Re: How to Prevent Non Proxy Use of Web Browsers
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Thu, 27 Mar 2008 09:13:28 -0500
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:bbidnTgnVvGqtXbanZ2dnUVZ_tuonZ2d@xxxxxxxxxxxxxxx
> I'm configuring several network segments behind our ISA to use web proxy.
> So far I like that and really like being able to use DNS names instead of
> IPs in my firewall rules through use of DNS objects. What is required
> to *force* all web browsing to go through web proxy and forbid direct
> browsing without web proxy?
Direct browsing is just simply not possible in a properly designed
topology because the ISA is *physically* in the way. There is no way to go
through the ISA and somehow "not" use its services.
All that is happening is if the user removes the proxy settings in the
browser then the client will simply switch to being either a SecureNAT
Client or a Firewall Client. This is not "direct browsing",..it is just
simply switching which service of ISA is being used.
To eliminate SecureNAT Clients just don't have anonymous Rules. SecureNAT
is not capable of authenticating, therefore "No anonymous rules = No
SecureNAT Clients". Also SecureNAT Clients rely on Layer3 routing,...that
is the ISA must be in the Default Routing Path to the Internet,...so if you
don't have ISA in the LAN's Default Routing Path,...or simply eliminate
Default Gateways on the LAN completely then there will be no SecureNAT
Clients.
To eliminate Firewall Clients, just simply don't install the Firewall Client
software.
> 1) We have web proxy enabled on the ISA on port 8080. So how is it that
> firewall rules that authorize HTTP (port 80) access and HTTPS (port 443)
> access are working through a web proxy on port 8080? Is there some kind
> of implicit cooperation of the firewall rules for http/https/ftp when web
> proxy is enabled?
Stop thinking of a proxy as if it was a "router". Proxies are not
"routers",...they do not route anything. Clients do not go "through" a
proxy, they go *to* a proxy.
1. The user sends a http/https request to the web proxy service, then waits.
2. The proxy takes the request and "does all the work" of going to the Web,
retrieving the content,..and "copies" it back to the user.
3. The client does not "go" anywhere.
So ISA is "listening" on port 8080 for "requests" from the Clients.
It is ISA that communicates to the web with http/https/ftp as long as the
Client is "allowed" those protocols. After retrieving the data it uses the
data to "answer" the Client's "request".
The same general process takes place with Firewall Clients. The "firewall
service" is really just a "Winsock Proxy Service". MS actually "just
called it that" in the old MS Proxy2, and they never should have changed
that and caused so much confusion in my opinion. So it is still a "proxying
service", but it is based on "Windows Sockets" instead of "WinInet". Being
based on Windows Sockets is what makes it vastly more capable than the Web
Proxy Service.
Only the SecureNAT Service is not a "proxying service",...it is a NAT
Service,...just like traditional "hardware firewalls" and the "home user
routers". It is based on NAT and not "routing",...however NAT by nature
depends on Layer3 routing as the underlying "engine".
It can do more protocols than the Web Proxy or Winsock Services, which are
limited to TCP & UDP,...but it is limited by the fact that there is no
authentication, so the Access Rules that are used by it must be anonymous.
> 2) I am quite confused by the option in web proxy configuration to allow
> HTTPS as a separate proxy, with a certificate supplied. If we do NOT
> configure that option, is HTTPS access simply bypassing web proxy and
> reverting to direct HTTPS access?
That doesn't make any sense. I have no idea what you are looking at there.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
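As an added illustration of the point made in the reply above (clients go *to* a proxy rather than through it, and the proxy then fetches the content itself), the following Python example is not part of the original thread. It classifies constructed HTTP request lines by what a browser sends with proxy settings on (absolute-URI GET, or CONNECT for HTTPS) versus off (origin-form GET), and rebuilds the origin-form request a proxy would issue on the client's behalf; host names and lines are constructed samples.

```python
# Added example (not from the original post): how a browser's request looks when it
# is configured to use a web proxy versus when it tries to reach the server directly.
# All request lines and host names below are constructed sample data.
import re
from urllib.parse import urlsplit

CONNECT_TARGET = re.compile(r"[^/:\s]+:\d+")  # "host:port" form used by CONNECT


def classify_request(request_line: str) -> str:
    """'proxy-get'     : absolute-URI request, browser is pointed at a proxy
       'proxy-connect' : CONNECT host:port, HTTPS tunnelled via the proxy
       'direct'        : origin-form request, browser talks to the server itself
       'invalid'       : anything else"""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "invalid"
    method, target, _version = parts
    if method == "CONNECT":
        # The proxy only opens a TCP tunnel; the TLS session stays end-to-end.
        return "proxy-connect" if CONNECT_TARGET.fullmatch(target) else "invalid"
    if target.startswith("http://"):
        return "proxy-get"
    if target.startswith("/"):
        return "direct"
    return "invalid"


def to_origin_request(request_line: str) -> tuple[str, int, str]:
    """For a 'proxy-get' line, return (host, port, origin-form request) that the proxy
    itself sends to the web server. This is the 'proxy does all the work' step: the
    client never opens a connection to the origin server."""
    method, target, version = request_line.strip().split(" ")
    u = urlsplit(target)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    return u.hostname, port, f"{method} {path} {version}\r\nHost: {u.netloc}\r\n"


def count_by_kind(lines: list[str]) -> dict[str, int]:
    """Tally request kinds, e.g. from a packet capture on the proxy listener port."""
    counts: dict[str, int] = {}
    for line in lines:
        kind = classify_request(line)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


SAMPLE_LINES = [  # constructed
    "GET http://www.example.com/index.html?a=1 HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]
```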