Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1699
  • Last Modified:

How to force public wireless users to surf safe

We have a wireless network for public users.

We also use the ScanSafe service for safe web access for our internal users.

On our internal users we have access to their desktops where we set the ScanSafe server IP address in the IE proxy settings.

My question:
How does one go about making the public wireless users surf through the ScanSafe service when we don’t have access to their laptops?

We are using a Cisco ASA5510 and AIR-CT5508 wireless controller but are willing to change things around to make public users surf  through ScanSafe.

1 Solution
At a minimum, you will need a firewall to block outbound TCP 80 and TCP 443 except for the IP addresses needed to connect to the ScanSafe service.
dalvaAuthor Commented:
We don't want to block anything at the firewall.  We want to redirect all Internet requests to pass through the ScanSafe servers.
As rdmustang correctly points out, you need to block at the firewall level, or guest users can just bypass ScanSafe manually.
To deliver the proxy settings to them, you need Web proxy Autodiscovery Protocol (WPAD). See for more info on how it works.
It involves a webserver, a DHCP server and DNS server to get working. You also need to configure a specific file, called a .pac file with the options that suit your needs.
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

One option is to use WCCP to redirect traffic on the ASA. I don't know if ScanSafe supports that.
Another option is to use PBR but that is supported only on the routers.
dalvaAuthor Commented:
ScanSafe does not support WCCP.

If we had to, we could place a router between the ASA and the Internet.  PBR may be an option we can look into more.
dalvaAuthor Commented:
I heard the SonicWall FW TZ 200 has the option Web Proxy Forwarding.  I have ordered one and will post back in a few weeks when it has been installed and tested.
dalvaAuthor Commented:
Turns out the SonicWall product does have the Web Proxy Forwarding and IT WORKS to solve our problem.  We are using the SonicWall FW TZ 200 because it is the model which fits our size requirements.

We just placed the SonicWall between our current PIX firewall and the Internet.  We opened up the SonicWall so it does no firewalling just web proxy.

Thanks to all who made suggestions.
dalvaAuthor Commented:
Author has posted a solution.
dalvaAuthor Commented:
The SonicWall product worked therefore question should be closed and no points awarded.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now