall clients bypass http filter (29.Dec.2004 3:35:00 PM)

Let's see:
Windows 2003 Server, ISA 2004
DNS Server on the same machine as ISA.
SurfControl installed.
Internal Network configured in ISA to accept both Firewall clients and Web Proxy clients.
No anonymous rules in ISA (if I disable both the firewall client and the proxy in the browser, bye bye Internet access).

Client:
Windows XP SP2, IE 6 browser.
Firewall client installed.

Case 1:
Web Proxy enabled in IE.
Trying to access www.xxx.com... access denied by SurfControl.
In ISA logs I see the domain name (www.xxx.com).

Case 2:
Web Proxy disabled in IE.
Trying to access www.xxx.com... successful!
In ISA logs I see the IP address.
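The two cases above give a log-side check a defender can run: requests the Web Proxy filter saw are logged with the destination host name, while Firewall client requests that bypassed it are logged with only the IP. The script below is an added example for this thread (not ISA Server code or any poster's); its log layout is constructed for the example, so `parse_line()` must be adapted to the real ISA 2004 log columns.

```python
"""Flag Firewall-client HTTP requests that skipped the ISA Web Proxy filter.
Added example for this thread (not ISA Server code). muntos' symptom: a request
seen by the Web Proxy filter logs the destination host NAME (Case 1); a bypassing
Firewall client request logs only the destination IP (Case 2). Log layout below is
CONSTRUCTED; real ISA 2004 logs have more columns, so adapt parse_line()."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: client_ip user dest_host dest_ip dest_port "rule" action
SAMPLE_LOG = """\
10.0.0.21 DOMAIN\\alice www.example.com 93.184.216.34 80 "Internet access" Denied
10.0.0.21 DOMAIN\\alice 93.184.216.34 93.184.216.34 80 "Internet access" Allowed
10.0.0.35 DOMAIN\\bob www.example.net 93.184.216.35 8080 "Internet access" Allowed
10.0.0.35 DOMAIN\\bob 93.184.216.35 93.184.216.35 443 "Internet access" Allowed
"""

def is_ip_literal(host: str) -> bool:
    """True when DestHost is an address literal rather than a resolved name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_line(line: str) -> Dict[str, str]:
    client_ip, user, dest_host, dest_ip, port, rest = line.split(maxsplit=5)
    rule, action = rest.rsplit(maxsplit=1)
    return {"client_ip": client_ip, "user": user, "dest_host": dest_host,
            "dest_ip": dest_ip, "dest_port": port, "rule": rule.strip('"'),
            "action": action}

def find_proxy_bypass(log_text: str, web_ports: Tuple[int, ...] = (80,)) -> List[Dict[str, str]]:
    """Return entries on a web port whose DestHost was never resolved to a name:
    traffic the Web Proxy filter (and any add-on bound to it) never inspected."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if int(rec["dest_port"]) in web_ports and is_ip_literal(rec["dest_host"]):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_proxy_bypass(SAMPLE_LOG):
        print(f"{rec['client_ip']} ({rec['user']}) reached {rec['dest_ip']}:"
              f"{rec['dest_port']} outside the Web Proxy filter")
```

Run against the constructed sample it reports only the second line (alice reaching 93.184.216.34:80 with the Web Proxy disabled); the 8080 line shows a resolved name, so it is not flagged.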




ev@n -> RE: Firewall clients bypass http filter (29.Dec.2004 7:37:00 PM)

We have an ISA 2004 "farm" behind a hardware load-balancer. Websense Enterprise (v5.5) filtering and policy servers sit on each of the ISA servers behind the load-balancer's VIP (Virtual IP). There is a Websense ISAPI web filter installed by default on each of the ISA servers. The ISAPI filter handles the HTTP URL filtering from the ISA Web Proxy application filter which is bound by default to the HTTP protocol. There is a single rule that provides outbound internet access (which is limited to authenticated users).
Now, we have the same problem! There is a serious issue here. I have not done enough research to determine why the Websense ISAPI filter is not filtering Firewall Client requests. Web Proxy requests work just fine and get filtered by Websense.
Anybody have any ideas?




ev@n -> RE: Firewall clients bypass http filter (30.Dec.2004 8:04:00 AM)

ttt... Anybody have any ideas??




tshinder -> RE: Firewall clients bypass http filter (30.Dec.2004 4:38:00 PM)

quote:
Originally posted by muntos:
Let's see:
Windows 2003 Server, ISA 2004
DNS Server on the same machine as ISA.
SurfControl installed.
Internal Network configured in ISA to accept both Firewall clients and Web Proxy clients.
No anonymous rules in ISA (if I disable both the firewall client and the proxy in the browser, bye bye Internet access).

Client:
Windows XP SP2, IE 6 browser.
Firewall client installed.

Case 1:
Web Proxy enabled in IE.
Trying to access www.xxx.com... access denied by SurfControl.
In ISA logs I see the domain name (www.xxx.com).

Case 2:
Web Proxy disabled in IE.
Trying to access www.xxx.com... successful!
In ISA logs I see the IP address.

Hi Muntos,

OK, you're mentioning SurfControl issues here, not ISA firewall issues.

What happens when you create a Domain Name Set and block that domain? When I test it, it blocks both the Firewall and Web Proxy clients.

So, this is a SurfControl problem, not an ISA firewall issue.

HTH,
Tom




tshinder -> RE: Firewall clients bypass http filter (30.Dec.2004 4:42:00 PM)

quote:
Originally posted by ev@n:
We have an ISA 2004 "farm" behind a hardware load-balancer. Websense Enterprise (v5.5) filtering and policy servers sit on each of the ISA servers behind the load-balancer's VIP (Virtual IP). There is a Websense ISAPI web filter installed by default on each of the ISA servers. The ISAPI filter handles the HTTP URL filtering from the ISA Web Proxy application filter which is bound by default to the HTTP protocol. There is a single rule that provides outbound internet access (which is limited to authenticated users).
Now, we have the same problem! There is a serious issue here. I have not done enough research to determine why the Websense ISAPI filter is not filtering Firewall Client requests. Web Proxy requests work just fine and get filtered by Websense.
Anybody have any ideas?

Hi Even,

Again, try the same thing. Create a Domain Name Set or a URL Set and block the site via one of those sets. You'll find that the site is blocked. So, the ISA firewall works; it's the add-on software that's whack.

HTH,
Tom




ev@n -> RE: Firewall clients bypass http filter (31.Dec.2004 12:40:00 AM)

I agree with you, but the Websense ISAPI filter is not picking up the Firewall Client requests, which are essentially Web Proxy requests anyways as defined by Microsoft in ISA 2004. We had more control over this in ISA 2000 with the HTTP redirector filter. This is not a good thing for an enterprise environment. Does anyone know if SurfControl has an ISAPI filter for ISA 2004?




muntos -> RE: Firewall clients bypass http filter (31.Dec.2004 3:01:00 PM)

I'm using SurfControl with ISA 2004 and have the same problem. Indeed it's a SurfControl filter issue, not an ISA Web Proxy Filter issue.




ev@n -> RE: Firewall clients bypass http filter (1.Jan.2005 2:41:00 AM)

Well, I'm calling Websense about this on Monday. This is ridiculous. I don't understand how these companies release software that is "certified" for ISA 2004, only to find out it has serious flaws! This is making my company project much more difficult to complete. If no solution, I may have to send Firewall and SecureNAT requests to an upstream ISA 2004 server via Firewall Chaining. There, I can add a rule to these requests that blocks HTTP, as well as any other protocol I choose. This is a good workaround I believe. Thanks!




angel_kit -> RE: Firewall clients bypass http filter (2.Jan.2005 5:56:00 PM)

Hello,

I think your problem does not reside on your ISA server but in your SurfControl application. Your users use a translation site; if you restrict the category "Information Technologies", sub-category "URL Translation", I think you can resolve your problem.




rbaker@ziegler.com -> RE: Firewall clients bypass http filter (17.Feb.2005 5:25:00 PM)

Been fighting the same issue.

I found in the Websense install PDF on page 180 instructions to add a file called "Ignore.txt" to the System32 folder of the ISA server. This file should contain the name of the ISA server in it.

After restarting the ISA server Websense now blocks both the firewall client and Proxy client requests.

The only question I have not had time to test is what else might have broken or been compromised by doing this.

One more thing. I had to give Websense port 15871 access from internal to local so that blocking pages would appear when running just firewall client.




franck_dohin -> RE: Firewall clients bypass http filter (17.Feb.2005 6:10:00 PM)

I had the same problem and I found a solution.

You should first create a new protocol definition which uses port 80 with TCP outbound, and YOU MUST NOT ASSOCIATE IT WITH THE WEB FILTER.

Then you create a new firewall rule that says: I refuse all connections from my network to External for the protocol that you've just created, and you place this rule in first place.

In fact this rule forbids all connections that try to go to the Internet without passing through the proxy.

It worked for me, so I think it should work for you!




pauli1 -> RE: Firewall clients bypass http filter (21.Feb.2005 3:15:00 PM)

We have a similar problem. Users doing HTTP and FTP requests via the proxy client should be allowed, but should be routed to the ISA web filters, and this is currently not the case. That's why it's bypassing e.g. Antivirus and SurfControl. It's a long-standing issue in ISA 2000, and did they forget to solve it in ISA 2004?
The issue: for a number of reasons (special applications which need to have Internet access) we have to deploy the proxy client. With that proxy client the users can, if they disable the proxy in Internet Explorer, circumvent the security plugins (Antivirus and SurfControl) in ISA, AND IT SEEMS NOT TO HAVE CHANGED in ISA 2004.




Guest -> RE: Firewall clients bypass http filter (23.Feb.2005 10:18:00 PM)

You could also turn off the firewall client if it's not needed. Of course, for those who do need a "transparent" proxy this is going to cause some issues.




iq90 -> RE: Firewall clients bypass http filter (16.Mar.2005 9:58:00 PM)

Yes, it works! You're great!
quote:
Originally posted by Francky 35:
...You should first create a new protocol definition which uses port 80 with TCP outbound, and YOU MUST NOT ASSOCIATE IT WITH THE WEB FILTER...




