Welcome to ISAserver.org


Firewall clients bypass http filter

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> Firewall clients bypass http filter
Firewall clients bypass http filter - 24.Dec.2004 12:56:00 AM
muntos
So we are using ISA 2004 on Windows 2003 Server.
ISA is configured to allow Internet access only to authenticated users and is configured to allow both Firewall clients and Web Proxy clients.
We also use SurfControl to restrict access to certain sites.
The problem is that if the users remove the web proxy settings in LAN connections in IE, they can gain access to restricted sites, since the authentication is made by the firewall client.
So, how can we prevent this behavior?
Thanks.
Post #: 1
RE: Firewall clients bypass http filter - 26.Dec.2004 2:14:00 PM
tshinder
Hi Muntos,

The Firewall client automatically sends connections through to the Web Proxy filter, since the Web Proxy filter is bound to the HTTP protocol. So, there is no way the Firewall client connections can bypass the ISA firewall's Web Proxy filter unless you've unbound the filter from the HTTP protocol.

HTH,
Tom

Post #: 2
RE: Firewall clients bypass http filter - 26.Dec.2004 5:33:00 PM
muntos
So, how do I verify that the filter is bound to the HTTP protocol?
Thanks.

Post #: 3
RE: Firewall clients bypass http filter - 27.Dec.2004 2:46:00 PM
muntos
OK, I've verified the HTTP protocol and it is bound to the Web Proxy filter!
Any ideas please?

Post #: 4
RE: Firewall clients bypass http filter - 28.Dec.2004 4:20:00 PM
muntos
By BlackPH:

"That is indeed so; I have tried to check it. Is it a mistake by the developers?
With the redirect, FWC queries go on to the Web Proxy without HTTP filter checking. Even in the SQL logs the [DestHost] field is never resolved (it stays an IP) when an FWC web query is redirected 80 -> 8080, but a query sent directly to 8080 is resolved fine."

Post #: 5
RE: Firewall clients bypass http filter - 28.Dec.2004 5:53:00 PM
tshinder
Hi Muntos,

Can you provide an example of a failure in the Web Proxy filter? I will try to replicate the config.

Thanks!
Tom

Post #: 6
RE: Firewall clients bypass http filter - 29.Dec.2004 3:35:00 PM
muntos
Let's see:
Windows 2003 Server, ISA 2004.
DNS Server on the same machine as ISA.
SurfControl installed.
Internal Network configured in ISA to accept both Firewall clients and Web Proxy clients.
No anonymous rules in ISA (so if I disable both the firewall client and the proxy in the browser, bye bye Internet access).

Client:
Windows XP SP2, IE 6 browser.
Firewall client installed.

Case 1:
Web Proxy enabled in IE.
Trying to access www.xxx.com.... access denied by SurfControl.
In ISA logs I see the domain address (www.xxx.com).

Case 2:
Web Proxy disabled in IE.
Trying to access www.xxx.com.... successful!
In ISA logs I see the IP address.

Post #: 7
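The two cases in the post above give a defender a concrete log signature: when the browser talks to the proxy, ISA logs the destination host name; when the Firewall client carries the request, ISA logs only the IP. The following Python script is an added example, not code from this thread, from SurfControl or from Microsoft. It scans an ISA-style log extract for port-80 requests whose logged destination is a bare IP address or no host name at all, and totals them per user, so an administrator can see whether users are clearing the proxy setting in the browser. The log layout is a simplified tab-separated W3C format whose field names are modelled on ISA's log fields but should be treated as an assumption, and every address, user and host in the sample is constructed for the example.

```python
"""Spot port-80 requests that reached ISA without a resolvable destination name.

Added example (not from the forum thread, SurfControl or Microsoft): entries
whose destination is a raw IP, or has no host name at all, are the symptom
muntos reports for Firewall Client requests that the URL filter never saw.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: a simplified tab-separated W3C layout. Field names are
# modelled on ISA 2004 log fields (c-ip, cs-username, r-host, r-ip, r-port ...)
# but the layout is an assumption, and every value below is made up.
SAMPLE_LOG = """\
#Fields: c-ip\tcs-username\tservice\tr-host\tr-ip\tr-port\tprotocol\taction
10.0.0.21\tCORP\\alice\tWeb Proxy\twww.example.test\t203.0.113.10\t80\thttp\tDenied
10.0.0.21\tCORP\\alice\tFirewall\t-\t203.0.113.10\t80\tHTTP\tAllowed
10.0.0.22\tCORP\\bob\tWeb Proxy\twww.example.test\t203.0.113.10\t80\thttp\tAllowed
10.0.0.23\tCORP\\carol\tFirewall\t203.0.113.44\t203.0.113.44\t80\tHTTP\tAllowed
10.0.0.23\tCORP\\carol\tFirewall\t-\t198.51.100.7\t443\tHTTPS\tAllowed
"""


@dataclass(frozen=True)
class Finding:
    client_ip: str
    client_user: str
    service: str
    dest_ip: str
    dest_host: str
    action: str


def parse_isa_log(text: str) -> list[dict[str, str]]:
    """Parse W3C-style lines; a '#Fields:' directive names the columns."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other W3C directives (#Software, #Date, ...)
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            continue  # skip malformed lines instead of guessing at columns
        records.append(dict(zip(fields, values)))
    return records


def is_literal_ip(host: str) -> bool:
    """True when the logged 'host' is really an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def find_proxy_bypass(records: list[dict[str, str]]) -> list[Finding]:
    """Flag port-80 requests whose destination name is missing or a raw IP."""
    findings: list[Finding] = []
    for rec in records:
        if rec.get("r-port") != "80":
            continue
        host = rec.get("r-host", "-")
        if host in ("", "-") or is_literal_ip(host):
            findings.append(Finding(
                client_ip=rec.get("c-ip", "-"),
                client_user=rec.get("cs-username", "-"),
                service=rec.get("service", "-"),
                dest_ip=rec.get("r-ip", "-"),
                dest_host=host,
                action=rec.get("action", "-"),
            ))
    return findings


def summarize_by_user(findings: list[Finding]) -> dict[str, int]:
    """Count flagged requests per user, the view an admin wants first."""
    return dict(Counter(f.client_user for f in findings))


if __name__ == "__main__":
    hits = find_proxy_bypass(parse_isa_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h.client_user} ({h.client_ip}) -> {h.dest_ip} via {h.service}: "
              f"{h.action}, logged host={h.dest_host!r}")
    print(summarize_by_user(hits))
```

On the constructed sample the script flags alice's Firewall-service request (no host name logged) and carol's request to a literal IP, and leaves the Web Proxy entries and the port-443 entry alone; a real deployment would feed it the exported ISA log instead of SAMPLE_LOG and could extend the port test to whatever the HTTP protocol definition covers.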
RE: Firewall clients bypass http filter - 29.Dec.2004 7:37:00 PM
ev@n
We have an ISA 2004 "farm" behind a hardware load-balancer. Websense Enterprise (v5.5) filtering and policy servers sit on each of the ISA servers behind the load-balancer's VIP (Virtual IP). There is a Websense ISAPI web filter installed by default on each of the ISA servers. The ISAPI filter handles the HTTP URL filtering from the ISA Web Proxy application filter which is bound by default to the HTTP protocol. There is a single rule that provides outbound internet access (which is limited to authenticated users).
Now, we have the same problem! There is a serious issue here. I have not done enough research to determine why the Websense ISAPI filter is not filtering Firewall Client requests. Web Proxy requests work just fine and get filtered by Websense.
Anybody have any ideas?

Post #: 8
RE: Firewall clients bypass http filter - 30.Dec.2004 8:04:00 AM
ev@n
ttt... Anybody have any ideas??

Post #: 9
RE: Firewall clients bypass http filter - 30.Dec.2004 4:38:00 PM
tshinder
quote:
Originally posted by muntos:
Let's see:
Windows 2003 Server, ISA 2004.
DNS Server on the same machine as ISA.
SurfControl installed.
Internal Network configured in ISA to accept both Firewall clients and Web Proxy clients.
No anonymous rules in ISA (so if I disable both the firewall client and the proxy in the browser, bye bye Internet access).

Client:
Windows XP SP2, IE 6 browser.
Firewall client installed.

Case 1:
Web Proxy enabled in IE.
Trying to access www.xxx.com.... access denied by SurfControl.
In ISA logs I see the domain address (www.xxx.com).

Case 2:
Web Proxy disabled in IE.
Trying to access www.xxx.com.... successful!
In ISA logs I see the IP address.

Hi Muntos,

OK, you're mentioning SurfControl issues here, not ISA firewall issues.

What happens when you create a Domain Name Set and block that domain? When I test it, it blocks both the Firewall and Web Proxy clients.

So, this is a SurfControl problem, not an ISA firewall issue.

HTH,
Tom

Post #: 10
RE: Firewall clients bypass http filter - 30.Dec.2004 4:42:00 PM
tshinder
quote:
Originally posted by ev@n:
We have an ISA 2004 "farm" behind a hardware load-balancer. Websense Enterprise (v5.5) filtering and policy servers sit on each of the ISA servers behind the load-balancer's VIP (Virtual IP). There is a Websense ISAPI web filter installed by default on each of the ISA servers. The ISAPI filter handles the HTTP URL filtering from the ISA Web Proxy application filter which is bound by default to the HTTP protocol. There is a single rule that provides outbound internet access (which is limited to authenticated users).
Now, we have the same problem! There is a serious issue here. I have not done enough research to determine why the Websense ISAPI filter is not filtering Firewall Client requests. Web Proxy requests work just fine and get filtered by Websense.
Anybody have any ideas?

Hi Even,

Again, try the same thing. Create a Domain Name Set or a URL Set and block the site via one of those sets. You'll find that the site is blocked. So, the ISA firewall works; it's the add-on software that's whack.

HTH,
Tom

Post #: 11
RE: Firewall clients bypass http filter - 31.Dec.2004 12:40:00 AM
ev@n
I agree with you, but the Websense ISAPI filter is not picking up the Firewall Client requests, which are essentially Web Proxy requests anyways as defined by Microsoft in ISA 2004. We had more control over this in ISA 2000 with the HTTP redirector filter. This is not a good thing for an enterprise environment. Does anyone know if SurfControl has an ISAPI filter for ISA 2004?

Post #: 12
RE: Firewall clients bypass http filter - 31.Dec.2004 3:01:00 PM
muntos
I'm using SurfControl with ISA 2004 and have the same problem. Indeed, it's a SurfControl filter issue, not an ISA Web Proxy Filter issue.

Post #: 13
RE: Firewall clients bypass http filter - 1.Jan.2005 2:41:00 AM
ev@n
Well, I'm calling Websense about this on Monday. This is ridiculous. I don't understand how these companies release software that is "certified" for ISA 2004, only to find out it has serious flaws! This is making my company project much more difficult to complete. If no solution, I may have to send Firewall and SecureNAT requests to an upstream ISA 2004 server via Firewall Chaining. There, I can add a rule to these requests that blocks HTTP, as well as any other protocol I choose. This is a good workaround I believe. Thanks!

Post #: 14
RE: Firewall clients bypass http filter - 2.Jan.2005 5:56:00 PM
angel_kit
Hello,

I think your problem does not reside in your ISA server but in your application SurfControl. Your users are using translation sites; if you restrict the category "Information Technologies", sub-category "URL Translation", I think you can resolve your problem.

Post #: 15
RE: Firewall clients bypass http filter - 17.Feb.2005 5:25:00 PM
rbaker@ziegler.com
Been fighting the same issue.

I found in the Websense install PDF on page 180 instructions to add a file called "Ignore.txt" to the System32 folder of the ISA server. This file should contain the name of the ISA server in it.

After restarting the ISA server Websense now blocks both the firewall client and Proxy client requests.

The only question I have not had time to test is what else might have broken or been compromised by doing this.

One more thing. I had to give Websense port 15871 access from internal to local so that blocking pages would appear when running just firewall client.

Post #: 16
RE: Firewall clients bypass http filter - 17.Feb.2005 6:10:00 PM
franck_dohin
I had the same problem and I found a solution.

You should first create a new protocol definition which uses port 80 with TCP outbound, and YOU MUST NOT ASSOCIATE IT WITH THE WEB FILTER.

Then you create a new firewall rule that says: I refuse all connections from my network to External for the protocol that you've just created, and you place this rule in first place.

In fact this rule forbids all connections that try to go to the Internet without passing through the proxy.

It worked for me, so I think it should work for you!

Post #: 17
RE: Firewall clients bypass http filter - 21.Feb.2005 3:15:00 PM
pauli1
We have a similar problem. Users doing HTTP and FTP requests via the proxy client should be allowed, but should be routed to the ISA web filters, and this is currently not the case. That's why it's bypassing e.g. Antivirus and SurfControl. It's a long-standing issue in ISA 2000; did they forget to solve it in ISA 2004?
The issue: for a number of reasons (special applications which need to have Internet access) we have to deploy the proxy client. With that proxy client the users can, if they disable the proxy in Internet Explorer, circumvent the security plugins (Antivirus and SurfControl) in ISA, AND IT SEEMS NOT TO HAVE CHANGED in ISA 2004.

Post #: 18
RE: Firewall clients bypass http filter - 23.Feb.2005 10:18:00 PM   
Guest
You could also turn off the firewall client if it's not needed. Of course, for those who do need a "transparent" proxy this is going to cause some issues.

Post #: 19
RE: Firewall clients bypass http filter - 16.Mar.2005 9:58:00 PM
iq90
Yes, it works! You're great!
quote:
Originally posted by Francky 35:
...You should first create a new protocol definition which uses port 80 with TCP outbound, and YOU MUST NOT ASSOCIATE IT WITH THE WEB FILTER...


Post #: 20