ISA Server - Bypass web proxy when users are outside the network

forsyths_au
I inherited an ISA Server 2004 in a single adaptor configuration and have 2 related problems

1. Company policy does not allow me to enforce all traffic through ISA and therefore logged traffic but I suddenly have large amounts of download traffic per day I need to identify. Our ISP cannot help due to privacy policies?? and as a managed service I have no admin access to the router to try and identify the traffic/user. Any ideas how to easily trace this? Of course I would love to have ISA set up with 2 nics to solve this but I am not permitted to make that change.

2. The hole above is created by laptop users who needed to be able to change proxy settings for when they are in the field. Somewhere in the past they were loaded with Firefox to bypass Group Policy proxy locks on IE and given the direct router address, which of course they now use instead of the proxy when they are in the office; otherwise all other users are proxy locked by Group Policy.
How can I proxy block them so they cannot change it in the office but allow them to modify it away from the office, and can this be done with Firefox?

As I am not that familiar with ISA, any and all suggestions valued

Commented:
Lock down the router to allow only traffic from the ISA .. This way you will have to go through the ISA to access the internet.. You can put the router on a different VLAN as well.
Mohamed KhairyEnterprise Solutions Architect

Commented:
You can use firewall client with those users instead of web proxy clients.

http://www.isaserver.org/tutorials/isa_clients__part_3_the_firewall_client.html

Author

Commented:
Thanks Lance & mkhairy for the quick replies but I cannot make changes to the router. As for the client it is my understanding that it would require changing ISA mode to using 2 nics (Edge Mode) and that change has already been ruled out by powers above.. a little knowledge overrules what should be done :/

Commented:
You can lock down the router to allow only traffic from one IP... If you cannot make any changes then your options are limited.

Author

Commented:
That's the wall I was hitting Lance, which led me to asking those like yourself with more knowledge than me.
The first problem of identifying the download traffic/user I'm hoping may then lead to being allowed to make changes to the ISA mode configuration.

Commented:
Well the simple answer to your management would be that if the user is not going through the ISA .. then you cannot manage the traffic, and to manage it you need to make some changes. If they will not allow you to do so .. then they cannot ask you to be accountable for the excess traffic.

This is the final option although I stopped using this years ago. Force this through GPO and you should ensure all users are going through the proxy in the office only!

http://sysadminhell.blogspot.com/2009/03/proxy-pac-files-how-to-use-with-laptops.html
Most Valuable Expert 2011
Commented:
Company policy does not allow me to enforce all traffic through ISA and therefore logged traffic but I suddenly have large amounts of download traffic per day I need to identify. Our ISP cannot help due to privacy policies?? and as a managed service I have no admin access to the router to try and identify the traffic/user.

First,..if you don't have the authority to "do your job",...then why are you trying to do something that you don't have the authority to do,...we are basically wasting our time here.

Anyway,..back to the beginning.

Assuming you had the authority to actually "do your job",.....

1. Forget GPO,..period. It is too rigid to meet "real life" needs when it comes to proxies. It also does not work on non-IE browsers as you have noticed.

2. Don't allow anyone to be a Local Administrator on their machine,...particularly Laptops,...they are the worst.  Then they cannot install things on the Laptops that they can use to do things you don't want them to do.

3. Use Proxy Auto-Detection via WPAD.  In IE the Proxy Settings should all be left blank,..except the very first "auto detection" Checkbox,...everything else blank,...just check the first check box.  Do the same thing in any browser as well.  The user still might monkey with it,...but if you do everything I tell you the only thing the user can do is "break it",...they aren't going to "get away" with anything by monkeying with it.

Do not enable any other "pac" file stuff and do not point it at any "pac" files.

When you do #3 properly the Laptops will be intelligent enough to recognize that there is no proxy available and will work normally when the user is out traveling.  But when they are brought onto the LAN they will detect and use the proxy.  This is what GPO is not capable of compensating for,...don't use GPO for this.

On the Firewall that you don't have any control over,...you call the people who do control it and tell them to make some changes for you,...that is their job to do this,...that is why you pay them money to manage the firewall for you. They need to change the Firewall so that the only source IP#s that can use HTTP and HTTPS are the Proxy IP# and the IP#s of any of the Servers, Appliances, etc that you want to access HTTP and HTTPS without going through the proxy.

Lastly,...here is a link to the details for configuring the whole WPAD thing. Do it exactly how it is laid out in this material,....except,...only check the first auto-detection check-box in the browser's proxy settings,...leave the rest blank and do the corresponding dialog boxes the same way in the ISA Settings when configuring WPAD. You'll see that in the second screen shot in the group of three shots near the end of the article,...I show many things being enabled, but just do the first one only as I said.

http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
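Lance's PAC-for-laptops link and pwindell's WPAD setup both end up with the browser running a proxy auto-config script that says "use the ISA proxy on the office LAN, go direct everywhere else". The script below is an added illustration of that logic, not code from either poster, the linked articles or ISA itself; the office subnet, the proxy name `isa.example.local:8080` and the Node-side stubs for the browser-supplied `isInNet()` and `myIpAddress()` helpers are constructed assumptions.

```javascript
// Added example: a minimal PAC script of the kind WPAD hands to browsers.
// Office subnet and proxy address are constructed placeholders.
var OFFICE_NET = "192.168.10.0";
var OFFICE_MASK = "255.255.255.0";
var PROXY = "PROXY isa.example.local:8080";

// Standard PAC helper: is ipaddr inside the pattern/mask network?
// Browsers provide this; it is re-implemented here so the file runs in Node.
function isInNet(ipaddr, pattern, maskstr) {
  var ip = ipaddr.split(".").map(Number);
  var net = pattern.split(".").map(Number);
  var mask = maskstr.split(".").map(Number);
  for (var i = 0; i < 4; i++) {
    if ((ip[i] & mask[i]) !== (net[i] & mask[i])) return false;
  }
  return true;
}

// Browsers provide myIpAddress(); this stub is settable so both the
// in-office and in-the-field cases can be exercised from one script.
var currentIp = "192.168.10.42";
function myIpAddress() { return currentIp; }

// Entry point the browser calls for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  // Plain intranet hostnames and loopback never need the proxy.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  // On the office LAN: the ISA web proxy only, with no DIRECT fallback,
  // so a user cannot "fail over" around the proxy by breaking it.
  if (isInNet(myIpAddress(), OFFICE_NET, OFFICE_MASK)) return PROXY;
  // Anywhere else (hotel, customer site): no proxy is reachable, go direct.
  return "DIRECT";
}

// Test hook: evaluate a URL as if the laptop held the given address.
function decideWithIp(ip, url, host) {
  currentIp = ip;
  return FindProxyForURL(url, host);
}
```

The script only steers browsers that honour auto-detection; the enforcement pwindell and Lance describe still comes from the router or firewall allowing outbound HTTP/HTTPS from the proxy's IP alone.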

Author

Commented:
Thanks heaps for the responses
I intend to try some of the suggestions over the next 4 - 5 working days and I'll report back
Most Valuable Expert 2011

Commented:
Looking back at my post I wanted to clarify something.  When I said,

 "Assuming you had the authority to actually "do your job",....."

It meant nothing negative toward you,..I was only expressing annoyance at the situation you find yourself in.

Author

Commented:
No problem, it did sound that way on first read but after that I didn't read anything into it.. I needed help so wasn't about to judge or get precious :)

Commented:
Well forsyths_au,

If you do get someone to change the firewall settings, then all you need to do is allow the ISA and other 'important' devices to connect directly. Everything else must go through the ISA to get internet access (via the ISA proxy of course). That should solve your problem once and for all, and you won't have to worry about WPADs or PACs or GPOs.

If you still have high bandwidth usage, you can assume it's one of those direct IPs.

TC.

Author

Commented:
Hi Lance_P,

It turns out it is my DC sucking it all down from the internet, working on downloading what now and investigating whether to use your suggestion or pwindell's as the final solution to my 2nd question

Author

Commented:
Lance_P had some good input and ideas but in the end it was pwindell's suggestion that proved the best solution in my particular situation

Thanks everyone
