• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Internet Explorer Auto Detect

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> Internet Explorer Auto Detect Page: [1]
Message << Older Topic   Newer Topic >>
Internet Explorer Auto Detect - 17.Mar.2005 11:33:00 AM   


Posts: 7
Joined: 17.Mar.2005
Status: offline
I have a couple of questions if you can help me please.

My environment..

ISA 2004 working as a proxy. It is configured to only allow internet access to users of the web_users group. This works fine. However if you are not a member of this group you can still go into internet control panel and enable auto detect and this lets you out on the web.

So I thought simple iÆll make a group policy in AD and deny access to the internet control panel and at the same time configure it to use a proxy server called.. fake_proxy. This also works.

I have an OU called Internet users. This is where the security group, Web_users is. On this OU I created a group policy to allow access to the Internet control panel and configured the proxy settings to use my correct proxy server.

On this OU I blocked inheritance and on this specific policy I configured it to: æNo Override: Prevents other group policy objects from overriding policy set in this one.Æ

My User account exits in an OU called IT and I made myself a member of the Web_users group and relogged onto the network, applying the security settings. I got blocked access to internet control panel and try to use a fake_proxy address, denying me access to the internet. But because I am a member of the web_users group I should have been allowed.

I moved my user account into the Internet_users OU, relogged on and I got the correct settings and allowed access to the internet.

So why wont the group policy allow me to apply it to members that belong to the web_users group. I donÆt really want to move all those users into that OU as I have the AD structured to the layout of the company.

Or does anyone know how to prevent autodetect all together, or explain to me how auto detect works and how a users can get internet access as this by passess the proxy.

Many Thanks
Post #: 1
RE: Internet Explorer Auto Detect - 17.Mar.2005 2:38:00 PM   


Posts: 7
Joined: 17.Mar.2005
Status: offline
Ok I have configured all the users internet exporers to go throught the proxy and only those who belong to the web users group can get out on the internet. However if someone was to plug there own laptop onto the network and log onto itself and not the domain the group policy isnt being applied. The user can then set their ie 6 to auto detect and they can get access to the internet, bypassing the proxy.

Does anyone know how to stop this from happening. How does auto detect work?? via DNS etc?

please help

(in reply to bunj)
Post #: 2
RE: Internet Explorer Auto Detect - 17.Mar.2005 2:44:00 PM   


Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Sounds to me like you have a rule in ISA that allows access without authentication. Rather than do a GPO kludge to work around it, fix the rule.

(in reply to bunj)
Post #: 3
RE: Internet Explorer Auto Detect - 17.Mar.2005 5:03:00 PM   


Posts: 7
Joined: 17.Mar.2005
Status: offline
I have looked at the rules. And they seem ok.

I have one that allows access on all_traffic for web_users group.

Another rule saying deny all_traffic for All_users.

Works ok if i am logged onto the domain. and Internet explorer is configured to use that proxy.

Auto detect seems to bypass the proxy

and therefore no rules are applied.

(in reply to bunj)
Post #: 4
RE: Internet Explorer Auto Detect - 18.Mar.2005 3:33:00 PM   


Posts: 107
Joined: 26.Feb.2004
From: UK
Status: offline
I agree it sounds like clients are defaulting back to secure NAT (their Default Gateway is pointing at the ISA server) which only works if there is a rule that allows un-authenticated access. Remember the order of your rules is very important, double check that if you think all your rules are ok.

(in reply to bunj)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> Internet Explorer Auto Detect Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts