
Enforcing proxy use

Bradtechonline

Senior member
I have a Windows 2003 server domain with around 400 users. I have a proxy server that has web filtering content *Websense*. I have users that have tried to get around this by directly connecting to the internet by downloading third party browsers such as Opera and Firefox.

I can enforce Internet Explorer via GPO to use port 8080 which is my web filtering server. However, users that are not part of my domain can still get unfiltered web access via using port 80, and a third party browser.

I've denied access to all websites I can find that allow downloading of these programs, denied access to files such as firefox.exe in my GPOs *which people just rename to something else to bypass*, and file downloads through Internet Explorer.

I'd really like to have a setup where I don't have to worry about users bypassing the proxy. I'd like for any computer that is plugged into my network to be filtering via my proxy, or have no web access at all.

 
You're attacking this at the wrong level, you really should have a firewall at your border only allowing connections to the Internet from authorized machines like the proxy.
 
Originally posted by: Nothinman
You're attacking this at the wrong level, you really should have a firewall at your border only allowing connections to the Internet from authorized machines like the proxy.

I'm running ISA Server 2004 at the moment. I'll look into the capabilities of it, and see if it can do this. I've been searching for a good hardware based firewall, and hopefully will be getting an ASA or Sonicwall.
 
Hmm, I'm curious what is warranting such strict restrictions on internet use? Seems pretty harsh to me.

That being said you could also prevent users who aren't on the domain from accessing anything on any port until they join the domain with a simple redirection that takes them to a web page you designed that tells them how hard you just pwned them 🙂.
 
Originally posted by: krotchy
Hmm, I'm curious what is warranting such strict restrictions on internet use? Seems pretty harsh to me.

That being said you could also prevent users who aren't on the domain from accessing anything on any port until they join the domain with a simple redirection that takes them to a web page you designed that tells them how hard you just pwned them 🙂.


In a corporate scene, there are millions of reasons. An example is if one guy is surfing something and it has a NSFW ad, someone walks by and sees it, now the company is liable for sexual harassment, because 1, they created the environment that put the employee into this situation (with the office and equipment), then did nothing to avoid it. In this world, this is a very big problem, so nearly every place stops almost all types of websites.

But back to the OP, I would also agree that you need to stop it at the firewall. If you do not, then you will always be spinning your wheels on this issue. I was doing a very similar thing a few years back, and I found that 600 users were actually very determined and actually somewhat ingenious. Then I finally got the budget to get a Symantec 5400 gateway. This allows me to create rules that allow me to group people into different categories. So people from the Spa get one set of rules, the general staff get another, then the directors get a third. SonicWall has great products too, so definitely go that route. Good luck.
 
I would not suggest going with a Sonicwall. I have no firsthand experience but from my understanding much of their product line tanks when you start to enable additional services like URL filtering.
 
I'm not sure why you are having problems forcing clients to use ISA's Web Proxy. Assuming that you are forcing all traffic to the Internet to pass through the ISA Server, then you just block all TCP Port 80 connections from all your client PCs and force them to connect through the Proxy Server on port 8080. It won't make any difference WHAT browser the clients are using...they won't get out on Port 80.
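The rule set RebateMonger describes (clients may only reach the proxy on 8080, only the proxy may reach the Internet on 80/443, everything else Internet-bound is dropped or redirected to an AUP page) can be modelled as an ordered, first-match policy, which is how a border firewall evaluates it. The Python below is an added example written for this thread, not configuration from ISA Server, Websense or any product named here; the LAN range, proxy address, proxy port and AUP-page address are constructed assumptions, and it also adds the redirect-to-AUP option mentioned later in the thread so the three verdicts (accept, redirect, drop) can be compared side by side.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed assumptions for the example; substitute your own addressing.
LAN = ip_network("10.0.0.0/16")        # internal client network
PROXY = ip_address("10.0.0.5")         # filtering proxy (ISA/Websense in the thread)
PROXY_PORT = 8080                      # port the GPO points Internet Explorer at
AUP_PAGE = ip_address("10.0.0.6")      # internal page explaining the acceptable-use policy


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the border firewall."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    @property
    def src_ip(self):
        return ip_address(self.src)

    @property
    def dst_ip(self):
        return ip_address(self.dst)


def internet_bound(f: Flow) -> bool:
    """True when an internal host is trying to reach something outside the LAN."""
    return f.src_ip in LAN and f.dst_ip not in LAN


# Ordered rule table: (name, match predicate, verdict). First match wins, so
# the proxy's own egress must be accepted BEFORE the generic redirect/drop rules.
Rule = tuple[str, Callable[[Flow], bool], str]
RULES: list[Rule] = [
    ("allow-client-to-proxy",
     lambda f: f.src_ip in LAN and f.proto == "tcp"
     and f.dst_ip == PROXY and f.dport == PROXY_PORT, "accept"),
    ("allow-proxy-egress",
     lambda f: internet_bound(f) and f.src_ip == PROXY, "accept"),
    # Direct HTTP from any other host: send the browser to the AUP page instead.
    ("redirect-direct-http",
     lambda f: internet_bound(f) and f.proto == "tcp" and f.dport == 80,
     f"redirect:{AUP_PAGE}:80"),
    # Anything else Internet-bound (HTTPS, alternate ports, UDP) is dropped.
    # Services the site legitimately needs (DNS forwarders, mail relay) would
    # get their own explicit accept rules above this line.
    ("drop-direct-internet", internet_bound, "drop"),
    # Traffic that stays inside the LAN is not subject to the web policy.
    ("allow-internal",
     lambda f: f.src_ip in LAN and f.dst_ip in LAN, "accept"),
]
DEFAULT_VERDICT = "drop"   # default deny, including traffic not from the LAN


def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, name of the rule that matched) for a flow."""
    for name, match, verdict in RULES:
        if match(flow):
            return verdict, name
    return DEFAULT_VERDICT, "default-policy"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is documentation address space.
    samples = [
        Flow("10.0.1.20", "10.0.0.5", 8080),     # IE via GPO -> proxy
        Flow("10.0.0.5", "203.0.113.10", 80),    # proxy fetching on behalf of a client
        Flow("10.0.1.20", "203.0.113.10", 80),   # renamed firefox.exe going direct
        Flow("10.0.1.20", "203.0.113.10", 443),  # direct HTTPS attempt
        Flow("10.0.1.20", "10.0.1.21", 445),     # file sharing inside the LAN
        Flow("198.51.100.7", "10.0.0.5", 8080),  # outsider probing the proxy port
    ]
    for f in samples:
        verdict, rule = decide(f)
        print(f"{f.src}:{f.dport} -> {f.dst}  {verdict:<22} ({rule})")
```

Because the decision is made on addresses and ports, the browser in use and domain membership are irrelevant, which is the point the post makes: a non-domain laptop plugged into the LAN gets the same redirect or drop as a domain PC.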
 
Originally posted by: Tsaico
Originally posted by: krotchy
Hmm, I'm curious what is warranting such strict restrictions on internet use? Seems pretty harsh to me.

That being said you could also prevent users who aren't on the domain from accessing anything on any port until they join the domain with a simple redirection that takes them to a web page you designed that tells them how hard you just pwned them 🙂.


In a corporate scene, there are millions of reasons. An example is if one guy is surfing something and it has a NSFW ad, someone walks by and sees it, now the company is liable for sexual harassment, because 1, they created the environment that put the employee into this situation (with the office and equipment), then did nothing to avoid it.

That is wrong....it is NOT the company's fault unless they knew the problem existed (someone browsing NSFW sites) and it was complained about, and THEN they didn't stop it.

The sexual harassment thing is NOT as easy to push as some people think....
 
Originally posted by: RebateMonger
I'm not sure why you are having problems forcing clients to use ISA's Web Proxy. Assuming that you are forcing all traffic to the Internet to pass through the ISA Server, then you just block all TCP Port 80 connections from all your client PCs and force them to connect through the Proxy Server on port 8080. It won't make any difference WHAT browser the clients are using...they won't get out on Port 80.


Indeed, whatever is your border router is the proper place to force the proxy server, either by redirecting all port 80 requests to an internal page with an AUP and info on setting up the proxy, redirecting the request to the proxy, or just flat out dropping the packets.
 
Perhaps, but the lawyers over here are always griping about the technical loopholes. Such as having the ability to block the content, but not doing so. Their prediction on these things is that as IT
1. we do know the content is out there,
2. our logs can show people are visiting,
3. because we chose to either not read the logs, not block the content,

It still opens us to litigation even if there is nothing else. According to our lawyers, they only need to prove knowledge of the situation (which apparently is true even if we technically did not know but should have because we have the evidence to verify or not) and lack of action to correct the issue. They do not need to prove they complained and nothing was done.

While this may not be true, that is just what is being told to us all the time. (especially since I trust mweaver on many other issues!) Whether or not they will have a strong case, that is a totally different issue.
 
I had to take a huge Sexual Harassment class (all management did) and it's more than someone overhearing a dirty joke....being a prude is NOT a protected class (yet) however...IANAL

for more on this...----->P & N is that way (or maybe it's <-------that way for you)


anyway, forcing proxy use based on layer 3 (at your router) is a good way to do this. If you find people bypassing the proxy, it's time to get HR involved....bypassing security should be a fireable offense.
 
Another supporter of the simple solution of having your firewall blackhole all TCP_80 traffic that doesn't originate from the proxy server.

/waits for response from OP

- M4H
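Once the border firewall is the enforcement point, as the last few posts recommend, its drop and redirect logs become the evidence for the "get HR involved" step: every logged direct-to-Internet attempt on 80/443 from a non-proxy host is a bypass attempt. The script below is an added example for this thread, not output or code from any product mentioned in it; the log lines are constructed (the format is a made-up syslog-style layout, not ISA Server's) and the escalation threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed firewall log in a made-up syslog-style format (not ISA Server's
# real log format). REDIRECT = direct HTTP sent to the AUP page; DROP = blocked.
SAMPLE_LOG = """\
2008-03-04T09:12:31 fw kernel: REDIRECT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=203.0.113.10 PROTO=TCP DPT=80
2008-03-04T09:12:33 fw kernel: REDIRECT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=203.0.113.10 PROTO=TCP DPT=80
2008-03-04T09:13:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=203.0.113.10 PROTO=TCP DPT=443
2008-03-04T09:15:40 fw kernel: REDIRECT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=198.51.100.25 PROTO=TCP DPT=80
2008-03-04T09:15:41 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=198.51.100.25 PROTO=TCP DPT=443
2008-03-04T09:16:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=198.51.100.25 PROTO=TCP DPT=443
2008-03-04T09:20:11 fw kernel: REDIRECT IN=eth1 OUT=eth0 SRC=10.0.1.31 DST=203.0.113.10 PROTO=TCP DPT=80
2008-03-04T09:20:12 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.1.31 DST=203.0.113.10 PROTO=TCP DPT=443
2008-03-04T09:21:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.1.31 DST=203.0.113.10 PROTO=UDP DPT=53
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: (?P<action>DROP|REDIRECT) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def bypass_attempts(lines, web_ports=(80, 443)):
    """Summarise direct web attempts per source host.

    Only TCP to the web ports counts as a proxy bypass; a dropped DNS packet,
    for instance, is a different problem and is left out of the tally.
    """
    summary = defaultdict(lambda: {"attempts": 0, "destinations": set(),
                                   "first": None, "last": None})
    for rec in parse(lines):
        if rec["proto"] != "TCP" or rec["dport"] not in web_ports:
            continue
        entry = summary[rec["src"]]
        entry["attempts"] += 1
        entry["destinations"].add(rec["dst"])
        entry["first"] = entry["first"] or rec["ts"]   # lines are in time order
        entry["last"] = rec["ts"]
    return dict(summary)


def escalate(summary, threshold=5):
    """Hosts whose attempt count reaches the (assumed) threshold, worst first."""
    flagged = [(src, e["attempts"]) for src, e in summary.items()
               if e["attempts"] >= threshold]
    return sorted(flagged, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    summary = bypass_attempts(SAMPLE_LOG.splitlines())
    for src, e in sorted(summary.items()):
        print(f"{src}: {e['attempts']} attempts to {len(e['destinations'])} "
              f"hosts between {e['first']} and {e['last']}")
    print("escalate to HR:", escalate(summary))
```

A single redirect is usually a user who has not read the AUP page yet; repeated attempts across several destinations from one host, as 10.0.1.20 shows in the sample, is the pattern worth raising, and the firewall log gives the timestamps to back it up.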
 