Help blocking proxy servers on my network

I work for a very small company that is on a limited budget, but we would like to do our best at preventing access to proxy servers via the web to circumvent our web policies or blocked sites. The current layout of my infrastructure is a PIX 506E at the firewall (Cisco PIX Firewall Version 6.3(1)), and I have implemented a real on-the-cheap solution for web filtering by running a Windows 2003 server with DNS/DHCP and IIS on it. I route all DNS through the Windows server, where I created Forward Lookup Zones for the sites I want to block that point back to my IIS server, where users receive a warning page (my local index.html). If there is no zone, the query is passed along to our ISP's DNS for accurate resolution.

Is there a way to better protect the company from users going to the numerous proxy sites to circumvent the in-house DNS?

Please let me know your thoughts on this one.  


mccracky Commented:
As you mention a small company on a limited budget, I'd look into OpenDNS for your filtering.  That way others are helping you pick up new sites.

The next thing would be to put together a policy like enzogoy mentioned.

Other than that, the technical things to do would be:

1. Something like OpenDNS above.
2. At the firewall, block outgoing DNS for anyone other than your servers so they can't just change DNS servers to get around your blocking.
3. Set up a proxy server, maybe Squid, (transparent or not) on your network and force everyone through that by blocking outgoing connections from machines other than your proxy server and have the proxy resolve all DNS queries.
4. Set up log reports from the proxy logs that get sent monthly to the person in charge of the Internet policy enforcement.
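The gateway side of items 2 and 3 above, written out as an added example (it is not from the thread or from any poster): a firewall script for a Linux or DD-WRT router that lets only the internal DNS server resolve outside and only the proxy open outbound web connections, plus the DD-WRT-style DNAT that silently redirects stray DNS to OpenDNS as an alternative to rejecting it. The interface name `br0` and the addresses 192.168.1.10 (DNS server) and 192.168.1.20 (Squid) are assumptions; change them to match your network. The PIX 506E in the question needs the same permit/deny pairs expressed as an access-list applied to its inside interface; the syntax differs, the logic does not.

```shell
#!/bin/sh
# Added example, not from the thread: egress lock for a Linux/DD-WRT gateway.
# Run with APPLY=1 on the router (as root) to install the rules; without it the
# script only prints the iptables commands it would run.
# Assumed interface and addresses (change to match your network):
LAN_IF="br0"                # DD-WRT's LAN bridge
DNS_SERVER="192.168.1.10"   # the internal Windows DNS/DHCP server
PROXY="192.168.1.20"        # the Squid host everyone must go through

if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

egress_lock() {
    # A dedicated chain keeps the rules readable top to bottom and makes
    # re-running the script safe (flush, then re-populate).
    $IPT -N EGRESS 2>/dev/null
    $IPT -F EGRESS
    $IPT -D FORWARD -i "$LAN_IF" -j EGRESS 2>/dev/null
    # Hook it at the very top of FORWARD, above DD-WRT's own lan-to-wan ACCEPT.
    $IPT -I FORWARD 1 -i "$LAN_IF" -j EGRESS

    # Item 2: only the internal DNS server may talk to port 53 outside, so a
    # client that points itself at 8.8.8.8 to dodge the blocklist zones fails.
    # RETURN hands the allowed traffic back to the normal FORWARD rules.
    $IPT -A EGRESS -s "$DNS_SERVER" -p udp --dport 53 -j RETURN
    $IPT -A EGRESS -s "$DNS_SERVER" -p tcp --dport 53 -j RETURN
    $IPT -A EGRESS -p udp --dport 53 -j REJECT
    $IPT -A EGRESS -p tcp --dport 53 -j REJECT --reject-with tcp-reset

    # Item 3: only the proxy may open outbound 80/443. The REJECT with a TCP
    # reset makes a misconfigured browser fail fast instead of hanging.
    $IPT -A EGRESS -s "$PROXY" -p tcp -m multiport --dports 80,443 -j RETURN
    $IPT -A EGRESS -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
}

egress_lock_strict() {
    # Closer to the letter of item 3: no new outbound connection of any kind
    # from anyone but the proxy and the DNS server. Call after egress_lock, and
    # expect to carve out mail, VPN and update traffic before turning it on.
    $IPT -A EGRESS -s "$PROXY" -j RETURN
    $IPT -A EGRESS -s "$DNS_SERVER" -j RETURN
    $IPT -A EGRESS -m state --state NEW -j REJECT
}

dns_redirect_opendns() {
    # Alternative to the two DNS REJECT lines in egress_lock (use one or the
    # other, not both): silently send every client's DNS to OpenDNS, which is
    # the DD-WRT trick used for category filtering. 208.67.222.222 is an
    # OpenDNS resolver; replies come back through the router's normal NAT.
    $IPT -t nat -I PREROUTING -i "$LAN_IF" -p udp --dport 53 -j DNAT --to-destination 208.67.222.222
    $IPT -t nat -I PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j DNAT --to-destination 208.67.222.222
}

egress_lock
```

On DD-WRT this goes in the Firewall script box (Administration, Commands) so it is re-applied after every reboot. Check the result with `iptables -L EGRESS -n --line-numbers` from a client's point of view: `nslookup example.com 8.8.8.8` should fail and only the proxy host should be able to reach port 80 directly.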
enzogoy Commented:
Seriously, proxy websites are created every day and it's really hard to block them all.  I'm working for an education organisation; they find a new proxy every day after you block the old one.

The best method to stop this is to talk to your boss to create an internet policy.  If anyone violates the rules, then do something.  It's working hours anyway and they're not supposed to surf those sites during that time.

Just a thought.
Bhzdkh Commented:
Do you have the budget to implement TMG 2010?

jlinde (Author) Commented:
Enzogoy, I totally get that trying to create even the simplest of FW rules or adding them to my fwd-zones would take forever given the number of sites out there and also, as you stated, the fact that they are creating new ones every day, but I wasn't sure if I could address this at the HTTP protocol level in a way that would prevent connections?

Bhzdkh, I am reading over Forefront Threat Management now.
Bhzdkh Commented:
Forefront is amazing; you can block anything you want based on category.
So you can filter proxy servers, pornography, terrorism, and anything you want based on category.

It also does malware/virus checking online, so any traffic to your network is scanned before it gets to the users.
In order to enable these features you will need to pay an annual fee per user, which is $12/user if I'm not mistaken (this is in addition to the cost of TMG, which is $1500).
dmcoop Commented:
I manage several small offices that branch off our main.  We prevent proxies by using OpenDNS for web filtering and using DD-WRT on their Linksys router (nothing fancy here because we have just a few clients at each office).  I then enter a special piece of code (found on the DD-WRT forum) on the DD-WRT to redirect all DNS requests to OpenDNS.  With OpenDNS you can block proxies as a category too.  Also I have taken the additional step of blocking the keywords "proxy" and "prox" in the DD-WRT router so no page with that word loads.  That last option may not work for your business model but it does for ours.
Enzogoy is correct in that proxies come online every day, so the solution is not bulletproof.  However, you have a reasonable expectation that anyone trying to use a proxy will be unsuccessful because OpenDNS will always be updating.  Also, like Enzogoy said, having a good Acceptable Usage Policy in place will go a long way towards stopping it, especially if they know their job may be on the line.  They can also proxy by IP address if they find one (OpenDNS would not prevent this and neither would the router) but again, they have to find it and then be willing to implement it.  By watching the logging I have going on I found a guy doing this.  I blocked the IP outright and reported him to HR.  Since he was in violation of an AUP he was given a warning.  As far as we can tell, and we check often, this has pretty much stopped people from proxying out.
I have no idea how to use the Cisco product to force all DNS requests through the DNS servers you specify, but I imagine that if a free product like DD-WRT will do it then surely Cisco will too.
I have not gone into specific steps here of how to achieve all this.  If you want to implement this solution let me know and I will outline in this thread specifically what you will need to do to make it work.  You will have to have help from a Cisco guru though for that part.
I just re-read this thread.  I stepped away and came back an hour later to finish typing the post I did above.  Sorry for the duplication of mccracky's post.  I like his idea of an internal proxy server too.
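The log review that both mccracky's item 4 (monthly reports from the proxy logs) and dmcoop's "watching the logging" depend on, as an added example that is not from the thread or from either poster. It scans a Squid access.log for the two circumvention patterns dmcoop names: requests that go straight to an IP address (which neither OpenDNS nor the router's keyword filter can see) and hostnames that give a web proxy away. It assumes Squid's default native log format (timestamp, elapsed, client, result code, size, method, URL, ...); the keyword list and the sample log lines are constructed for this example and are not OpenDNS's proxy category.

```shell
#!/bin/sh
# Added example, not from the thread: flag proxy circumvention in Squid logs.
# Assumes Squid's native access.log format (no custom logformat directive).

# Hostname fragments that usually mean a web proxy. This list is the example's
# own guess; expect false positives such as "approximate" on "prox".
KEYWORDS='prox|unblock|anonym'

# flag_requests LOGFILE -> one line per suspicious request:
#   <reason> <client> <method> <host> <squid result>
flag_requests() {
    awk -v kw="$KEYWORDS" '
    {
        host = $7                           # URL, or host:port for CONNECT
        sub("^[a-zA-Z]+://", "", host)      # drop http:// https:// ftp://
        sub("[/:].*$", "", host)            # drop path or :port
        host = tolower(host)
        reason = ""
        if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) reason = "ip-literal"
        else if (host ~ kw)                        reason = "proxy-keyword"
        if (reason != "") printf "%s %s %s %s %s\n", reason, $3, $6, host, $4
    }' "$1"
}

# flag_summary LOGFILE -> "<count> <client>" per client, busiest first.
# This is the line to mail to whoever enforces the internet policy.
flag_summary() {
    flag_requests "$1" | awk '{ n[$2]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Constructed sample in Squid native format, not real traffic: one normal page,
# a CONNECT straight to an IP, a CGI proxy by name, a site already denied by
# Squid, and a GET to a bare IP.
write_sample_log() {
    cat > "$1" <<'EOF'
1286401234.567    120 192.168.1.55 TCP_MISS/200 4521 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1286401300.001    300 192.168.1.55 TCP_MISS/200 2210 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1286401400.002     10 192.168.1.60 TCP_MISS/200 9912 GET http://freeproxysite.example/browse.php?u=aHR0cA - DIRECT/203.0.113.20 text/html
1286401500.003     15 192.168.1.61 TCP_DENIED/403 1200 GET http://blocked.example/ - NONE/- text/html
1286401600.004     40 192.168.1.55 TCP_MISS/200 3300 GET http://198.51.100.9/index.php?q=1 - DIRECT/198.51.100.9 text/html
EOF
}

# Stand-alone demo on the constructed sample; point the two functions at
# /var/log/squid/access.log on the proxy itself.
SAMPLE="${TMPDIR:-/tmp}/squid-sample.$$"
write_sample_log "$SAMPLE"
flag_requests "$SAMPLE"
echo "--- flagged requests per client ---"
flag_summary "$SAMPLE"
rm -f "$SAMPLE"
```

A bare-IP CONNECT on 443 is the strongest signal here: legitimate sites are reached by name, so a client that repeatedly tunnels to a literal address has almost certainly found a proxy that the DNS blocklist cannot touch, which is exactly the case dmcoop caught. Run the summary from cron once a month and mail it; the per-client counts give the policy owner something concrete to act on without wading through the raw log.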
jlinde (Author) Commented:
Many thanks to both mccracky and dmcoop for your help. All of your helpful suggestions I believe have me on the right path now.