Bypass Proxy Server Settings For Laptops Used Outside Office LAN

Hi,
We have a Windows 2003 domain of about 100 users and use ISA 2004 as a proxy server. We are about to add about twenty laptop users who will frequently need to access the internet from outside the office network. Company policy states that all laptop users must log onto the domain even when out of the office (using cached credentials); all of them are set up for DHCP. The problem is that a group policy is applied to all machines to apply the Internet Explorer proxy settings that are used in the office. We do not want users changing any settings on their machines (they all have standard user level accounts - none of them are even power users). How do we ensure the machines are able to access the internet as standalone PCs through their default gateway (logged onto the domain with cached credentials) while out of the office but through the ISA proxy when on the office LAN? We don't want to set for autodetect of proxy server because most of the users are company directors (you know what they can be like!) and they complain that it takes too long to connect when we do.

Thank You
ShinyApples Asked:

Keith Alabaster (Enterprise Architect) Commented:
In short, you cannot with standard tools. This is one of the most frequent questions I deal with for ISA server. That said, the options are:

1. I hear you about the settings; however, the group policy can be set to 'set the proxy' but you do not have to take away the option. On your internal network, only allow external access from the ISA server and your servers. Therefore, when in the office, users will have to have the proxy enabled else they will not get out to the Internet. When they are outside they can remove the proxy to get to sites as required.

2. Get a hold of the MS Action Packs. I cannot recall the name of the issue but there is a tool that does exactly what you are asking for.

Regards
Keith
ISA MCT
0
Keith Alabaster (Enterprise Architect) Commented:
PS. I'll see if I can find the Action Pack but it was some time ago.
0
Pentrix2 Commented:
I've been subscribing to this service for the past 4 years so if you know the name of it I can try it out with ISA 2004 and in a Windows 2003 native domain.


Pen
0
jjoseph_x Commented:
Keith is much better in ISA 2004 than I am, so he could probably tell you how to do this, but a good solution might be to use ISA 2004 as a transparent proxy in your office.

That way, the clients wouldn't need to configure IE to use a proxy, because any requests that go out to the internet will automatically go through ISA and be proxied.
0
Keith Alabaster (Enterprise Architect) Commented:
Hello Pentrix. Long time no see :). I've emailed a colleague to ask the name. If you have access to it, that will be a real help; thanks. I remember that it was a utility that detected whether you were connected to the domain or not. That can be the trigger on whether the group policy is applied or not.
JJoseph, you do fine in ISA yourself as well, you know. The above is simply my view given the info; if I have missed something though, please throw it in lol.

Shiny, is the box in Proxy only mode or are you using it as a firewall as well?

0
ShinyApples (Author) Commented:
Hi Keith and others, thanks for the advice - sorry I didn't reply earlier but I've been asleep in bed! We've only just started using ISA but find it's a fantastic piece of software - the most flexible and intuitive firewall product I have ever used; trouble is we're not that familiar with it yet. Anyway, the ISA box is in firewall as well as proxy mode. We are also Action Pack and MSDN subscribers so the name of any such tool would be really useful. By the way, what is transparent proxy mode?

Cheers

Shiny
0
Keith Alabaster (Enterprise Architect) Commented:
Transparent mode is when you forward traffic to ISA (within IE proxy settings) on port 80 rather than port 8080, which is the normal ISA proxy setting.

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx

It will take me till Tuesday to get the name of the pack as I am unsure if my colleagues will pick up their emails until we are back to work. If you are subscribers as well, the utility allowed you to detect whether you were connected to the domain or not (running online to the server or in cached-credential mode and therefore offline to the servers). I don't use it at home but I know they subscribe personally as it is so cheap.

0
ShinyApples (Author) Commented:
Thanks Keith,
I am in the middle of an Easter holiday domain migration at the moment so am a bit busy to say the least. I will check out your advice as soon as I get the chance and get back to you asap.

Thanks again.
0
Keith Alabaster (Enterprise Architect) Commented:
Not really given any advice as yet; just been questions..... but we can go for it when you are ready.
0
giltjr Commented:
What about using autoconfig file and setting up a proxy.pac script? See below.  Notes for below sample:

     a.b.c.d is your IP subnet and e.f.g.h is your subnet mask
     a.b.c.x is the IP address of your proxy server and 8080 is the port it listens on

You place the sample script ON each laptop and then in IE configuration options specify:

     file://c:/inetpub/wwwroot/autoproxy.pac

in the automatic configuration script address (yes, the slashes must be forward slashes, NOT backward slashes). It must be on the laptop, or it can't find it when it attempts to use it.

Save the below sample in the C:\inetpub\wwwroot\autoproxy.pac file (or wherever you want):

function FindProxyForURL(url, host)
{
/* --------------------------------------------------------------- */
/* If IP address is inside our LAN use proxy. */                  
/* Otherwise go direct. */
/* --------------------------------------------------------------- */
if (isInNet(myIpAddress(), "a.b.c.d", "e.f.g.h"))
   {
    return "PROXY a.b.c.x:8080";
    }
else
   {
    return "DIRECT";
    }
}
0
ShinyApples (Author) Commented:
Hi Giltjr

I would like to use the proxy.pac and was wondering if this can be used in conjunction with an internal web site and how I would go about doing this?

After your suggestion I did a bit of investigation online which says you can set GP on the Domain to specify automatic configuration script that points to an internal web site. As you suggested this sends the user out through the proxy server.

Will this work when the user is at home being that the script points to an internal site?

Example

function FindProxyForURL(url, host)
{
 if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
  return "PROXY 192.168.1.1:8080";
 else
  return "DIRECT";
}

If this is possible, how do we set up the web site so that browsers run the script?

Cheers shiny

I will be giving you the points
0
Pentrix2 Commented:
Hey Keith, been busy with work so haven't gotten a chance to assist members as often as I would like. Let me know the name of the utility if you find out, but in the meantime I'll search through my collection.


Pentrix2
0
giltjr Commented:
ShinyApples, yes, technically you can set it up to point to an internal web server, you would just code:

    http://webserver/proxy.pac

instead of:

   file://c:/inetpub/wwwroot/autoproxy.pac

However, think about this.  You want this to work on laptops when they are NOT connected to your LAN.  How are they going to get the proxy.pac file from your internal web server when they are not connected to your Internal LAN?
0

ShinyApples (Author) Commented:
Thanks for your comments, they were very helpful.

I have spoken to a colleague of mine about the proxy.pac web site; he has this implemented at their current place of work and it works.

He informs me that once the browser uses the http://webserver/proxy.pac script, it caches the information and continues to use it, even when the user goes home and can no longer contact the internal web site.

thanks

Shiny


0
giltjr Commented:
I was thinking about it, it would cache it just like any other page. I would also assume that if it could not load the file, that it would just act like the file did not exist.

I have it on my laptop because I used proxies at work and at home.  Glad to see it works.
0
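
Added example (not part of any post in this thread): a Node.js harness that stubs the PAC helper functions and runs the subnet-only script from the thread against three simulated networks, including a home LAN that uses the same 192.168.1.0/24 range as the office, next to a variant that also requires an internal-only name to resolve. The hostname isa.corp.example, the sample client addresses and the names pacHelpers, subnetOnlyPac, subnetAndDnsPac and decide are assumptions made for the illustration.

```javascript
// Added example: offline harness for PAC logic. All addresses and the
// hostname isa.corp.example are constructed for illustration.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// Stubs for the helpers a browser supplies to a PAC script.
function pacHelpers(env) {
  return {
    myIpAddress: () => env.ip,
    isInNet: (ip, net, mask) =>
      ((ipToInt(ip) & ipToInt(mask)) >>> 0) ===
      ((ipToInt(net) & ipToInt(mask)) >>> 0),
    isResolvable: (host) => env.resolvable.includes(host),
  };
}

// The script as posted in the thread: subnet test only.
function subnetOnlyPac({ myIpAddress, isInNet }) {
  return function FindProxyForURL(url, host) {
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
      return "PROXY 192.168.1.1:8080";
    return "DIRECT";
  };
}

// Variant (assumption): also require a name that only internal DNS serves.
function subnetAndDnsPac({ myIpAddress, isInNet, isResolvable }) {
  return function FindProxyForURL(url, host) {
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0") &&
        isResolvable("isa.corp.example"))
      return "PROXY 192.168.1.1:8080";
    return "DIRECT";
  };
}

// Constructed network scenarios.
const networks = {
  office: { ip: "192.168.1.57", resolvable: ["isa.corp.example"] },
  hotel: { ip: "10.20.30.40", resolvable: [] },
  homeSameSubnet: { ip: "192.168.1.23", resolvable: [] },
};

function decide(pacFactory, name) {
  const pac = pacFactory(pacHelpers(networks[name]));
  return pac("http://www.example.com/", "www.example.com");
}

for (const name of Object.keys(networks))
  console.log(name, "|", decide(subnetOnlyPac, name), "|", decide(subnetAndDnsPac, name));
```

In the constructed homeSameSubnet case the subnet-only script still returns the proxy, so the browser sends traffic to whatever device holds 192.168.1.1 on that LAN, while the variant with isResolvable returns DIRECT. isResolvable performs a DNS lookup when the script is evaluated, so it adds some latency.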