Solved

Bypass Proxy Server Settings For Laptops Used Outside Office LAN

Posted on 2006-04-14
Last Modified: 2010-05-18
Hi,
We have a Windows 2003 domain of about 100 users and use ISA 2004 as a proxy server. We are about to add about twenty laptop users who will frequently need to access the internet from outside the office network. Company policy states that all laptop users must log onto the domain even when out of the office (using cached credentials), all of them are set up for DHCP. The problem is that a group policy is applied to all machines to apply the Internet Explorer proxy settings that are used in the office. We do not want users changing any settings on their machines (they all have standard user level accounts - none of them are even power users). How do we ensure the machines are able to access the internet as standalone PCs through their default gateway (logged onto the domain with cached credentials) while out of the office but through the ISA proxy when on the office LAN? We don't want to set for autodetect of proxy server because most of the users are company directors (you know what they can be like!) and they complain that it takes too long to connect when we do.

Thank You
0
Comment
Question by:ShinyApples
15 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16457552
In short, you cannot with standard tools. This is one of the most frequent questions I deal with for ISA server. That said, the options are:

1. I hear you about the settings; however, the group policy can be set to 'set the proxy' but you do not have to take away the option. On your internal network, only allow external access from the ISA server and your servers. Therefore, when in the office, users will have to have the proxy enabled else they will not get out to the Internet. When they are outside they can remove the proxy to get to sites as required.

2. Get a hold of the MS Action Packs. I cannot recall the name of the issue but there is a tool that does exactly what you are asking for.

Regards
Keith
ISA MCT
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16457560
PS. I'll see if I can find the Action Pack but it was some time ago.
0
 
LVL 9

Expert Comment

by:Pentrix2
ID: 16458387
I've been subscribing to this service for the past 4 years so if you know the name of it I can try it out with ISA 2004 and in a Windows 2003 native domain.


Pen
0

 
LVL 9

Expert Comment

by:jjoseph_x
ID: 16458925
Keith is much better in ISA 2004 than I am, so he could probably tell you how to do this, but a good solution might be to use ISA 2004 as a transparent proxy in your office.

That way, the clients wouldn't need to configure IE to use a proxy, because any requests that go out to the internet will automatically go through ISA and be proxied.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16459084
Hello Pentrix. Long time no see :). I've emailed a colleague to ask the name. If you have access to it, that will be a real help; thanks. I remember that it was a utility that detected whether you were connected to the domain or not. That can be the trigger on whether the group policy is applied or not.
JJoseph, you do fine in ISA yourself as well, you know. The above is simply my view given the info; if I have missed something though, please throw it in lol.

Shiny, is the box in Proxy only mode or are you using it as a firewall as well?

0
 

Author Comment

by:ShinyApples
ID: 16459916
Hi Keith and others, thanks for the advice - sorry I didn't reply earlier but I've been asleep in bed! We've only just started using ISA but find it's a fantastic piece of software - the most flexible and intuitive firewall product I have ever used, trouble is we're not that familiar with it yet. Anyway, the ISA box is in firewall as well as proxy mode. We are also Action Pack and MSDN subscribers so the name of any such tool would be really useful. By the way, what is transparent proxy mode?

Cheers

Shiny
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16459956
Transparent mode is when you forward traffic to ISA (within IE proxy settings) on port 80 rather than port 8080, which is the normal ISA proxy setting.

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx

It will take me till Tuesday to get the name of the pack as I am unsure if my colleagues will pick up their emails until we are back to work. If you are subscribers as well, the utility allowed you to detect whether you were connected to the domain or not (running online to the server or in cached-credential mode and therefore offline to the servers). I don't use it at home but I know they subscribe personally as it is so cheap.

0
 

Author Comment

by:ShinyApples
ID: 16460212
Thanks Keith,
I am in the middle of an Easter holiday domain migration at the moment so am a bit busy to say the least. I will check out your advice as soon as I get the chance and get back to you asap.

Thanks again.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16460386
Not really given any advice as yet; just been questions..... but we can go for it when you are ready.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16460583
What about using autoconfig file and setting up a proxy.pac script? See below.  Notes for below sample:

     a.b.c.d is your IP subnet and e.f.g.h is your subnet mask
     a.b.c.x is the IP address of your proxy server and 8080 is the port it listens on

You place the sample script ON each laptop and then in IE configuration options specify:

     file://c:/inetpub/wwwroot/autoproxy.pac

in the automatic configuration script address (yes the slash must be forward slashes, NOT backward slashes).  It must be on the laptop, or it can't find it when it attempts to use it.

Saving the below sample in the C:\inetpub\wwwroot\autoproxy.pac file (or wherever you want):

function FindProxyForURL(url, host)
{
/* --------------------------------------------------------------- */
/* If IP address is inside our LAN use proxy. */                  
/* Otherwise go direct. */
/* --------------------------------------------------------------- */
if (isInNet(myIpAddress(), "a.b.c.d", "e.f.g.h"))
   {
    return "PROXY a.b.c.x:8080";
    }
else
   {
    return "DIRECT";
    }
}
0
 

Author Comment

by:ShinyApples
ID: 16496376
Hi Giltjr

I would like to use the proxy.pac and was wondering if this can be used in conjunction with an internal web site and how I would go about doing this?

After your suggestion I did a bit of investigation online which says you can set GP on the Domain to specify automatic configuration script that points to an internal web site. As you suggested this sends the user out through the proxy server.

Will this work when the user is at home being that the script points to an internal site?

Example

function FindProxyForURL(url, host)
{
 if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
  return "PROXY 192.168.1.1:8080";
 else
  return "DIRECT";
}

If this is possible how do we setup the web site? So that browsers run the script?  

Cheers shiny

I will be giving you the points








0
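Added example (not part of any post in this thread): the subnet-based PAC logic posted above, run under Node.js with stand-ins for the browser's PAC helpers, showing what it returns on a home network that also uses 192.168.1.0/24, next to a variant that additionally requires an internal-only name to resolve. The host name isa.corp.example, the client addresses and the pacEnv/evaluate helpers are assumptions made for the illustration.

```javascript
// Added example: in a real PAC file myIpAddress/isInNet/isResolvable are browser globals;
// here they are stubbed per simulated location so the logic can be checked offline.
function ipToInt(ip) {
  // Dotted-quad IPv4 -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function pacEnv(clientIp, resolvableHosts) {
  const masked = (ip, mask) => (ipToInt(ip) & ipToInt(mask)) >>> 0;
  return {
    myIpAddress: () => clientIp,
    isInNet: (ip, net, mask) => masked(ip, mask) === masked(net, mask),
    isResolvable: (host) => resolvableHosts.includes(host),
  };
}

// Logic as posted in the thread: the client's subnet alone decides.
function subnetOnlyPac(env) {
  return function FindProxyForURL(url, host) {
    if (env.isInNet(env.myIpAddress(), "192.168.1.0", "255.255.255.0"))
      return "PROXY 192.168.1.1:8080";
    return "DIRECT";
  };
}

// Variant: also require that a name served only by internal DNS resolves
// (isa.corp.example is a hypothetical internal host name).
function nameCheckPac(env) {
  return function FindProxyForURL(url, host) {
    if (env.isInNet(env.myIpAddress(), "192.168.1.0", "255.255.255.0") &&
        env.isResolvable("isa.corp.example"))
      return "PROXY 192.168.1.1:8080";
    return "DIRECT";
  };
}

// Constructed sample locations: client IP plus the names its DNS can resolve.
const LOCATIONS = {
  office: pacEnv("192.168.1.57", ["isa.corp.example"]),
  homeSameSubnet: pacEnv("192.168.1.23", []),
  hotel: pacEnv("10.20.30.40", []),
};

function evaluate(makePac) {
  const out = {};
  for (const [name, env] of Object.entries(LOCATIONS))
    out[name] = makePac(env)("http://www.example.com/", "www.example.com");
  return out;
}
console.log(evaluate(subnetOnlyPac), evaluate(nameCheckPac));
```

isResolvable reflects whatever DNS the laptop is currently using, so it is a location hint rather than proof that the machine is on the office LAN.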
 
LVL 9

Expert Comment

by:Pentrix2
ID: 16496629
Hey Keith, been busy with work so haven't gotten a chance to assist members as often as I would like. Let me know the name of the utility if you find out, but in the meantime I'll search through my collection.


Pentrix2
0
 
LVL 57

Accepted Solution

by:
giltjr earned 750 total points
ID: 16497296
ShinyApples, yes, technically you can set it up to point to an internal web server, you would just code:

    http://webserver/proxy.pac

instead of:

    file://c:/inetpub/wwwroot/autoproxy.pac

However, think about this.  You want this to work on laptops when they are NOT connected to your LAN.  How are they going to get the proxy.pac file from your internal web server when they are not connected to your Internal LAN?
0
 

Author Comment

by:ShinyApples
ID: 16557069
Thanks for your comments they were very helpful

I have spoken to a colleague of mine about the proxy.pac web site; he has this implemented at their current place of work and it works.

He informs me that once the browser uses the http://webserver/proxy.pac script, it caches the information and continues to use it, even when the user goes home and can no longer contact the internal web site.

thanks

Shiny


0
 
LVL 57

Expert Comment

by:giltjr
ID: 16557146
I was thinking about it, it would cache it just like any other page. I would also assume that if it could not load the file, that it would just act like the file did not exist.

I have it on my laptop because I used proxies at work and at home.  Glad to see it works.
0


Question has a verified solution.
