Isa 2006 - Web Proxy Issue


  • Isa 2006 - Web Proxy Issue

    I have just deployed ISA Server 2006 in my company and I have created a URL set to deny access to certain websites. I have created a GPO which gives all users the proxy settings in IE for my ISA server, and when they try to access these sites they get the standard 'network access message'. But if the users take these proxy settings out, they can access whatever they like (as though they aren't going through the ISA server).

    Is there anything I need to do to ensure all web access MUST go through the ISA server?

    Thanks

  • #2
    Re: Isa 2006 - Web Proxy Issue

    Is the ISA server in a single NIC or is it acting as your firewall?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Isa 2006 - Web Proxy Issue

      Single NIC



      • #4
        Re: Isa 2006 - Web Proxy Issue

        Well, another way to do this is to use the auto configuration URL.
        You only need to set auto detect in the proxy settings within ISA.

        Second, you should harden your regular firewall to disable all inbound traffic from the internal network except traffic from the ISA server, mail server and other servers.

        There is no other way, because the issue isn't on the ISA server itself.
        Marcel


        • #5
          Re: Isa 2006 - Web Proxy Issue

          Additionally, ensure that you have DHCP option 3 (Router) set to point to the ISA server as the default gateway on all clients. Wherever possible, ensure that users aren't running as administrators, so that they can't change the default gateway. Keep in mind though that this is only a little bit of extra cover - Dumber's suggestions are the ones that you need to implement to achieve what you want. You might also want to consider adding another NIC to the server and put ISA between the internet and your LAN.
          Last edited by gforceindustries; 19th December 2008, 12:12.
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.
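The egress restriction suggested in post #4 (only the ISA server, mail server and other servers may reach the internet directly) can be checked from the edge firewall's logs. This is an added example, not part of any post in this thread; the key=value log format, the LAN range and the server addresses are assumptions.

```python
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")   # assumed LAN range
# Assumed addresses of the hosts allowed straight out: ISA proxy, mail server.
DIRECT_EGRESS_OK = {ipaddress.ip_address(a) for a in ("10.0.0.10", "10.0.0.20")}
WEB_PORTS = {80, 443}

# Constructed sample lines in a made-up key=value format.
SAMPLE_LOG = """\
2008-12-19T09:00:01 action=allow src=10.0.0.10 dst=203.0.113.5 dport=80
2008-12-19T09:00:02 action=allow src=10.0.1.37 dst=203.0.113.5 dport=80
2008-12-19T09:00:03 action=deny src=10.0.1.42 dst=198.51.100.7 dport=443
2008-12-19T09:00:04 action=allow src=10.0.1.37 dst=10.0.0.10 dport=8080
2008-12-19T09:00:05 action=allow src=10.0.1.37 dst=198.51.100.7 dport=443
2008-12-19T09:00:06 action=allow src=10.0.0.20 dst=192.0.2.25 dport=25
malformed line without fields
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is unusable."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return (fields["action"], ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))
    except (KeyError, ValueError):
        return None

def audit_direct_web_egress(log_text):
    """Return (bypassed, blocked) Counters of direct web hits per client IP.

    bypassed: the firewall allowed it, so the egress rule has a gap.
    blocked: the firewall denied it, so that client is not using the proxy.
    """
    bypassed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        is_client = src in INTERNAL_NET and src not in DIRECT_EGRESS_OK
        if is_client and dst not in INTERNAL_NET and dport in WEB_PORTS:
            (bypassed if action == "allow" else blocked)[str(src)] += 1
    return bypassed, blocked

if __name__ == "__main__":
    bypassed, blocked = audit_direct_web_egress(SAMPLE_LOG)
    print("allowed direct (firewall rule gap):", dict(bypassed))
    print("blocked direct (client not using proxy):", dict(blocked))
```

Clients in the first counter show where the firewall still lets web traffic out around the proxy; clients in the second are being stopped correctly but have lost or removed their proxy settings.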



          • #6
            Re: Isa 2006 - Web Proxy Issue

            Errr, gateway to a single NIC ISA server?
            Hmmmm, then you are going to route back on the same interface, which can give you the weirdest issues. I wouldn't do that unless ISA is put back as a firewall instead of a proxy-only configuration.
            Marcel


            • #7
              Re: Isa 2006 - Web Proxy Issue

              For the cost of a NIC card I'd be tempted to install a second one and re-install ISA as a firewall/proxy. It's such a good product that I'd want to get the most out of it. That's just me though.

              I think though that the GPO may not be correctly configured, because users shouldn't be able to change proxy settings that are enforced by GPO. I may be wrong on that one, it's been so long since I set it up.
              BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
              Cruachan's Blog


              • #8
                Re: Isa 2006 - Web Proxy Issue

                Users can change the proxy settings if it's set by a GPO - what you would need to do is deny them access to the relevant section of the IE options dialog.
                Gareth Howells

                BSc (Hons), MBCS, MCP, MCDST, ICCE

                Any advice is given in good faith and without warranty.

                Please give reputation points if somebody has helped you.

                "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                Comment


                • #9
                  Re: Isa 2006 - Web Proxy Issue

                  Originally posted by gforceindustries:
                  "Users can change the proxy settings if it's set by a GPO - what you would need to do is deny them access to the relevant section of the IE options dialog."
                  I knew there was a way to do it, just couldn't remember what it was.
                  Cruachan's Blog


                  • #10
                    Re: Isa 2006 - Web Proxy Issue

                    Originally posted by cruachan:
                    "For the cost of a NIC card I'd be tempted to install a second one and re-install ISA as a firewall/proxy. It's such a good product that I'd want to get the most out of it. That's just me though."
                    Yes, I know, ISA is one of the best firewalls out there, but many companies don't want to switch as they know the other product.
                    Keep in mind that Check Point, Cisco (ASA) and Juniper also have very good firewalls.
                    Marcel

